Rocknerd is now fully SSL-enabled! How to do this yourself.

UPDATE: This post is out of date. If you have a command line and root, SSLing your Apache is even more trivial now. Go to certbot.eff.org and follow the instructions.


See that green lock up there? Rocknerd is now served over SSL, with a certificate from Let’s Encrypt. The old insecure addresses should send you to the secure versions. Please try https://rocknerd.co.uk/ on all your gadgets and let me know of any problems, with as much detail as you can.

(Why SSL? Because what you browse is nobody else’s business. And because Google will like it better. And Theresa May won’t.)

This guide assumes you are comfortable with the Debian/Ubuntu command line. The stuff below is literally what I did just now.

James (whose server it is) already had certbot installed, but I didn’t know this and set it up by hand anyway. It’s trivial.

Our server is running Debian and I have root. Working from this page, I ran the following:

git clone https://github.com/certbot/certbot
cd certbot
sudo ./letsencrypt-auto

The script did an apt-get update;apt-get upgrade, worked out it was running on Apache, detected all the domains our Apache served and offered to generate a cert for all of them. I just told it to do the aliases of rocknerd.co.uk for now. It did so, generated and installed the cert. That’s it, I had a working SSL site! It gave me SSLLabs test URLs for rocknerd.co.uk and www.rocknerd.co.uk, which both rated the site “A”. So there.

(It also asks you if you want to auto-redirect all http:// to https:// — tell it yes.)

Let’s Encrypt certs are short-term. I made sure my cert was auto-renewed by putting this in /etc/cron.d/letsencrypt-rocknerd (checks weekly, renews the cert if it’s under 30 days from expiry):

30 2 * * 1 root /home/sites/letsencrypt/letsencrypt-auto renew >>/home/sites/log/rocknerd.co.uk/le-renew.log

Next was WordPress itself.

  1. Go to Settings->General Settings and set your WordPress Address and Site Address to start https:// .

  2. Add this to wp-config.php, to force logins and admin to SSL:
    define('FORCE_SSL_ADMIN', true);
  3. If you’re still getting a mixed-content warning from your site, go to the Inspector (hit F12) in Firefox or Chrome and see what’s being served by http:// — in my case a couple of links in a widget. Fix those, clear WP-Super-Cache and try again.

If you want to SSL your WordPress and don’t understand the above, Google “SSL WordPress” for many more pointy-clicky guides. If you’ve SSLed your own WordPress with a plugin or similar, please comment.

2 thoughts on “Rocknerd is now fully SSL-enabled! How to do this yourself.

  1. > sudo ./letsencrypt-auto
    FATAL: FreeBSD support is very experimental at present…

    i swear to effen god

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.