Securing custom domains with Let's Encrypt security certificates
To secure a custom domain (such as www.whatever.org instead of whatever.wildapricot.org), you need to obtain a custom security certificate (aka SSL certificate) for your domain. After that, you can set your traffic encryption to Always so that all traffic to your site is encrypted and secure.
If you use a custom domain without a security certificate, visitors who access your site using https will typically see a security warning displayed by their browser (e.g. "not secure" or "connection not private"). They can ignore it and use the site but may be scared away by the warning.
From the Domain name management screen, you can order a free security certificate from Let's Encrypt while adding your custom domain name, or afterwards.
If you already have a paid SSL certificate installed on your site and order a Let's Encrypt certificate, the Let's Encrypt certificate will overwrite your existing one.
Wild Apricot does not charge an installation fee or a renewal fee for security certificates from Let's Encrypt.
Ordering a certificate while adding your domain
To order a free security certificate from Let's Encrypt while adding your custom domain name to the Domain name management screen, follow these steps:
- Make sure you've set up your custom domain according to these instructions.
- Log into your Wild Apricot account as a full administrator.
- Go to the Website module (by clicking the Website menu) then click the Settings option.
- Within the Settings screen, click Domain name (under Site settings).
- From the Domain name management screen, click the Add custom domain name button.
- Enter your domain name in the field without the www. Both the regular and www versions of your domain name will be added.
- Make sure the option to install a free SSL certificate from Let's Encrypt is checked.
- Click the Save button.
An hourglass icon will appear for your domain name entries (both regular and www versions), indicating that the certificate is being processed.
Within approximately 30 minutes, the hourglass will be replaced by a green checkmark if the certificate was successfully installed. With the certificate successfully installed, you can verify the installation by trying to access your custom domain using https. Once you've verified the successful installation of your security certificate, you should now do the following:
- Designate one of your custom domain names as the primary domain by clicking the Set as primary link beside the domain name.
- Set the traffic encryption for your site to Always so that all traffic to your site will be encrypted and secure.
If any icon other than the checkmark appears in place of the hourglass icon, you can click the Check button for more information, and see Checking the status of your certificate below.
Ordering a certificate for an existing domain
To order a free security certificate from Let's Encrypt for a custom domain already added to the Domain name management screen, follow these steps:
- From the Domain name management screen, click the Check button beside each of your custom domain names (both the regular and www versions).
- If your domain doesn't already have a Let's Encrypt security certificate installed, then a message to that effect will appear, and an Issue certificate link will be displayed. Click the Issue certificate link. If that link does not appear, check the message to determine whether a Let's Encrypt security certificate has already been installed for this domain.
- After you click the Issue certificate link, the Domain checking dialog will be updated with a message indicating that the certificate is being installed.
- Click the OK button to exit the dialog.
An hourglass icon will appear for your domain name entry, indicating that the certificate is being processed. Within approximately 30 minutes, the hourglass will be replaced by a green checkmark if the certificate was successfully installed.
You have to click the Issue certificate link for both the www and regular version of your custom domain.
Once you've verified the successful installation of your security certificate, you should set the traffic encryption for your site to Always so that all traffic to your site will be encrypted and secure.
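A scripted version of the https check described in both ordering procedures above, as an added example that is not Wild Apricot's code: it confirms that the served certificate covers both the regular and www names and flags an approaching expiry. The function names, `example.org` and the 21-day threshold are assumptions, and the sample certificate is constructed.

```python
import socket
import ssl
import time


def fetch_cert(host, port=443, timeout=10):
    """Connect with normal browser-style validation and return the certificate."""
    ctx = ssl.create_default_context()  # raises if the chain or hostname is invalid
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def san_matches(pattern, name):
    """Exact match, or a single-label wildcard such as *.example.org."""
    pattern, name = pattern.lower(), name.lower()
    if pattern.startswith("*."):
        return "." in name and name.split(".", 1)[1] == pattern[2:]
    return pattern == name


def review_cert(cert, domain, now=None, min_days=21):
    """Return a list of problems for the regular and www names of `domain`."""
    now = time.time() if now is None else now
    problems = []
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    for name in (domain, "www." + domain):
        if not any(san_matches(p, name) for p in sans):
            problems.append(f"{name} is not covered by the certificate")
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    if days_left < min_days:
        problems.append(f"expires in {days_left:.0f} days")
    return problems


# Constructed sample in the shape ssl.getpeercert() returns (not real data).
SAMPLE = {
    "notAfter": "Jun  1 12:00:00 2030 GMT",
    "subjectAltName": (("DNS", "www.example.org"),),
}

if __name__ == "__main__":
    # Replace example.org with your custom domain; this makes a live connection.
    cert = fetch_cert("www.example.org")
    print(review_cert(cert, "example.org") or "certificate OK")
```

If `fetch_cert` raises `ssl.SSLCertVerificationError`, the site is serving a certificate that browsers would reject for that name, which corresponds to the security warning described at the top of this page.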
Checking the status of your certificate
On the Domain name management screen, two status icons will appear for each domain name, one for your DNS settings and one for your Let's Encrypt certificate.
The status of security certificates obtained from vendors other than Let's Encrypt is not tracked on this screen.
A green checkmark icon indicates that your DNS settings are correct, or that a Let's Encrypt certificate has been successfully installed for that domain. If any other icon appears, you can click the Check button to view a Domain checking dialog with more details.
The different icons that might appear, and the corresponding status message that is displayed on the Domain checking dialog, are listed below.
|Status|Status message|
|---|---|
|Certificate installation is in progress|Your certificate is being processed. It can take up to 30 minutes to complete processing.|
|Certificate installed|A Let's Encrypt certificate has been successfully installed for this domain.|
|No Let's Encrypt certificate|A Let's Encrypt certificate has not been successfully installed for this domain. If this message appears after trying to install a certificate, see Troubleshooting certificate failures (below).|
|Unable to auto-renew certificate|The existing Let's Encrypt certificate did not automatically renew. See Automatic certificate renewal (below) for more information.|
|Unable to determine certificate status|An unknown error occurred. The certification service may be temporarily unavailable.|
Troubleshooting certificate failures
If an error icon or message appears indicating that your Let's Encrypt certificate has not been successfully installed or renewed, you should review the following list of the most common causes of certificate failures.
- Your custom domain was not set up according to these instructions.
- Your custom domain was previously directed to a different site and there's still an old IPv6 record (AAAA record) within your custom domain settings. In this case, you need to access your domain settings with your domain name provider and remove the IPv6 record (AAAA record).
After correcting issues with your domain, you can reissue the certificate by removing and re-adding your domain on the Domain name management screen, or by clicking the Issue certificate link from the Domain checking dialog.
If you are unable to identify and correct the issue with your domain name, contact Wild Apricot Support.
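To check for the leftover IPv6 record described above before reissuing, the following added example (not Wild Apricot's code) lists any AAAA addresses still published for the regular and www names. The function names and `example.org` are assumptions, and `fake_resolver` is a constructed stand-in for DNS so the logic can be exercised offline.

```python
import socket


def ipv6_addresses(name, resolve=socket.getaddrinfo):
    """Return the sorted IPv6 addresses published for `name` (empty if none)."""
    try:
        infos = resolve(name, 443, socket.AF_INET6, socket.SOCK_STREAM)
    except socket.gaierror:
        return []  # no AAAA record, or the name does not resolve at all
    return sorted({info[4][0] for info in infos})


def leftover_aaaa(domain, resolve=socket.getaddrinfo):
    """Map the regular and www names to any IPv6 addresses they still publish."""
    found = {}
    for name in (domain, "www." + domain):
        addrs = ipv6_addresses(name, resolve)
        if addrs:
            found[name] = addrs
    return found


def fake_resolver(name, port, family, socktype):
    """Constructed stand-in for DNS: only the regular name still has an AAAA record."""
    if name == "example.org":
        return [(family, socktype, 6, "", ("2001:db8::10", port, 0, 0))]
    raise socket.gaierror("no AAAA record")


if __name__ == "__main__":
    # Replace example.org with your custom domain; this queries live DNS.
    for name, addrs in leftover_aaaa("example.org").items():
        print(f"{name} still has AAAA record(s): {', '.join(addrs)}")
```

The lookup goes through the system resolver, so a recently removed record can still appear until cached answers expire.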
Automatic certificate renewal
Let's Encrypt security certificates automatically renew themselves every 3 months without any notification. However, if you've made changes to your DNS settings, the certificate might fail to renew.
If your certificate fails to auto-renew, a warning icon will appear beside the domain name, and a message beginning with "Unable to auto-renew certificate" will appear on the Domain checking dialog.
In this case, check your DNS settings against these instructions then try issuing the certificate again.
Security certificates purchased from an external vendor are not automatically renewed.
Obtaining a security certificate from any other vendor
The cost of a one-year security certificate from a vendor other than Let's Encrypt begins around $100. To install the security certificate from a vendor other than Let's Encrypt on your custom domain, we charge an initial fee of $50 and a renewal fee of $50.
The steps involved in purchasing and installing a custom security certificate from a vendor other than Let's Encrypt are as follows:
- Choose a security certificate vendor. You should avoid purchasing certificates from WoSign and StartCom. They are no longer considered to be trusted authorities. For details, click here.
- Have a full account administrator send an email to Wild Apricot support and provide the following information:
  - Country/region name (2-letter code): you can find your two-letter country code at www.digicert.com/ssl-certificate-country-codes.htm
  - State/province (full name)
  - The legally registered name of your organization/company (maximum 64 symbols, including spaces).
  - Organizational unit name: the name of your department within the organization (frequently this entry will be listed as "IT," "Web Security," or is simply left blank).
  - The name/domain through which the certificate will be accessed (usually the fully-qualified custom domain name, e.g. www.domain.com). Note that some vendors might not generate the SSL certificate for both www.domain.com and domain.com, so be sure to specify the main domain you would like to use.
- Our support representative will generate and email you a CSR (Certificate Signing Request). You can use the CSR to order an SSL certificate from your vendor. For security reasons, we cannot accept the sharing of the SSL private keys, or install on our servers SSL certificates that were not based on our Certificate Signing Requests (CSRs).
- Visit your vendor's website and use the CSR to order your certificate. Make sure the SSL certificate you purchase is for Apache or Nginx, and make sure your vendor includes the following statements in the SAN (Subject Alternative Name) section of the certificate so that it applies to your website's URL with and without the www: DNS Name=www.yourdomain.com DNS Name=yourdomain.com
- After receiving the SSL certificate from your vendor, email it to us – usually, it is an archive file or CRT/CER files provided by the certificate vendor – and separately send the intermediate certificate file.
- After we receive the certificate from you, we'll install it on your website and let you know when we're done.
- Finally, we will instruct you to update your custom domain's DNS settings. We'll provide the details but you'll need to contact your domain name provider, or access your domain registrar account online, to perform this step.
Once the process is complete, we'll invoice you for the installation fee.
The status of security certificates issued by vendors other than Let's Encrypt will not be tracked on the Domain name management screen.