Note: This setup assumes you are running Ubuntu 16.04 with Apache 2.4.23; older versions of Ubuntu (e.g. 14.04) require minor configuration changes for this setup to work.
Follow the install instructions for certbot (the EFF's Let's Encrypt client) on https://certbot.eff.org/, making sure to select the correct server OS version.
Note: You only need to complete the Install section, then return to this README to set up your SSL certificate.
Once installed, run the following certbot
command:
./certbot-auto certonly --webroot --webroot-path /var/www/html/ --renew-by-default -d yourdomainhere.com
Certbot has many configuration options and, when used with Apache, can set up your certificates automatically without any changes to the Apache configuration files. However, if you use a service such as CloudFlare to manage your DNS and add caching in front of the site, the command above is required for the domain validation to succeed: with CloudFlare proxying your domain, a challenge that has to reach your own server's TLS listener is answered by CloudFlare's edge instead, whereas the webroot method serves a challenge file over plain HTTP, which CloudFlare passes through to your origin. Using this command rather than the built-in Apache plugin (at the time of writing) is also recommended because it gives you greater control over your site's TLS configuration, which we write by hand below.
- `certonly` is the subcommand we are running: it tells certbot to obtain a Let's Encrypt certificate only, without touching the Apache configuration (we'll do that ourselves!).
- `--webroot` is the authentication method (the HTTP-01 challenge): certbot places a token file under the webroot and Let's Encrypt fetches it at `http://yourdomainhere.com/.well-known/acme-challenge/`. This is what gets around the CloudFlare issue: a CloudFlare-protected domain resolves to CloudFlare's IP addresses rather than your origin server's, so a challenge that must reach your server directly fails, whereas an HTTP request for the challenge file is proxied through to your origin.
- `--webroot-path` sets the root of your website; this should be the directory your Apache configuration's `DocumentRoot` points to.
- `--renew-by-default` is an alias for `--force-renewal`: if a certificate for these domains already exists it is re-issued now, regardless of whether it is near expiry. Leave it out if you only want a certificate when none exists yet, because repeated forced re-issues count against Let's Encrypt's duplicate-certificate rate limit.
- `-d` sets the domain you wish to assign this certificate to; multiple domains can be covered by the same certificate by passing an additional `-d` flag for each one.
After running the `certonly` command you should be prompted for an email address, which is used to notify you of certificates that are about to expire. Once you have entered it the process should complete with a success message similar to:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/yourdomainhere.com/fullchain.pem.
Your cert will expire on 2017-03-01. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
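Before running the `certonly` command it is worth proving that the HTTP-01 challenge path is really served from your webroot over plain HTTP, because that is exactly what Let's Encrypt will request (and, behind CloudFlare, what gets proxied to your origin). The script below is an added example, not part of the original README or of certbot: it writes a random token under the webroot, fetches it back the way the validation server would, and cleans up. The webroot and URL arguments and the file name acme_preflight.py are assumptions.

```python
"""Pre-flight check for certbot's --webroot (HTTP-01) validation.

Added example, not part of the original README or of certbot. It drops a
random token file into <webroot>/.well-known/acme-challenge/ and fetches it
back over plain HTTP, so you learn before calling certbot whether Apache (or
CloudFlare in front of it) actually serves that path from your DocumentRoot.
"""
import base64
import os
import urllib.error
import urllib.request

CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")


def write_token(webroot):
    """Drop a throw-away challenge file into the webroot; returns its name."""
    token = base64.urlsafe_b64encode(os.urandom(32)).rstrip(b"=").decode("ascii")
    path = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(path, exist_ok=True)
    with open(os.path.join(path, token), "w") as fh:
        fh.write(token)
    return token


def fetch_token(base_url, token, timeout=10.0):
    """GET <base_url>/.well-known/acme-challenge/<token>; None on any failure.

    Only a 200 with a body counts: a CloudFlare error page, a 404 from
    WordPress or a refused connection all mean the validation would fail.
    """
    url = base_url.rstrip("/") + "/.well-known/acme-challenge/" + token
    req = urllib.request.Request(url, headers={"User-Agent": "acme-preflight"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            if resp.status != 200:
                return None
            return resp.read().decode("utf-8", "replace").strip()
    except (urllib.error.URLError, OSError, ValueError):
        return None


def preflight(webroot, base_url):
    """True only if the token written under webroot comes back verbatim."""
    token = write_token(webroot)
    try:
        return fetch_token(base_url, token) == token
    finally:
        # remove the token so stale files do not pile up under the webroot
        try:
            os.remove(os.path.join(webroot, CHALLENGE_DIR, token))
        except FileNotFoundError:
            pass


if __name__ == "__main__":
    import sys
    # usage (assumed file name): python3 acme_preflight.py /var/www/html http://yourdomainhere.com
    ok = preflight(sys.argv[1], sys.argv[2])
    print("challenge path reachable" if ok else "challenge path NOT reachable")
    sys.exit(0 if ok else 1)
```

Run it on the server with the same webroot you will pass to `--webroot-path` and the public `http://` URL of the site. A failure before you touch certbot usually means the webroot does not match `DocumentRoot`, a rewrite rule is intercepting `/.well-known/`, or port 80 is not reachable through the proxy.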
Once the certificate has been issued for your domain, you need to update your Apache site configuration with some additional rules to tell Apache how to handle requests over `https`.
- Change into the Apache sites-available folder with `cd /etc/apache2/sites-available` and open the config file for the site you have obtained the certificate for, e.g. `nano yourdomainhere.conf` (or `vi`).
- As well as having a `VirtualHost` block for port 80 (http traffic), we also need to add a `VirtualHost` block for port 443 (https traffic). Using the example below, add the missing sections to your site's configuration (you may have additional settings in your configuration, in which case merge the rules below with your existing ones). The port 443 block needs `mod_ssl` and `mod_headers`, so enable them first with `a2enmod ssl headers` if they are not already enabled:
<VirtualHost *:80>
    ServerName yourdomainhere.com
    ServerAdmin [email protected]
    DocumentRoot /var/www/html
</VirtualHost>

<VirtualHost *:443>
    ServerName yourdomainhere.com
    ServerAdmin [email protected]
    DocumentRoot /var/www/html
    SSLEngine On
    # cert.pem is the leaf certificate and chain.pem the intermediate; on Apache 2.4.8+
    # you may instead point SSLCertificateFile at fullchain.pem and drop SSLCertificateChainFile
    SSLCertificateFile /etc/letsencrypt/live/yourdomainhere.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/yourdomainhere.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/yourdomainhere.com/chain.pem
    # HSTS: a browser that has seen this header refuses plain http to this host for six months
    Header always set Strict-Transport-Security "max-age=15768000"
    # tell the application (WordPress) that the request arrived over TLS
    RequestHeader append "X-Forwarded-Proto" "https"
    RequestHeader set "X-Forwarded-Ssl" "on"
</VirtualHost>

# The directives below sit outside any VirtualHost, i.e. they apply server-wide.
# SSLStaplingCache in particular is only allowed at server level; Apache refuses to
# start if it is placed inside a VirtualHost.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)
Note: if you are not using Let's Encrypt alongside CloudFlare and its SSL, and you are happy for some older browsers/devices to be unsupported, you can use the following `SSLCipherSuite` value instead. It restricts the server to ECDHE suites (forward secrecy on every connection) and drops the 3DES and non-ECDHE AES suites from the list above, which is what makes it the stronger choice for modern browsers and devices:
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
- The configuration above tells Apache where your certificate files are and how to serve requests over `https`. You can now save this configuration file.
- Check the syntax with `apachectl configtest`, then reload Apache with `service apache2 reload` (the service is named `apache2` on Ubuntu; `service apache reload` will report an unrecognised service).
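To see concretely what the shorter cipher list drops, the following added example (not from the README, Apache or OpenSSL) classifies each suite name in an `SSLCipherSuite` value by OpenSSL's naming convention: a suite without an ECDHE/DHE/EDH prefix uses static RSA key exchange and gives no forward secrecy, DES-CBC3 is 3DES, and anything that is neither GCM nor ChaCha20-Poly1305 is a CBC suite (with an HMAC-SHA1 MAC when the name ends in -SHA). It embeds both lists from this README; the weakness labels are my own, and the check reads names only, so it says nothing about what OpenSSL will actually negotiate.

```python
"""Audit an Apache SSLCipherSuite value for weak suites by name.

Added example, not from the README, Apache or OpenSSL. INTERMEDIATE and
MODERN are the two lists given in the README; the labels are my own.
"""
from typing import Dict, List

INTERMEDIATE = (
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:"
    "ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:"
    "AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
)
MODERN = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
)

PFS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")          # ephemeral key exchange
AEAD_MARKERS = ("-GCM-", "CHACHA20-POLY1305")      # authenticated encryption, no CBC


def classify(suite):
    # type: (str) -> List[str]
    """Return the weaknesses of one OpenSSL cipher-suite name (empty list = fine)."""
    issues = []
    if suite.startswith("!") or suite.startswith("-"):
        return issues                          # "!DSS" is an exclusion, not a suite
    if not suite.startswith(PFS_PREFIXES):
        issues.append("no-forward-secrecy")    # static RSA key exchange
    if "DES-CBC3" in suite:
        issues.append("3des")
    if not any(marker in suite for marker in AEAD_MARKERS):
        issues.append("cbc")                   # block cipher in CBC mode plus a MAC
        if suite.endswith("-SHA"):
            issues.append("sha1-mac")          # HMAC-SHA1 rather than SHA-256/384
    return issues


def audit(cipher_suite):
    # type: (str) -> Dict[str, List[str]]
    """Map every flagged suite in an SSLCipherSuite value to its weaknesses."""
    findings = {}
    for suite in cipher_suite.split(":"):
        weak = classify(suite)
        if weak:
            findings[suite] = weak
    return findings


def report(cipher_suite):
    # type: (str) -> Dict[str, int]
    """Count how many suites carry each weakness, for a one-line summary."""
    counts = {}
    for weaknesses in audit(cipher_suite).values():
        for weakness in weaknesses:
            counts[weakness] = counts.get(weakness, 0) + 1
    return counts


if __name__ == "__main__":
    for label, value in (("README list", INTERMEDIATE), ("modern-only list", MODERN)):
        print(label, report(value))
```

Feed it the `SSLCipherSuite` value from your own config to see which entries you are keeping purely for old clients; the modern list still carries four CBC suites, but every one of them is ECDHE with a SHA-2 MAC.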
I use a package called `ssl-cert-check` to check the expiry of my SSL certificates; it is simple to use and outputs a simple-to-read format.
First install ssl-cert-check
with the following command: apt-get install ssl-cert-check
Now, to view a certificate's expiry date, use the following command:
ssl-cert-check -c /etc/letsencrypt/live/yourdomainhere.com/cert.pem
This will return an output similar to the one below:
Host Status Expires Days
------------------------------------------------------ ------ ---------- ----
FILE:/etc/letsencrypt/live/yourdomainhere.com/cert.pem Valid Mar 1 2017 90
Certbot will only renew a certificate once it is within 30 days of expiry. You can set up a cron job to do this, or simply run the following command, which attempts to renew every certificate on the server that is due: `./certbot-auto renew`. Apache only reads the certificate files at start-up or reload, so pass `--post-hook "service apache2 reload"` (or reload Apache yourself afterwards) so that the renewed certificate is actually served.
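`ssl-cert-check` wraps `openssl` for you; the added example below (not part of the README, certbot or ssl-cert-check) does the same check in plain Python with no dependencies by walking the DER structure of the first certificate in a PEM file to its notAfter field (so both cert.pem and fullchain.pem work) and then applying certbot's 30-day renewal window. `build_demo_cert()` produces a constructed, unsigned certificate skeleton purely so the parser can be exercised here without a real key; the file name cert_days.py is an assumption.

```python
"""Offline expiry check for a PEM certificate, e.g. cert.pem from /etc/letsencrypt/live/.

Added example, not part of the README, certbot or ssl-cert-check. The DER
helpers build a constructed, unsigned demo certificate and walk real ones.
"""
import base64
import datetime
import re

UTC = datetime.timezone.utc
RENEW_WINDOW_DAYS = 30   # certbot renew only acts inside this window


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    if n < 0x100:
        return b"\x81" + bytes([n])
    return b"\x82" + n.to_bytes(2, "big")


def der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def seq(*items):
    return der(0x30, b"".join(items))


def utctime(dt):
    return der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))


def _read_tlv(buf, pos):
    """Return (tag, value, position just after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def build_demo_cert(not_before, not_after):
    """Constructed, unsigned certificate skeleton in PEM form (demo input only)."""
    tbs = seq(
        der(0xA0, der(0x02, b"\x02")),                          # [0] version: v3
        der(0x02, b"\x01"),                                     # serialNumber
        seq(der(0x06, bytes.fromhex("2a864886f70d01010b"))),    # sha256WithRSAEncryption
        seq(),                                                  # issuer (empty Name)
        seq(utctime(not_before), utctime(not_after)),           # validity
        seq(),                                                  # subject (empty Name)
        seq(),                                                  # subjectPublicKeyInfo omitted
    )
    cert = seq(tbs, seq(), der(0x03, b"\x00"))                  # no real signature
    body = base64.encodebytes(cert).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


def _parse_time(tag, value):
    text = value.decode("ascii")
    if tag == 0x17:        # UTCTime YYMMDDHHMMSSZ; RFC 5280: 50-99 -> 19xx, 00-49 -> 20xx
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    elif tag != 0x18:      # 0x18 is GeneralizedTime YYYYMMDDHHMMSSZ
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)


def not_after(pem):
    """Expiry (UTC) of the first certificate in a PEM string."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    raw = base64.b64decode("".join(m.group(1).split()))
    _, cert_body, _ = _read_tlv(raw, 0)           # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert_body, 0)           # tbsCertificate
    tag, _, pos = _read_tlv(tbs, 0)               # [0] version (optional) or serialNumber
    if tag == 0xA0:
        _, _, pos = _read_tlv(tbs, pos)           # serialNumber
    _, _, pos = _read_tlv(tbs, pos)               # signature AlgorithmIdentifier
    _, _, pos = _read_tlv(tbs, pos)               # issuer
    _, validity, _ = _read_tlv(tbs, pos)          # validity ::= SEQUENCE { notBefore, notAfter }
    _, _, pos = _read_tlv(validity, 0)            # notBefore
    tag, value, _ = _read_tlv(validity, pos)      # notAfter
    return _parse_time(tag, value)


def days_left(pem, now=None):
    now = now or datetime.datetime.now(UTC)
    return (not_after(pem) - now).days


def needs_renewal(pem, now=None):
    """True once the certificate is inside certbot's 30-day renewal window."""
    return days_left(pem, now) <= RENEW_WINDOW_DAYS


if __name__ == "__main__":
    import sys
    # usage (assumed file name): python3 cert_days.py /etc/letsencrypt/live/yourdomainhere.com/cert.pem
    with open(sys.argv[1]) as fh:
        pem = fh.read()
    left = days_left(pem)
    print("expires %s, %d days left, %s" % (not_after(pem).date(), left,
          "renew now" if left <= RENEW_WINDOW_DAYS else "no renewal needed yet"))
```

The parser deliberately checks nothing but the validity dates: it does not verify the signature or the chain, so use it for expiry monitoring only, not as evidence that the certificate is trusted.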
Install the Really Simple SSL plugin and go to the SSL settings page within the WP admin. Before clicking the "Go ahead, activate SSL" button, check that the plugin has recognised your certificate: it should display the message "An SSL certificate was detected on your site."
Due to the nature of this SSL setup, the plugin's default `.htaccess` rules may not always perform the correct redirects, in which case you need to stop the plugin from editing your `.htaccess` file and add the rules manually.
Check which rule(s) apply to your site here: https://really-simple-ssl.com/knowledge-base/manually-insert-htaccess-redirect-http-to-https/