Wordpress One Click Install - How can I get SSL working?

Question

I have a Wordpress site running at http://kinuenagata.com and I’m trying to get SSL to work on it but with no avail. I set up the site using the Wordpress One Click installation on Ubuntu option when I created my droplet.

FYI: I originally set up the droplet using another domain and changed it, more info on that at the end.

Here’s what I’ve done:

First I got an SSL certificate

Generated a CSR based on the instructions here in the section under Generate a CSR and Private Key (For common name I used “www.kinuenagata.com”
Purchased it through dynadot, where my domains are registered
Received the certificate as text, not as a download, so I used nano on SSH to create a .crt file and pasted the certificate text into it and saved it. (I received an AlphaSSL certificate with no intermediate certificate)
Moved the .csr .crt and .key files into /etc/apache2/ssl after creating the directory.

Next I tried to set up the SSL certificate on the Digital Ocean server

Made a backup and modified the “000-default.conf” file as per the same instructions as earlier (Using the steps in the “Install Certificate On Web Server” under the “Apache” section)

It now looks like this:

# Added to mitigate CVE-2017-8295 vulnerability
UseCanonicalName On

<VirtualHost *:80>
        ServerName kinuenagata.com
        Redirect permanent / https://kinuenagata.com/
</VirtualHost>

<VirtualHost *:443>
        ServerAdmin webmaster@localhost
        
        ServerName kinuenagata.com
        ServerAlias www.kinuenagata.com
        
        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/www.kinuenagata.com.crt
        SSLCertificateKeyFile /etc/apache2/ssl/www.kinuenagata.com.key

        DocumentRoot /var/www/html

        <Directory /var/www/html/>
            Options FollowSymLinks
            AllowOverride All
            Require all granted
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Enabled the Apache SSL module with sudo a2enmod ssl
Restarted Apache with sudo service apache2 restart

And the current result is that it doesn’t work

If I try going to either https://kinuenagata.com or https://www.kinuenagata.com, I get “ERR_SSL_PROTOCOL_ERROR”
I tried testing the site on SSL Labs and it says “Assessment failed: No secure protocols supported”

Something that may be affecting this

The droplet was originally created using the Wordpress One Click install with the domain name of kinucommunication.com (not kinuenagata.com).

I found instructions online about how to change the domain name of the wordpress site here, which basically said to go to the functions.php file of my theme and then add:

update_option( 'siteurl', 'http://example.com' );
update_option( 'home', 'http://example.com' );

And then after it finishes remove that from the php file and you’re done.

I bring this up because I have some reservations about this method, even though it is suggested by Wordpress.org itself. The reason being that when I log into the server via SSH, I’m logged in as root@kinucommunication.

Also, when I tried using certbot as suggested on the Wordpress One Click install information page (even though I’m not looking to use Let’s Encrypt), it didn’t work. And I got this prompt:

Which names would you like to activate HTTPS for?

1: kinucommunication.com 2: www.kinucommunication.com

Which is based on the original domain name that I set before changing it.

Let me know if you need more details

I really hope to get everything set up correctly!

Shiroka Arukas · Answer

Sorry,I have typed some wrong words for I want to help you as fast as I can.Now I have to note them.

In the paragraph with the only link of a cert tool,you can find this: So now please just deploy the cert with middle ca,we will fix it soon. This should be changed to this: So now please just deploy the cert without middle ca,we will fix it soon.
In the next paragraph,which is below the paragraph mentioned,I talked In the /etc/apache2 directory, there are two related directories sites-available and sites-enable.d.However,there is no d.So the right one can be: In the /etc/apache2 directory, there are two related directories sites-available and sites-enable.

