As I just wrote in a blog post before, Let’s encrypt just launched the beta test. In the beta phase your whitelisted domains will gain a valid certificate for 90 days, but this duration will be increased soon. So it is time to set the certificate up and make the web more secure.

As the „automatic“ script offered by Let’s encrypt isn’t compatible with the Bitnami WordPress Amazon Machine Image (AMI), which I am currently utilizing to host this website, here are the necessary steps to get your certificated installed and working on a Ubuntu 14.04 Bitnami instance on Amazon AWS:

1. Get the necessary scripts from github:
   git clone https://github.com/letsencrypt/letsencrypt

   1	git clone https://github.com/letsencrypt/letsencrypt

   1. If you haven´t installed git, just download the current version of the ACME script and extract it on your server:
      wget https://github.com/letsencrypt/letsencrypt/archive/master.zip unzip master.zip

      1 2	wget https://github.com/letsencrypt/letsencrypt/archive/master.zip unzip master.zip

2. Change your active directory to the newly created:
   cd letsencrypt

   1	cd letsencrypt

3. First we will stop the Bitnami / WordPress stack:
   sudo /opt/bitnami/ctlscript.sh stop

   1	sudo /opt/bitnami/ctlscript.sh stop

   This step should work with all Bitnami instances.
4. Start the ACME client with the production URL as an option from the command line.
   sudo ./letsencrypt-auto --agree-dev-preview --server \ https://acme-v01.api.letsencrypt.org/directory auth

   1 2	sudo ./letsencrypt-auto --agree-dev-preview --server \ https://acme-v01.api.letsencrypt.org/directory auth

   When you call the script, there might be some updates that will be installed during bootstrapping. The script is written in Python and you might need root rights to install all necessary dependencies.

   You can only get a certificate when your domains are whitelisted at Let´s encrpyt during the beta phase.

5. Then you need to enter your mail address. I took the same one I registered with to the beta test.

Now enter the domain names you would like to get a certificate for. Please keep in mind, that only those domain names are valid, that are already registered and white listed at Let’s Encrypt

If you get the following information displayed, you need to stop the https services first.

Finally, you need to agree to the Terms of Services to be enabled to use the free SSL certificated from Let’s Encrypt.

After finishing the steps above, you will get feedback on the console where you can find your certificates:

IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at /full/path/seiler.it/fullchain.pem. Your cert will expire on 2016-01-30. To obtain a new version of the certificate in the future, simply run Let's Encrypt again.

1 2 3 4 5

IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at    /full/path/seiler.it/fullchain.pem. Your cert will    expire on 2016-01-30. To obtain a new version of the certificate in    the future, simply run Let's Encrypt again.

In this directory you can find the following files:
cert.pem,  chain.pem,  fullchain.pem and privkey.pem
You should get a copy of the certificates to a local folder on your computer.

Now we need to add these certificates to the Bitnami AMI.  Just edit your httpd confic file and double check, that you added all certificates the right way:

sudo nano /path/to/apps/<your_application>/conf/httpd-vhosts.conf and /path/to/apps/apache2/conf/bitnami/bitnami.conf

1	sudo nano /path/to/apps/<your_application>/conf/httpd-vhosts.conf and /path/to/apps/apache2/conf/bitnami/bitnami.conf

In my case that would be:  /path/to/bitnami/apps/wordpress/conf/httpd-vhosts.conf and   /path/to/bitnami/apache2/conf/bitnami/bitnami.conf This step should work on all Bitnami instances relying on Apache.
In the  httpd-vhosts.conf I changed the  <VirtualHost> settings of the three  SSLCertificateFile* parameters to point to the correct location of the newly signed certificates. You do not need to care about the file types of the certificates (.pem). Those will just work as they only contain plain text. The overall section will look like the following lines:

<VirtualHost *:443> ServerName seiler.it ServerAlias www.seiler.it DocumentRoot "/path/to/htdocs" SSLEngine on SSLCertificateFile "/path/to/cert.pem" SSLCertificateKeyFile "/path/to/privkey.pem" SSLCertificateChainFile "/path/to/fullchain.pem" Include "/path/to/conf/httpd-app.conf" </VirtualHost>

