Question

Wordpress One Click Install - How can I get SSL working?

Posted February 20, 2020
Tags: WordPress, One-Click Install Apps

I have a WordPress site running at http://kinuenagata.com and I’m trying to get SSL to work on it, but to no avail. I set up the site using the WordPress One Click installation on Ubuntu option when I created my droplet.

FYI: I originally set up the droplet using another domain and changed it, more info on that at the end.

Here’s what I’ve done:

First I got an SSL certificate

  1. Generated a CSR based on the instructions here in the section under Generate a CSR and Private Key (for the common name I used “www.kinuenagata.com”)
  2. Purchased it through dynadot, where my domains are registered
  3. Received the certificate as text, not as a download, so I used nano on SSH to create a .crt file and pasted the certificate text into it and saved it. (I received an AlphaSSL certificate with no intermediate certificate)
  4. Moved the .csr, .crt, and .key files into /etc/apache2/ssl after creating the directory.

Next I tried to set up the SSL certificate on the Digital Ocean server

  1. Made a backup and modified the “000-default.conf” file as per the same instructions as earlier (Using the steps in the “Install Certificate On Web Server” under the “Apache” section)

It now looks like this:

# Added to mitigate CVE-2017-8295 vulnerability
UseCanonicalName On

<VirtualHost *:80>
        ServerName kinuenagata.com
        Redirect permanent / https://kinuenagata.com/
</VirtualHost>

<VirtualHost *:443>
        ServerAdmin webmaster@localhost

        ServerName kinuenagata.com
        ServerAlias www.kinuenagata.com

        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/www.kinuenagata.com.crt
        SSLCertificateKeyFile /etc/apache2/ssl/www.kinuenagata.com.key

        DocumentRoot /var/www/html

        <Directory /var/www/html/>
            Options FollowSymLinks
            AllowOverride All
            Require all granted
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
  2. Enabled the Apache SSL module with sudo a2enmod ssl
  3. Restarted Apache with sudo service apache2 restart

And the current result is that it doesn’t work

Something that may be affecting this

The droplet was originally created using the Wordpress One Click install with the domain name of kinucommunication.com (not kinuenagata.com).

I found instructions online about how to change the domain name of the WordPress site here, which basically said to go to the functions.php file of my theme and then add:

update_option( 'siteurl', 'http://example.com' );
update_option( 'home', 'http://example.com' );

And then after it finishes remove that from the php file and you’re done.

I bring this up because I have some reservations about this method, even though it is suggested by WordPress.org itself. The reason being that when I log into the server via SSH, I’m logged in as root@kinucommunication.

Also, when I tried using certbot as suggested on the WordPress One Click install information page (even though I’m not looking to use Let’s Encrypt), it didn’t work. And I got this prompt:

Which names would you like to activate HTTPS for?

1: kinucommunication.com
2: www.kinucommunication.com

Which is based on the original domain name that I set before changing it.

Let me know if you need more details

I really hope to get everything set up correctly!

2 answers

Hi @raimanau,

It’s my pleasure to answer your question. I can’t see what’s wrong with your configuration, so if you don’t mind, I want to tell you all the steps to deploy SSL on Apache.

First you need to get your cert, which should be like this:

1_root_bundle.crt  # root ca & middle ca
2_xxx.xxx.xxx.crt  # domain cert
3_xxx.xxx.xxx.key  # private key

You said you didn’t receive your middle ca, and I know what you have experienced. You can download your middle ca on this site:
https://certificatechain.io/
This tool works when your cert chain is broken. So now please just deploy the cert with middle ca, we will fix it soon.

Then, it’s time to configure the 000-default.conf file.
In the /etc/apache2 directory, there are two related directories sites-available and sites-enable.d. We can find under the sites-enabled directory a file 000-default.conf. Actually this is a soft link to the sites-ssl/000-default.conf file. We need to configure another SSL certificate. We need to rely on another file, which is default-ssl.conf. First, we need to set a soft link and link this file to the sites-enabled folder:

ln -s /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/000-default-ssl.conf

Then modify this file 000-default-ssl.conf; because a soft link has already been made, modifying 000-default-ssl.conf or default-ssl.conf is in fact the same.

This file looks like this before it was modified (after removing its own comments):

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost

        DocumentRoot /var/www/html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        SSLEngine on

        SSLCertificateFile  /etc/ssl/certs/ssl-cert-snakeoil.pem
        SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>

    </VirtualHost>
</IfModule>

Then transfer the certificate (3 files) you downloaded to your customized directory. Then we need to modify it to this:

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin add your mail here

        DocumentRoot /var/www/ # where your site is located
        ServerName add your domain here

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        SSLEngine on
        # Attention,you need to add these three lines:
        SSLCertificateFile custom cert path/2_xxx.xxx.xxx.crt
        SSLCertificateKeyFile custom cert path/3_xxx.xxx.xxx.key
        SSLCertificateChainFile custom cert path/1_root_bundle.crt

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>
    </VirtualHost>
</IfModule>

Name                     Function
SSLEngine on             enable SSL function
SSLCertificateFile       domain certificate file
SSLCertificateKeyFile    private key file
SSLCertificateChainFile  certificate chain file

Save it after changing it.

Then, we load the Apache2 SSL module:

sudo a2enmod ssl              # load
sudo service apache2 restart  # restart

At this point, enter https:// plus your domain name in your browser and you should already be able to access the site through https. At this time, the browser should already show a small green lock.

But … this is not enough, because if we do not actively enter https:// and just enter the domain name directly, we will land on the ordinary http access on port 80, so we need to force the use of https.

We just need to open the file /etc/apache2/sites-available/000-default.conf and add three lines anywhere inside your <VirtualHost *:80> tag:

RewriteEngine on
RewriteCond   %{HTTPS} !=on
RewriteRule   ^(.*)  https://%{SERVER_NAME}$1 [L,R]

Then save and enable the rewrite module of Apache2:

sudo a2enmod rewrite

then

sudo service apache2 restart

Now you can visit your site with https://, but you will receive the note ‘a broken cert chain’ from the browser. So we can go to the site I mentioned above and type in your domain to get the full cert chain. Then what should you do? Replace the chain file in the custom cert path, the broken one, with the new one you just got. Then

sudo service apache2 restart

DONE!

If there are still any other questions, feel free to reply to this answer and I will try my best to help you.

Wishing you all the best!
Shiroka
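The checks below are an added example for the deployment described in this answer, not code from the answer or from DigitalOcean: given the leaf cert, its private key, the intermediate+root bundle and the domain (all passed as placeholders on the command line), it confirms the key belongs to the cert, the bundle validates the chain, the name matches, and what the running server actually serves.

```sh
#!/bin/sh
# Added example, not code from the thread: sanity checks for the three files
# laid out above (leaf cert, private key, intermediate+root bundle).
# Paths and the domain are placeholders passed on the command line; nothing
# here edits Apache config.
# Usage: sh check_ssl.sh /etc/apache2/ssl/2_xxx.crt /etc/apache2/ssl/3_xxx.key \
#                        /etc/apache2/ssl/1_root_bundle.crt www.example.com
set -eu

# 1. Does the private key belong to the certificate? Compare public-key digests.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# 2. Does the bundle (intermediate first, root last) lead from the leaf to a root?
#    A failure here is what the browser reports as a broken certificate chain.
chain_validates() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# 3. Is the hostname covered by the certificate's SAN or CN? A mismatch against a
#    placeholder subject means Apache is still serving a default certificate.
name_matches() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q " does match "
}

# 4. Subject/issuer of every certificate in a bundle: each issuer must equal the
#    subject of the next entry, otherwise the intermediate and root are swapped.
list_chain() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

main() {
  cert=$1 key=$2 bundle=$3 host=$4
  key_matches_cert "$cert" "$key" && echo "ok: key matches cert" || echo "FAIL: key/cert mismatch"
  chain_validates "$cert" "$bundle" && echo "ok: chain validates" || echo "FAIL: broken chain"
  name_matches "$cert" "$host" && echo "ok: name matches $host" || echo "FAIL: name mismatch"
  echo "--- bundle order ---"; list_chain "$bundle"
  # What the running server actually hands out; compare its subject with the file.
  echo "--- served by $host:443 ---"
  openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null |
    openssl x509 -noout -subject -issuer
}

if [ "$#" -eq 4 ]; then main "$@"; fi
```

If the last section shows a subject that is not your domain, the 443 vhost Apache actually loaded is not the one pointing at your files.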

  • Hi @Shiroka and thank you so much for all your help so far!

    I tried what you mentioned, but I couldn’t do everything.

    When I pasted my certificate at Certificatechain.io, I got an error saying “this is not a valid certificate.”

    Also, the unmodified version of my default-ssl.conf looks a bit different from yours. It looks like this:

    UseCanonicalName On
    
    <VirtualHost *:80>
            ServerAdmin webmaster@localhost
    
            ServerName kinucommunication.com
            ServerAlias www.kinucommunication.com
    
            DocumentRoot /var/www/html
    
            <Directory /var/www/html/>
                Options FollowSymLinks
                AllowOverride All
                Require all granted
            </Directory>
    
            ErrorLog ${APACHE_LOG_DIR}/error.log
            CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>
    
    

    So I changed it to look like this (I changed the order to match yours more closely as well):

    UseCanonicalName On
    
    <VirtualHost _default_:443>
            ServerAdmin webmaster@kinuenagata.com
    
            DocumentRoot /var/www/html
            ServerName kinuenagata.com
            ServerAlias www.kinuenagata.com
    
            ErrorLog ${APACHE_LOG_DIR}/error.log
            CustomLog ${APACHE_LOG_DIR}/access.log combined
    
            SSLEngine on
            SSLCertificateFile /etc/apache2/ssl/www.kinuenagata.com.crt
            SSLCertificateKeyFile /etc/apache2/ssl/www.kinuenagata.com.key
            # paths must be absolute: Apache resolves a relative path against ServerRoot (/etc/apache2)
            # Problem? See note below.
    
            <Directory /var/www/html/>
                Options FollowSymLinks
                AllowOverride All
                Require all granted
            </Directory>
    
    
    </VirtualHost>
    
    

    You advised to add SSLCertificateChainFile custom cert path/1_root_bundle.crt but I don’t think I have the 1_root_bundle.crt anywhere, so I didn’t add it. Is that ok?

    Also, wasn’t sure if I should add/change:

            <FilesMatch "\.(cgi|shtml|phtml|php)$">
                    SSLOptions +StdEnvVars
            </FilesMatch>
            <Directory /usr/lib/cgi-bin>
                    SSLOptions +StdEnvVars
            </Directory>
    

    Because I didn’t have it in the original file like yours.

    I look forward to your response!!! You are really helpful! Thank you!

    • Hi,

      Actually, you can bind your intermediate ca and signed ca (root ca) into one cert file; just copy the intermediate ca file from BEGIN CERTIFICATE to END CERTIFICATE.

      Then you get a cert chain with two ca bound. Remember to paste the intermediate ca above the root ca. As for your broken middle ca, here are two samples I quoted from the AlphaSSL site, you can try them:


      You said you don’t have the 1_root_bundle.crt; it is just the composite of the intermediate and root ca I mentioned above.

      As for the <FilesMatch "\.(cgi|shtml|phtml|php)$">
      SSLOptions +StdEnvVars
      </FilesMatch>
      <Directory /usr/lib/cgi-bin>
      SSLOptions +StdEnvVars
      </Directory>

      The https won’t stop if you clear it. So you can take it out for sure.

      If all my suggestions still can’t work, you can search these keywords with Google: Mozilla SSL configuration generator. It will give you suitable advice. And at last, if you choose to use that, please select MODERN mode, because the other modes include the SSL3 protocol, which is now abandoned.

      Regards,
      Shiroka

      • Thanks again @Shiroka !! I really, really appreciate how much you are helping me. And I hope I can get everything working soon!

        Before I go any further, I want to confirm that I have the correct steps. Would that be ok?

        Steps to getting a site a SSL enabled

        Create a website with a domain

        1. Set up domain enabled website (in this case WordPress)

        Get SSL certificates

        1. Generate a Certificate Signing Request and Private Key on the server
          -> 3_xxx.xxx.xxx.key in your instructions
        2. Use the CSR to purchase a Trusted CA Signed SSL Certificate
          -> 2_xxx.xxx.xxx.crt in your instructions
        3. Get the Root Certificate from the Domain Certificate issuer (in my case from the AlphaSSL website)
        4. Get the Intermediate Certificate from the Domain Certificate issuer as well (in my case also from the AlphaSSL website)
        5. Concatenate the Root Certificate and Intermediate Certificate using a service like: Certificatechain.io
          -> 1_root_bundle.crt in your instructions

        Install certificates on web server

        1. Create a soft link between /etc/apache2/sites-available/000-default.conf and /etc/apache2/sites-enabled/000-default.conf
        2. Modify /etc/apache2/sites-enabled/000-default.conf
          a. Change VirtualHost from port 80 to 443
          b. Change ServerAdmin
          c. Change ServerName
          d. Add SSLEngine on
          e. Add SSLCertificateFile with custom cert path
          f. Add SSLCertificateKeyFile with custom cert path
          g. Add SSLCertificateChainFile custom cert path
        3. Load Apache2 SSL module
        4. Restart Apache2 server

        Configure web server to always use HTTPS

        1. Modify /etc/apache2/sites-available/000-default.conf with the new rules
        2. Start the redirection
        3. Restart Apache2

        Are those steps correct?

        New problem

        When checking the site using the analyzer at SSLlabs.com, I got a message that says: Certificate name mismatch. And it said that the domain name extracted from the certificate was: WordPressa00354jkns201908162f1827

        Thanks again for all your time so far. I truly appreciate it.

        • Hi,

          On the whole you are right, but with a little fault. The 5th step in the GET SSL CERT part shows you understood my meaning wrongly. If your cert is full and you don’t find any problems after checking with SSLLABS, you can take this step away. The step shall only be used when you have configured your cert but the browser shows ERRBROKENCERTIFICATE_CHAIN; you can view this site to get a proper cert chain.

          The new problem may be that you deployed the default SSL. Maybe you didn’t save each file after changing it. Please check whether you have done so. Otherwise you can assign a new path for the cert; anywhere is ok, just don’t expose them somewhere the public can visit.

          Regards,
          Shiroka

Sorry, I typed some wrong words because I wanted to help you as fast as I could. Now I have to note them.

  1. In the paragraph with the only link of a cert tool, you can find this: So now please just deploy the cert with middle ca, we will fix it soon. This should be changed to this: So now please just deploy the cert without middle ca, we will fix it soon.

  2. In the next paragraph, which is below the paragraph mentioned, I wrote: In the /etc/apache2 directory, there are two related directories sites-available and sites-enable.d. However, there is no d. So the right one can be: In the /etc/apache2 directory, there are two related directories sites-available and sites-enable.

Kind regards,
Shiroka

  • Thank you for such detailed instructions and the further correction!!!!! I am going to apply this later tonight and I will let you know how it goes!!!

  • Regarding #2,

    When I look at my /etc/apache2 directory, I have:

    • sites-available
    • sites-enabled

    Is that because I used the command you mentioned in the original post which contains the d?

    ln -s /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/000-default-ssl.conf
    

    Thanks again!

    • No, no, it’s my fault, you are right. These two are there once the Apache service is installed. Just keep on; the right one should be sites-enabled.

      • Got it! Thank you again!

        Actually, I wrote a longer response after trying the steps that you gave me, but the comment is under review by the moderation team (maybe because of the external link I posted). So hopefully we’ll see that soon!