Kind regards, Shiroka

Shiroka Arukas · Answer

Hi @raimanau , It’s my pleasure to answer your question.I can’t see what’s wrong with your configuration,so if you don’t mind,I want to tell you the whole steps to deploy SSL on apache. First you need to get your cert,which should be like this: 1_root_bundle.crt # root ca & middle ca 2_xxx.xxx.xxx.crt # domain cert 3_xxx.xxx.xxx.key # private key You said you didn’t receive your middle ca,and I know what you have experienced.You can download your middle ca on this site:https://certificatechain.io/ This tool work when your cert chain is broken.So now please just deploy the cert with middle ca,we will fix it soon. Then,it’s time to config the 000-default.conf file.In the /etc/apache2 directory, there are two related directories sites-available and sites-enable.dWe can find under the sites-enabled directory, there is a file 000-default.conf. Actually this is a soft link with sites-ssl/000-default.conf file.We need to configure another SSL certificate. We need to rely on another file, which is default-ssl.conf. First, we need to set a soft link and link this file to the sites-enabled folder: ln -s /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/000-default-ssl.conf Then modify this file 000-default-ssl.conf, because a soft link has already been made, in fact, modifying 000-default-ssl.conf or default-ssl.conf is the same. This file looks like this before it was modified (after removing its own comments): ServerAdmin webmaster@localhost DocumentRoot /var/www/html ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined SSLEngine on SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key SSLOptions +StdEnvVars SSLOptions +StdEnvVars Then transfer the certificate (3 files) downloaded to your customized directory.Then we need to modify it to this: ServerAdmin <^>add your mail here<^> DocumentRoot /var/www/ # where your site is located ServerName <^>add your domain here<^> ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined SSLEngine on # Attention,you need to add these three lines: SSLCertificateFile custom cert path/2_xxx.xxx.xxx.crt SSLCertificateKeyFile custom cert path/3_xxx.xxx.xxx.key SSLCertificateChainFile custom cert path/1_root_bundle.crt SSLOptions +StdEnvVars SSLOptions +StdEnvVars Name Function SSLEngine on enable SSL function SSLCertificateFile domain certificate file SSLCertificateKeyFile private key file SSLCertificateChainFile certificate chain file Save it after changing it. Then, we load the Apache2 SSL module: sudo a2enmod ssl #load sudo service apache2 restart# restart At this point, enter https:// in your browser and your domain name should already be able to access the site through https. At this time, the browser should already have a small green lock. But … this is not enough, because if we do not actively enter https://, if we enter the domain name directly, we will directly jump to the ordinary http access of port 80, so we need to force the use of https to access. We just need to open the file /etc/apache2/sites-available/000-default.conf and add three lines to any place in your tag: RewriteEngine on RewriteCond %{HTTPS} !=on RewriteRule ^(.*) https://%{SERVER_NAME}$1 [L,R] Then save and start the redirection of Apache2 sudo a2enmod rewrite then sudo service apache2 restart Now you can visit your site with https://,but you will receive the note ‘a broken cert chain’ from browser.So we can go to the site I mentioned above and type in your domain to get the full cert chain.Then what should you do?Modify the chain file in the custom cert path from a broken one to a new one you get just now.Then sudo service apache2 restart DONE! If there are still any other questions,welcome to reply to this answer and I will try me best to help you. よかれと祈りつつ！Shiroka

Shiroka Arukas · Answer

Hi @raimanau , It’s my pleasure to answer your question.I can’t see what’s wrong with your configuration,so if you don’t mind,I want to tell you the whole steps to deploy SSL on apache. First you need to get your cert,which should be like this: 1_root_bundle.crt # root ca & middle ca 2_xxx.xxx.xxx.crt # domain cert 3_xxx.xxx.xxx.key # private key You said you didn’t receive your middle ca,and I know what you have experienced.You can download your middle ca on this site:https://certificatechain.io/ This tool work when your cert chain is broken.So now please just deploy the cert with middle ca,we will fix it soon. Then,it’s time to config the 000-default.conf file.In the /etc/apache2 directory, there are two related directories sites-available and sites-enable.dWe can find under the sites-enabled directory, there is a file 000-default.conf. Actually this is a soft link with sites-ssl/000-default.conf file.We need to configure another SSL certificate. We need to rely on another file, which is default-ssl.conf. First, we need to set a soft link and link this file to the sites-enabled folder: ln -s /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/000-default-ssl.conf Then modify this file 000-default-ssl.conf, because a soft link has already been made, in fact, modifying 000-default-ssl.conf or default-ssl.conf is the same. This file looks like this before it was modified (after removing its own comments): ServerAdmin webmaster@localhost DocumentRoot /var/www/html ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined SSLEngine on SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key SSLOptions +StdEnvVars SSLOptions +StdEnvVars Then transfer the certificate (3 files) downloaded to your customized directory.Then we need to modify it to this: ServerAdmin <^>add your mail here<^> DocumentRoot /var/www/ # where your site is located ServerName <^>add your domain here<^> ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined SSLEngine on # Attention,you need to add these three lines: SSLCertificateFile custom cert path/2_xxx.xxx.xxx.crt SSLCertificateKeyFile custom cert path/3_xxx.xxx.xxx.key SSLCertificateChainFile custom cert path/1_root_bundle.crt SSLOptions +StdEnvVars SSLOptions +StdEnvVars Name Function SSLEngine on enable SSL function SSLCertificateFile domain certificate file SSLCertificateKeyFile private key file SSLCertificateChainFile certificate chain file Save it after changing it. Then, we load the Apache2 SSL module: sudo a2enmod ssl #load sudo service apache2 restart# restart At this point, enter https:// in your browser and your domain name should already be able to access the site through https. At this time, the browser should already have a small green lock. But … this is not enough, because if we do not actively enter https://, if we enter the domain name directly, we will directly jump to the ordinary http access of port 80, so we need to force the use of https to access. We just need to open the file /etc/apache2/sites-available/000-default.conf and add three lines to any place in your tag: RewriteEngine on RewriteCond %{HTTPS} !=on RewriteRule ^(.*) https://%{SERVER_NAME}$1 [L,R] Then save and start the redirection of Apache2 sudo a2enmod rewrite then sudo service apache2 restart Now you can visit your site with https://,but you will receive the note ‘a broken cert chain’ from browser.So we can go to the site I mentioned above and type in your domain to get the full cert chain.Then what should you do?Modify the chain file in the custom cert path from a broken one to a new one you get just now.Then sudo service apache2 restart DONE! If there are still any other questions,welcome to reply to this answer and I will try me best to help you. よかれと祈りつつ！Shiroka

Related

Question