1 2 3 4 5 6 7 8 9 10

<VirtualHost *:443>     ServerName seiler.it     ServerAlias www.seiler.it     DocumentRoot "/path/to/htdocs"     SSLEngine on     SSLCertificateFile "/path/to/cert.pem"     SSLCertificateKeyFile "/path/to/privkey.pem"     SSLCertificateChainFile "/path/to/fullchain.pem"     Include "/path/to/conf/httpd-app.conf" </VirtualHost>

In the  bitnami.conf I changed changed the same lines

<VirtualHost _default_:443> DocumentRoot "/opt/bitnami/apache2/htdocs" SSLEngine on SSLCertificateFile "/path/to/cert.pem" SSLCertificateKeyFile "/path/to/privkey.pem" SSLCertificateChainFile "/path/to/fullchain.pem" [/fusion_builder_column][fusion_builder_column type="1_1" background_position="left top" background_color="" border_size="" border_color="" border_style="solid" spacing="yes" background_image="" background_repeat="no-repeat" padding="" margin_top="0px" margin_bottom="0px" class="" id="" animation_type="" animation_speed="0.3" animation_direction="left" hide_on_mobile="no" center_content="no" min_height="none"][...] </VirtualHost>

1 2 3 4 5 6 7 8

<VirtualHost _default_:443>   DocumentRoot "/opt/bitnami/apache2/htdocs"   SSLEngine on   SSLCertificateFile "/path/to/cert.pem"   SSLCertificateKeyFile "/path/to/privkey.pem"   SSLCertificateChainFile "/path/to/fullchain.pem" [/fusion_builder_column][fusion_builder_column type="1_1" background_position="left top" background_color="" border_size="" border_color="" border_style="solid" spacing="yes" background_image="" background_repeat="no-repeat" padding="" margin_top="0px" margin_bottom="0px" class="" id="" animation_type="" animation_speed="0.3" animation_direction="left" hide_on_mobile="no" center_content="no" min_height="none"][...] </VirtualHost>

 

In the next step save and restart your hosting services:

sudo /opt/bitnami/ctlscript.sh start

1	sudo /opt/bitnami/ctlscript.sh start

There should be no error or warning displayed on the console.

Edit your  wp-config.php  and change your default host to https://

//define('WP_SITEURL', 'http://seiler.it'); //define('WP_HOME', 'http://seiler.it'); define('WP_SITEURL', 'https://seiler.it'); define('WP_HOME', 'https://seiler.it');

1 2 3 4 5

//define('WP_SITEURL', 'http://seiler.it'); //define('WP_HOME', 'http://seiler.it');   define('WP_SITEURL', 'https://seiler.it'); define('WP_HOME', 'https://seiler.it');

Now you should check your domain, if it is working with https://

You might see some (or a lot, when unlucky) of mixed content warnings in the developer console of your browser, and your server might not load all images / other content. These are caused by references to „unsecure“ destinations where your images or other content like CSS and JavaScript files are loaded from. For instance, in you WordPress theme you might have set up a referenes to a logo or for other images / content, that are utilizing complete URLs, starting with http:// and not just relative paths. As this „problem“ can get quite complex I am linking here some pages that deal with the mixed content warning that might help you with a solution:

1. https://css-tricks.com/moving-to-https-on-wordpress/
2. http://www.smartinternetlifestyle.com/how-to-redirect-http-to-https-on-wordpress/
3. http://www.redirect301.de/weiterleitung-http-nach-https.html
4. http://designmodo.com/wordpress-https/
5. https://www.webongo.de/wordpress-https-umstellen/ (German language)

If everything is fine, we are going finally to update your .htaccess file. Just add the following to the very beginning of the file:

RewriteEngine On RewriteCond %{HTTPS} !=on RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

1 2 3

RewriteEngine On RewriteCond %{HTTPS} !=on RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

About certificate renewals and life times

Taken from the Email about the beta phase of Let’s encrypt, here are information about the current life time of certificates and how to deal with this short life time:

Certificates from Let’s Encrypt are valid for 90 days. We recommend renewing them every 60 days to provide a nice margin of error. As a beta participant, you should be prepared to manually renew your certificates at that time. As we get closer to General Availability, we hope to have automatic renewal tested and working on more platforms, but for now, please play it safe and keep track.