Let’s Encrypt

Let’s Encrypt is a new Certificate Authority:
It’s free, automated, and open.
https://letsencrypt.org/

I used the following commands to install the letsencrypt tools on my server and generate a certificate:

git clone https://github.com/letsencrypt/letsencrypt

cd letsencrypt
./letsencrypt-auto -a webroot \
-d www.{{domain-name}} -d {{domain-name}} \
--webroot-path ~{{domain-owner}}/htdocs/ certonly

I enabled the Apache SSL module (a2enmod ssl) and added NameVirtualHost *:443 to ports.conf, then added the following lines to the server configuration for my site:

SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/www.{{domain-name}}/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/www.{{domain-name}}/chain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.{{domain-name}}/privkey.pem
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

The certificate expires after 90 days so I installed a script to automatically renew it and called it at regular intervals from /etc/crontab:

#!/bin/sh
# from https://letsencrypt.org/howitworks/
# Try to renew every certificate that is due; keep all output in a log file.
if ! /root/letsencrypt/letsencrypt-auto renew > /var/log/letsencrypt/renew.log 2>&1 ; then
    # Print the log so cron mails the failure to the administrator, then exit non-zero.
    echo "Automated renewal failed:"
    cat /var/log/letsencrypt/renew.log
    exit 1
fi
# Reload Apache so it picks up the renewed certificate files.
service apache2 reload

The site now scores an A on the Qualys SSL Labs SSL Server Test.

Update: Images were being blocked by Firefox until I updated my WordPress configuration (wp-config.php) to change the protocol to https in the following settings:

define('WP_SITEURL', 'https://' . $_SERVER['SERVER_NAME'] . '{{home-path}}');
define('WP_HOME', 'https://' . $_SERVER['SERVER_NAME'] . '/');
define('WP_CONTENT_URL', 'https://' . $_SERVER['SERVER_NAME'] . '{{content-path}}');

If these are not configured in wp-config.php you will need to update the settings in your WordPress Control Panel under Settings / General / WordPress Address and Settings / General / Site Address.

Tested on Debian Wheezy with Apache 2.2.22 and Debian Jessie with Apache 2.4.10.