Originally published January 14, 2018 @ 2:05 pm

Just some notes for setting up SSL with your self-hosted WordPress installation. Just got around to doing this the other day. Yeah, I know, about time…

Install the required software, if you don’t already have it:

yum -y install mod_ssl openssl

First, I had to clean up apache’s ssl.conf because all those comments were annoying me:

grep -v ^# /etc/httpd/conf.d/ssl.conf | grep . > /tmp/ssl.conf
/bin/mv /tmp/ssl.conf /etc/httpd/conf.d/ssl.conf
chown apache:apache /etc/httpd/conf.d/ssl.conf
chmod 644 /etc/httpd/conf.d/ssl.conf

The next step would be to download and run certbot to generate your real SSL cert – not that self-signed crap. However, certbot uses Python and I have three versions of Python on the server. This gets certbot confused between 2.6 and 2.7 because its authors didn’t test it properly, so some temporary cleanup was in order:

mv /usr/local/bin/python2.7 /usr/local/bin/python2.7_back
mv /usr/local/lib/python2.7 /usr/local/lib/python2.7_back

Now download and run certbot-auto script:

mkdir -p /var/adm/bin
wget -O /var/adm/bin/certbot-auto https://dl.eff.org/certbot-auto
chmod a+x /var/adm/bin/certbot-auto
/var/adm/bin/certbot-auto --authenticator webroot --installer apache
service httpd restart

Jump through the prompts; certbot will get your certs and update the appropriate sections of your httpd.conf (make a backup of it, if you don’t have one already). All of the cert stuff will be in /etc/letsencrypt.

Once you bounce httpd, you can check on the cert’s details from CLI like so:

echo | openssl s_client -showcerts -servername igoroseledko.com -connect igoroseledko.com:443 2>/dev/null | openssl x509 -inform pem -noout -text

The command above will also tell you when the cert is going to expire, so you can write a simple one-liner (sort of) to send you an email when the cert is, say, three days away from the expiry date.

d=igoroseledko.com; if [ $((( $(date -d "$(grep -oP "(?<=Not After\s:\s).*(?=$)" <(echo | openssl s_client -showcerts -servername ${d} -connect ${d}:443 2>/dev/null | openssl x509 -inform pem -noout -text))" +'%s') - $(date +'%s') ))) -lt 259200 ]; then echo "SSL cert for ${d} expires in less than three days." | mailx -s "Cert expires for ${d}" your_email@gmail.com; fi
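The one-liner above works, but it is hard to read and it silently prints nothing if the connection or the date parse fails. The script below is an added example, not code from the original post: it splits the same logic into two functions, one that turns the notAfter line printed by openssl x509 -noout -enddate into a day count, and one that fetches the live cert (with SNI set) and returns a non-zero exit status when the cert is within a threshold, so cron can mail you only on failure. It assumes GNU date (for date -d) and the openssl CLI, as on the CentOS box in the post; the script path in the cron comment is a placeholder.

```shell
#!/bin/bash
# Added example (not from the original post): report how many days remain on a
# site's TLS certificate and exit non-zero when it is within a threshold.
# Assumes GNU date ("date -d") and the openssl CLI.

# Parse a "notAfter=<date>" line, as printed by "openssl x509 -noout -enddate",
# and print the number of whole days until that date (negative if already expired).
# Returns 2 if the date cannot be parsed.
days_until_expiry() {
    enddate_line="$1"
    end_str="${enddate_line#notAfter=}"
    end_epoch=$(date -u -d "$end_str" +%s) || return 2
    now_epoch=$(date -u +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Fetch the leaf certificate served for $1 on port 443 (SNI set so virtual
# hosts answer with the right cert) and print the days left.
# Exit status: 0 = fine, 1 = expires within $2 days (default 3),
#              2 = could not connect or parse the certificate.
check_cert_expiry() {
    host="$1"
    threshold="${2:-3}"
    enddate=$(echo | openssl s_client -servername "$host" -connect "$host:443" 2>/dev/null \
              | openssl x509 -noout -enddate 2>/dev/null) || return 2
    [ -n "$enddate" ] || return 2
    days=$(days_until_expiry "$enddate") || return 2
    echo "$host: certificate expires in $days day(s)"
    [ "$days" -gt "$threshold" ]
}

# Constructed cron usage: mail only when the check fails (script path is a placeholder).
# 0 6 * * * /path/to/check-cert.sh igoroseledko.com || mailx -s "cert expiring" you@example.com
if [ $# -gt 0 ]; then
    check_cert_expiry "$@"
fi
```

Run it as check-cert.sh igoroseledko.com 3; the exit status distinguishes "expiring soon" from "could not check", which the original one-liner cannot do, so a broken vhost or a DNS problem no longer looks like a healthy cert.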

The certs are good for ninety days, so unless your mind is like a steel trap, it’s a good idea to set up a cronjob to automate certificate renewal. Test the renewal process:

/var/adm/bin/certbot-auto renew --dry-run

If everything looks good, you can set up a cron job using the following example from the certbot site:

0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && /var/adm/bin/certbot-auto renew

This will run the update process twice a day at noon and midnight with a random wait time. Or you can just schedule it to run twice a day at some arbitrary time close to twelve hours apart.

Two more steps left: update settings in WordPress and Google Analytics/Webmaster Tools (if you use those things). In WordPress, go to Settings –> General and change “WordPress Address (URL)” and “Site Address (URL)” to say https://. Now install, activate and enable the “Really Simple SSL” plugin. It will help you fix any mixed content issues where some elements of your site (like images, for example) may still be loaded without SSL, which is a problem.

In Google Analytics, click the “Admin” gear icon and under Account –> Property –> Property Settings –> Default URL select https. Also under Account –> Property –> View –> View Settings –> Website’s URL select https as well. Save.

In Webmaster Tools you would need to add a version of your site using the https:// link because Webmaster Tools treats the http and https versions of your site as two separate entities. After you add the https version of the site, you may remove the old one if you want. But you don’t have to.