Have a solid certificate
The first step toward a proper SSL setup is a solid certificate. We use Comodo SSL certificates, and recommend purchasing a wildcard certificate in order to handle both www and non-www requests to your site.
Before you purchase an SSL certificate you’ll need to generate a private key and CSR file. The CSR file contains content that the certificate authority will ask for, including:
- Country name, state/province, city
- Organization name
- Common name (domain name)
- Email address
Run the following command to generate a CSR file:
```
openssl req -new -newkey rsa:2048 -nodes -keyout example_com.key -out example_com.csr
```
If you’re purchasing a wildcard certificate, make sure to use `*.example.com` as the common name.
After entering your information you’ll end up with two files:
- `example_com.csr` — the CSR file
- `example_com.key` — the private key, which is used when provisioning your server with Trellis
Once you’ve provided Comodo with the CSR file and purchased your certificate, you will receive an email containing the certificate in text format as well as a zip file that contains the certificate file along with the bundle.
In order to get an A+ score on the SSL Labs test, ignore the bundle from the email and head over to certificatechain.io. After pasting or uploading your certificate into this site, it will return a certificate that you can download with the appropriate chain.
Using the SSL certificate with Trellis
The Trellis SSL documentation covers how to set up your WordPress site with your new certificate.
On your local machine, create an `ssl` directory in your home directory (`~/ssl/`) if it doesn’t already exist. Make sure there are two files in there:
- `example_com.key` — the private key that was generated when you created your CSR
- `example_com.crt` — the certificate with the appropriate chain
Next, edit your WordPress site (`group_vars/production/wordpress_sites.yml`) to enable SSL and set the certificate and key paths:
```
ssl:
  enabled: true
  cert: ~/ssl/example_com.crt
  key: ~/ssl/example_com.key
```
You can now provision (or re-provision) your server to get it up and running with your new certificate:
```
ansible-playbook server.yml -e env=production
```
At this point you can head over to the Qualys SSL Labs Test site and check out your A+ rating!
Make sure to renew your certificates before they expire. You can use a website monitoring service, such as updown.io, to be notified as the expiration date approaches.
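As an added example (not from the article or from Trellis), the script below runs the three checks worth doing before provisioning: that the key in `~/ssl/` belongs to the certificate, that the certificate chains to a trusted CA, and how long it remains valid for the renewal reminder above. It assumes `openssl` is on the PATH; the CA and wildcard certificate are constructed locally so it runs offline.

```shell
#!/bin/sh
# Added example: sanity-check a certificate/key pair before pointing Trellis at it.
# Filenames mirror the article; the CA and leaf below are CONSTRUCTED throwaways.
set -eu
WORK=$(mktemp -d)
KEY="$WORK/example_com.key"; CRT="$WORK/example_com.crt"; CA="$WORK/test_ca.crt"

# Constructed test CA plus a wildcard leaf signed by it (stands in for the
# Comodo certificate with the chain that certificatechain.io returns).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Constructed Test CA" \
  -keyout "$WORK/test_ca.key" -out "$CA" >/dev/null 2>&1
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=*.example.com" \
  -keyout "$KEY" -out "$WORK/example_com.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/example_com.csr" -CA "$CA" -CAkey "$WORK/test_ca.key" \
  -CAcreateserial -days 30 -out "$CRT" >/dev/null 2>&1

# 1. The private key must belong to the certificate: compare their public keys.
key_matches_cert() {
  a=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  b=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# 2. The certificate must chain to a trusted root (here, the constructed CA);
#    with a real cert, point -CAfile at the system trust store or the chain file.
chain_verifies() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# 3. Succeeds only if the certificate stays valid for at least $2 more days.
valid_for_days() { openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; }

key_matches_cert "$KEY" "$CRT" && echo "key matches certificate"
chain_verifies "$CRT" "$CA" && echo "chain verifies"
valid_for_days "$CRT" 14 && echo "more than 14 days of validity left" || echo "renew soon"
```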