https
How to get free HTTPS on your own server
The padlock in the address bar isn't a luxury anymore — it's free, automatic, and expected. Here's what HTTPS actually does, why it stopped costing money, and how it gets set up without you ever managing a certificate.
Open any site today and look at the address bar. There's a little padlock, and the address starts with https://. Open a site without it and your browser does something far less subtle: a grey "Not secure" label, sometimes a full-page warning that sends visitors running.
If you're hosting something on your own server, you want the padlock. The good news: it's free, it's automatic, and it's easier than it has ever been. Here's what's going on.
What the padlock actually means
HTTPS does two jobs at once:
- It encrypts the connection. Everything between a visitor's browser and your server is scrambled, so nobody in between — a café Wi-Fi, an internet provider — can read it.
- It proves who you are. A small file called a certificate vouches that this domain really is served from this server, and not by an impostor.
That's the whole point of the padlock: private, and provably you.
It used to cost money. Now it doesn't.
For years, certificates were something you bought — a yearly fee, a clunky renewal, the kind of chore people forgot about until their site broke. That changed with Let's Encrypt, a non-profit that issues certificates for free and automates the whole thing. Today, paying for a basic certificate is the exception, not the rule.
So when an old tutorial tells you to "buy an SSL certificate" — you usually don't have to. The free one is trusted by browsers just the same.
The one thing that has to come first
A certificate is issued for a domain name, and the authority issuing it needs to confirm that the name really points at your server. Which means one rule: your domain has to point at the server before HTTPS can turn on. Padlock second, always.
If you haven't done that step yet, start there — we wrote a short guide on pointing a domain at your server. Once the name resolves, the certificate can be issued in seconds.
How it gets set up — and renewed forever
Modern web servers handle this for you. When a request arrives for your domain, the server can request a certificate, prove it controls the domain, install it, and start serving over HTTPS — often automatically, the first time someone visits.
The one detail worth knowing: free certificates are short-lived on purpose — they expire every 90 days. That sounds like a chore, but it isn't, because renewal is automated too. The server quietly renews in the background, long before anything expires. You set it up once and stop thinking about it.
When it still says "Not secure"
Two common reasons, both easy to fix:
- The domain isn't pointing at the server yet (or hasn't propagated). HTTPS can't finish until it does — go back one step.
- **The page loads over HTTPS but pulls in something over plain
http://** — an old image or script link. Browsers flag that as "mixed content." Updating those links tohttps://clears it.
Neither is a dead end. Both just mean you're one small fix away.
The shortcut
You can wire all of this up by hand. Or you can let Server Manager do it: once your domain points at the server, it turns on HTTPS for you, installs the certificate, and renews it forever — no files to copy, no 90-day reminder, nothing to maintain. The padlock just appears, and stays.
Yours, and trusted
The padlock used to signal that a company ran a site. Now it's available to anyone with a domain and a server — including you. Your own box, your own name, the same padlock trust as everyone else on the internet, for free.
The help guides cover HTTPS, certificates, and domains in more depth whenever you want it.