Webdev here but this http/https stuff is basically a complete blind spot.
The site in question is http://amygalbraith.com and i do not want to append “www” to the URL because we have significant SEO invested in the “naked” root. This is a paid account already so apparently there’s a non-domain-specific certificate associated with the domain right now. I’ve checked out the “how to set up https” article and it basically just says to set the Crypto > SSL setting to"strict" and the force traffic to use https instead of http. When I change those settings though, the site shows a “your connection is not secure” error.
I assume there’s some down time when changing these settings, but I don’t want to switch them at 11pm and leave them overnight if there’s something else I have to do that I’m not aware of. It is a live site that ranks highly for the keywords it’s optimized for so I want to limit any downtime to the absolute minimum.
Can anyone help with further context or instruction?
Hosting is with Dreamhost
Dreamhost nameservers
DNS is managed by Cloudflare
CNAMEs set up for both www and non-www
In addition to the SSL Strict, it helps to turn on Always Use HTTPS.
As for the Not Secure error, do you have an SSL certificate set up over at DreamHost? I know I was able to do that so I could use Full SSL. Without SSL at DreamHost, you’d have to use Flexible SSL here.
As an aside, when I hosted at DreamHost, I manually set up my Cloudflare account and used Cloudflare’s DNS servers. I just liked having the full control over my settings…which included not having to use CNAMEs.
That being said, if you’re already using Cloudflare, HTTPS shouldn’t impact the use of www vs. naked root.
For anyone running into this in the future, my site is active now and it does use https. I have a free self-signed certificate active that I added using my hosting provider’s admin (Dreamhost). In the Cloudflare Crypto panel, I set SSL to “full” and turned the “Always use HTTPS” setting to on. I did all of this at about 11pm, and initially the site showed the “this site is not secure” warning. When I woke up at 6am, everything worked fine and the “secure” lock was showing up.
I have a subdomain that isn’t working yet but that’s another issue.