How to Setup HTTPS + SSL Certificates and Achieve A+ Support with Trellis

HTTPS should be enabled everywhere by default. Google has been pushing for HTTPS everywhere for a while, and even uses HTTPS as a ranking signal.

Trellis scores an A+ on the Qualys SSL Labs Test when used with a solid SSL certificate.

SSL Labs A+ result

Have a solid certificate

The first step of having a proper SSL setup is having a solid certificate. We use Comodo SSL certificates, and recommend purchasing a wildcard certificate in order to handle both www and non-www requests to your site.

Before you purchase an SSL certificate you’ll need to generate a private key and CSR file. The CSR file contains content that the certificate authority will ask for, including:

  • Country name, state/province, city
  • Organization name
  • Common name (domain name)
  • Email address

Run the following command to generate a CSR file:

openssl req -new -newkey rsa:2048 -nodes -keyout example_com.key -out example_com.csr

If you’re purchasing a wildcard certificate, make sure to use * as the common name.

After entering in your information you’ll end up with two files:

  • example_com.csr — the CSR file
  • example_com.key — the private key, which is used when provisioning your server with Trellis

Once you’ve provided Comodo with the CSR file and purchased your certificate, you will receive an email containing the certificate in text format as well as a zip file that contains the certificate file along with the bundle.

In order to get an A+ score on the SSL Labs test, ignore the bundle from the email and head over to After pasting or uploading your certificate into this site, it will return a certificate that you can download with the appropriate chain.

Using the SSL certificate with Trellis

The Trellis SSL documentation covers how to setup your WordPress site with your new certificate.

On your local machine, create a ssl directory in your homedir (~/ssl/) if it doesn’t already exist. Make sure there’s two files in there:

  • example_com.key — the private key that was generated when you created your CSR
  • example_com.crt — the certificate with the appropriate chain

Next, edit your WordPress site (group_vars/production/wordpress_sites.yml) to enable SSL and set the cert and key paths:

  enabled: true
  cert: ~/ssl/example_com.crt
  key: ~/ssl/example_com.key

You can now provision (or re-provision) your server to get it up and running with your new certificate:

ansible-playbook server.yml -e env=production

At this point you can head over to the Qualys SSL Labs Test site and check out your A+ rating!

Make sure to renew your certificates before they expire. You can use a website monitoring service, such as, to get notifications when getting close to the expiration date.

Start the discussion on Roots Discourse

Ready to checkout?