In this tutorial we will enable
https on wordpress site. We will install letsencrypt ssl certificate using EFF's Certbot client. We will perform installation on wordpress vm hosted on google cloud. However you can follow the same steps for your self hosted wordpress setup.
Steps to Install Let's Encrypt's Free SSL Certificates on Wordpress
Before proceeding with ssl certificate installation we will assume that you have working wordpress site and accessible via domain name. It is also assumed that you can ssh wordpress server either via browser or via local machine.
- Enable HTTPS for Wordpress VM
Open Google Cloud Console and Edit Compute Engine Instance to enable
HTTPStraffic. This will open HTTPS port
- Test SSH Connection
In order to access vm hosting wordpress via terminal you should either open vm terminal in google cloud console or can configure key based ssh connection to login from local machine as described earlier.
techmonger@ubuntu:~$ ssh 220.127.116.11 The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. techmonger@google-vm:~$
- Backup Configuration Files
During certificate installation apache's configuration file will get overwritten by certbot. We should backup apache configuration files present inside
.htaccessfile present inside
/var/www/html/(if you have one). We can restore configuration if something breaks during certificate installation.
$ mkdir /tmp/apache_config_backup/ $ cp -r /etc/apache2/* /tmp/apache_config_backup/ $ cp /var/www/html/.htaccess /tmp/
- Install Certbot Client
To install certbot client read instructions at
https://certbot.eff.orgfor your webserver and operating system. We are using Wordpress VM at google cloud which come up with Linux (Debian) OS and Apache webserver. With following command we will install certbot.
$ sudo apt-get install python-certbot-apache -t stretch-backports
- Install Certificates with Certbot
Certificates installation process will be same for the wordpress setup as that of static website on google cloud. We will go through it again.
Initiate Certificate Installation Program
$ sudo certbot --authenticator webroot --installer apache Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator webroot, Installer apache
Provide valid Email Address
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): firstname.lastname@example.org
Accept (A) Let's Encrypt Terms and Conditions
Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree in order to register with the ACME server at https://acme-v01.api.letsencrypt.org/directory (A)gree/(C)ancel: A
Option to Share Email with EFF. Select (Y/N) depending on your preferences.
Would you be willing to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about our work encrypting the web, EFF news, campaigns, and ways to support digital freedom. (Y)es/(N)o: Y
Domain name to install certificate for. (
No names were found in your configuration files. Please enter in your domain name(s) (comma and/or space separated) (Enter 'c' to cancel): example.com Obtaining a new certificate Performing the following challenges: http-01 challenge for example.com
Web Server root where website content is stored and accessible.(
Input the webroot for example.com: (Enter 'c' to cancel): /var/www/html Waiting for verification... Cleaning up challenges Created an SSL vhost at /etc/apache2/sites-available/000-default-le-ssl.conf Enabled Apache socache_shmcb module Enabled Apache ssl module Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf Enabling available site: /etc/apache2/sites-available/000-default-le-ssl.conf
Option To configure
HTTPSredirect. Select 1 or 2 depending on whether or not you want to configure redirect.
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access. ----------------------------------------------------- 1: No redirect - Make no further changes to the webserver configuration. 2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you're confident your site works on HTTPS You can undo this change by editing your web server's configuration. ----------------------------------------------------- Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2 Enabled Apache rewrite module Redirecting vhost in /etc/apache2/sites-enabled/000-default.conf to ssl vhost in /etc/apache2/sites-available/000-default-le-ssl.conf -----------------------------------------------------
Message for Successful Configuration
Congratulations! You have successfully enabled https:/example.com You should test your configuration at: https://www.ssllabs.com/ssltest/analyze.html?d=example.com
Details about certificate files
IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/example.com/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/example.com/privkey.pem Your cert will expire on 2018-09-10. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option. To non-interactively renew *all* of your certificates, run "certbot renew" - Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal. - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF:https://eff.org/donate-le
- Change Wordpress Address and Site Address
Login wordpress and move to
WordPress Address (URL)and
Site Address (URL)to https version of the site.. it might give you an error for the ssl certficate security exception. Confirm security exception to make changes.
- Test HTTPS Connection
You can check HTTPS connection of your wordpress website in browser. If you are facing issues while connecting with HTTPS then learn about configuration changes made by certbot to tweak them or restore old configuration back.
- Auto Renewal of Certificates
SSL certificates provided by let'sencrypt would expire after 90 days of installation. Certbot will create cronjob to autonew certificates inside
/etc/cron.d/certbot. Learn how certbot's auto renewal script is setup as cron.