Originally published January 14, 2018 @ 2:05 pm
Just some notes for setting up SSL with your self-hosted WordPress installation. Just got around to doing this the other day. Yeah, I know, about time…
Install the required software, if you don’t already have it:
yum -y install mod_ssl openssl
First, I had to clean up apache’s ssl.conf because all those comments were annoying me:
grep -v ^# /etc/httpd/conf.d/ssl.conf | grep . > /tmp/ssl.conf /bin/mv /tmp/ssl.conf /etc/httpd/conf.d/ssl.conf chown apache:apache /etc/httpd/conf.d/ssl.conf chmod 644 /etc/httpd/conf.d/ssl.conf
The next step would be to download and run certbot
to generate your real SSL cert – not that self-signed crap. However, certbot
uses Python and I have three versions of Python on the server. This gets certbot
confused between 2.6 and 2.7 because it’s authors didn’t test it properly, so some temporary cleanup was in order:
mv /usr/local/bin/python2.7 /usr/local/bin/python2.7_back mv /usr/local/lib/python2.7 /usr/local/lib/python2.7_back
Now download and run certbot-auto
script:
mkdir -p /var/adm/bin wget -O /var/adm/bin/certbot-auto https://dl.eff.org/certbot-auto chmod a+x /var/adm/bin/certbot-auto /var/adm/bin/certbot-auto --authenticator webroot --installer apache service httpd restart
Jump through the prompts, certbot
will get your certs and update the appropriate sections of your httpd.conf
(make a backup of it, if you don’t have one already). All of the cert stuff will be in /etc/letsencrypt
.
Once you bounce httpd
, you can check on the cert’s details from CLI like so:
echo | openssl s_client -showcerts -servername igoroseledko.com -connect igoroseledko.com:443 2>/dev/null | openssl x509 -inform pem -noout -text
The command above will also tell you when the cert is going to expire, so you can write a simple one-liner (sort of) to send you an email when the cert is, say, three days away from the expiry date.
d=igoroseledko.com; if [ $((( $(date -d "$(grep -oP "(?<=Not After\s:\s).*(?=$)" <(echo | openssl s_client -showcerts -servername ${d} -connect ${d}:443 2>/dev/null | openssl x509 -inform pem -noout -text))" +'%s') - $(date +'%s') ))) -lt 259200 ]; then echo "SSL cert for ${d} expires in less than three days." | mailx -s "Cert expires for ${d}" your_email@gmail.com; fi
The certs are good for ninety days, so unless your mind is like a steel trap, it’s a good idea to set up a cronjob to automate license renewal. Test the renewal process:
/var/adm/bin/certbot-auto renew --dry-run
If everything looks good, you can set up a cron job using the following example from the certbot
site:
0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && /var/adm/bin/certbot-auto renew
This will run the update process twice a day at noon and midnight with a random wait time. Or you can just schedule it to run twice a day at some arbitrary time close to twelve hours apart.
Two more steps left: update settings in WordPress and Google Analytics/Webmaster Tools (if you use those things). In WordPress, go to Settings –> General and change “WordPress Address (URL)” and “Site Address (URL)” to say https://
. Now install, activate and enable “Really Simple SSL” plugin. It will help you fix any mixed content issues where some elements of your site (like images, for example) may not be using SSL, which is a problem.
In Google Analytics, click the “Admin” gear icon and under Account –> Property –> Property Settings –> Default URL select https
. Also under Account –> Property –> View –> View Settings –> Website’s URL select https
as well. Save.
In Webmaster Tools you would need to add a version of your site using the https://
link because Webmaster Tools treats http
and https
versions of your site as to separate entities. After you add the https
version of the site, you may remove the old one if you want. But you don’t have to.
Experienced Unix/Linux System Administrator with 20-year background in Systems Analysis, Problem Resolution and Engineering Application Support in a large distributed Unix and Windows server environment. Strong problem determination skills. Good knowledge of networking, remote diagnostic techniques, firewalls and network security. Extensive experience with engineering application and database servers, high-availability systems, high-performance computing clusters, and process automation.