How to set up a free SSL certificate for your website in 2026
SSL used to cost $50–$300/year and require manual cert installs. In 2026 every modern host issues free Let's Encrypt SSL automatically the moment you point a domain. This guide explains how, what to do when it doesn't, and the five things that quietly break HTTPS.
Dmytro Chervonyi
Co-founder & CMO, livemy.app
AI Summary
SSL/TLS is what makes the https:// work and the browser padlock appear. Until Let's Encrypt launched in 2015, certificates cost $50–$300/year and required manual setup. Since 2018, every modern host (Vercel, Netlify, Cloudflare Pages, Render, Railway, livemy.app) issues free Let's Encrypt SSL automatically the moment you point a domain. The whole job is: deploy your app, add your domain, wait 1–10 minutes for DNS propagation and cert issuance, browser padlock appears. This guide explains how it works under the hood, the five things that quietly break SSL (Cloudflare proxy interference, mixed content from hardcoded HTTP URLs, expired certificates on self-hosted setups, domain verification failures, DNS records missing), and the troubleshooting steps that fix 95% of SSL issues without manual cert work.
What SSL is and why it stopped costing money
SSL (more accurately TLS, but everyone still says SSL) is the cryptographic protocol that encrypts traffic between a browser and a server. Two visible effects: the URL becomes https:// instead of http://, and the browser padlock appears in the address bar.
Until 2015, SSL certificates cost $50–$300/year per domain and required manual installation. Then Let's Encrypt launched, a free certificate authority backed by Mozilla, Cisco, and EFF. Since 2018, every modern web host has integrated Let's Encrypt for automatic, free SSL.
The practical implication for 2026: you don't buy SSL certificates anymore. You deploy your app, point a domain at it, and the host's auto-SSL pipeline issues a Let's Encrypt cert in minutes. The browser padlock appears. SSL renews automatically every 90 days, forever, at no cost.
How free SSL works on modern hosts
The flow is the same on Vercel, Netlify, Render, Railway, Cloudflare Pages, and livemy.app:
1. You add your domain to the host's project settings.
2. The host instructs you which DNS records to add at your registrar.
3. You add the records. DNS propagates.
4. The host detects that the domain now resolves to its servers.
5. The host triggers Let's Encrypt to verify domain ownership (via HTTP-01 or DNS-01 challenge).
6. Let's Encrypt issues a 90-day certificate.
7. The host installs it and starts serving HTTPS.
8. Every 60 days, the host auto-renews the cert before expiration.
Total elapsed time on a clean setup: 5–15 minutes from "add domain" to working HTTPS.
Step-by-step: enable SSL on livemy.app
Step 1: Deploy your app and confirm it loads
Before adding a custom domain, confirm your app works on the temporary your-app.livemy.site URL. livemy.app's subdomain is HTTPS by default — the cert there is already in place.
Step 2: Add your custom domain
Project Settings → Domains → Add custom domain. Paste your domain (e.g., yourapp.com). livemy.app shows the DNS records to add.
Step 3: Add the DNS records at your registrar
Log into your registrar's DNS panel, add an A record at apex pointing to livemy.app's IP and a CNAME at www pointing to your livemy.site subdomain. Save.
Step 4: Wait
livemy.app polls DNS every few minutes. Once propagation completes, it triggers Let's Encrypt verification. Cert issuance takes seconds once verification succeeds.
Expected timeline: 5–15 minutes for both DNS propagation and SSL issuance combined. Refresh your custom domain URL in the browser; the padlock should appear.
Step 5: Verify
Open https://yourapp.com in a fresh incognito window. Click the padlock. Confirm the certificate is issued by Let's Encrypt and the validity period is 90 days from today. That's a healthy SSL setup.
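The Step 5 check can also be scripted. The following is an added example, not livemy.app's own code: it reads a certificate in the dict shape Python's ssl module returns and reports the issuer, the days remaining, and any expected hostname (apex or www) the cert does not cover. The sample certificate and the 30-day renewal margin (90-day lifetime minus the 60-day renewal point) are constructed assumptions.

```python
import socket
import ssl
import time

# Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "Example Intermediate"),)),
    "notBefore": "Mar 15 00:00:00 2026 GMT",
    "notAfter": "Jun 13 00:00:00 2026 GMT",
    "subjectAltName": (("DNS", "yourapp.com"),),  # apex only, no www
}


def fetch_cert(host, port=443, timeout=5.0):
    """Fetch the leaf certificate; the default context validates chain and hostname."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def _covers(san, host):
    san, host = san.lower(), host.lower()
    if san.startswith("*."):  # a wildcard matches exactly one left-most label
        return "." in host and host.split(".", 1)[1] == san[2:]
    return san == host


def assess_cert(cert, expected_hosts, now=None, renew_margin_days=30):
    """Summarise issuer, remaining lifetime and which expected names the cert lacks."""
    now = time.time() if now is None else now
    issuer = {key: value for rdn in cert["issuer"] for key, value in rdn}
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    days_left = int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)
    return {
        "issuer_org": issuer.get("organizationName"),
        "days_left": days_left,
        "expired": days_left < 0,
        # A 90-day cert renewed at day 60 should never drop below 30 days left.
        "renewal_overdue": days_left < renew_margin_days,
        "uncovered_hosts": [h for h in expected_hosts
                            if not any(_covers(s, h) for s in sans)],
    }


if __name__ == "__main__":
    print(assess_cert(SAMPLE_CERT, ["yourapp.com", "www.yourapp.com"]))
```

Against a live site, pass `fetch_cert("yourapp.com")` as the first argument; an expired or mismatched certificate makes `fetch_cert` raise a verification error instead of returning.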
Five things that quietly break SSL
1. DNS records not yet propagated when host tries to issue cert
Symptom. Host says "unable to verify domain ownership". Adding the domain takes longer than expected.
Cause. Let's Encrypt's HTTP-01 challenge requires hitting a specific URL on your domain. If DNS hasn't propagated to the verification server yet, the challenge fails.
Fix. Wait. Most hosts retry every 5–15 minutes. Confirm propagation with dnschecker.org. If it's been over an hour with confirmed propagation but still no cert, contact host support.
2. Cloudflare proxy intercepting the verification request
Symptom. SSL issuance fails specifically when your DNS is on Cloudflare with the orange cloud (proxy) enabled.
Cause. Cloudflare's proxy is now in front of your server. The Let's Encrypt verification request hits Cloudflare instead of your actual host.
Fix. In Cloudflare DNS, click the orange cloud to switch to gray cloud ("DNS only"). Save. Wait for cert issuance to complete (5–10 minutes). Once HTTPS is working, switch back to orange cloud if you want Cloudflare's CDN. The cert renewal will continue to work as long as Cloudflare's SSL mode is set to "Full" or "Full (strict)".
3. Mixed content warnings after HTTPS works
Symptom. Padlock shows but is grayed out or has a warning icon. Console says "mixed content".
Cause. Your page is served over HTTPS but loads at least one resource (image, script, stylesheet, video) over HTTP. Modern browsers block or warn about this.
Fix. Search your codebase for http:// URLs. Replace them with https:// or protocol-relative URLs (//example.com/..., which inherit the page's protocol). Common offenders: hardcoded image URLs from old CDNs, third-party widgets, embed codes.
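A plain text search for http:// also matches ordinary links, which are not mixed content. The scanner below is an added example, not part of the original guide: it parses HTML and reports only http:// URLs that the browser would fetch as subresources, labelled active (scripts, stylesheets, frames) or passive (images, audio, video). The sample page and its hostnames are constructed.

```python
from html.parser import HTMLParser

# Attribute that triggers a subresource fetch, per tag.
ACTIVE = {"script": "src", "iframe": "src", "link": "href",
          "embed": "src", "object": "data"}      # typically blocked
PASSIVE = {"img": "src", "audio": "src", "video": "src",
           "source": "src"}                      # typically warned about or upgraded
FETCHING_RELS = {"stylesheet", "icon", "preload", "modulepreload"}

# Constructed sample page.
SAMPLE_PAGE = """<html><head>
<link rel="canonical" href="http://yourapp.com/">
<link rel="stylesheet" href="http://old-cdn.example/site.css">
<script src="//cdn.example/app.js"></script>
</head><body>
<a href="http://partner.example/">Partner</a>
<img src="http://old-cdn.example/logo.png">
<img src="https://yourapp.com/hero.png">
<script src="http://widgets.example/embed.js"></script>
</body></html>"""


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, kind, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        kind = "active" if tag in ACTIVE else "passive" if tag in PASSIVE else None
        if kind is None:
            return  # <a href> and similar are navigation, not subresources
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & FETCHING_RELS:
                return  # rel=canonical, rel=alternate: never fetched
        url = (attrs.get({**ACTIVE, **PASSIVE}[tag]) or "").strip()
        if url.lower().startswith("http://"):
            self.findings.append((self.getpos()[0], tag, kind, url))


def find_mixed_content(html):
    """Return (line, tag, kind, url) for every http:// subresource in the page."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for finding in find_mixed_content(SAMPLE_PAGE):
        print(finding)
```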
4. AAAA record pointing at an old IPv6 address
Symptom. Site works on some networks (IPv4) but fails on others (IPv6). SSL appears to work then suddenly doesn't.
Cause. You added an A record for the new host but forgot to remove the AAAA record from the old host. IPv6-capable browsers prefer AAAA records, so half your users hit the old (now-broken) destination.
Fix. Delete or update every AAAA record alongside your A records. Run dig AAAA yourapp.com to confirm only the new IPv6 (or no IPv6, if your host only supports IPv4) is returned.
5. Self-hosted setup with expired or misconfigured Let's Encrypt
Symptom. SSL worked for months, then suddenly the browser shows "certificate expired".
Cause. You're self-hosting on a VPS with a Let's Encrypt setup that isn't auto-renewing. Certbot's cron job died, or the renewal hook didn't reload nginx.
Fix. Manual renewal: sudo certbot renew && sudo systemctl reload nginx. Long-term: switch to Caddy as your reverse proxy (auto-handles certs with zero config) or move to a managed host that handles this for you (livemy.app, Render, Railway, etc.).
When you might still buy a paid SSL certificate
Honest section. Free SSL covers 99% of cases. Paid certs still exist for:
Extended Validation (EV) certificates — the kind that used to show the company name in green in the address bar. Modern browsers stopped displaying the company name in 2019, so EV is largely cosmetic now. Some financial and government sectors still require it for internal policy reasons.
Organization Validation (OV) certificates — includes verified company info in the cert metadata. Useful for B2B trust where customers technically inspect certs. Free Domain Validation (DV) certs from Let's Encrypt only verify the domain, not the organization.
Specific compliance requirements — some regulated industries mandate certificates from specific CAs. Check with your compliance officer before assuming free SSL is fine.
For everyone else — personal projects, SaaS products, blogs, e-commerce — free Let's Encrypt SSL is the right answer.
FAQ
Is Let's Encrypt SSL as secure as paid SSL?
Yes. The cryptography is identical. Let's Encrypt's certificates use the same algorithms and key strengths as paid certs from DigiCert, Sectigo, or GoDaddy. The difference is in what the CA verifies (Let's Encrypt verifies domain control; paid OV/EV certs verify organization details) and the validity period (Let's Encrypt is 90 days with auto-renewal; paid certs are typically 1–2 years).
Does my host auto-renew the certificate?
If you're on a managed host (livemy.app, Vercel, Netlify, Cloudflare Pages, Render, Railway, Fly.io), yes — renewal happens automatically before each 90-day expiration. If you're self-hosting on a VPS, you need Certbot's cron job or a tool like Caddy that handles it for you.
How long does SSL setup take after DNS propagates?
Seconds to a few minutes once DNS is propagated and verification succeeds. The whole flow from "add domain" to "padlock visible" typically takes 5–15 minutes including DNS propagation.
Why is my site showing "Not Secure" even after I set up SSL?
Three common reasons. First, you're visiting http:// explicitly (try https:// in the URL bar). Second, the cert was issued for one variant of your domain (e.g., apex) but you're visiting another (e.g., www). Third, mixed content — your HTTPS page is loading at least one HTTP resource (see gotcha #3).
Can I force HTTPS so users always get the secure version?
Yes — most modern hosts have a "Force HTTPS" or "Redirect HTTP to HTTPS" toggle in domain settings. livemy.app enables this by default for all custom domains. Once on, any HTTP request returns a 301 redirect to the HTTPS equivalent. Combined with HSTS headers (also worth enabling), browsers stop attempting HTTP entirely after the first visit.
What's HSTS and should I enable it?
HSTS (HTTP Strict Transport Security) is a header that tells browsers to only ever use HTTPS for your domain, even if the user types http:// explicitly. Worth enabling on any production site — prevents downgrade attacks. Start with a short max-age (a few hours) while testing, then extend to a year for production. Be cautious: once a browser has cached HSTS for your domain, it won't visit you over HTTP until the cache expires. Don't enable it if you might need to downgrade SSL later.
Browser padlock in 5 minutes — no manual cert work
If you've deployed an app and you've got a domain, free Let's Encrypt SSL is 5 minutes away. Modern hosts make it automatic; the only friction is the DNS propagation wait.
→ Start free on livemy.app · Free Let's Encrypt SSL on every custom domain, auto-renewing, no manual cert installation, no paid certificates. $20/month flat on Maker.
Stuck on a verification failure, mixed content warning, or expired cert? Email hello@livemy.app with your domain and what the browser is showing. Replies inside one business day.
Dmytro Chervonyi, Co-founder & CMO, livemy.app
Co-founder & CMO at livemy.app. 12 years as a CMO scaling SaaS from $0 to $10M+ ARR across marketing, sales, and infra products and tools. Now building the missing step between AI-built code and a live URL — for non-developers who’d rather ship than learn DevOps.


