Updated: 11/18/16
The Let’s Encrypt client was recently renamed to “certbot”. I have updated the post to use the correct name, but if I missed something, use certbot or let me know.
With the announcement of the public beta of the Let’s Encrypt project, it is now nearly trivial to get your site set up with an SSL certificate. One of the best parts about the Let’s Encrypt project is that it is totally free, so there is pretty much no reason not to protect your blog with an SSL certificate. The other nice part of Let’s Encrypt is that it is very easy to get your certificate issued.
The first step to get started is grabbing the latest source code from GitHub for the project. Log on to your WordPress server (I’m running Ubuntu) and clone the repo. Make sure to install git if you haven’t already.
git clone https://github.com/letsencrypt/certbot.git
There is a shell script you can run that does pretty much everything for you, including installing any packages and libraries it needs and configuring the paths and other components it needs to work.
cd certbot
./certbot-auto
After the bootstrap is done there should be some CLI options. Run the command with the -h flag to print out help.
./certbot-auto -h
Since I am using Apache for my blog I will use the “--apache” option.
./certbot-auto --apache
There will be some prompts you need to go through for setting up the certificates and account creation.
This process is still somewhat error prone, so if you make a typo you can just rerun the “./certbot-auto” command and follow the prompts.
The certificates will be dropped into /etc/letsencrypt/live/<website>. Go double check them if needed.
This process will also generate a new Apache configuration file for you to use. You can check for the file in /etc/apache2/sites-enabled. The important part of this config should look similar to the following:
<VirtualHost *:443>
    UseCanonicalName Off
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/wordpress
    SSLCertificateFile /etc/letsencrypt/live/thepracticalsysadmin.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/thepracticalsysadmin.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateChainFile /etc/letsencrypt/live/thepracticalsysadmin.com/chain.pem
</VirtualHost>
As a side note, you will probably want to redirect non-HTTPS requests to use the encrypted connection. This is easy enough to do: just go find your .htaccess file (mine was in /var/www/wordpress/.htaccess) and add the following rules.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{SERVER_PORT} 80
    RewriteRule ^(.*)$ https://example.com/$1 [R,L]
</IfModule>
Before we restart Apache with the new configuration let’s run a quick configtest to make sure it all works as expected.
apachectl configtest
If everything looks okay in the configtest then you can reload or restart Apache.
service apache2 restart
Now when you visit your site you should get the nice shiny green lock icon in the address bar. It is important to remember that the certificates issued by the Let’s Encrypt project are valid for 90 days, so you will need to make sure to keep up to date and generate new certificates every so often. The Let’s Encrypt folks are working on automating this process, but for now you will need to manually generate new certificates and reload your web server.
That’s it. Your site should now be functioning with SSL.
Updating the certificate automatically
To take this process one step further we can make a script that can be run via cron (or manually) to update the certificate.
Here’s what the script looks like.
#!/usr/bin/env bash
dir="/etc/letsencrypt/live/example.com"
acme_server="https://acme-v01.api.letsencrypt.org/directory"
domain="example.com"
https="--standalone-supported-challenges tls-sni-01"

# Using webroot method
#/root/letsencrypt/certbot-auto --renew certonly --server $acme_server -a webroot --webroot-path=$dir -d $domain --agree-tos

# Using standalone method: Apache must be stopped so certbot can bind to ports 80/443
service apache2 stop
# Previously you had to specify options to renew the cert but this has been deprecated
#/root/letsencrypt/certbot-auto --renew certonly --standalone $https -d $domain --agree-tos
# In newer versions you can just use the renew command
/root/letsencrypt/certbot-auto renew --quiet
# Bring Apache back up once the renewal has finished
service apache2 start
Notice that I have the “webroot” method commented out. I run a service (Varnish) on port 80 that proxies traffic but also interferes with LE, so I chose to run the standalone renewal method. It is pretty easy; the main difference is that you need to turn off Apache before you run it, since Apache binds to ports 80/443. But the downtime is okay in my case.
I chose to put the script into a cron job and have it run every 45 days so that I don’t have to worry about logging on to my server to regenerate the certificate. Here’s what a sample crontab for this job might look like.
0 0 */45 * * /root/renew_cert.sh
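Because cron’s day-of-month field cannot express “every 45 days” (a “*/45” there only ever matches the 1st), an alternative is to run the job daily and only stop Apache when the certificate is actually close to expiry. The script below is an added example, not the post’s own script; the certbot-auto path and example.com certificate path are assumptions copied from the script above.

```bash
#!/usr/bin/env bash
# Added example: standalone-method renewal that checks the certificate's
# remaining lifetime first, so it can run daily without stopping Apache
# every day. Paths below are assumptions taken from the post's script.
cert="${CERT_PATH:-/etc/letsencrypt/live/example.com/cert.pem}"
certbot="${CERTBOT:-/root/letsencrypt/certbot-auto}"
renew_days="${RENEW_DAYS:-30}"   # renew once fewer than 30 of the 90 days remain

# Returns 0 (true) when the certificate in $1 expires within $2 days, or when
# the file cannot be read, which also calls for a renewal attempt.
cert_needs_renewal() {
  local cert_file="$1" days="$2"
  [ -r "$cert_file" ] || return 0
  # "openssl x509 -checkend N" exits 0 while the cert stays valid for N more seconds
  ! openssl x509 -in "$cert_file" -noout -checkend $((days * 86400))
}

# Stop Apache, renew, then start Apache again even if certbot fails, so a
# failed renewal never leaves the site down. Returns certbot's exit status.
renew_standalone() {
  local rc=0
  service apache2 stop || return 1
  "$certbot" renew --quiet || rc=$?
  service apache2 start
  return "$rc"
}

main() {
  if cert_needs_renewal "$cert" "$renew_days"; then
    renew_standalone
  else
    echo "certificate still valid for more than $renew_days days, nothing to do"
  fi
}

# Only act when invoked as "renew_cert.sh run"; a daily crontab entry would be:
#   0 3 * * * /root/renew_cert.sh run
case "${1:-}" in run) main ;; esac
```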
This is a straightforward process and will help with your search engine juices as well.