Supporting HTTPS in a DigitalOcean WordPress VM

It’s good practice to enable HTTPS on all websites so that visitors to your website have a secure connection. With a WordPress website, HTTPS secures the authentication details you enter when visiting your admin pages. If your visitors leave personal details on a contact form then HTTPS secures those too – provided that you handle the contact form securely. Web browsers are increasingly providing alerts when they visit websites that don’t support HTTPS, and those alerts aren’t a good look. Finally, you might as well add HTTPS early on, so that you don’t need to worry later when your site gets increasingly complex.

The good news is that you can do it for free and it’s a breeze if you’re using a DigitalOcean WordPress VM!

To support HTTPS, you need an SSL Certificate that proves to visitors that your website is what it says it is. Let’s Encrypt is a service that provides SSL Certificates easily and for free.

Before you start, you need to register the domain name for your website and set up the domain configuration for your server so that when you visit yourdomain.com you see your website. This involves setting up the ‘A’ record for the DNS entry for yourdomain.com – go to the administration panel for the website where you registered the domain.

With that task done, you’re ready to enable SSL.

Using Let’s Encrypt requires you to run a client called Certbot on the VM. To run Certbot you’ll need to log in to the console of your VM and run some commands. First log in:

$ ssh root@my_server

Then add the repository that stores the latest version of the Certbot tool:

$ sudo add-apt-repository ppa:certbot/certbot

You’ll probably have to hit Enter to confirm the install. The output will look like:

Now you can update your VM’s list of available software packages:

$ sudo apt-get update

The output will look like:

You’re now ready to install Certbot itself:

$ sudo apt-get install python-certbot-apache

The output might be quite long, but it should end something like:

Certbot is now installed, so run it. Typically you’ll request a certificate that works for both yourdomain.com and www.yourdomain.com, but you can add other domains to the command by adding a “-d” followed by the domain name and repeating as many times as you need.

You’ll need to enter your email address when prompted and agree to the terms and conditions.

During the process you may be asked where to deploy the certificate for the second and subsequent domains in the command:

All the domains you listed are for the same site, so choose option 2.

Once installed you’ll be asked how you want your website to handle people visiting using HTTP.

My recommendation here is to choose option 2. With that option selected, if someone visits http://www.yourdomain.com then they’ll be sent straight to https://www.yourdomain.com. The alternative is to leave them on an insecure connection to http://www.yourdomain.com which reduces the usefulness of this whole process unless you have some very particular needs.

At the end of the process you should get this satisfying message:

You should test that you can visit http://www.yourdomain.com, that it sends you to https://www.yourdomain.com, that you get a little green padlock in your browser’s address bar and that your website displays correctly. For a more thorough check, visit https://www.ssllabs.com/ssltest/analyze.html where your website should get a good grade, ideally A.

But don’t get too complacent just yet! The certificates provided by Let’s Encrypt only last for 90 days, so your webserver will need to keep renewing them. This is all taken care of automatically, but you should check that it’s going to work by doing a trial run of the renewal process:

At the end of the process it should say:

That command (without the --dry-run) will renew any certificates that will expire in the next 30 days. It gets called twice daily by a timer that Certbot installed during the process you just went through. If a certificate is renewed then the timer also reloads your webserver so that it starts using the new certificate. You can check the timer is loaded correctly by the following command, which should generate the output shown:

Just to be sure, put a reminder in your calendar 61 days from now to check the expiry date of your website’s certificate. It should have renewed by then, and the new expiry date should be about 90 days in the future at the time you check. You can get the expiry date by clicking the green padlock in your browser or by visiting https://www.ssllabs.com/ssltest/analyze.html
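
The 61-day check described above can also be run from a terminal. The script below is an added example, not part of the original post: it reads the expiry date of the certificate a site is serving and reports whether it has fallen inside the 30-day renewal window without being renewed. The function names are hypothetical, and it assumes GNU date and the openssl command-line tool are available.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Function names are hypothetical.
# Assumes GNU date and the openssl CLI are installed.

RENEW_WINDOW_SECS=$((30 * 86400))   # renewal is due once under 30 days remain

# secs_left "<notAfter string>" [now_epoch]: seconds until the certificate expires.
secs_left() (
    [ -n "$1" ] || exit 2                                # no date supplied
    now="${2:-$(date +%s)}"
    end=$(date -u -d "$1" +%s 2>/dev/null) || exit 2     # unparseable date
    echo $((end - now))
)

# days_left "<notAfter string>" [now_epoch]: whole days until expiry.
days_left() (
    left=$(secs_left "$@") || exit 2
    echo $((left / 86400))
)

# renewal_status "<notAfter string>" [now_epoch]: OK, RENEWAL_OVERDUE or EXPIRED.
renewal_status() (
    left=$(secs_left "$@") || exit 2
    if [ "$left" -le 0 ]; then
        echo EXPIRED
    elif [ "$left" -lt "$RENEW_WINDOW_SECS" ]; then
        echo RENEWAL_OVERDUE      # automatic renewal should already have run
    else
        echo OK
    fi
)

# fetch_not_after <host>: notAfter date of the certificate served on port 443.
fetch_not_after() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -enddate | cut -d= -f2
}

# Query a live site only when a hostname is given as the first argument.
if [ -n "${1:-}" ]; then
    not_after=$(fetch_not_after "$1")
    [ -n "$not_after" ] || { echo "could not read certificate from $1" >&2; exit 1; }
    echo "$1 expires: $not_after"
    echo "days left: $(days_left "$not_after"), status: $(renewal_status "$not_after")"
fi
```

Save it under any name and pass your domain as the only argument. A status of RENEWAL_OVERDUE on day 61 means the renewal timer has not done its job and is worth investigating before the certificate expires.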
