How to Set Up Free SSL with Let’s Encrypt and Certbot
Installing an SSL certificate on your domain is an essential step you should take to secure your WordPress site and now with Let’s Encrypt you can get one for free.
An SSL certificate encrypts the connection between your site and your visitors’ browser so hackers can’t intercept and steal personal information. Normally, SSL certificates can be cumbersome to install and can get expensive, but this is changing fast.
Let’s Encrypt is a new open source certificate authority that’s backed by top companies, including Automattic, the folks behind WordPress, as well as Facebook, Mozilla, Chrome, Cisco and Sucuri. The project’s aim is to make installing SSL certificates automated and free for all.
Let’s Encrypt has an automated installer called Certbot that can help you add a certificate to your site in a few minutes or less. Certbot is currently in public beta and you can expect many changes in the official release, but the current version is stable enough for you to try on production sites.
What is Let’s Encrypt, Certbot and SSL?
SSL (Secure Socket Layer) certificates were first created in 1996 to encrypt the connection between a website and its end user so that the data that’s transferred back and forth is secure. Encrypting data means scrambling human readable text into strings of letters and numbers that can only be deciphered with what’s called a secret key. As long as the secret key remains hidden, encrypted data can’t be understood by anyone, which makes it the most secure way to safeguard information over the internet.
You can tell when a site has an SSL certificate installed when you see a green padlock displayed in your browser’s address bar along with an https prefix to the URL of the visited site, rather than the standard http.
SSL certificates are installed on domains and one certificate should be installed per domain.
The site that’s attached to the domain gets secured with encryption when the SSL certificate is active. No matter what browser or device your visitors use to access your site, as long as they enter your site’s URL with https at the beginning, their connection is encrypted and secure.
Using an SSL certificate for your WordPress site means that your data, as well as your users’ data, remains safe from prying eyes. Since WordPress is a particularly large target for hackers due to its popularity and transparency, it’s important to take all the appropriate steps toward securing your site.
While WordPress itself is secure if you have the latest version installed, the more obstacles you can place in a hacker’s way to make their attacks more difficult, the less of a chance there is that your site will be compromised. One of the ways you can add an extra layer of protection to your site is by installing an SSL certificate.
Any site that exchanges information with a visitor, whether it’s an eCommerce site or one that accepts user logins, needs an SSL certificate. Since all WordPress sites require at least one user to log in, it’s recommended that all WordPress sites have an SSL certificate.
For more details on SSL certificates and how they can help secure your site, check out How to Use SSL and HTTPS with WordPress.
Let’s Encrypt is run by the Internet Security Research Group (ISRG), which is a California public benefit corporation and is recognized by the IRS as a tax-exempt organization. It’s a registered Certificate Authority, which means it’s one of the authorized companies able to issue SSL certificates.
It’s an open source project that aims to secure the entire web. Let’s Encrypt saw its official and stable release on April 12, 2016, which made issuing certificates open and available for all public sites and not just staging environments.
Standard certificates are available for free and you aren’t limited to just one, though there is a limit to how many certificates can be issued per week (more on that later).
Installing a certificate through Let’s Encrypt is fast. In fact, it’s a lot quicker than other certificate authorities.
Instead of waiting several hours for your request to be accepted and your certificate to be issued, you can use SSH and the Certbot installer to issue a certificate for your domain in just a few seconds. The entire process from start to finish typically takes a matter of minutes, not hours.
Certbot is an Automatic Certificate Management Environment (ACME) client and became available in public beta on May 12, 2016. Once you install Certbot on your server via SSH, you can then call on its commands to install and authorize SSL certificates.
It was formerly known as the Let’s Encrypt ACME client, but has been recently turned over to the Electronic Frontier Foundation (EFF) to maintain and continue the development of the ACME client. The EFF is a non-profit organization that was founded in 1990 and works to defend civil liberties in the digital world and protect user privacy.
Certbot, in its beta version, is stable enough to use on production sites, but it’s not without bugs so it’s recommended that you run tests thoroughly in a staging environment before installing a certificate on a live site.
According to the Let’s Encrypt and Certbot documentation, you need to meet certain server requirements to install certificates:
“The Let’s Encrypt Client presently only runs on Unix-ish OSes that include Python 2.6 or 2.7; Python 3.x support will hopefully be added in the future …. The Apache plugin currently requires a Debian-based OS with augeas version 1.0; this includes Ubuntu 12.04+ and Debian 7+.”
Nginx support (for Nginx 0.8.48+) is also highly experimental and isn’t included in the beta version of Certbot.
You also need to run Certbot via SSH and you can use your favorite SSH client such as Terminal for Mac OS X and PuTTY for Windows. Don’t forget that Terminal comes pre-installed, but this isn’t the case for PuTTY.
Certbot is normally run as the root user on your server, but if you really don’t want to run it as root, that’s technically possible if you meet certain requirements:
- You don’t use the standalone plugin outlined below, which requires you to bind ports 80 or 443
- You don’t use the nginx plugins that need to modify web server configurations
Even if these do apply to you, it’s still possible not to run Certbot as root by using either letsencrypt-nosudo or simp_le. Keep in mind that these options are not created or maintained by the teams behind Let’s Encrypt and Certbot, so you would be using them at your own risk.
Be sure to exercise the same caution you would when installing plugins in your WordPress site since neither are guaranteed to be maintained indefinitely, be bug-free or see regular updates.
Keep in mind that running Certbot as root may not be possible on shared hosting or on managed VPS and dedicated servers; it depends on your hosting plan and provider. If you’re not sure whether it’s possible, contact your host to find out.
You can also get more details on SSH by checking out A Quick Guide to the Terminal and Command Line Prompt for WordPress.
If you have a CDN enabled on your site through Cloudflare, you may run into errors when installing a certificate. This can be avoided by temporarily suspending Cloudflare; when your certificate has finished installing, you can resume the CDN service.
Limitations and Locations
Certificates are valid for 90 days and don’t renew automatically, but you can automate the renewal process with a command. There are also limits to how many certificates you can install for certain periods of time.
There’s a limit of 500 registrations per IP address per three-hour period, five certificates per domain, and 300 pending authorizations per week. A cap of 100 domains for a single certificate is also in effect.
There’s also a limit of 20 sub-domains and other variations of a single domain per week, and five certificates per Fully Qualified Domain Name (FQDN) set per week. This means that if you were to issue a certificate for up to 20 sub-domains, you could issue four more certificates for the exact same grouping of sub-domains, as long as it doesn’t exceed 20 sub-domains.
For example, if you issue a certificate for your-site.com, www.your-site.com, blog.your-site.com and store.your-site.com you would be able to issue four more certificates for these same domains in one week. Since it would total 20 domains altogether, you would just reach the limit.
On the other hand, if you were to issue a certificate for five domains, you could only issue three more certificates containing the same domains in one week since this would equal 20 domains.
Currently, wildcard and Extended Validation (EV) SSL certificates aren’t available. These types of certificates may be considered in the future, but it’s currently not up for development at the time this was written.
That being said, wildcard certificates aren’t needed all that much since you can install as many certificates as you want as long as you spread them out so you don’t exceed the rate limit.
Where Your Certificates are Located
Your certificates are stored in files on your server. The cert.pem file includes the certificate for your server, the chain.pem file has all your other certificates, and the fullchain.pem file includes all your certificates. Your secret key is stored in privkey.pem and should be kept secret from everyone; otherwise, your certificate can be exploited by hackers.
All these files are located in /etc/letsencrypt/live/domain/. During renewals, /etc/letsencrypt/live/ is updated to reflect the latest changes and files.
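As an added example (not part of the original post), the script below checks a /etc/letsencrypt/live/domain/ directory for the things just described: that cert.pem, chain.pem and privkey.pem are PEM files, that fullchain.pem is exactly cert.pem followed by chain.pem, and, most importantly, that privkey.pem isn’t readable by other users on the server. The file names are the ones Certbot uses; the checking logic and the constructed test files are the editor’s own.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks on one
# /etc/letsencrypt/live/<domain>/ directory. File names match Certbot's
# layout; the checks themselves are the editor's own.

# Return 0 if FILE grants no permissions to group or others (e.g. -rw-------).
# ls -L follows the symlinks Certbot keeps in live/ so the real file is checked.
privkey_is_private() {
    file=$1
    [ -f "$file" ] || return 1
    mode=$(ls -ldL "$file" | cut -c1-10)
    case $mode in
        ????------) return 0 ;;
        *)          return 1 ;;
    esac
}

# Return 0 if FILE contains a PEM block whose type ends with TYPE
# (e.g. CERTIFICATE, or PRIVATE KEY for both "PRIVATE KEY" and "RSA PRIVATE KEY").
pem_has_block() {
    file=$1
    type=$2
    [ -f "$file" ] || return 1
    grep -q "^-----BEGIN .*$type-----" "$file"
}

# Return 0 if fullchain.pem in DIR is byte-for-byte cert.pem + chain.pem.
fullchain_matches() {
    dir=$1
    cat "$dir/cert.pem" "$dir/chain.pem" 2>/dev/null | cmp -s - "$dir/fullchain.pem"
}

# Run every check for one live directory, printing each failure.
# Return 0 only if all checks pass.
check_live_dir() {
    dir=$1
    status=0
    pem_has_block "$dir/cert.pem" CERTIFICATE     || { echo "cert.pem: not a PEM certificate"; status=1; }
    pem_has_block "$dir/chain.pem" CERTIFICATE    || { echo "chain.pem: not a PEM certificate"; status=1; }
    pem_has_block "$dir/privkey.pem" "PRIVATE KEY" || { echo "privkey.pem: not a PEM private key"; status=1; }
    fullchain_matches "$dir"                      || { echo "fullchain.pem: does not equal cert.pem + chain.pem"; status=1; }
    privkey_is_private "$dir/privkey.pem"         || { echo "privkey.pem: readable by group or others"; status=1; }
    return $status
}

# Usage on a real server (run as root so the files are readable):
#   check_live_dir /etc/letsencrypt/live/your-site.com && echo "all checks passed"
```

Run it after each install or renewal; a non-zero exit means something in the directory is wrong, and the message tells you which file. The permission check is the one that matters most: a private key readable by other accounts on a shared server lets anyone with a login there impersonate your site.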
There are some dependencies that need to be installed before adding Certbot. While some OSes have them pre-installed, not all of them do. You can find out if you need to install the dependencies and find the specific command you need by going to the Certbot website.
In the dropdown boxes, select your web server type and operating system to display the additional information you need.
The details are displayed under the dropdown boxes, so scroll down a bit to view the command for installing dependencies. After that’s taken care of, you can go ahead and install Certbot.
The commands to do this are listed on the same page of the Certbot website, underneath the dependencies information. On this page, you should also see commands for automated renewals.
You can go ahead and enter those commands via SSH to install Certbot. Once that’s done, you can start installing SSL certificates.
Installing SSL Certificates
When you’re installing your certificates, you can enter your domains in a chain. This means that you can include all variations of a single domain in one certificate. This is perfect for sub-domains, for example.
Instead of creating a new certificate for every sub-domain, you can create one certificate and include multiple sub-domains as long as you don’t exceed the rate limit explained above.
For example, you could create a certificate for your-site.com, www.your-site.com, blog.your-site.com, store.your-site.com and login.your-site.com.
Keep in mind that you shouldn’t include all your separate sites in one certificate such as your-site.com, domain.com and example.com. A setup like this would issue the certificate under your-site.com and the others listed after it would piggyback off the certificate from the domain listed first.
This causes errors when trying to visit https://domain.com and https://example.com. Your certificate would show up as being invalid and your visitors would see a browser error message telling them it’s not safe to view your site.
To avoid this, make sure your totally different domains all have certificates issued for them separately or include the file path for each site. Keeping this information in mind, you can go ahead and install your certificates without error and more details on this are also explained later on.
Also, when you install your first certificate, you’re asked to enter your email and accept the terms of service. Each time you install a certificate after this initial setup, you won’t need to continue entering your email and accepting the terms.
Method 1: Servers with Native Packages Installed
Some hosting companies such as SiteGround and DreamHost have Let’s Encrypt included in the control panel. If you have this option, you can automatically install certificates by going this route.
Many platforms also have native packages available, which makes installing and issuing certificates easier. Check with your hosting company whether this is the case for the plan you’re on and, if so, check the Certbot website as described above.
The site should list the appropriate commands to install your certificate.
Method 2: Standalone Plugin for Test Sites
Before you install your certificate on a live site, it’s recommended that you first try it out in a test environment. The standalone Certbot plugin can be used for exactly this purpose.
When you use this option, you need to free up port 80 or 443 on your server before installing a certificate. These ports are used to serve your site, and Certbot errors out if the port it needs is still in use.
Port 80 serves your site over plain HTTP and port 443 serves it over SSL, so if you let Certbot use port 443, your visitors can still access your site without HTTPS while you install your certificate.
Since the commands for stopping and restarting the services on these ports vary depending on your operating system, consult your server’s documentation for the appropriate commands.
Once your chosen port is free, add one of the options below to tell Certbot which port to use:
--standalone-supported-challenges http-01 to use port 80
--standalone-supported-challenges tls-sni-01 to use port 443
Next, check the Certbot website for the particular way you should call up Certbot. Replace certbot below with the name of the command you’re asked to use:
In the command above, a single certificate is issued for each group of domains listed, since a path has been set for each group. The /var/www/example webroot directory would be the path for the first two domains, which would be bundled together, and /var/www/other would be the path for the second two.
You can either list one path followed by all your other domains if they’re all related, or you can list a path before each domain to give each of them a completely separate certificate.
With this in mind, be sure to replace what you need, including paths such as /var/www/other and domains such as another.other.example.net, with your own paths and domain names.
Your certificates should be issued at this point once Certbot has finished working and you can test it out before issuing certificates to your live sites with the Webroot Certbot plugin.
Method 3: Webroot Plugin for Production Sites
The Webroot Certbot plugin is excellent for installing and issuing certificates on live sites because you don’t need to close the ports that serve up your site. This means you can issue certificates without needing to worry about bringing your site down while you do it.
Similar to the standalone plugin, check the Certbot website for the particular way you should call up Certbot. Replace certbot below with the name of the command you’re asked to use:
Just as with the standalone plugin, the domains listed after a path are issued a single certificate. In the example above, example.com is issued one certificate under the path /var/www/example/ and another.other.example.net is issued a certificate under the path /var/www/other.
When you’re entering the command for your sites, you should list a path for each of the domains that are related. To install certificates for separate domains, enter a path for one domain, then repeat this for the other domains you want to issue a certificate for in the one command.
You can alternatively enter one path and one domain and enter the command this way for each of the domains you wish to install certificates.
That being said, be sure to replace /var/www/other with real paths to your sites and another.other.example.net with your actual domain names as needed.
Once Certbot is finished running the command, your SSL certificate should be issued and you can check your newly secured site.
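The original command for the webroot method didn’t survive in this copy of the post, so here is an added example (the editor’s own, not the post’s or Certbot’s code) that builds the command from one or more WEBROOT=domain,domain groups and pre-checks each webroot before you run anything. The flags certonly, --webroot, -w and -d are Certbot’s documented options; the CERTBOT variable and the sample paths are this script’s own assumptions. One caveat worth knowing: Certbot’s documentation describes a single invocation with several -w and -d options as producing one certificate covering every name listed, so to keep unrelated sites on separate certificates, run the command once per site, as the post recommends.

```shell
#!/bin/sh
# Added example, not the post's own command. Builds a certbot webroot
# invocation from "WEBROOT=domain1,domain2,..." arguments and pre-checks
# each webroot. The flags are certbot's documented options; CERTBOT and the
# sample paths are this script's own assumptions.

# Name of the certbot command. The Certbot website may tell you to use a
# different name (for example certbot-auto or letsencrypt), so it is overridable.
CERTBOT=${CERTBOT:-certbot}

# Print "certbot certonly --webroot -w ROOT -d DOMAIN ..." for every group.
# Return 1 and print nothing on stdout if any webroot is unusable.
webroot_args() {
    args=""
    for group in "$@"; do
        root=${group%%=*}
        domains=${group#*=}
        [ -d "$root" ] || { echo "webroot not found: $root" >&2; return 1; }
        # certbot places its proof files in this subdirectory, so it must be
        # creatable here (and your web server must serve it over plain HTTP).
        mkdir -p "$root/.well-known/acme-challenge" 2>/dev/null \
            || { echo "cannot create challenge directory under $root" >&2; return 1; }
        args="$args -w $root"
        # Split the comma-separated domain list one name at a time.
        rest=$domains
        while [ -n "$rest" ]; do
            case $rest in
                *,*) d=${rest%%,*}; rest=${rest#*,} ;;
                *)   d=$rest;       rest="" ;;
            esac
            args="$args -d $d"
        done
    done
    printf '%s\n' "$CERTBOT certonly --webroot$args"
}

# Usage (sample paths and names are constructed):
#   webroot_args /var/www/example=example.com,www.example.com \
#                /var/www/other=other.example.net,another.other.example.net
# Review the printed command, then run it; append --dry-run to test against
# the staging service first without consuming the rate limits described above.
```

Webroot paths containing spaces aren’t handled, so keep them simple. If the script reports a missing webroot or a challenge directory it can’t create, fix that before running Certbot: those are the two conditions that make a webroot run fail after the request has already been counted against your rate limits.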
Method 4: Community-Made or Official Plugin
You can also install a certificate with one of many community-made plugins. Just be sure to exercise caution when choosing and installing them since anyone can make and post a plugin.
You can find a list of Certbot plugins made by others in the open source community by checking out the Let’s Encrypt Wiki page.
Renewing and Revoking Certificates
To renew a certificate and set up automated renewals, check the Certbot website as described above for installing Certbot. Once you enter your web server and operating system, the renewal commands are listed.
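Because certificates only last 90 days, it’s worth having a check that tells you when one is getting close to expiry, independent of whether the automated renewal job is working. The script below is an added example (the editor’s own, not part of the post or of Certbot) that reads each cert.pem under /etc/letsencrypt/live/ with openssl and reports any that expire within 30 days, the same threshold certbot renew uses by default. It assumes openssl is installed on the host; the directory layout is the one the post describes.

```shell
#!/bin/sh
# Added example (not from the post): report certificates that are inside
# their renewal window. Assumes openssl is available on the host; the
# /etc/letsencrypt/live layout is the one Certbot uses.

# Warn once fewer than this many days remain (certbot renew's own default).
WARN_DAYS=${WARN_DAYS:-30}

# Return 0 if CERT stays valid for more than DAYS days, 1 if it expires
# sooner (or has already expired), 2 if the file cannot be parsed.
cert_valid_for_days() {
    cert=$1
    days=$2
    seconds=$((days * 86400))
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || return 2
    # -checkend exits 0 when the certificate is still valid that far ahead.
    openssl x509 -in "$cert" -noout -checkend "$seconds" >/dev/null 2>&1
}

# Check every cert.pem under LIVE_DIR (default /etc/letsencrypt/live) and
# print one line per certificate. Return 1 if any needs attention.
check_all() {
    live=${1:-/etc/letsencrypt/live}
    status=0
    for cert in "$live"/*/cert.pem; do
        [ -f "$cert" ] || continue
        name=$(basename "$(dirname "$cert")")
        if cert_valid_for_days "$cert" "$WARN_DAYS"; then
            rc=0
        else
            rc=$?
        fi
        case $rc in
            0) echo "OK         $name" ;;
            1) echo "RENEW      $name (fewer than $WARN_DAYS days left)"; status=1 ;;
            *) echo "UNREADABLE $name"; status=1 ;;
        esac
    done
    return $status
}

# Usage on a server: run from cron and alert on a non-zero exit, e.g.
#   check_all || mail -s "certificate renewal needed" admin@your-site.com
# (the mail command and address are placeholders for whatever alerting you use).
```

If this reports RENEW for a site where you already set up the automated renewal command from the Certbot website, that’s your signal the job isn’t running or is failing, and you should look at it before the browser error described earlier appears for your visitors.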
To revoke a certificate, you can enter in the following command:
Be sure to replace certbot with the actual name of the command that the Certbot website asked you to use, and replace your-site.net with the domain where you want a certificate revoked.
If you want to revoke more than one certificate at a time, enter a space at the end, followed by -d, a space and another domain. If you only want to revoke a certificate for a single domain, remove -d your-site.net from the command above.
There are likely going to be a lot of changes that roll out to Certbot so it’s a good idea to frequently check the Let’s Encrypt and Certbot documentation and also the Let’s Encrypt website for updates.
Now that you have added an SSL certificate to your site, you can require everyone who visits your site to use it. For details on how to set this up, check out one of our other posts, How to Use SSL and HTTPS with WordPress.
If you run into troubles and you need help with Certbot or Let’s Encrypt, you can check out the community forum.
Also, adding an SSL certificate to your site may cause your images not to be displayed since their URL would change, but you can check out Replacing Image Links in WordPress After Installing an SSL Certificate for details on how to fix this error.
Possibly one of the most exciting parts about Let’s Encrypt is that you can use our Domain Mapping plugin to install one certificate and have it apply to all sites in a network. You can learn more about it in our post How to Use One SSL Certificate for Your Entire Multisite Network.