Pi to WordPress – Part 5: SSL Cert
This is part 5 of a series, documenting the setup of an out-of-the-box Raspberry Pi to a self-hosted SSL WordPress site.
By now your WordPress site should be available on a custom domain over HTTP. It’s tempting to finish at this stage, but I’d highly recommend going the extra step to offer an HTTPS version of your site.
If not purely for the educational benefit of generating and installing an SSL cert, there are plenty of advantages to having your site available as HTTPS.
Firstly, and most importantly, Chrome will display “Not secure” on all HTTP websites:
It will display an even angrier red version of the above once a user begins to enter text into any form on your HTTP site, even into something as simple as the search feature on your WordPress site:
Second, an HTTPS site is essential for secure encrypted traffic between browser and web server. This is not so important initially for our WordPress blog, as we won’t be expecting any sensitive information to be passed, but you may require it in the future if, for example, you are handling online payments, login credentials or users’ personal information.
And finally, your site will benefit slightly in terms of Google ranking if it is HTTPS. Again, maybe not so important for a WordPress blog, but worth keeping in mind.
So, let’s look at generating an SSL certificate. First, what is an SSL certificate, and how does it make our website more secure? In short, an SSL certificate is formal verification from a trusted third party that your server is who it claims to be. It is also tied to a cryptographic key pair: the certificate carries the public key, the matching private key stays on your server, and a connecting browser uses them to set up the encrypted connection to the web server.
The third party that verifies your server is called a Certificate Authority (CA). An SSL provider will supply you with an SSL cert from a CA once your server/domain passes their identity checks.
Traditionally, SSL certs have been somewhat expensive to purchase, and in many ways this remains the case. Below are the “recommended” SSL providers for personal/blog sites from sslshopper.com:
If you’re like me, you want to keep the costs for a self-hosted blog site to a minimum. Thankfully, there is a free open Certificate Authority called Let’s Encrypt that provides free SSL certs. We’ll generate a Let’s Encrypt SSL cert from https://www.sslforfree.com/
Once you visit the site, enter the domain name you registered previously into the form and click “Create Free SSL Certificate”:
You will be presented with three ways to prove ownership of your domain:
Automatic FTP Verification and Manual Verification (FTP) are undoubtedly the fastest, although we are yet to enable FTP on our Pi. For now we’ll go with the slower Manual Verification (DNS). Follow the step-by-step instructions on the verification page. This involves adding a TXT record to our domain’s DNS, which you can modify by again logging into your domain provider and going to their DNS management page.
Note the warning in step 2: “Your DNS software may auto-add the domain in the name field”. This was the case for GoDaddy, so I removed .defaultroot.com from both name fields, resulting in “_acme-challenge” and “_acme-challenge.www” as the names required for verification to work.
Set the TTL as low as your provider will allow, and then it’s just a case of waiting until the verification links provided by sslforfree return the correct message. The wait should be roughly equal to the TTL you’ve set.
Once you see “TXT Record(s) Found” in the verification links (you can ignore any warning about TTL) and the values match, click “Download SSL Certificate”.
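The name-field pitfall and the TXT comparison from the steps above, as an added shell example that is not part of the original post. `example.com` is a placeholder zone and the function names are hypothetical; `check_live` is the only part that needs network access and `dig`.

```shell
#!/bin/sh
# Added example: offline helpers for the DNS (TXT) verification step.
# example.com is a constructed placeholder; function names are hypothetical.

# FQDN the provider publishes when it auto-appends the zone to the name field.
published_name() {
  local field zone
  field="${1%.}"; zone="${2%.}"
  printf '%s.%s\n' "$field" "$zone"
}

# True when the zone ends up in the name twice (typed in AND auto-appended).
is_doubled() {
  case "$1" in
    *".${2%.}.${2%.}") return 0 ;;
  esac
  return 1
}

# True when `dig +short TXT <name>` output (one quoted value per line)
# contains exactly the expected verification value.
txt_has_value() {
  local expected line
  expected="$1"
  while IFS= read -r line; do
    line="${line#\"}"; line="${line%\"}"
    [ "$line" = "$expected" ] && return 0
  done <<EOF
$2
EOF
  return 1
}

# Live lookup (needs network and dig): check_live _acme-challenge example.com VALUE
check_live() {
  txt_has_value "$3" "$(dig +short TXT "$(published_name "$1" "$2")")"
}

# Demo on constructed input: the third name field repeats the zone.
ZONE="example.com"
for field in "_acme-challenge" "_acme-challenge.www" "_acme-challenge.$ZONE"; do
  fqdn="$(published_name "$field" "$ZONE")"
  if is_doubled "$fqdn" "$ZONE"; then
    echo "$fqdn  <- zone doubled: remove it from the name field"
  else
    echo "$fqdn  ok"
  fi
done
```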
It will take a moment to generate the certificate files. On the next page, sign up for expiry notification if you like, and then click “Download All SSL Certificate Files”.
You’ll download a zip that contains “certificate.crt” and “private.key” (we won’t be concerned with “ca_bundle.crt”). You will need to upload these to your Pi. The easiest way to do this is via FTP. Below is a quick guide for installing and enabling FTP on your Pi:
Once you have FTP enabled, you can connect via an FTP client (FileZilla for example) and upload the certificate.crt and private.key files to your newly created FTP folder. I’d recommend renaming the files first, to yourdomain.crt and yourdomain.key.
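A check worth running on the Pi once the two files are uploaded, as an added example that is not part of the original post: it confirms the certificate and private key belong together, that the certificate is not about to expire, and that the key is readable only by its owner. The function names and the 30-day threshold are assumptions; it requires the `openssl` command-line tool.

```shell
#!/bin/sh
# Added example: sanity checks on the uploaded certificate and private key.
# Function names and the 30-day threshold are assumptions, not from the post.

# Succeeds only if the certificate's public key equals the public key
# derived from the private key (works for RSA and EC keys).
cert_matches_key() {
  local cert_pub key_pub
  cert_pub="$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)" || return 2
  key_pub="$(openssl pkey -in "$2" -pubout 2>/dev/null)" || return 2
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if the certificate will still be valid N days from now.
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Restrict the private key to its owner and print the resulting mode string.
lock_down_key() {
  chmod 600 "$1" && ls -ld "$1" | cut -c1-10
}

# Usage: sh check_cert.sh yourdomain.crt yourdomain.key
if [ "$#" -eq 2 ]; then
  if cert_matches_key "$1" "$2"; then
    echo "certificate and key match"
  else
    echo "MISMATCH or unreadable file: do not install this pair"
  fi
  valid_for_days "$1" 30 || echo "certificate expires within 30 days"
  echo "key permissions now: $(lock_down_key "$2")"
fi
```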
Once uploaded, you will need to enable SSL for your site, and upload the keys to the correct directory. Below is an excellent guide by Brian Boucheron to do just that. Until I found this guide I was struggling to get my certs working. Follow this guide to the letter, starting from Step 2, and you should be up and running without any problems. Step 3, adjusting the firewall, will not be relevant to us.
Your site should now be available via HTTPS, with a secure padlock next to your domain:
You can click the padlock, select Certificate, and view further details on the certificate, such as the CA, expiry date and encryption details:
At this stage, you should have a fully working, self-hosted, SSL-secured WordPress site. Congratulations! But was it worth it?! Only you can decide that, and if it’s worth maintaining going forward, but I’ll give my thoughts in the next and final part.