WordPress SSL, Nginx and Let's Encrypt

Secure your Nginx WordPress blog with SSL using Let’s Encrypt

I’ve just enabled SSL on this WordPress blog. It was a surprisingly painless experience, and I did it using the brand new, free service called Let’s Encrypt.

Why enable SSL on your WordPress blog?

What SSL (strictly speaking, TLS) does is encrypt the traffic between a visitor’s browser and your server, so the networks it crosses on the way (the visitor’s Wi-Fi, their ISP, every router in between) see only ciphertext. The obvious problem with unencrypted data is that at each of those hops it is plain text, which means anyone sitting on the path could read it, or quietly change it before it reaches you.

SSL has traditionally been used on larger websites and e-commerce stores, where people care more about their information being kept safe and away from potential threats. A blog has the same exposure in at least one place: every time you log in to wp-admin over plain HTTP, your WordPress username and password cross the network in the clear.

For a long time, SSL was out of reach for the little guy or hobby blogger, as the cost involved in acquiring an SSL certificate was quite high.

Now that the Let’s Encrypt service has been launched and is completely free, it’s highly recommended that webmasters start enabling SSL on their websites, big or small.

Once HTTP/2 becomes more mainstream, you will need SSL enabled on your site if you want to adopt it. The HTTP/2 specification itself allows unencrypted connections, but browsers like Firefox and Chrome have already stated that they will only speak HTTP/2 over TLS, so in practice an HTTPS site is a prerequisite.

WordPress SSL on an Nginx server

While setting up SSL on this website, I documented the whole process step by step so that you can do the same on your blog.

As I mentioned in the video, Let’s Encrypt is still very new and its Nginx integration is not 100% supported just yet (the Nginx plugin is still experimental), which is why the steps below obtain the certificate on their own and configure Nginx by hand. It’s quite easy to get working that way.

Here is the video. See below for the commands I ran and the configs I used, for copying and pasting into your own terminal window.

WordPress SSL Nginx Commands and Configs

Use this command to clone the Let’s Encrypt client to your server

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt

Now generate the certificate. The standalone authenticator (-a standalone) starts its own temporary web server to answer Let’s Encrypt’s domain-validation challenge, so it has to bind port 80 or 443 (depending on the challenge type); stop Nginx before running it, otherwise it cannot bind and the validation fails. Each -d adds a name to the certificate, so list every hostname the site answers on, including the www variant.

./letsencrypt-auto certonly -a standalone -d mattgeri.com -d www.mattgeri.com

Lastly, the Nginx server domain config. These directives go inside the server block for the site, alongside your existing server_name, root and PHP settings

listen 443 ssl spdy;   # SPDY was removed in Nginx 1.9.5; on newer versions use "http2" here instead
listen [::]:443 ssl spdy;
ssl_certificate /etc/letsencrypt/live/mattgeri.com/fullchain.pem;    # leaf cert plus the Let's Encrypt intermediate
ssl_certificate_key /etc/letsencrypt/live/mattgeri.com/privkey.pem;  # private key: keep it readable by root only
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;

# TLS 1.0 is disabled; TLS 1.1 is only kept for old clients and can be dropped too
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
ssl_prefer_server_ciphers on;

# HSTS: browsers that see this header refuse plain HTTP to the host for six months (15768000 s),
# so only add it once every page and asset loads cleanly over HTTPS
add_header Strict-Transport-Security max-age=15768000;

## staple the OCSP response so clients don't have to query the CA themselves
ssl_stapling on;
ssl_stapling_verify on;

## verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/mattgeri.com/chain.pem;
resolver 8.8.8.8 8.8.4.4 valid=86400;
resolver_timeout 10;
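The directives above are only the SSL half of a server block. As an added example that is not the config from this post, here is a complete pair of server blocks for the same site, written for Nginx 1.9.5 or newer (so http2 replaces spdy): the plain-HTTP block serves Let’s Encrypt’s validation files and redirects everything else to HTTPS, and the HTTPS block carries the TLS settings plus the WordPress/PHP handling. The webroot /var/www/mattgeri.com, the challenge directory /var/www/letsencrypt, the PHP-FPM socket path and the shortened cipher list (which needs OpenSSL 1.1.0 or later for the ChaCha20 suites) are assumptions, not values from the post.

```nginx
# Added example, not the configuration from the original post.
# Assumed values: domain mattgeri.com (from the post), webroot /var/www/mattgeri.com,
# ACME challenge directory /var/www/letsencrypt, PHP-FPM socket /run/php/php-fpm.sock.

# Plain HTTP: answer Let's Encrypt's validation requests, redirect everything else.
server {
    listen 80;
    listen [::]:80;
    server_name mattgeri.com www.mattgeri.com;

    # The http-01 challenge fetches http://<domain>/.well-known/acme-challenge/<token>.
    # Serving that path from a dedicated directory lets the webroot authenticator
    # renew the certificate without stopping Nginx.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type text/plain;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # Without server_name this block only matches as the default server, which is
    # how a request can end up on the stock "Welcome to nginx" page instead of the site.
    server_name mattgeri.com www.mattgeri.com;

    root /var/www/mattgeri.com;
    index index.php index.html;

    ssl_certificate     /etc/letsencrypt/live/mattgeri.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mattgeri.com/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;   # ticket keys are never rotated here, so tickets would weaken forward secrecy

    ssl_protocols TLSv1.2;     # TLS 1.0 and 1.1 are deprecated; re-add only if old clients matter
    # Forward-secret AEAD suites only (assumed list; needs OpenSSL 1.1.0+ for ChaCha20)
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
    ssl_prefer_server_ciphers on;

    # Only send HSTS once every page and subresource works over HTTPS: browsers will
    # refuse plain HTTP to this host for max-age seconds afterwards. "always" keeps the
    # header on error responses too. Note that add_header is not inherited into any
    # location block that sets its own add_header.
    add_header Strict-Transport-Security "max-age=15768000" always;

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/mattgeri.com/chain.pem;
    resolver 8.8.8.8 8.8.4.4 valid=86400;
    resolver_timeout 10;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed PHP-FPM socket path
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # Tell WordPress the request arrived over TLS so it generates https:// links
        fastcgi_param HTTPS on;
    }
}
```

With the challenge location in place, the webroot authenticator can issue and renew without stopping Nginx: ./letsencrypt-auto certonly -a webroot --webroot-path /var/www/letsencrypt -d mattgeri.com -d www.mattgeri.com, followed by sudo service nginx reload. Check the result from another machine with openssl s_client -connect mattgeri.com:443 -servername mattgeri.com -status; the output should show the Let’s Encrypt chain and an “OCSP Response Status: successful” line, which confirms that stapling is actually working and not just configured.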

Renew your Let’s Encrypt Nginx Certificate

To renew your SSL certificate, stop your server, run the commands below and then start it again. Nginx has to be stopped because renewal uses the same standalone authenticator as the first issuance, which needs the port Nginx is listening on. Let’s Encrypt certificates are valid for 90 days, and the renew command only replaces certificates that are within 30 days of expiry, so it is safe to run on a schedule; the downside is the short outage while Nginx is stopped.

# Stop your server (Ubuntu specific)
sudo service nginx stop

# Renew certificate
./letsencrypt-auto renew

# Start service
sudo service nginx start
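The three commands above leave Nginx stopped if letsencrypt-auto fails, and they take the site down even when nothing is due for renewal. As an added example that is not a script from this post, the wrapper below checks the certificate’s expiry first, only stops Nginx when renewal is actually needed, and restarts it whatever happens. It assumes the letsencrypt clone lives in /opt/letsencrypt, that the domain is mattgeri.com as in the post, and that Nginx is controlled with “service nginx” as in the post’s Ubuntu commands; all three are assumptions and can be overridden through the environment.

```shell
#!/bin/sh
# Added example, not a script from the original post: wrap the standalone
# renewal so Nginx is only stopped when the certificate is near expiry, and
# is started again even if letsencrypt-auto fails.
# Assumptions (override via the environment): letsencrypt clone in /opt/letsencrypt,
# domain mattgeri.com (from the post), Nginx managed with "service nginx".
set -u

LE_DIR="${LE_DIR:-/opt/letsencrypt}"
DOMAIN="${DOMAIN:-mattgeri.com}"
CERT="${CERT:-/etc/letsencrypt/live/${DOMAIN}/cert.pem}"
RENEW_WITHIN_DAYS=30   # Let's Encrypt certs last 90 days; renew during the last 30

# needs_renewal CERT DAYS
# Returns 0 (true) when CERT expires within DAYS days or cannot be read, and
# 1 (false) when it is good for longer. "openssl x509 -checkend N" exits 0 only
# if the certificate is still valid N seconds from now, so its result is inverted.
needs_renewal() {
    cert="$1"
    days="$2"
    if openssl x509 -checkend "$((days * 86400))" -noout -in "$cert" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# renew_cert
# Stops Nginx so the standalone authenticator can bind its port, runs the
# renewal, and restarts Nginx no matter how the renewal ends. Returns
# letsencrypt-auto's exit status so a cron job can report failures.
renew_cert() {
    if ! needs_renewal "$CERT" "$RENEW_WITHIN_DAYS"; then
        echo "$DOMAIN: certificate valid for more than $RENEW_WITHIN_DAYS days, nothing to do"
        return 0
    fi
    # The EXIT trap brings the site back up even if the script is interrupted
    # or letsencrypt-auto aborts part-way through.
    trap 'sudo service nginx start' EXIT
    sudo service nginx stop
    "$LE_DIR/letsencrypt-auto" renew
    rc=$?
    sudo service nginx start
    trap - EXIT
    return "$rc"
}

# Only act when explicitly asked, so the file can be sourced for its functions
# and scheduled with e.g. a daily cron entry: sh renew-le.sh --run
if [ "${1:-}" = "--run" ]; then
    renew_cert
fi
```

Because renew_cert checks expiry before touching Nginx, the script can run daily from cron; on the roughly 60 days out of 90 when nothing is due it exits without stopping anything.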


8 thoughts on “Secure your Nginx WordPress blog with SSL using Let’s Encrypt”

  1. Cool vid. 🙂

    I’m keen to give Let’s Encrypt a try. Got a VM waiting to be played with, I must just allocate some time.

    For interest, you should check out using CloudFlare with WordPress. The CloudFlare SSL offering allows you to have a self-signed cert on your server encrypting the connection between your server and the CDN’s network. CloudFlare then serves up a validated cert to the end user, it works pretty well.

    One thing it doesn’t work too well with is PayFast…

    1. Matt says:

      Thanks Nathan!

      I use CloudFlare but solely for DNS management. I’ve never really checked out what they offer fully. That sounds like a really nice feature.

      I must say though, I’m very excited about where Let’s Encrypt is going. Think there will be wide spread adoption in the future.

      1. Yeah, I’m also amped about an encrypted future. 🙂

        Here’s some more info on CloudFlare SSL: https://www.cloudflare.com/ssl/

  2. Tanvir Hasan says:

    Thanks for this awesome tutorial! I almost got fired from my job as I was trying to do this for a week and fortunately found your tutorial :)

    1. Matt says:

      Glad you got it working Tanvir and didn’t lose your job hehe 🙂

  3. Hey Matt,
    First of all, thanks for the nice tutorial.

    There is a company called Qualys SSL Labs. They have an online service to measure the quality of your certificate as well as the configuration of your application container. Honestly speaking I was curious about the quality of your Let’s Encrypt certificate. After watching your video, I checked your domain (Sorry, I should have asked for permission, but it’s a public service. Everyone can check everything!). You got a “B” ranking which is in my opinion pretty good without any special configuration using Let’s Encrypt.

    I think you can just surf to: https://www.ssllabs.com/ssltest/analyze.html
    And run the test on your domain name again. It gives you a pretty verbose report which can be useful for fine-tuning your configuration in order to get “A+” ranking. Then you can write about your experience in another blog post which I’d love to read.

    I just have a question:
    – Does Let’s Encrypt work with a domain name with port numbers? I mean something like example.com:1234

    Cheers!

    1. Matt says:

      Thanks Emad! I never knew about SSL Labs. Will definitely check it out and see if I can better my ranking.

      From what I understand, LetsEncrypt currently only works on port 80 and 443.

  4. Hello, I have followed all the steps,

    but I am stuck on a problem,
    when I type my address, it is showing the nginx server webpage instead of my webpage.

    any clues how to solve that?

    thanks all.

    Robson
