How to Set Up Let’s Encrypt SSL for WordPress on Apache Behind a Firewall

Securing your WordPress website with SSL is essential for protecting user data and improving your site’s trustworthiness. Let’s Encrypt offers free SSL certificates that are easy to set up. If your server is running Apache, hosting WordPress, and is protected by a firewall, follow this simple guide to install Let’s Encrypt SSL behind your firewall.

Prerequisites

Before you start, ensure you have the following:

  • Ubuntu Server (preferably 18.04 LTS or later)
  • Apache installed and running
  • WordPress set up on your Apache server
  • Firewall enabled (using UFW – Uncomplicated Firewall)
  • Domain Name pointed to your server’s IP address
  • Sudo Access to your server

Installing Certbot for Let’s Encrypt

Certbot is the recommended tool for obtaining Let’s Encrypt SSL certificates.

  1. Update Your Package List:
    sudo apt update
    
  2. Install Certbot and the Apache Plugin:
    sudo apt install certbot python3-certbot-apache -y
    

Configuring the Firewall

Let’s Encrypt must reach your server on port 80 (HTTP) to verify your domain, and visitors reach the site on port 443 (HTTPS) once the SSL certificate is installed, so the firewall has to allow both.

  1. Allow OpenSSH (if not already allowed):
    sudo ufw allow OpenSSH
    
  2. Allow Apache Full Profile: The “Apache Full” UFW profile opens both HTTP (port 80) and HTTPS (port 443).
    sudo ufw allow 'Apache Full'
    
  3. Enable the Firewall (if not already enabled):
    sudo ufw enable
    
  4. Check Firewall Status: Ensure that the correct ports are open.
    sudo ufw status
    

    Example Output:

    Status: active
    
    To                         Action      From
    --                         ------      ----
    OpenSSH                    ALLOW       Anywhere
    Apache Full                ALLOW       Anywhere
    OpenSSH (v6)               ALLOW       Anywhere (v6)
    Apache Full (v6)           ALLOW       Anywhere (v6)
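
The status check in step 4 can be scripted so that a missing port 80 rule is caught before Certbot runs. This is an added example, not part of the original guide; the function name `ufw_web_ports` and the sample output are constructed for illustration, and only ALLOW rules from Anywhere are considered.

```shell
# Report which web ports the `ufw status` rule table allows from Anywhere.
# Usage on a server:  sudo ufw status | ufw_web_ports
ufw_web_ports() {
    # Columns in `ufw status` are separated by runs of two or more spaces.
    awk -F'  +' '
        /^Status: inactive/ { inactive = 1 }
        $2 ~ /^ALLOW/ && $3 ~ /^Anywhere/ {
            to = $1
            sub(/ \(v6\)$/, "", to)            # fold IPv6 rows into the same check
            if (to == "Apache Full")   { p80 = 1; p443 = 1 }
            if (to == "Apache")        { p80 = 1 }    # HTTP-only profile
            if (to == "Apache Secure") { p443 = 1 }   # HTTPS-only profile
            if (to ~ /^[0-9,]+(\/tcp)?$/) {    # numeric rules: 80, 443/tcp, 80,443/tcp
                sub(/\/tcp$/, "", to)
                n = split(to, ports, ",")
                for (i = 1; i <= n; i++) {
                    if (ports[i] == "80")  p80 = 1
                    if (ports[i] == "443") p443 = 1
                }
            }
        }
        END {
            if (inactive)         print "inactive"
            else if (p80 && p443) print "80+443"
            else if (p80)         print "80-only"
            else if (p443)        print "443-only"
            else                  print "none"
        }'
}

# Constructed sample: only HTTPS was opened, so domain validation over
# port 80 (and every later renewal) would fail.
sample_https_only='Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
80/tcp                     DENY        Anywhere'

printf '%s\n' "$sample_https_only" | ufw_web_ports    # prints 443-only
```

Anything other than `80+443` means the firewall section above is not fully applied.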
    

Obtaining and Installing the SSL Certificate

  1. Run Certbot with Apache Plugin: This command will obtain and install the SSL certificate automatically.
    sudo certbot --apache
    
  2. Follow the On-Screen Prompts:
    • Enter Your Email Address: For urgent renewal and security notices.
    • Agree to Terms of Service: Type A to agree.
    • Share Your Email: Choose whether to share your email with the Electronic Frontier Foundation (optional).
    • Select the Domain: Choose the domain you want to secure (e.g., example.com and www.example.com).
  3. Choose Redirect Option: Certbot will ask if you want to redirect HTTP traffic to HTTPS. It’s recommended to choose the redirect option to ensure all traffic is secure.
    • Press 2 to Redirect all traffic to HTTPS.
  4. Completion Message: After successful installation, you’ll see a message like:
    Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/example.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/example.com/privkey.pem
    

Configuring Apache for HTTPS

Certbot usually handles the Apache configuration automatically. However, you can verify and make manual adjustments if needed.

  1. Check the Apache Configuration:
    sudo nano /etc/apache2/sites-available/000-default-le-ssl.conf
    
  2. Ensure the Following Lines Exist:
    <VirtualHost *:443>
        ServerName example.com
        ServerAlias www.example.com
    
        DocumentRoot /var/www/html
    
        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    
        <Directory /var/www/html>
            AllowOverride All
        </Directory>
    
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>
    

    Replace example.com with your actual domain name.

  3. Save and Exit:
    • Press CTRL + O to save.
    • Press Enter to confirm.
    • Press CTRL + X to exit.
  4. Test Apache Configuration:
    sudo apache2ctl configtest
    

    You should see:

    Syntax OK
    
  5. Reload Apache:
    sudo systemctl reload apache2
    

Automating Certificate Renewal

Let’s Encrypt certificates are valid for 90 days, but Certbot sets up automatic renewals.

  1. Check the Renewal Process: Certbot installs a cron job or systemd timer for automatic renewals. To test the renewal process, run:
    sudo certbot renew --dry-run
    

    You should see output indicating a successful renewal test.

  2. Ensure the Renewal Timer is Active (For Systemd):
    sudo systemctl status certbot.timer
    

    Example Output:

    ● certbot.timer - Run certbot twice daily
       Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
       Active: active (waiting) since Mon 2021-01-25 10:00:00 UTC; 1 weeks ago
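
An active timer does not prove that renewals succeed, for example when port 80 is later closed at the firewall. The following added example (not from the original guide) reads the text printed by `sudo certbot certificates` and lists certificates that are invalid or close to expiry. The function name `certs_needing_attention`, the 20-day default threshold and the sample output are assumptions made for illustration.

```shell
# List certificates that are invalid or have fewer than MIN_DAYS left.
# Usage on a server:  sudo certbot certificates | certs_needing_attention 20
certs_needing_attention() {
    min_days=${1:-20}    # assumed threshold; automatic renewal normally
                         # happens well before this point
    awk -v min="$min_days" '
        /Certificate Name:/ { name = $3 }
        # Status is in parentheses, e.g. (VALID: 89 days) or (INVALID: EXPIRED).
        /Expiry Date:/ && match($0, /\((VALID|INVALID): [^)]*/) {
            status = substr($0, RSTART + 1, RLENGTH - 1)
            if (status ~ /^INVALID/) { print name, status; next }
            split(status, part, " ")
            # Under one day left certbot reports hours; treat that as 0 days.
            days = (status ~ /hour/) ? 0 : part[2] + 0
            if (days < min + 0) print name, days " days left"
        }'
}

# Constructed sample of `certbot certificates` output (not from a real server).
sample_certs='Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com
    Expiry Date: 2021-04-25 10:00:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
  Certificate Name: shop.example.com
    Domains: shop.example.com
    Expiry Date: 2021-02-06 10:00:00+00:00 (VALID: 12 days)
    Certificate Path: /etc/letsencrypt/live/shop.example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/shop.example.com/privkey.pem
  Certificate Name: old.example.com
    Domains: old.example.com
    Expiry Date: 2021-01-01 10:00:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/old.example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/old.example.com/privkey.pem'

printf '%s\n' "$sample_certs" | certs_needing_attention 20
```

Any line of output is a certificate whose renewal should be investigated, starting with the firewall rules and `sudo certbot renew --dry-run`.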
    

Testing Your SSL Installation

After installation, verify that your site is secure.

  1. Visit Your Website: Open a web browser and go to https://yourdomain.com.
  2. Check for the Secure Padlock: Look for a padlock icon in the address bar indicating a secure connection.
  3. Use SSL Testing Tools:

    Enter your domain to get a detailed report on your SSL configuration.

Frequently Asked Questions (FAQ)

1. Do I Need to Open Ports 80 and 443 Permanently?

Yes. Let’s Encrypt uses port 80 to verify domain ownership. Keep both ports open to ensure smooth certificate renewals.

2. What If I Can’t Open Port 80?

If port 80 is blocked, Let’s Encrypt won’t be able to verify your domain. Consider switching to the DNS challenge method, although it is more advanced to set up.

3. Can I Manually Renew My Certificate?

Yes. Run the following command:

sudo certbot renew

However, automation is recommended to avoid expiration.

4. What Happens If the Certificate Expires?

Your website will show security warnings to visitors, and HTTPS connections will fail. Renewing the certificate promptly is crucial.

5. Can I Use Let’s Encrypt with Multiple Domains?

Yes. During the Certbot installation, select all the domains you want to secure.

6. Is Let’s Encrypt Really Free?

Yes. Let’s Encrypt provides free SSL certificates, making secure websites accessible to everyone.

7. How Secure Are Let’s Encrypt Certificates?

Let’s Encrypt certificates use the same encryption standards as paid certificates, ensuring strong security.

8. Can I Use Let’s Encrypt with Custom Apache Configurations?

Yes. Let’s Encrypt works with most Apache setups. Ensure your configurations are compatible with Certbot.

9. What Should I Do If Renewal Fails?

Check your firewall settings, ensure ports 80 and 443 are open, and verify the Certbot configuration.

10. Does Let’s Encrypt Support Wildcard Certificates?

Yes. With the DNS challenge method, you can obtain wildcard certificates covering all subdomains.

Conclusion

Setting up Let’s Encrypt SSL for your WordPress site running on Apache behind a firewall enhances your website’s security and trustworthiness. By following this guide, you can effortlessly install and configure SSL certificates, ensuring that your visitors enjoy a secure browsing experience.

Always keep your server and applications updated, monitor your SSL certificate’s status, and maintain your firewall configurations to sustain ongoing security. Embrace the power of free SSL certificates with Let’s Encrypt and take your WordPress site to the next level of security.
