It’s good practice to enable HTTPS on all websites so that visitors to your website have a secure connection. With a WordPress website, HTTPS secures the authentication details you enter when visiting your admin pages. If your visitors leave personal details on a contact form then HTTPS secures those too – provided that you handle the contact form securely. Web browsers are increasingly providing alerts when they visit websites that don’t support HTTPS, and those alerts aren’t a good look. Finally, you might as well add HTTPS early on, so that you don’t need to worry later when your site gets increasingly complex.
The good news is that you can do it for free and it’s a breeze if you’re using a DigitalOcean WordPress VM!
To support HTTPS, you need an SSL Certificate that proves to visitors that your website is what it says it is. Let’s Encrypt is a service that provides SSL Certificates easily and for free.
Before you start, you need to register the domain name for your website and set up the domain configuration for your server so that when you visit yourdomain.com you see your website. This involves setting up the ‘A’ record for the DNS entry for yourdomain.com – go to the administration panel for the website where you registered the domain.
With that task done, you’re ready to enable SSL.
Using Let’s Encrypt requires you run a client on the VM called Certbot. To run Certbot you’ll need to login to the console of your VM and run some commands. First login:
$ ssh root@my_server
Then add the repository that stores the latest version of the Certbot tool:
$ sudo add-apt-repository ppa:certbot/certbot
You’ll probably have to hit Enter to confirm the install. The output will look like:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 |
This is the PPA for packages prepared by Debian Let's Encrypt Team and backported for Ubuntu(s). More info: https://launchpad.net/~certbot/+archive/ubuntu/certbot Press [ENTER] to continue or ctrl-c to cancel adding it gpg: keyring `/tmp/tmpu5v0045d/secring.gpg' created gpg: keyring `/tmp/tmpu5v0045d/pubring.gpg' created gpg: requesting key 75BCA694 from hkp server keyserver.ubuntu.com gpg: /tmp/tmpu5v0045d/trustdb.gpg: trustdb created gpg: key 75BCA694: public key "Launchpad PPA for certbot" imported gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1) OK |
Now you can update your VM’s list of available software packages:
$ sudo apt-get update
The output will look like:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
Get:1 http://security.ubuntu.com/ubuntu xenial-security InRelease [107 kB] Hit:2 https://repos.sonar.digitalocean.com/apt main InRelease Get:3 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial InRelease [24.3 kB] Get:7 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial/main amd64 Packages [14.9 kB] Hit:4 http://sfo1.mirrors.digitalocean.com/ubuntu xenial InRelease Get:5 http://sfo1.mirrors.digitalocean.com/ubuntu xenial-updates InRelease [109 kB] Get:6 http://sfo1.mirrors.digitalocean.com/ubuntu xenial-backports InRelease [107 kB] Get:8 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial/main Translation-en [9,252 B] Fetched 371 kB in 3s (114 kB/s) Reading package lists... Done |
You’re now ready to install Certbot itself:
$ sudo apt-get install python-certbot-apache
The output might be quite long, but it should end something like:
|
1 2 3 4 5 6 7 8 9 |
Setting up letsencrypt (0.22.2-1+ubuntu16.04.1+certbot+1) ... Setting up python3-augeas (0.5.0-1+ubuntu16.04.1+certbot+1) ... Setting up python3-certbot-apache (0.22.0-1+ubuntu16.04.1+certbot+2) ... Setting up python-certbot-apache (0.22.0-1+ubuntu16.04.1+certbot+2) ... Setting up python3-icu (1.9.2-2build1) ... |
Certbot is now installed, so run it. Typically you’ll request a certificate that works for both yourdomain.com and www.yourdomain.com, but you can add other domains to the command by adding a “-d” followed by the domain name and repeating as many times as you need.
|
1 |
$ sudo certbot --apache -d yourdomain.com -d www.yourdomain.com |
You’ll need to enter your email address when prompted and agree to the terms and conditions.
During the process you may be asked where to deploy the certificate for the second and subsequent domains in the command:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
We were unable to find a vhost with a ServerName or Address of www.yourdomain.com. Which virtual host would you like to choose? (note: conf files with multiple vhosts are not yet supported) ------------------------------------------------------------------------------- 1: 000-default.conf | | | Enabled 2: 000-default-le-ssl.conf | yourdomain.com | HTTPS | Enabled ------------------------------------------------------------------------------- |
All the domains you listed are for the same site, so choose option 2.
Once installed you’ll be asked how you want your website to handle people visiting using HTTP.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access. ------------------------------------------------------------------------------- 1: No redirect - Make no further changes to the webserver configuration. 2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you're confident your site works on HTTPS. You can undo this change by editing your web server's configuration. ------------------------------------------------------------------------------- |
My recommendation here is to choose option 2. With that option selected, if someone visits http://www.yourdomain.com then they’ll be sent straight to https://www.yourdomain.com The alternative is to leave them on an insecure connection to http://www.yourdomain.com which reduces the usefulness of this whole process unless you have some very particular needs.
At the end of the process you should get this satisfying message:
|
1 2 3 |
Congratulations! You have successfully enabled https://yourdomain.com and https://www.yourdomain.com |
You should test that you can visit http://www.yourdomain.com, that it sends you to https://www.yourdomain.com, you get a little green padlock in your browser’s address bar and your website displays correctly. For a more thorough check, visit https://www.ssllabs.com/ssltest/analyze.html where your website should get a good grade, ideally A.
But don’t get too complacent just yet! The certificates provided by Let’s Encrypt only last for 90 days, so your webserver will need to keep renewing them. This is all taken care of automatically, but you should check that it’s going to work by doing a trial run of the renewal process:
At the end of the process it should say:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
------------------------------------------------------------------------------- ** DRY RUN: simulating 'certbot renew' close to cert expiry ** (The test certificates below have not been saved.) Congratulations, all renewals succeeded. The following certs have been renewed: /etc/letsencrypt/live/yourdomain.com/fullchain.pem (success) ** DRY RUN: simulating 'certbot renew' close to cert expiry ** (The test certificates above have not been saved.) ------------------------------------------------------------------------------- |
That command (without the –dry-run) will renew any certificates that will expire in the next 30 days. It gets called twice daily by a timer that certbot installed during the process you just went through. If a certificate is renewed then the timer also reloads your webserver so that it starts using the new certificate. You can check the timer is loaded correctly by the following command, which should generate the output shown:
|
1 |
Just to be sure, put a reminder in your calendar 61 days from now to check the expiry date of your website’s certificate. It should have renewed by then, and the new expiry date should be about 90 days in the future at the time you check. You can get the expiry date by clicking the green padlock in your browser or by visiting https://www.ssllabs.com/ssltest/analyze.html