They’re free. They’ve been free since 2015. Here’s how to stop getting charged.
The Problem
If you have a website hosted with a budget provider like 123-reg, GoDaddy, Heart Internet, or Fasthosts, there’s a good chance you’re paying between £50 and £150 per year for an SSL certificate. You know — the padlock icon in your browser that means your site uses HTTPS.
Here’s what your hosting provider probably isn’t telling you: SSL certificates have been available for free since Let’s Encrypt launched in 2015. The basic DV (Domain Validated) certificate your host is selling you costs them nothing to obtain. What you’re paying for is pure margin.
How They Get Away With It
Most budget hosting providers use cPanel — the industry-standard control panel for managing websites. cPanel has a built-in feature called AutoSSL that automatically provisions and renews free SSL certificates for every site on the server. No configuration needed. No cost. It just works.
The catch? Many budget hosts deliberately disable AutoSSL so they can sell you their own SSL certificate instead. When you log into cPanel and look at the SSL/TLS Status page, you’ll see a message like: “The certificate will not renew via AutoSSL because it was not issued via AutoSSL.” That’s the host’s doing, not a technical limitation.
Some hosts go further. When you contact support to ask about it, they’ll offer you a “hosting upgrade” that includes SSL — at several times the price of your current plan. One major UK host recently quoted a client £359 + VAT for a 5-year package “with auto SSL included.” That’s over £430 for a feature that should have been free from day one.
Which Hosts Typically Charge for SSL?
- 123-reg — disables AutoSSL, charges £100-150/year for a standard SSL cert
- GoDaddy — sells SSL separately, starting around £60/year
- Heart Internet — SSL available as paid add-on
- Fasthosts — includes SSL on some plans, charges extra on others
- 1&1 (IONOS) — included on newer plans, charged separately on legacy accounts
In contrast, hosts like SiteGround, Cloudways, DigitalOcean, and AWS Lightsail either include free SSL via Let’s Encrypt or make it trivially easy to set up yourself.
Your Options
Option 1: Ask Your Host to Enable AutoSSL
Contact support and ask them to enable AutoSSL or Let’s Encrypt on your account. Some will do it. Many won’t — or they’ll try to upsell you.
Option 2: Install a Free Certificate Manually
You can generate a free SSL certificate from Let’s Encrypt (via a tool like ZeroSSL’s web interface) and install it through cPanel’s SSL/TLS manager. This works on any cPanel host. The downside is that free certificates expire every 90 days, so you’ll need to repeat the process four times a year.
Option 3: Use Cloudflare (Recommended)
Put your site behind Cloudflare’s free plan. Cloudflare handles SSL at their edge — visitors get HTTPS automatically, permanently, with zero maintenance. You also get CDN caching, DDoS protection, and performance optimisation included. This is the approach I use for clients, and it’s the one I’ll walk you through below.
A Real Example
A client recently received an email from their hosting provider saying it was time to renew their SSL certificate. The hosting account was on a cPanel shared plan — the kind of setup where AutoSSL should work out of the box. But the host had disabled it.
When we contacted support to cancel the SSL auto-renewal, the agent tried to upsell a more expensive hosting package “with auto SSL included” — for £359 + VAT over five years. The client’s existing SSL was costing £143 per year.
Instead, we set up Cloudflare’s free plan. Total cost: zero. Time taken: about 30 minutes. The SSL is now permanently handled by Cloudflare, auto-renewing, with a 15-year origin certificate installed as backup. The client will never pay for SSL again.
How to Set Up Cloudflare for Free SSL
What You’ll Need
- Access to your domain registrar (where you manage nameservers — often the same company as your host)
- Access to your hosting cPanel
- About 30 minutes
Step 1: Create a Cloudflare Account
Go to cloudflare.com and sign up for a free account. Click “Add a site,” enter your domain name, and select the Free plan.
Step 2: Let Cloudflare Scan Your DNS
Cloudflare will automatically scan your existing DNS records and import them. This usually takes under a minute. Review the results carefully before proceeding — especially if you have email on your domain (Microsoft 365, Google Workspace, or your host’s email). All your existing records need to be present.
Step 3: Change Your Nameservers
Cloudflare will give you two nameserver addresses. Log into your domain registrar and replace the existing nameservers with Cloudflare’s. This tells the internet to route your domain through Cloudflare.
Propagation usually takes a few minutes to a few hours. Cloudflare will email you when it’s active.
Step 4: Set SSL Mode to “Full”
In the Cloudflare dashboard, go to SSL/TLS and make sure the encryption mode is set to Full (not “Flexible”). If your site already has an SSL certificate installed, this ensures both legs of the connection are encrypted.
Step 5: Fix Your DNS Proxy Settings (Critical)
This is the step most guides skip, and it’s the one that breaks email.
When Cloudflare imports your DNS records, it sets most of them to “Proxied” (shown as an orange cloud icon). Proxied means traffic goes through Cloudflare’s servers. This is correct for your website, but wrong for almost everything else.
Cloudflare’s proxy only handles web traffic (HTTP/HTTPS on ports 80 and 443). Services like email, FTP, cPanel, and webmail use different protocols or ports and will break if proxied.
What “Proxied” vs “DNS Only” Means
Proxied (orange cloud): Traffic is routed through Cloudflare. Cloudflare terminates SSL, applies its CDN and security features, then forwards the request to your server. Your server’s real IP address is hidden. This is what you want for your website.
DNS only (grey cloud): Cloudflare simply returns your server’s IP address. Traffic goes directly to your server, bypassing Cloudflare entirely. This is what you need for non-web services.
Which Records Should Be “DNS Only”
Change all of the following to DNS only (grey cloud). Click “Edit” on each record and toggle the cloud icon:
| Record Type | Name | Why DNS Only? |
|---|---|---|
| CNAME | autodiscover | Email auto-configuration (M365, Exchange). Google Workspace uses MX only, but if you see this record, it must be DNS only or Outlook won’t connect. |
| CNAME or TXT | selector1._domainkey (M365), google._domainkey (GWS), or similar | DKIM email signing. Every email provider uses these. If proxied, receiving servers can’t verify your emails are genuine — they go to spam. |
| CNAME or TXT | selector2._domainkey, or any other DKIM selector | Same reason. You may have multiple DKIM records — set them all to DNS only. |
| CNAME or TXT | Any remaining _domainkey records | DKIM for transactional email services (Brevo, Mailchimp, SendGrid, Postmark). Same rule applies. |
| A | cpanel | cPanel uses port 2083, which Cloudflare won’t proxy. |
| A | whm | WHM uses port 2087. |
| A | webmail | Webmail often uses a non-standard port. |
| A | ftp | FTP uses port 21 — not a web protocol. |
| A or MX | | Mail server. Applies whether you use cPanel email, M365, Google Workspace, or any other provider. Not web traffic. |
| A | webdisk, autoconfig, cpcalendars, cpcontacts | cPanel services that don’t use standard web ports. |
Which Records Should Stay “Proxied”
Only your website records should be proxied:
| Record Type | Name | Why Proxied? |
|---|---|---|
| A | yourdomain.com (root) | This is your website — you want Cloudflare’s SSL and CDN. |
| CNAME | www | This is also your website. |
The rule of thumb: if it serves your website, proxy it. If it’s anything else — email, FTP, cPanel, server management — set it to DNS only.
Why This Matters
If you leave email authentication records (DKIM selectors) on “Proxied,” receiving mail servers can’t look up the cryptographic keys that prove your emails are genuine. The result: your emails start landing in spam folders, or get rejected entirely. For a business, this can be devastating — and the cause is invisible unless you know to check DNS proxy settings.
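The Step 5 rule of thumb can be checked mechanically before you rely on the new setup. The script below is an added example, not something from Cloudflare or cPanel: it audits a list of DNS records and reports every record whose proxy setting contradicts the tables above. The record shape (`type`, `name`, `content`, `proxied`), the zone `example.com` and all sample values are constructed assumptions.

```python
import json

WEB_LABELS = {"", "www"}            # root and www: the only records the page proxies
WEB_TYPES = {"A", "AAAA", "CNAME"}  # AAAA treated like A (assumption, not in the tables)

def label_of(name, zone):
    """Strip the zone suffix: 'www.example.com' -> 'www', 'example.com' -> ''."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    if name == zone:
        return ""
    return name[: -len(zone) - 1] if name.endswith("." + zone) else name

def reason(label, rtype):
    """Why the page wants this record on DNS only."""
    if "_domainkey" in label.split("."):
        return "DKIM selector, receivers must resolve the key"
    # "mail" as a host label is an assumption; the table only says "mail server".
    if rtype == "MX" or label in {"mail", "autodiscover", "autoconfig"}:
        return "mail service, not web traffic"
    return "not the website (cPanel, FTP or another service)"

def audit(records, zone):
    """Return (name, type, problem) for each record that breaks the Step 5 rule."""
    findings = []
    for rec in records:
        label = label_of(rec["name"], zone)
        is_web = label in WEB_LABELS and rec["type"] in WEB_TYPES
        proxied = bool(rec.get("proxied"))
        if is_web and not proxied:
            findings.append((rec["name"], rec["type"],
                             "website record is DNS only, so no Cloudflare SSL or CDN"))
        elif proxied and not is_web:
            findings.append((rec["name"], rec["type"],
                             "should be DNS only: " + reason(label, rec["type"])))
    return findings

# Constructed sample records for the placeholder zone example.com.
SAMPLE = json.loads("""[
 {"type": "A", "name": "example.com", "content": "203.0.113.10", "proxied": true},
 {"type": "CNAME", "name": "www.example.com", "content": "example.com", "proxied": false},
 {"type": "A", "name": "cpanel.example.com", "content": "203.0.113.10", "proxied": true},
 {"type": "CNAME", "name": "selector1._domainkey.example.com", "content": "selector1.dkim.mailhost.example", "proxied": true},
 {"type": "MX", "name": "example.com", "content": "mail.example.com", "proxied": false},
 {"type": "A", "name": "mail.example.com", "content": "203.0.113.10", "proxied": true}
]""")

if __name__ == "__main__":
    for name, rtype, problem in audit(SAMPLE, "example.com"):
        print(f"{rtype:6} {name:35} {problem}")
```

An empty result means every record matches the two tables; rerun the audit after any later DNS change, since newly added records can default to Proxied.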
Step 6: Install a Cloudflare Origin Certificate (Optional but Recommended)
Cloudflare handles the visitor-facing SSL, but it still connects to your server over HTTPS. If your host’s SSL certificate expires and you don’t renew it, that connection breaks.
The fix: install a free Cloudflare Origin Certificate on your server. These are valid for up to 15 years.
- In Cloudflare: SSL/TLS > Origin Server > Create Certificate
- Leave the defaults (RSA 2048, your domain + wildcard). Set validity to 15 years.
- Copy the certificate and private key.
- In cPanel: SSL/TLS > Manage SSL sites
- Select your domain, paste the certificate and private key, click Install.
- Back in Cloudflare: change SSL mode from “Full” to “Full (Strict)” — this is the most secure setting and works because Cloudflare trusts its own origin certificates.
You’re done. Your site now has permanent, free, end-to-end encrypted SSL with no annual renewal, no cost, and no dependency on your hosting provider.
Step 7: Cancel Your Paid SSL
Contact your hosting provider and cancel the auto-renewal on your existing paid SSL certificate. Keep the chat transcript or email confirmation — some providers have been known to “accidentally” renew cancelled products.
Summary
| | Paid SSL (typical budget host) | Cloudflare Free Plan |
|---|---|---|
| Annual cost | £50-150/year | Free |
| Renewal | Manual or auto-charged | Automatic, no action needed |
| Origin certificate | Expires annually | 15-year Cloudflare Origin Cert |
| CDN included | No | Yes |
| DDoS protection | No | Yes |
| Setup time | N/A (you’re already paying) | ~30 minutes |
SSL certificates are a solved problem. If your hosting provider is still charging you for one, it’s not because the technology requires it — it’s because their business model depends on it. You have better options.