Enable Let’s Encrypt SSL for WordPress and auto redirect to https on Ubuntu

Follow either the single-site installation or the multi-site installation first, then continue here.

Install Let’s Encrypt’s certbot

snap install --classic certbot

Enable Apache’s mod_ssl and the SSL site configuration (alternatively, you can execute a2ensite default-ssl.conf), then stop Apache, which is listening on port 80. Certbot’s standalone mode, used in the next step, needs to bind port 80 itself.

a2enmod ssl
cd /etc/apache2/sites-enabled
ln -s ../sites-available/default-ssl.conf
systemctl stop apache2

Get our certificate

certbot certonly --standalone -d blog.softwareperformance.expert

Check the /etc/letsencrypt/live/ folder; you should see the private key and the certificate.

# ls /etc/letsencrypt/live/blog.softwareperformance.expert/
README  cert.pem  chain.pem  fullchain.pem  privkey.pem

You can inspect the content if you wish using the openssl command. I believe cert.pem is the actual certificate, chain.pem is the intermediate certificate(s), while fullchain.pem contains both the intermediate and the certificate itself.

# openssl x509 -in fullchain.pem -text

For Apache httpd, you will need fullchain.pem and privkey.pem only. Open /etc/apache2/sites-available/default-ssl.conf and specify them.

SSLCertificateFile /etc/letsencrypt/live/blog.softwareperformance.expert/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/blog.softwareperformance.expert/privkey.pem

Restart Apache

systemctl restart apache2

You should now have SSL enabled.

To renew without needing to take Apache down, do this

certbot renew --webroot -w /var/www/html
systemctl reload apache2

Alternatively, you can renew with certbot’s Apache plugin

certbot renew --apache

To automate in cron, add the “-q” flag (for quiet). There is also a “--dry-run” flag to simulate renewal.

certbot renew -q --apache && systemctl reload apache2
or
certbot renew -q --webroot -w /var/www/html && systemctl reload apache2

To auto redirect from http to https, add the following text to /var/www/html/.htaccess. The redirect (the RewriteCond %{HTTPS} line and the RewriteRule after it) should be at the top, just after RewriteEngine On.

RewriteEngine On

RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]

# add a trailing slash to /wp-admin
RewriteRule ^([_0-9a-zA-Z-]+/)?wp-admin$ $1wp-admin/ [R=301,L]

RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule ^([_0-9a-zA-Z-]+/)?(wp-(content|admin|includes).*) $2 [L]
RewriteRule ^([_0-9a-zA-Z-]+/)?(.*\.php)$ $2 [L]
RewriteRule . index.php [L]

Now if you go to http://blog.softwareperformance.expert/a-blog-post, it will redirect to https://blog.softwareperformance.expert/a-blog-post
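
Why the position matters, as an added example that is not part of the original post: a rule ending in [L], such as RewriteRule ^index\.php$ - [L], ends rewrite processing for the requests it matches, so a redirect placed below it never runs for them and they are answered over plain HTTP. The shell function below (its name and exit codes are choices made for this example) checks a .htaccess for that ordering; the sample file is constructed.

```shell
#!/bin/sh
# Added example, not from the original post.
# check_https_redirect_first FILE   (FILE may be "-" or omitted for stdin)
#   0  the first RewriteRule is an https:// redirect guarded by RewriteCond %{HTTPS}
#   1  the redirect exists but another RewriteRule runs before it
#   2  no guarded https:// redirect found
check_https_redirect_first() {
    awk '
        $1 ~ /^#/ { next }                         # ignore comment lines
        $1 == "RewriteCond" {
            if ($2 == "%{HTTPS}") guard = 1        # condition tests the HTTPS variable
            next
        }
        $1 == "RewriteRule" {
            rules++
            # $3 is the substitution, $4 the flag list such as [R,L] or [R=301,L]
            redirect = ($3 ~ /^https:\/\//) && ($4 ~ /(^\[|,)R(=|,|\])/)
            if (redirect && guard) {
                found = 1
                if (rules == 1) first = 1
            }
            guard = 0                              # conditions bind to the next rule only
        }
        END {
            if (!found) exit 2
            exit (first ? 0 : 1)
        }
    ' "${1:--}"
}

# Constructed sample: the redirect placed after a WordPress rule that ends in [L].
misordered_sample() {
    cat <<'EOF'
RewriteEngine On
RewriteRule ^index\.php$ - [L]
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
RewriteRule . index.php [L]
EOF
}

# Demo on the constructed sample; reports status 1 because the redirect comes second.
misordered_sample | check_https_redirect_first - \
    || echo "redirect is not the first rule (status $?)"
```

To audit the live file, call check_https_redirect_first /var/www/html/.htaccess after sourcing the function.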
