Introduction :
In this tutorial you will learn how to get a free SSL cert from Let’s Encrypt for WordPress and ServerPilot.
If you are running a personal or business website or blog, an SSL (Secure Sockets Layer) certificate helps to encrypt the data transmitted over the Internet. Login information and credit card information sent over an unsecured connection, such as public WiFi or a hotspot, can be intercepted by eavesdroppers to get the details of all your sensitive data.
You can get an SSL cert for your website from a trusted CA like VeriSign, GeoTrust, Comodo or Symantec, although this is going to cost you some bucks, depending on the type of SSL cert you require.
Google recently announced officially that, from January 2017, the Chrome browser will start marking websites that transmit passwords and credit card information over an insecure connection, and a warning will appear in the browser’s address bar.
What is Let’s Encrypt
Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. Let’s Encrypt is a service provided by the Internet Security Research Group (ISRG). Read more at the Let’s Encrypt website.
Let’s Encrypt: the good stuff
- It’s completely free, so you don’t have to pay a huge sum to get a website SSL cert from a trusted CA.
- Installing and renewing your SSL cert is very easy.
- Let’s Encrypt limits its certs to 90 days; shorter lifetimes decrease the compromise window in situations like Heartbleed.
Let’s Encrypt: the bad stuff
- A Let’s Encrypt cert is only valid for 90 days, so you need to renew the SSL cert every 90 days or automate the renewal.
- It only offers domain-validated certs (i.e. no extended validation); there’s no requirement for any ownership information other than an email address for contact purposes. This means a normal internet user won’t be able to tell the difference between an identity-verified website and a non-verified website that uses a Let’s Encrypt SSL cert.
You can read about: Start a self-hosted WordPress blog using DigitalOcean and ServerPilot.
Installation
The tutorial below is intended for users who have set up their WordPress website using ServerPilot and DigitalOcean.
If you are looking to set up your own WordPress website or blog, read this tutorial.
Step 1. Log in to your server using PuTTY with your root credentials.
Step 2. You need to install Let’s Encrypt and switch into its directory.
$ git clone https://github.com/letsencrypt/letsencrypt
$ cd letsencrypt
Step 3. Now you need to stop nginx on the server to generate the cert from Let’s Encrypt, or else it will show an error.
$ service nginx-sp stop
$ ./letsencrypt-auto certonly --standalone -d yourdomain.com -d www.yourdomain.com
If cert generation is successful, you will get a response in the shell saying that your newly generated certificate can be found at /etc/letsencrypt/live/$domain. The full path of your cert will be shown in the shell.
Now start your nginx service.
$ service nginx-sp start
Step 4. Next you need to switch to /etc/nginx-sp/vhosts.d. This is where ServerPilot stores the configuration files for the websites or apps created in the ServerPilot control panel.
$ cd /etc/nginx-sp/vhosts.d
Log in to your ServerPilot control panel and find the name of the app associated with your website domain www.yourdomain.com, for which you have just generated the SSL cert.
Step 5. You need to create an SSL configuration file for your app in /etc/nginx-sp/vhosts.d.
$ nano yourappname.ssl.conf
Replace yourappname with the app name associated with yourdomain.com.
You will get a blank editor, where you need to fill in the configuration for SSL. Replace “yourdomain.com” and “www.yourdomain.com” with your actual domain name. Copy and paste the code below with the appropriate changes.
server {
    # the "ssl" parameter on the listen lines enables TLS, so a separate "ssl on;" is not needed
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name yourdomain.com www.yourdomain.com;

    # letsencrypt certificates (the directory under live/ is named after your domain)
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;

    # SSL optimization
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:20m;
    ssl_session_tickets off;

    # protocols and ciphers
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); remove them unless old clients need them
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    # verify chain of trust of OCSP response
    ssl_trusted_certificate /etc/letsencrypt/live/yourdomain.com/chain.pem;

    # root directory and logfiles
    root /srv/users/serverpilot/apps/yourappname/public;
    access_log /srv/users/serverpilot/log/yourappname/yourappname_nginx.access.log main;
    error_log /srv/users/serverpilot/log/yourappname/yourappname_nginx.error.log;

    # proxy headers
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-SSL on;
    proxy_set_header X-Forwarded-Proto $scheme;

    # includes
    include /etc/nginx-sp/vhosts.d/yourappname.d/*.nonssl_conf;
    include /etc/nginx-sp/vhosts.d/yourappname.d/*.conf;
}
Once you are done with the changes, press CTRL+X to save this file. Now restart nginx-sp so that the changes take effect.
$ service nginx-sp restart
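A small offline check for the vhost file from Step 5, as an added example (not part of the original tutorial or ServerPilot's tooling): it parses a server block and flags deprecated protocol versions, certificate paths whose /etc/letsencrypt/live/ directory matches none of the server_name entries, and OCSP response verification without a trusted chain. The sample config, example.com and the function names are constructed for illustration, and the path check assumes the default Let's Encrypt directory naming after the first -d domain.

```python
import re

# Constructed sample vhost modelled on the Step 5 file; example.com is a placeholder.
SAMPLE_VHOST = """
server {
    listen 443 ssl http2;
    server_name example.com www.example.com;
    ssl_certificate /etc/letsencrypt/live/example/fullchain.pem;  # wrong directory
    ssl_certificate_key /etc/letsencrypt/live/example/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:!aNULL:!MD5';
    ssl_stapling_verify on;
}
"""

TOKEN = re.compile(r"""'[^']*'|"[^"]*"|[{};]|[^\s{};'"]+""")
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # RFC 6176, 7568, 8996

def parse_directives(text):
    """Map directive name -> list of argument lists. Block nesting is ignored and
    comment stripping assumes '#' never appears inside a quoted value."""
    directives, current = {}, []
    for tok in TOKEN.findall(re.sub(r"#[^\n]*", "", text)):
        if tok in ("{", "}", ";"):
            if tok == ";" and current:
                args = [t.strip("'\"") for t in current[1:]]
                directives.setdefault(current[0], []).append(args)
            current = []
        else:
            current.append(tok)
    return directives

def audit_vhost(text):
    """Return a list of findings for one TLS server block."""
    d, findings = parse_directives(text), []
    names = {n for args in d.get("server_name", []) for n in args}
    weak = sorted({p for args in d.get("ssl_protocols", []) for p in args} & DEPRECATED)
    if weak:
        findings.append("deprecated protocols enabled: " + " ".join(weak))
    for key in ("ssl_certificate", "ssl_certificate_key", "ssl_trusted_certificate"):
        for args in d.get(key, []):
            m = re.match(r"/etc/letsencrypt/live/([^/]+)/", " ".join(args))
            if m and m.group(1) not in names:
                findings.append(f"{key}: live/{m.group(1)} matches no server_name")
    verify_on = d.get("ssl_stapling_verify", [["off"]])[-1][:1] == ["on"]
    if verify_on and "ssl_trusted_certificate" not in d:
        findings.append("ssl_stapling_verify on without ssl_trusted_certificate")
    return findings

print("\n".join(audit_vhost(SAMPLE_VHOST)))
```

To check a real file, pass the contents of /etc/nginx-sp/vhosts.d/yourappname.ssl.conf to audit_vhost() before running nginx-sp -t.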
Step 6. Your domain now has an SSL cert; you can verify it with the SSL Server Test from Qualys SSL Labs.
Log in to your WordPress admin dashboard and update the WordPress Address and Site Address to use HTTPS instead of HTTP.
WordPress Address (URL) : https://yourdomain.com
Site Address (URL) : https://yourdomain.com
Step 7. By default your website will still use HTTP. To force your website to use HTTPS, you need to edit the .htaccess file so that HTTP connections are redirected to HTTPS.
Log in to your server using WinSCP, go to “/srv/users/serverpilot/apps/yourappname/public” and enable hidden files to see the .htaccess file in your app’s directory.
Now open it, add the code below to the .htaccess file and save it.
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} !=https
RewriteRule (.*) https://%{HTTP_HOST}/$1 [R=301,L]
Your website should now automatically redirect to HTTPS. Next, you can also install the Really Simple SSL plugin to fix insecure content delivery over HTTP.
Step 8. Since Let’s Encrypt only offers SSL certs valid for 90 days, you need to renew the cert every 90 days to keep it valid. It would be really difficult for anyone to renew their SSL cert by hand every 90 days. To overcome this issue, you can automatically renew the SSL cert using cron.
To edit your root user’s crontab, type this in the SSH shell:
$ crontab -e
Now it will ask for an editor. Choose any editor you like; the nano editor is more convenient for me. Add this command to the end of the file.
@monthly /root/letsencrypt/letsencrypt-auto certonly --renew-by-default --webroot -w /srv/users/serverpilot/apps/yourappname/public -d yourdomain.com -d www.yourdomain.com
Change /root/letsencrypt to the directory your letsencrypt git copy resides in, yourappname to your ServerPilot app name, and yourdomain.com to your domain.
Note: If you have set up multiple domains on a single server, there is a rate limit on the renewal of SSL certs. You can read more about it here.
If your website is still not redirecting to HTTPS, you can edit the “appname.conf” file located in /etc/nginx-sp/vhosts.d. Rename the file to “appname.custom.conf” and add this line in the server block. If you add this line directly without renaming the original file, ServerPilot will overwrite the file over time and you may lose your configuration.
return 301 https://yourdomain.com$request_uri;

Now check your nginx-sp conf by using:
nginx-sp -t
If everything is fine in your conf file, it will show that the syntax is ok and the test is successful.
Now restart and reload nginx-sp by executing the commands below.
service nginx-sp restart
service nginx-sp reload
Now your website will be forced to use SSL.
Resources :
What is Cron
Summary :
It’s good to have a website with an SSL cert, and it shows a good reputation to your website visitors as well as to search engines. Let’s Encrypt may have some limitations on its SSL certs, but for a personal blog or an average website it’s good to have a free SSL cert rather than paying some huge amount for SSL from a CA. Let me know in the comments what you think about implementing a Let’s Encrypt SSL cert on websites. Soon I will be posting a video tutorial of the whole installation process.