Cara Setup HTTPS untuk Website: Panduan SSL Certificate

Benefits:
✓ Google ranking factor
✓ User trust (padlock icon)
✓ Data encryption
✓ Required for some features
✓ Browser warnings without it
✓ E-commerce requirement

Level: Basic
Validates: Domain ownership only
Best for: Blogs, personal sites
Cost: Free - $100/year
Issuance: Minutes

Level: Medium
Validates: Organization + domain
Best for: Business websites
Cost: $50-200/year
Issuance: 1-3 days

Level: High
Validates: Full organization verification
Best for: E-commerce, banks
Cost: $100-500/year
Issuance: 1-2 weeks

Most popular free option:
- Free forever
- Auto-renewal
- Widely supported
- DV certificates

Supported by:
- Most hosting providers
- Cloudflare
- cPanel
- Plesk

Benefits:
- Free SSL included
- No installation needed
- CDN included
- Easy setup

1. Login to cPanel
2. Find "SSL/TLS" or "Let's Encrypt"
3. Click "Generate Certificate"
4. Select domain
5. Install certificate
6. Enable force HTTPS

1. Sign up at Cloudflare
2. Add your website
3. Change nameservers
4. Enable "Always Use HTTPS"
5. Set SSL mode to "Full (strict)"

# Ubuntu/Debian with Certbot
sudo apt update
sudo apt install certbot

# For Nginx
sudo apt install python3-certbot-nginx
sudo certbot --nginx -d yourdomain.com

# For Apache
sudo apt install python3-certbot-apache
sudo certbot --apache -d yourdomain.com

# Auto-renewal test
sudo certbot renew --dry-run

Plugins:
- Really Simple SSL (easiest)
- WP Force SSL
- SSL Insecure Content Fixer

Process:
1. Install SSL certificate first
2. Install plugin
3. Activate and configure
4. Test site

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    return 301 https://$server_name$request_uri;
}

define('FORCE_SSL_ADMIN', true);

// If behind reverse proxy
if ($_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https')
    $_SERVER['HTTPS']='on';

After enabling HTTPS:
☐ Update site URL in CMS settings
☐ Update internal links (or use relative)
☐ Fix mixed content warnings
☐ Update canonical tags
☐ Update XML sitemap
☐ Update robots.txt
☐ Update CDN settings
☐ Update Google Search Console
☐ Update Google Analytics
☐ Update third-party integrations

Definition:
HTTPS page loading HTTP resources

Types:
- Mixed active (scripts, stylesheets)
- Mixed passive (images, video)

Browser behavior:
- May block resources
- Security warning
- Broken functionality

Methods:
1. Browser DevTools Console
2. WhyNoPadlock.com
3. SSL Check tools
4. Manual code review

Common culprits:
- Hardcoded HTTP URLs
- External scripts
- Images from HTTP sources
- Embedded content

Solutions:
1. Update to HTTPS URLs
2. Use protocol-relative URLs (//example.com)
3. Use relative URLs (/path/to/file)
4. Fix in database (WordPress)

WordPress database fix:
Search: http://yourdomain.com
Replace: https://yourdomain.com

Test your SSL:
1. SSL Labs (ssllabs.com/ssltest)
   - Comprehensive test
   - Grade A-F rating
   - Security recommendations

2. Why No Padlock
   - Find mixed content
   - Quick check

3. Browser DevTools
   - Console for errors
   - Security tab

ERR_CERT_DATE_INVALID
→ Certificate expired, renew it

ERR_CERT_AUTHORITY_INVALID
→ Not trusted CA, use proper certificate

ERR_CERT_COMMON_NAME_INVALID
→ Domain mismatch, get correct certificate

Too many redirects:
→ Check for redirect loops
→ Verify server config
→ Check CMS settings

Mixed redirect types:
→ Use 301 only
→ Consistent www/non-www

Before migration:
☐ Backup website
☐ Obtain SSL certificate
☐ Test in staging if possible

During migration:
☐ Install certificate
☐ Configure redirects
☐ Test site functionality
☐ Check for mixed content

After migration:
☐ Update all settings
☐ Submit to GSC
☐ Monitor for issues
☐ Test SSL grade