So recently I read about Let’s Encrypt. It’s a pretty awesome service that provides free short-lived SSL certificates.
I thought it would be cool to share the steps I took to get my WordPress installation running on Ubuntu/Apache set up with fresh SSL certificates and automated renewal.
1. Make sure that port 443 is open on the firewall:
ufw allow 443/tcp
Note: I took an extra step here to remove the additional IPv6 rule that is created.
2. Ensure that ServerName and ServerAlias are configured in the vhosts configuration file:
3. Download certbot-auto and request a certificate by following the instructions here:
Note: Once certbot-auto had downloaded, I moved it to /usr/sbin/ so I could access it in my $PATH.
4. Update WordPress Address (URL) and Site Address (URL) under Settings > General so WordPress knows that SSL is now being used:
5. Create a redirect in /etc/apache2/sites-enabled/000-default.conf to push all requests to https://www:
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName www.domain.co.uk
    ServerAlias domain.co.uk
    Redirect permanent / https://www.domain.co.uk/
</VirtualHost>
6. Automate the certificate renewal with a cron job that runs every day at 00:30:
# cron's default PATH is /usr/bin:/bin, so call certbot-auto by its full path
30 00 * * * /usr/sbin/certbot-auto renew --post-hook "service apache2 restart" --quiet --no-self-upgrade
Note: The --post-hook switch will restart Apache only if the certificate is renewed.
7. Restart Apache:
service apache2 restart
8. Finally I informed Google about the change by adding two new properties to my Webmaster Tools account:
9. For peace of mind, check the new configuration using Qualys SSL Labs:
The whole process took about 15 minutes. Worth the effort if you ask me 🙂
Disclaimer: Follow the above steps at your own risk and be sure to make backups of any configuration file you edit!
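A check for the redirect from step 5, as an added example that is not part of the original post: the shell function below reads an Apache config file and reports any port-80 vhost that still serves content instead of redirecting to HTTPS. The function names and the second vhost (blog.example.test) are made up for illustration.

```shell
# Added example, not from the original post: flag port-80 vhosts that do not
# redirect to HTTPS. Only the "Redirect permanent|301 / https://" form from
# step 5 is recognised; a mod_rewrite redirect would be reported as PLAINTEXT.
# Prints "OK <ServerName>" or "PLAINTEXT <ServerName>" per port-80 vhost and
# returns 0 only if every one of them redirects.
audit_http_vhosts() {
    awk '
        BEGIN { bad = 0 }
        # Apache directive names are case-insensitive: match on a lowercased copy.
        { line = $0; sub(/^[ \t]+/, "", line); low = tolower(line) }
        low ~ /^#/ { next }
        low ~ /^<virtualhost[ \t]/ {
            in_vh = 1; name = "(no ServerName)"; redirect = 0
            http = (low ~ /:80[ \t>]/)      # matches *:80 but not *:8080 or *:443
            next
        }
        in_vh && low ~ /^servername[ \t]/ { split(line, f, /[ \t]+/); name = f[2] }
        in_vh && low ~ /^redirect[ \t]+(permanent|301)[ \t]+\/[ \t]+https:\/\// { redirect = 1 }
        low ~ /^<\/virtualhost>/ {
            if (in_vh && http) {
                if (redirect) print "OK " name
                else { print "PLAINTEXT " name; bad = 1 }
            }
            in_vh = 0
        }
        END { exit bad }
    ' "$1"
}

# write_sample FILE: constructed input, the step 5 vhost plus one that still
# serves content over HTTP (blog.example.test is a made-up name).
write_sample() {
    cat > "$1" <<'EOF'
<VirtualHost *:80>
    ServerName www.domain.co.uk
    ServerAlias domain.co.uk
    Redirect permanent / https://www.domain.co.uk/
</VirtualHost>
<VirtualHost *:80>
    ServerName blog.example.test
    DocumentRoot /var/www/html
</VirtualHost>
EOF
}

sample=$(mktemp) && write_sample "$sample"
audit_http_vhosts "$sample" || echo "at least one port-80 vhost serves plain HTTP"
rm -f "$sample"
```

To audit the live configuration, pass it the file from step 5: audit_http_vhosts /etc/apache2/sites-enabled/000-default.conf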