I spent 4 hours setting up SSL on my website. I’ve searched a lot of posts about how to enable SSL, but nobody mentioned that you need to set up Apache first. Here I’m sharing the whole process I’ve been using.
Some VPS hosts, like DigitalOcean, which I’ve been using, require that your domain be managed on DigitalOcean to enable the SSL feature. Check their website first for instructions.
Get an SSL certificate from Let’s Encrypt
Visit the Certbot website, choose your software and system, and it’ll show you a complete guide.
Here it’s Apache and Ubuntu 16.04. The default instructions look like this.
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot python-certbot-apache
Since they provide a plugin for DigitalOcean, here I used
sudo apt-get install certbot python3-certbot-dns-digitalocean
instead of python-certbot-apache.
Then
sudo certbot --apache
And an additional step for my DNS plugin.
sudo certbot -a dns-digitalocean -i apache -d "*.example.com" -d example.com --server https://acme-v02.api.letsencrypt.org/directory
The SSL certs are stored in /etc/letsencrypt/live/example.com/, where cert.pem is the certificate (which contains the public key) and privkey.pem is the private key.
You might need to add those files to your host’s website.
The Let’s Encrypt certificate needs to be renewed every 90 days, and certbot will add a schedule using cron to do so.
ls /etc/cron.d
You should be able to see a certbot file and you don’t need to worry about the renewal.
Setup Apache
The trickiest yet most important part, and the one I struggled with.
Edit the Apache configuration file.
sudo nano /etc/apache2/sites-available/000-default.conf
I added port 80 in a previous post; now let’s add 443.
<VirtualHost *:443>
    ServerName XX.XX.XX.XX
    ServerAdmin XXX@XXX.com
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    SSLEngine On
    # Server certificate, its private key, and the intermediate chain from certbot
    SSLCertificateFile /etc/letsencrypt/live/XXX.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/XXX.com/privkey.pem
    # Obsolete since Apache 2.4.8, where SSLCertificateFile can load fullchain.pem instead
    SSLCertificateChainFile /etc/letsencrypt/live/XXX.com/chain.pem
</VirtualHost>
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
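An added example (not code from the original post): a small shell audit of the directives above. It works out which protocols an SSLProtocol line leaves enabled and flags weak cipher entries and the obsolete chain directive; the function names, the sample config and the meaning of "all" (SSLv3 through TLSv1.3) are assumptions of this example.

```sh
# Added example: audit the TLS directives of an Apache config file.

# Print the arguments of the last occurrence of a directive in FILE.
directive() {  # directive NAME FILE
  awk -v d="$1" 'tolower($1) == tolower(d) { $1 = ""; sub(/^ +/, ""); v = $0 } END { print v }' "$2"
}

# Apply SSLProtocol tokens left to right as mod_ssl does: "+X" adds,
# "-X" removes, a bare name replaces what was set before it.
# Assumption: "all" is SSLv3 through TLSv1.3; the real set depends on the build.
effective_protocols() {  # effective_protocols "all -SSLv3 ..."
  ep_all="SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"; ep_set=""
  for ep_tok in $1; do
    ep_names=${ep_tok#[+-]}
    [ "$ep_names" = all ] && ep_names=$ep_all
    case $ep_tok in
      -*) ep_new=""
          for ep_p in $ep_set; do
            case " $ep_names " in *" $ep_p "*) ;; *) ep_new="$ep_new $ep_p" ;; esac
          done; ep_set=$ep_new ;;
      +*) ep_set="$ep_set $ep_names" ;;
      *)  ep_set=$ep_names ;;
    esac
  done
  echo $ep_set
}

audit_vhost_tls() {  # audit_vhost_tls FILE; prints one finding per line
  for av_p in $(effective_protocols "$(directive SSLProtocol "$1")"); do
    case $av_p in SSLv3|TLSv1|TLSv1.1) echo "legacy protocol enabled: $av_p" ;; esac
  done
  # DES-CBC3 is 3DES with a 64-bit block (Sweet32); "!" and "-" entries are exclusions.
  av_weak=$(directive SSLCipherSuite "$1" | tr ':' '\n' | grep -v '^[!-]' |
            grep -Ei 'DES-CBC3|3DES|RC4|NULL|EXP|MD5' | paste -sd, -)
  [ -z "$av_weak" ] || echo "weak ciphers offered: $av_weak"
  # Obsolete since Apache 2.4.8, where SSLCertificateFile can load fullchain.pem.
  [ -z "$(directive SSLCertificateChainFile "$1")" ] ||
    echo "SSLCertificateChainFile is obsolete since Apache 2.4.8"
}

sample_conf() {  # constructed sample: this page's directives, cipher list shortened
  cat <<'EOF'
SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA:DES-CBC3-SHA:!DSS
EOF
}

conf=$(mktemp) && sample_conf > "$conf" && audit_vhost_tls "$conf"; rm -f "$conf"
```

A file with no SSLProtocol line produces no protocol findings, because the value is then inherited from the server-level configuration or Apache's default.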
Setup wp-config.php
Open wp-config.php
sudo nano /var/www/html/wordpress/wp-config.php
Find this part
/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
define( 'ABSPATH', dirname( __FILE__ ) . '/' );
}
Insert the following part in front of it.
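// Make WordPress treat every request as HTTPS (is_ssl() checks this value).
$_SERVER['HTTPS'] = 'on';
// FORCE_SSL_LOGIN is deprecated since WordPress 4.0; FORCE_SSL_ADMIN covers logins too.
define('FORCE_SSL_LOGIN', true);
define('FORCE_SSL_ADMIN', true);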
Setup WordPress
Don’t bother with the .htaccess settings; install Really Simple SSL from the WordPress plugin page and let it do the job.
Now try to visit https://yoursite.com. If it succeeds, go to WordPress Settings and change the WordPress Address (URL) and Site Address (URL) to the https address.
DON’T change this unless you can access the site over https, or you won’t be able to connect to your admin page and change that setting back.
Oh it’s too late
sudo mysql -u root -p
USE wordpress;
UPDATE wp_options SET option_value='http://XXX.com' WHERE option_id=1;
UPDATE wp_options SET option_value='http://XXX.com' WHERE option_id=2;
Now you can access the site through http and set up everything else.