Secure WordPress sites, free and easy
Requirements
- The latest version of AMIMOTO AMI
- You can access your site with a domain name such as example.com
- WordPress installation is complete
- You've set your instance to use a fixed, Elastic IP
Covered in this guide
- Generating an SSL Cert
- Search and Replace with WP-CLI
- Setting a Renewal Schedule for Let's Encrypt
Tips and Notes
If you're setting up a new AMI, make a note of the instance ID. This ID is used as the name of your WordPress install directory.
For example, if your ID is i-abc123, the WordPress install path will be:
/var/www/vhosts/i-abc123
Optionally, when the AMI is only running one site, you can cd into this directory using a wildcard path (the glob expands to the single vhost directory):
$ cd /var/www/vhosts/*/
1. Generating an SSL Cert
Login to the server
$ ssh -i ssh-key.pem ec2-user@example.com
Change to root user
$ sudo su -
Generate the SSL certificate for example.com (webroot mode places the ACME challenge file under the site's document root):
# letsencrypt certonly -t -d example.com \
-a webroot --webroot-path=/var/www/vhosts/example.com/ \
--rsa-key-size 2048
Note: You should replace example.com with your domain name.
Enter an email address at which Let's Encrypt can reach you (expiry and security notices are sent there):
Enter email address (used for urgent notices and lost key recovery) (Enter 'c'
to cancel): info+letsencrypt@example.com
Agree with Terms of Service of Let's Encrypt
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A
The certificate has now been issued and stored on the server.
The certificate and its chain are installed at the following path:
/etc/letsencrypt/live/example.com/fullchain.pem
The private key is installed at the following path (keep it readable by root only):
/etc/letsencrypt/live/example.com/privkey.pem
2. Modifying Nginx's configuration file
With the certificate in place, create the HTTPS server configuration (/etc/nginx/conf.d/example.com-ssl.conf) by copying example.com.conf to example.com-ssl.conf and editing the copy.
Copy configuration file for example.com.
# cd /etc/nginx/conf.d
# cp example.com.conf example.com-ssl.conf
# vi example.com-ssl.conf
Configuration for example.com-ssl.conf
server {
    listen 443 ssl http2;
    server_name example.com;
    root /var/www/vhosts/example.com;
    index index.html index.htm;
    charset utf-8;

    # Certificate chain and private key issued by Let's Encrypt above
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them unless you must serve very old clients
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers AESGCM:HIGH:!aNULL:!MD5;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;

    access_log /var/log/nginx/example.com-ssl.access.log main;
    error_log /var/log/nginx/example.com-ssl.error.log;

    include /etc/nginx/drop;
    add_header X-Cache-Status $upstream_cache_status;
    expires $expires;
    set $mobile "";
    #include /etc/nginx/mobile-detect;
    include /etc/nginx/wp-front;

    # Hide common database-admin paths from scanners
    location ~* /(phpmyadmin|myadmin|pma) { access_log off; log_not_found off; return 404; }

    #
    # redirect server error pages to the static page /50x.html
    #
    error_page 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}
Note: You should replace example.com with your domain name.
Restart Nginx to apply the changes. Monit is stopped first so that it does not restart Nginx on its own while the restart is in progress.
# service monit stop
# service nginx restart
# service monit start
If you want to redirect all HTTP requests to HTTPS, add return 301 https://example.com$request_uri; to the port-80 server block in /etc/nginx/conf.d/example.com.conf.
Configuration for example.com.conf
server {
    listen 80;
    server_name example.com;
    root /var/www/vhosts/example.com;
    index index.html index.htm;
    charset utf-8;
    access_log /var/log/nginx/example.com.access.log main;
    error_log /var/log/nginx/example.com.error.log;
    include /etc/nginx/drop;
    add_header X-Cache-Status $upstream_cache_status;
    expires $expires;
    set $mobile "";
    #include /etc/nginx/mobile-detect;
    location / {
        return 301 https://example.com$request_uri;
    }
    #
    # redirect server error pages to the static page /50x.html
    #
    error_page 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}
Restart Nginx again to apply the changes.
# service monit stop
# service nginx restart
# service monit start
That's all for installing the certificate and updating the Nginx configuration.
3. [Optional] Automatically renewing certificate
Let's Encrypt certificates expire 90 days after they are issued. You can renew them automatically with a cron job.
The job below runs certbot renew every Monday at 1:00 AM; certbot checks the certificate and renews it only when it is close to expiry.
# crontab -e
Add the following lines:
# Renewing Lets Encrypt certificate
0 1 * * 1 /certbot renew && /sbin/service nginx restart > /dev/null 2>&1
The end result should look something like this.
@reboot /bin/sh /opt/local/provision > /dev/null 2>&1
# Renewing Lets Encrypt certificate
0 1 * * 1 /certbot renew && /sbin/service nginx restart > /dev/null 2>&1
You're done!
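The cron job above runs unattended and its output is discarded, so a renewal that keeps failing (for example after the webroot path changes) would only be noticed when the site stops loading. As an added example that is not part of the original guide, the following POSIX shell script reports how many days remain on the installed certificate and exits non-zero when fewer than 30 remain, which makes it a cheap safety-net check to run from cron or a monitoring agent. It assumes GNU date (as on Amazon Linux) and openssl are available; the certificate path, the 30-day threshold and the script name check-cert-expiry.sh are assumptions matching this guide.

```shell
#!/bin/sh
# Added example (not from the original guide): warn when the Let's Encrypt
# certificate is close to expiry, as a safety net beside the renewal cron job.
# Assumes GNU date (Amazon Linux) and openssl.

CERT=/etc/letsencrypt/live/example.com/fullchain.pem   # assumed path, as in the guide
WARN_DAYS=30                                            # certbot renews when under 30 days remain

# days_until_expiry NOTAFTER_LINE [NOW_EPOCH]
# NOTAFTER_LINE is the output of `openssl x509 -noout -enddate`, e.g.
#   notAfter=Mar  1 12:00:00 2018 GMT
# Prints the whole number of days until that time (negative once expired).
# NOW_EPOCH defaults to the current time; passing it makes the function testable.
days_until_expiry() {
  enddate=${1#notAfter=}
  now=${2:-$(date -u +%s)}
  expiry=$(date -u -d "$enddate" +%s) || return 1
  echo $(( (expiry - now) / 86400 ))
}

# cert_status DAYS: prints OK, WARN or EXPIRED and returns 0 only for OK.
cert_status() {
  if [ "$1" -lt 0 ]; then
    echo EXPIRED; return 2
  elif [ "$1" -lt "$WARN_DAYS" ]; then
    echo WARN; return 1
  else
    echo OK; return 0
  fi
}

# Live check against the certificate on disk.
main() {
  line=$(openssl x509 -noout -enddate -in "$CERT") || { echo "cannot read $CERT" >&2; exit 2; }
  days=$(days_until_expiry "$line")
  status=$(cert_status "$days"); rc=$?
  echo "$CERT: $status, $days day(s) until expiry"
  exit "$rc"
}

# Run the live check only when saved and executed as check-cert-expiry.sh,
# so the functions above can also be sourced on their own.
if [ "${0##*/}" = "check-cert-expiry.sh" ]; then
  main "$@"
fi
```

Save it as /usr/local/bin/check-cert-expiry.sh, make it executable, and add a second crontab line that runs it and mails or logs its output; a WARN or EXPIRED result means the certbot renew job is not doing its work and needs attention before the 90 days run out.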
Search and replace URLs to use HTTPS with the WP-CLI command
Run this from the WordPress install directory so that every stored http:// URL for the site is rewritten to https:// (the guid column is skipped on purpose, since GUIDs should never change). Adding --dry-run first shows how many rows would be affected without modifying the database.
$ wp search-replace 'http://example.com' 'https://example.com' --skip-columns=guid
That's all.