How do I convert my Drupal site to https?

Traditionally, sites that don't transfer potentially sensitive information haven't needed an SSL certificate (this is the thing that makes a padlock show in the browser address bar). However, Google have recently announced that Chrome will force the issue of https with an all-too-clear message ("Not secure") in the address bar as of Chrome release 56 (approximate release date 31st Jan 2017).

Further information: https://www.wordfence.com/blog/2017/01/chrome-56-ssl-https-wordpress/.

The upshot of this is that your site's visitors are likely to panic and leave. We now install SSL as standard, but needed to sweep through all Drupal sites that we control in order to get to this point.

We recommend converting your Drupal site to https (i.e. securing it with an SSL certificate) regardless of whether you are transferring secure data or not. Here's how to make your Drupal 7 site secure...

1) Purchase an SSL certificate

These come in many shapes and sizes. For a basic information website, you don't need anything fancy. You need one that covers your domain with and without www (although it's a good idea to redirect one to the other!). There are more options should you be using multiple subdomains. For basic needs, cost is around £50/year. We used ssls.com.

Find it, pay for it and wait for the confirmation email. 

2) Fire up cPanel

Look for SSL/TLS (under security). First thing to do is generate a Private Key. Just do as it recommends and hit 'generate'.

You now need to create a CSR. Just feed it the Private Key you just created (or create one here). Fill out all of the details as indicated. Note, the code for UK is GB, go with it. Most of it is self-explanatory; we didn't need the pass phrase.

Now copy the CSR to your clipboard. You're going to need it in a mo...

3) Head to your SSL provider

Right, now remember that SSL certificate you purchased, well now we need to hook it up with the domain. Find the option to activate your SSL certificate... it will ask you for a CSR. Just so happens you've already created one! Paste it into the appropriate box, fill out any details that may be requested. Now submit the request.

You'll also need to download an activation file. FTP into your site and upload the activation key file provided to you to the root of your site.

4) Put the kettle on

At this point it's best to chill out and wait for confirmation emails. Your certificate is being processed. We found this took about 15 minutes, but allowing 30 mins will give some time for it to propagate and avoid caching issues.

5) Install the certificate

Assuming it's now active, you're good to go. Return to cPanel and upload the certificate (again, this is under SSL/TLS). Scroll to the top, paste in the certificate (it should have been emailed to you).

Now go to the next option, 'install', which simply pulls in your uploaded certificate. It works out all the details; just hit 'install certificate'.

6) Go for a walk

Again, avoid caching issues by taking it easy at this point. Generally 15 minutes was all it took.

7) Visit your Drupal site via https

So, all of the above steps are typical of any site running on Apache / cPanel. Drupal has a few quirks to look out for:

If you visit the site via https (in Chrome) you may find it says 'Secure' straight away. Bingo. Pretty unlikely though...

8) Tidy templates and resources

More likely you will have some tidying up to do. Inspect the page in Chrome. You need to fix any resource errors (js, css, img etc.) for resources that are referenced via http. If it's a Google resource, e.g. fonts, simply edit the template and add an 's' to the URL (it was their idea, so assume all of their resources use https now!).

If you have seemingly unfathomable absolute paths, don't blow a gasket wondering why you can't see them, check the next step first. In other words, fix the obvious ones.

9) Check the base url!

Go to settings.php in /sites/default/ and check the base url. If it's ever been edited it probably needs changing to https. If this is wrong you can find you have an unholy number of aforementioned unfathomable http paths. Generally this is the golden ticket to tidying up a load of issues.

10) Continue to mop up

Check all pages for mixed resources and pray that content editors haven't used absolute paths on local images (they shouldn't be doing this and you would be right to give them a ticking off!). If they have, you may need to write a SQL statement to do a find and replace.
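As an added example (not part of the original write-up), here is one way to automate the checks in steps 8 and 10: a small scanner that lists every subresource a page still loads over http and says whether it is local (fix the base url or the content) or external (switch the URL to https). The host names and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs the browser fetches while rendering the page.
# <a href> is navigation, not a subresource, so it is deliberately absent.
SUBRESOURCE_ATTRS = {
    ("script", "src"), ("img", "src"), ("iframe", "src"), ("embed", "src"),
    ("source", "src"), ("video", "src"), ("audio", "src"), ("object", "data"),
    ("link", "href"),
}
FETCHED_LINK_RELS = {"stylesheet", "icon"}  # canonical/shortlink are not fetched


class MixedContentFinder(HTMLParser):
    def __init__(self, site_hosts):
        super().__init__()
        self.site_hosts = {h.lower() for h in site_hosts}
        self.findings = []  # (line, tag, url, "local" | "external")

    def handle_starttag(self, tag, attrs):
        rels = set((dict(attrs).get("rel") or "").lower().split())
        if tag == "link" and not rels & FETCHED_LINK_RELS:
            return
        for name, value in attrs:
            if (tag, name) not in SUBRESOURCE_ATTRS or not value:
                continue
            parts = urlsplit(value.strip())
            if parts.scheme != "http":
                continue  # https, relative and protocol-relative URLs are fine
            kind = "local" if parts.hostname in self.site_hosts else "external"
            self.findings.append((self.getpos()[0], tag, value.strip(), kind))


def find_mixed_content(html, site_hosts):
    """Return every http:// subresource in html, tagged local or external."""
    finder = MixedContentFinder(site_hosts)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page: one external font, one absolute local image.
SAMPLE_PAGE = """<html><head>
<link rel="canonical" href="http://www.example.com/about">
<link rel="stylesheet" href="http://fonts.googleapis.com/css?family=Lato">
<script src="https://www.example.com/misc/jquery.js"></script>
</head><body>
<a href="http://www.example.com/contact">Contact</a>
<img src="http://www.example.com/sites/default/files/team.jpg" />
<img src="/sites/default/files/logo.png" />
</body></html>"""
```

Feed it the saved HTML of each page (or a node body pulled from the database) together with your own host names; 'local' hits are the ones the base url fix or a content find and replace will clear.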

11) Finally, force https

Once you're happy that there will be no problems accessing the site via https, you can go ahead and proudly display your SSL padlock. Find the .htaccess file in the root (this is a hidden file). Edit it and paste in the following code immediately below 'RewriteEngine on' to ensure all traffic is redirected to https.


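# Send any host without the www. prefix to https://www.
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Redirect plain http to https. Both conditions must hold: the request did not
# arrive over https at a proxy (X-Forwarded-Proto) nor directly at Apache (HTTPS).
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]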