markdown 有关如何在WordPress站点上设置Letsencrypt SSL证书的说明

Posted

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了markdown 有关如何在WordPress站点上设置Letsencrypt SSL证书的说明相关的知识,希望对你有一定的参考价值。

# Letsencrypt (for WordPress sites)

Note: This setup assumes you are running Ubuntu 16.04 OS with Apache 2.4.23, older versions of Ubuntu (i.e. 14.04) require minor configuration changes in order for this setup to work.

## Setup

Follow the install instructions for `certbot` (letsencrypt's SSL manager) on https://certbot.eff.org/, making sure to select the correct server OS version.

Note: You only need to complete the `Install` section, then return to this README in order to setup your SSL

## Registering an SSL

Once installed, run the following `certbot` command:

`certbot certonly --webroot --webroot-path /var/www/html/ --renew-by-default -d yourdomainhere.com`

Certbot has a lot of configuration options and when used with Apache, can automatically setup your SSL certificates without the need for apache configuration file amends, however, if using a service such as CloudFlare to manage your DNS and adding caching etc, the command above will be required in order to validate the SSL successfully. It's also recommend to use this command over the built in apache module (at this time) as it will grant great control over your site's SSL.

- `certonly` is the command we are running, telling certbot to generate a letsencrypt SSL manually, i.e. without the apache configuration (we'll do this ourselves!)
- `--webroot` is the type of authentication we want to use in order to check our domain against with the SSL. This option comes back to the CloudFlare issue, whereby a CloudFlare protected server won't respond with the origin server's IP address, but instead with a dynamic CloudFlare IP, causing the SSL to fail verification.
- `--webroot-path` sets the root of your website, this should be where your apache configuration's `DocumentRoot` is pointing to.
- `--renew-by-default` tells letsencrypt to attempt to automatically try to renew this SSL if it is already set and in need of renewal
- `-d` sets the domain you which to assign this SSL to, multiple domains can be registered at the same time by passing additional `-d` flags after each domain.

After running the `certonly` command you should be prompted for an email address, used to notify you of upcoming SSL's due to expire and upon entering your email the process should complete with a success message similar to:

```
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/byourdomainhere.com/fullchain.pem.
   Your cert will expire on 2017-03-01. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
```

## Configuring Apache site configs

Insure that the `ssl` module has been enabled on apache, to enable run `a2enmod ssl` then `service apache2 restart`. Without this module your apache configuration will not work and likely through the following error when attempting to restart: `Invalid command 'SSLEngine'`

Once the SSL has been setup for your domain, you need to update your apache site configuration with some additional rules to tell apache how to handle requests over `https`.

- Swap into the apache sites available folder `cd /etc/apache2/sites-available` and open the config file for the site you have attached the SSL certificate to, i.e. `nano/vi yourdomain.here.conf` 
- As well as having a `VirtualHost` rule for port 80 (http traffic), we also need to add a `VirtualHost` rule for port 443 (https traffic). Using the example below, add the missing sections to your site's configuration (note you may have additional settings in your configuration, in which case, merge the rules below with your existing ones):

**_Note: If setting up your SSL for the first within WordPress (or any other system that requires activation of SSL before
becoming active), comment out the `Redirect permanent` line in the seciton below until after this has been completed. 
Otherwise you might find yourself either locked out of the system before it is activated or in an endless redirect loop!_**

```
<VirtualHost *:80>
        ServerName yourdomainhere.com
        ServerAdmin me@yourdomainherec.om
        DocumentRoot /var/www/html
        
        Redirect permanent / https://yourdomainhere.com/
</VirtualHost>

<VirtualHost *:443>
        ServerName yourdomainhere.com
        ServerAdmin me@yourdomainhere.com
        DocumentRoot /var/www/html
        
        ErrorLog ${APACHE_LOG_DIR}/yourdomainhere.com-error.log
        CustomLog ${APACHE_LOG_DIR}/yourdomainhere.com-access.log combined
        
        SSLEngine On
        SSLCertificateFile /etc/letsencrypt/live/yourdomainhere.com/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/yourdomainhere.com/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/yourdomainhere.com/chain.pem
 
        Header always set Strict-Transport-Security "max-age=15768000"
 
        RequestHeader append "X-Forwarded-Proto" "https"
        RequestHeader set "X-Forwarded-Ssl" "on"
</VirtualHost>

SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off

SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)
```

*Note*: if you are not using letsencrypt alongside Cloudflare & it's SSL, and you are happy for some older browsers/devices to be unsupported, you can use the following `SSLCipherSuite` value instead which will give a stronger encryption type cipher designed for modern browsers and devices:
```
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
```

- The configuration above tells apache where your SSL certificates are and where to validate them when requests over `https` are made. You can now save this configuration file.
- Update apache with `service apache reload`

## Checking how long your SSL is valid for and renewing

I use a package called `ssl-cert-check` to allow me to check the expiry of my SSL certificates which is simple to use and outputs a simple to view data format.

First install `ssl-cert-check` with the following command: `apt-get install ssl-cert-check`

Now to view a certificates expiry date, use the following command: 
`ssl-cert-check -c /etc/letsencrypt/live/yourdomainhere.com/cert.pem`

This will return an output similar to the one below:

```
Host                                                   Status Expires    Days
------------------------------------------------------ ------ ---------- ----
FILE:/etc/letsencrypt/live/yourdomianhere.com/cert.pem Valid  Mar 1 2017 90
```

Certbot will allow you to renew your SSL when it is within 30 days of expiry, you can setup a cronjob/crontab task to perform this or simply run the the following command `./certbot-auto renew` which will attempt to renew any and all certificates on the server.

## Cron job renewal example

First run `crontab -e` (you may be prompted for which editor to use, use which even you'd prefer!). Once within the crontab file, add the following to the bottom of the file:

```txt
00 03 * * * certbot renew --quiet --renew-hook "service apache2 reload"
```

This will run every day at 3am, calling the `certbot renew` command, with a couple params to silence the output and to reload
apache when the renew completes. This will ensure that once your site reaches 30 days before renewal, the SSL will be renewed
without any manual input :)

## Configuring WordPress

Install the `Really Simple SSL` plugin and go to the `SSL` settings page within the WP admin. Before clicking the `Go ahead, activate SSL` button, check that the plugin has recognised your SSL, it should display the following message `An SSL certificate was detected on your site.`.

Due to the nature of the SSL setup, the default `.htaccess` rules may not always perform the correct redirects and require you to disable the plugin from editing your `.htaccess` file and add the rules manually.

Check which rule(s) may or may not apply for your site here = https://really-simple-ssl.com/knowledge-base/manually-insert-htaccess-redirect-http-to-https/

以上是关于markdown 有关如何在WordPress站点上设置Letsencrypt SSL证书的说明的主要内容,如果未能解决你的问题,请参考以下文章

如何在同一个域上部署 WordPress 站点和 Django 站点?

WordPress 安装 Markdown 插件

Wordpress 自动将站点 url 添加到 href,尽管 href 不为空

如何在 Wordpress 多站点安装 (3.0) 中同时查询所有博客选项表?

如何允许单个 Wordpress 站点接受我的 .ttf 文件上传?

如何获取安装在远程服务器上的 Wordpress 站点的本地运行副本?