How to Set Up Free SSL with Let’s Encrypt and Certbot

Installing an SSL/TLS certificate on your domain is an essential step toward securing your WordPress site, and with Let’s Encrypt you can now get one for free.

An SSL certificate lets your visitors’ browsers verify that they are really talking to your server, and it lets the connection between your site and those browsers be encrypted, so someone on the network path can’t read or tamper with personal information in transit. Normally, SSL certificates have been cumbersome to install and can get expensive, but this is changing fast.

Let’s Encrypt is a new open source certificate authority that’s backed by top companies, including Automattic, the folks behind WordPress, as well as Facebook, Mozilla, Chrome, Cisco and Sucuri. The project’s aim is to make obtaining and installing SSL certificates automated and free for all.

Let’s Encrypt has an automated installer called Certbot that can help you add a certificate to your site in a few minutes or less. Certbot is currently in public beta and you can expect many changes in the official release, but the current version is stable enough for you to try on production sites.

What is Let’s Encrypt, Certbot and SSL?

SSL Certificates

SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) encrypt the connection between a website and its end user so that the data transferred back and forth can’t be read or altered on the way; SSL 3.0 dates from 1996, and the certificates used with it are older still. A certificate itself doesn’t encrypt anything: it binds your domain name to a public key and is signed by a certificate authority the browser trusts, which is what lets the browser check that it is talking to your server before the two sides negotiate the keys that encrypt the session.

Encrypting data means scrambling human-readable text into data that can only be deciphered with the matching secret key. As long as the private key on your server stays private, the encrypted traffic can’t be read by anyone sitting between your visitors and your site.

You can tell when a site has an SSL certificate installed when you see a green padlock displayed in your browser’s address bar along with a https prefix to the URL of the visited site, rather than the standard http.

Installing an SSL certificate for your domain helps secure your site.

A certificate is issued for one or more specific domain names. A single certificate can cover several names (your-site.com and www.your-site.com, for example), but every name a visitor might type has to be listed on it, or the browser will show a warning.

The site that’s attached to the domain gets secured with encryption when the SSL certificate is active. No matter what browser or device your visitors use to access your site, as long as they enter your site’s URL with https at the beginning, their connection is encrypted and secure.

Using an SSL certificate for your WordPress site means that your data, as well as your users’ data, remains safe from prying eyes. Since WordPress is a particularly large target for hackers due to its popularity and transparency, it’s important to take all the appropriate steps toward securing your site.

While WordPress itself is secure if you have the latest version installed, the more obstacles you can place in a hacker’s way to make their attacks more difficult, the less of a chance there is that your site will be compromised. One of the ways you can add an extra layer of protection to your site is by installing an SSL certificate.

Any site that exchanges information with a visitor, whether it’s an eCommerce site or one that accepts user logins, needs an SSL certificate. Since every WordPress site has at least one user who logs in, it’s recommended that all WordPress sites have an SSL certificate.

For more details on SSL certificates and how they can help secure your site, check out How to Use SSL and HTTPS with WordPress.

The WPMU DEV site loaded in the Firefox browser.
A green padlock and https in the URL are present, meaning an SSL certificate is active.

Let’s Encrypt

Let’s Encrypt is run by the Internet Security Research Group (ISRG), which is a California public benefit corporation and is recognized by the IRS as a tax-exempt organization. It’s a publicly trusted Certificate Authority: browsers and operating systems trust its root (at launch through a cross-signature from IdenTrust), so the certificates it issues are accepted without any extra configuration on the visitor’s side.

It’s an open source project that aims to secure the entire web. Let’s Encrypt left beta and declared itself production-ready on April 12, 2016, after several months of issuing publicly trusted certificates during its public beta.

Standard certificates are free and you aren’t limited to just one, though there is a limit to how many can be issued per week; more on that later.

Installing a certificate through Let’s Encrypt is fast. In fact, it’s a lot quicker than other certificate authorities.

Instead of waiting hours for a request to be accepted and the certificate finally issued, you use SSH and the Certbot client to obtain a certificate for your domain in seconds. The entire process from start to finish typically takes minutes, not hours.

Certbot

Certbot is an Automatic Certificate Management Environment (ACME) client; under that name it became available in public beta on May 12, 2016. Once you install Certbot on your server via SSH, you call its commands to obtain, install and renew SSL certificates.

It was formerly known as the Let’s Encrypt ACME client, but has been recently turned over to the Electronic Frontier Foundation (EFF) to maintain and continue the development of the ACME client. The EFF is a non-profit organization that was founded in 1990 and works to defend civil liberties in the digital world and protect user privacy.

Server Requirements

Certbot, in its beta version, is stable enough to use on production sites, but it’s not without bugs so it’s recommended that you run tests thoroughly in a staging environment before installing a certificate on a live site.

According to the Let’s Encrypt and Certbot documentation, you need to meet certain server requirements to install certificates:

“The Let’s Encrypt Client presently only runs on Unix-ish OSes that include Python 2.6 or 2.7; Python 3.x support will hopefully be added in the future …. The Apache plugin currently requires a Debian-based OS with augeas version 1.0; this includes Ubuntu 12.04+ and Debian 7+.”

Nginx support (Nginx 0.8.48+) is also highly experimental and isn’t included in the beta Certbot packages.

You also need to run Certbot via SSH and you can use your favorite SSH client such as Terminal for Mac OS X and PuTTY for Windows. Don’t forget that Terminal comes pre-installed, but this isn’t the case for PuTTY.

Certbot normally runs as root, because it writes to /etc/letsencrypt and, depending on the plugin, binds privileged ports or edits the web server’s configuration. Running it as an unprivileged user is technically possible if you meet two requirements:

  • you don’t use the standalone plugin outlined below, which has to bind port 80 or 443, and
  • you don’t use the apache or nginx plugins, which have to modify the web server’s configuration.

Even if these do apply to you, it’s still possible not to run Certbot as root by using either letsencrypt-nosudo or simp_le instead. Keep in mind that these are third-party ACME clients, not created or maintained by the teams behind Let’s Encrypt and Certbot, so you would be using them at your own risk.

Be sure to exercise the same caution you would when installing plugins in your WordPress site since neither are guaranteed to be maintained indefinitely, be bug-free or see regular updates.

Keep in mind that running Certbot as root may not be possible on shared hosting or on managed VPS and dedicated servers. It depends on your hosting plan and provider. If you’re not sure whether it’s possible, contact your host to find out.

You can also get more details on SSH by checking out A Quick Guide to the Terminal and Command Line Prompt for WordPress.

If your site is proxied through Cloudflare’s CDN, you may run into validation errors when issuing a certificate, because the CA’s checks reach Cloudflare rather than your own server. This can be avoided by temporarily pausing Cloudflare for the domain. When your certificate has been issued and installed, you can resume the CDN service.

Limitations and Locations

Renewal Terms

Certificates are valid for 90 days and don’t renew themselves, but Certbot’s renew subcommand renews every certificate that is within 30 days of expiry, so the usual setup is a cron job that runs it once or twice a day. There are also limits on how many certificates you can obtain in a given period of time.

Rate Limits

At the time of writing the limits are: 500 account registrations per IP address per three hours, 300 pending authorizations per account per week, 100 names on a single certificate, 20 certificates per registered domain per week, and 5 duplicate certificates (the exact same set of names) per week. Check the Let’s Encrypt rate-limits page for the current values before you plan around them.

The two limits that bite in practice are the 20 per registered domain and the 5 duplicates. Note that the 20 counts certificates, not names: a certificate for your-site.com, www.your-site.com, blog.your-site.com and store.your-site.com counts once against your-site.com’s 20 for the week, however many names it carries. Twenty certificates each covering a different sub-domain of your-site.com would exhaust that week’s allowance for the registered domain.

The duplicate limit applies to the exact same set of names. If you re-issue the four-name certificate above, each re-issue counts against both limits, so after five identical certificates you hit the duplicate limit even though you have used only five of the twenty. Adding or removing a name makes it a different set, which is why a botched first attempt is best retried against the staging environment rather than the production CA.
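As an added example (not from the original article), the following POSIX shell script applies the two counters described above to a list of planned certificates, one per line with the names separated by spaces. It shows why the limits are about certificates and identical name sets rather than about names. The thresholds are the ones quoted above, which were current when the article was written, and the registered-domain logic is deliberately naive (last two labels): it is wrong for public suffixes such as co.uk, where you would need the Public Suffix List.

```shell
#!/bin/sh
# Added example (not from the original article). Counts what a batch of planned
# certificates would use up under the per-week limits quoted in the article:
#   20 certificates per registered domain, 5 identical certificates (same set of
#   names), plus 100 names per certificate. Values as of the article's writing.
# Input file: one planned certificate per line, its names separated by spaces.
export LC_ALL=C

# Prints "<registered-domain> <certificates>" for each registered domain touched.
# Assumption: the registered domain is the last two labels. That is wrong for
# public suffixes such as co.uk; use the Public Suffix List for real planning.
certs_per_registered_domain() {
  awk '{
    for (k in seen) delete seen[k]
    for (i = 1; i <= NF; i++) {
      n = split($i, lab, ".")
      rd = lab[n-1] "." lab[n]
      if (!(rd in seen)) { seen[rd] = 1; count[rd]++ }   # a cert counts once per domain
    }
  } END { for (rd in count) print rd, count[rd] }' "$1" | sort
}

# Prints "<copies> <names sorted>" for every set of names requested more than
# once. The CA does not care about name order, so each line is sorted first.
duplicate_name_sets() {
  while IFS= read -r line || [ -n "$line" ]; do
    printf '%s\n' "$line" | tr -s ' ' '\n' | sort | paste -s -d ' ' -
  done < "$1" | sort | uniq -c | awk '$1 > 1 { $1 = $1; print }'
}

# Returns 1 (and says why) if the batch would exceed any of the three limits.
check_rate_limits() {
  status=0
  awk 'NF > 100 { print "line " NR ": " NF " names exceeds 100 per certificate"; exit 1 }' "$1" \
    || status=1
  certs_per_registered_domain "$1" \
    | awk '$2 > 20 { print $1 ": " $2 " certificates exceeds 20 per week"; exit 1 }' \
    || status=1
  duplicate_name_sets "$1" \
    | awk '$1 > 5 { print $1 " identical certificates exceeds 5 per week"; exit 1 }' \
    || status=1
  return $status
}
```

Run it as `check_rate_limits plan.txt` before a batch issuance; the first two functions on their own show you where a week’s allowance is going.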

At the time this was written, wildcard and Extended Validation (EV) certificates aren’t available. These may be considered in the future, but neither is under development right now.

That being said, you rarely need a wildcard: you can issue a certificate that names every sub-domain you actually use, or several certificates, as long as you stay within the rate limits.

Where Your Certificates are Located

Your certificates are stored as files on your server. cert.pem holds your server certificate on its own; chain.pem holds the intermediate CA certificate(s) that link it to a root the browser trusts; fullchain.pem is cert.pem followed by chain.pem and is what most web server configurations (nginx’s ssl_certificate, for example) should point at, because a server that sends only its own certificate fails in clients that don’t already have the intermediate.

Your private key is stored in privkey.pem and must be readable by root only. Anyone who obtains it can impersonate your site, so treat a leak as a compromise: revoke the certificate and issue a new one with a fresh key.

All these files live in /etc/letsencrypt/live/your-domain/ as symlinks into /etc/letsencrypt/archive/, where every version is kept. On renewal the symlinks are repointed to the new files, so always reference the live/ paths in your server configuration rather than copying the files elsewhere.
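As an added example that is not part of the original article, this POSIX shell function checks one live/ directory for the properties described above: all four files present as symlinks into archive/, fullchain.pem identical to cert.pem followed by chain.pem, exactly one certificate in cert.pem, at least one intermediate in chain.pem, and a private key readable by its owner only. It uses only grep, cmp and stat, so it runs on Linux or BSD; the directory path is the only input.

```shell
#!/bin/sh
# Added example (not from the original article): sanity checks on one
# /etc/letsencrypt/live/<domain>/ directory, based on the layout described in
# the article plus Certbot's convention that live/ holds symlinks into archive/.
#   cert.pem       your server certificate (one PEM block)
#   chain.pem      the intermediate CA certificate(s) up to a trusted root
#   fullchain.pem  cert.pem followed by chain.pem (what most web servers want)
#   privkey.pem    the private key; owner-readable only
# Usage: check_live_dir /etc/letsencrypt/live/your-site.com

pem_blocks() {  # number of PEM certificates in a file
  grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

check_live_dir() {
  dir=$1
  rc=0
  for f in cert.pem chain.pem fullchain.pem privkey.pem; do
    [ -e "$dir/$f" ] || { echo "missing $dir/$f"; rc=1; }
  done
  [ $rc -eq 0 ] || return $rc

  # Renewal writes new files into archive/ and repoints these symlinks, so a
  # plain copy made once (instead of referencing the live/ path) goes stale.
  for f in cert.pem chain.pem fullchain.pem privkey.pem; do
    [ -L "$dir/$f" ] || { echo "$f is a regular file, not a symlink into archive/"; rc=1; }
  done

  # fullchain.pem must be exactly cert.pem followed by chain.pem.
  if ! cat "$dir/cert.pem" "$dir/chain.pem" | cmp -s - "$dir/fullchain.pem"; then
    echo "fullchain.pem is not cert.pem + chain.pem"; rc=1
  fi
  [ "$(pem_blocks "$dir/cert.pem")" -eq 1 ] || { echo "cert.pem should hold exactly one certificate"; rc=1; }
  [ "$(pem_blocks "$dir/chain.pem")" -ge 1 ] || { echo "chain.pem holds no intermediate certificate"; rc=1; }

  # The key must not be group- or world-readable. -L checks the target, not the
  # symlink; the first stat form is GNU, the second BSD/macOS.
  mode=$(stat -L -c %a "$dir/privkey.pem" 2>/dev/null || stat -L -f %Lp "$dir/privkey.pem")
  case $mode in
    600|400) ;;
    *) echo "privkey.pem mode $mode: expected 600 (or 400)"; rc=1 ;;
  esac
  return $rc
}
```

A non-zero exit with the reasons printed is the useful part: run it after the first issuance and again from the same cron job that renews, so a permissions change or a hand-edited fullchain.pem is caught before the web server reloads it.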

Installing Certbot

There are some dependencies that need to be installed before adding Certbot. While some OSes have them pre-installed, not all of them do. You can find out if you need to install the dependencies and find the specific command you need by going to the Certbot website.

In the dropdown boxes, select your web server and operating system to display the information you need.

The Certbot homepage.
Find commands you need that are specific to your OS on the Certbot website.

The details are displayed under the dropdown boxes so you need to scroll down a bit to view the command you need for installing dependencies and after that’s taken care of, you can go ahead and install Certbot.

The commands to do this are listed on the same page of the Certbot website, underneath the dependencies information. On this page, you should also see commands for automated renewals.

The Certbot instructions for Apache and CentOS/RHEL 6.
Example of the installation instructions that are listed.

You can go ahead and enter those commands via SSH to install Certbot. Once that’s done, you can start installing SSL certificates.

Installing SSL Certificates

When you issue a certificate, you can list several domain names for it. All of them go into the one certificate as Subject Alternative Names, so it’s valid for every variation of your domain that you include. This is perfect for sub-domains, for example.

Instead of creating a new certificate for every sub-domain, you can create one certificate and include multiple sub-domains as long as you don’t exceed the rate limit explained above.

For example, you could create a certificate for your-site.com, www.your-site.com, blog.your-site.com, store.your-site.com and login.your-site.com.

Keep in mind that you don’t have to put unrelated sites such as your-site.com, domain.com and example.com into one certificate, and usually shouldn’t. Technically it works: browsers accept any name listed on the certificate and the first name is not special, so https://domain.com and https://example.com would validate fine.

The problems are operational. Every name on the certificate has to pass validation again at every renewal, so a misconfigured webroot on one site blocks renewal for all of them; the full list of names is visible to anyone who inspects the certificate; and each site’s web server still needs to be pointed at the right files.

So issue a separate certificate for each unrelated site (each with its own webroot path, as explained later) and group only the variants of a single site, such as its sub-domains, together.

Also, when you install your first certificate, you’re asked to enter your email and accept the terms of service. Each time you install a certificate after this initial setup, you won’t need to continue entering your email and accepting the terms.

Method 1: Servers with Native Packages Installed

Some hosting companies such as SiteGround and DreamHost have Let’s Encrypt included in the control panel. If you have this option, you can automatically install certificates by going this route.

Many platforms also have native packages installed so you can have an easier time with installing and issuing certificates. You can check with your hosting company if this is the case for the plan you’re on and if so, you need to check the Certbot website as described above.

The site should list the appropriate commands to install your certificate.

Method 2: Standalone Plugin for Test Sites

Before you install a certificate on a live site, it’s worth trying the process in a test environment. The standalone plugin is handy for that: it runs its own temporary web server to answer the CA’s challenge, so it works on a box with no web server installed. The flip side is that it needs the port the web server would otherwise be using, so on a live server it means a short outage while it runs.

When you use this option, the web server must release port 80 or port 443 before you run Certbot, because the standalone plugin has to bind one of them itself; if the web server is still listening there, Certbot fails with a bind error.

Port 80 serves plain HTTP and port 443 serves HTTPS. If you have Certbot use port 443 (the tls-sni-01 challenge), your web server can keep serving the site over plain HTTP on port 80 while the certificate is issued; if Certbot uses port 80 (http-01), the site is unavailable over HTTP for the few seconds the validation takes.

Since the commands for stopping and restarting ports varies depending on the type of operating software you use, you should consult your server type’s documentation for the appropriate commands.

Once the chosen port is free, add one of the flags below to tell Certbot which challenge, and therefore which port, to use:

  • --standalone-supported-challenges http-01 to use port 80
  • --standalone-supported-challenges tls-sni-01 to use port 443

Next, check the Certbot website for the exact command name to use on your system (certbot, certbot-auto or letsencrypt) and run it with certonly --standalone followed by a -d flag for each name the certificate should cover.

All the names you list end up in one certificate. The standalone plugin doesn’t take webroot paths: because it answers the challenge from its own temporary server, there is no directory to point it at. Grouping names under per-site paths only comes into play with the webroot plugin described next.

Replace the example names www.example.com, example.com, other.example.net and another.other.example.net with your own, and remember that unrelated sites should get separate invocations rather than one shared certificate.

Your certificates should be issued at this point once Certbot has finished working and you can test it out before issuing certificates to your live sites with the Webroot Certbot plugin.

Method 3: Webroot Plugin for Production Sites

The Webroot Certbot plugin is excellent for installing and issuing certificates on live sites because you don’t need to close the ports that serve up your site. This means you can issue certificates without needing to worry about bringing your site down while you do it.

Similar to the standalone plugin, check the Certbot website for the particular way you should call up Certbot.

Replace certbot below with the name of the command you’re asked to use, and run it with certonly --webroot, giving a -w webroot path followed by the -d names that are served from that path.

Each -w applies to the -d names that follow it, up to the next -w. It tells Certbot where to write the challenge file for those names; it does not split the certificate. In the example, www.example.com and example.com are validated through /var/www/example/, other.example.net and another.other.example.net through /var/www/other, and all four names end up in a single certificate.

So list one path followed by all the names served from it, and add another -w only when some names are served from a different directory. If you want separate certificates (for unrelated sites, for example), run the command once per certificate instead of adding more -w groups to one invocation.

That being said, be sure to replace /var/www/example/ and /var/www/other with the real document roots of your sites (the directory Certbot writes into must be the one your web server serves /.well-known/acme-challenge/ from), and www.example.com, example.com, other.example.net and another.other.example.net with your actual domain names.
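The invocation the standalone and webroot sections above describe, as an added example that is not the article’s own command: the POSIX shell below builds the webroot arguments from groups written as webroot:name,name, checks that a challenge file can actually be created under each webroot’s .well-known/acme-challenge/ directory, and then does a --dry-run against the staging CA before the real issuance. The command name, the -w/-d syntax and --dry-run are Certbot’s own; the group format, the function names and the assumption that your web server serves /.well-known/acme-challenge/ from those directories are this example’s. For the standalone plugin you would drop the -w groups and use --standalone instead of --webroot after stopping the web server.

```shell
#!/bin/sh
# Added example (not from the original article): build the certbot webroot
# invocation described above and run a local pre-flight check first. The command
# shape is Certbot's documented one: -w sets the webroot for every -d that
# follows it, and ONE certificate is issued containing all the -d names.
# Assumptions: the web server serves /.well-known/acme-challenge/ from each
# given directory, and $CERTBOT is the command name the Certbot site gave you
# (certbot, certbot-auto or letsencrypt).
CERTBOT=${CERTBOT:-certbot}

# Each argument is "<webroot>:<name>[,<name>...]"; prints the certbot arguments.
webroot_args() {
  printf 'certonly --webroot'
  for group in "$@"; do
    dir=${group%%:*}
    names=${group#*:}
    printf ' -w %s' "$dir"
    for n in $(printf '%s' "$names" | tr ',' ' '); do
      printf ' -d %s' "$n"
    done
  done
  echo
}

# Make sure Certbot will be able to drop its challenge token into each webroot.
# Catching a wrong path here is cheaper than a failed validation at the CA.
preflight_webroots() {
  rc=0
  for group in "$@"; do
    dir=${group%%:*}/.well-known/acme-challenge
    if ! mkdir -p "$dir" 2>/dev/null || ! : > "$dir/.preflight" 2>/dev/null; then
      echo "cannot write challenge files under ${group%%:*}"; rc=1
    else
      rm -f "$dir/.preflight"
    fi
  done
  return $rc
}

# Dry run against the staging CA first (separate, much higher rate limits;
# nothing is saved), then the real issuance. One call per certificate: keep
# unrelated sites in separate calls rather than in extra -w groups.
issue_webroot_cert() {
  preflight_webroots "$@" || return 1
  set -- $(webroot_args "$@")
  "$CERTBOT" "$@" --dry-run && "$CERTBOT" "$@"
}
```

For the article’s example the call is `issue_webroot_cert /var/www/example:www.example.com,example.com /var/www/other:other.example.net,another.other.example.net`; if the pre-flight fails, fix the webroot path or its permissions before spending a validation attempt on the production CA.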

Once Certbot is finished running the command, your SSL certificate should be issued and you can check your newly secured site.

Method 4: Community-Made or Official Plugin

You can also install a certificate with one of many community-made plugins. Just be sure to exercise caution when choosing and installing them since anyone can make and post a plugin.

You can find a list of Certbot plugins made by others in the open source community by checking out the Let’s Encrypt Wiki page.

Renewing and Revoking Certificates

To renew a certificate and set up automated renewals, check the Certbot website as described above for installing Certbot. Once you enter your web server and operating system, the renewal commands are listed.

To revoke a certificate, run the revoke subcommand and point it at the certificate file with --cert-path, typically /etc/letsencrypt/live/your-site.com/cert.pem. Revocation is for a private key that has leaked or been compromised, or a certificate you should never have had; a certificate you simply no longer use can be left to expire.

Be sure to replace certbot with the actual command name the Certbot website gave you, and your-site.com with the directory of the certificate you want revoked. Revocation is per certificate, not per domain: a certificate covering several names is revoked as a whole, and to revoke several certificates you run the command once for each. Revoking doesn’t replace the certificate, so reissue afterwards (with a new key if the old one leaked) and reload your web server.

Wrapping Up

There are likely going to be a lot of changes that roll out to Certbot so it’s a good idea to frequently check the Let’s Encrypt and Certbot documentation and also the Let’s Encrypt website for updates.

Now that you have added an SSL certificate to your site, you should redirect every visitor to HTTPS so that nobody keeps using the unencrypted version. For details on how to set this up, check out one of our other posts, How to Use SSL and HTTPS with WordPress.

If you run into troubles and you need help with Certbot or Let’s Encrypt, you can check out the community forum.

Also, switching your site to HTTPS may cause images to be blocked as mixed content or not displayed, since their URLs still start with http. Check out Replacing Image Links in WordPress After Installing an SSL Certificate for details on how to fix this.

Possibly one of the most exciting parts about Let’s Encrypt is that you can use our Domain Mapping plugin to install one certificate and have it apply to all sites in a network. You can learn more about it in our post How to Use One SSL Certificate for Your Entire Multisite Network.

Jenni McKinnon
Are you planning to install a certificate from Let’s Encrypt on your WordPress site? Have you had success already with installing a certificate? Did you have any issues and how did you solve them? Let us know your thoughts in the comments below.

35 Responses

    • Hey Dominic,

      You’re right, the Plesk option is certainly easier, but not everyone has Plesk so I didn’t mention it, but I mostly left it out because it’s listed on the Certbot website and I just couldn’t list every possible command for every possible webserver and OS or else this post would be crazy long and just repeating instructions that are already posted on the Certbot site.

      I figured linking to it would be easier for everyone. What do you think? Would you have preferred everything to be added in? (We would love to improve the way we blog at WPMU DEV if it means making awesome folks like you happy.)

      • The Incredible Code Injector

        Yeah it would get long for sure! I’m just pointing out benefits of Plesk all over the place at the moment because lots of people don’t know much about it and I find it’s the best panel, this is just one example of why!

        On a slightly separate note, what might be a handy topic for people is – how to use letsencrypt with multisite & domain mapping (easy for subdirectory, less so for subdomain but do-able still!)

        Cheers,

  • Site Builder, Child of Zeus

    Nice article… although much was above my head, but for a true developer, I’m sure it is helpful.

    You may want to proofread your post – there are a few duplicate sentences and a partial paragraph that stops partway through then repeats with a full paragraph below it.

    As mentioned in the first post, some hosts now offer easy to install Let’s Encrypt. I have some sites on SiteGround that offer this via cPanel.

    If you change from http to https you also need to go into dashboard-settings-general and change site URL to https. Also, you need to review your site to make sure all images still work. (You may have mentioned this – I started skimming article once it got into SSH and code.)

    If you use Cloudflare CDN there are a couple plugins that are helpful to install to force https.

    I always appreciate these blog posts and always learn something new… even if some info goes over my head. :-) Thanks.

      • I won’t ignore it because you were right! I literally just fixed it now. For some reason, for a few of the last versions of WordPress, the post editor duplicates sentences from time to time. We catch most instances of it, but sometimes it gets added without us even seeing it. We’re not sure why it happens yet.

        I also forgot to link to one of our other posts on fixing broken image links so I added that at the end as well. Thanks so much for reminding me!

        Also, please don’t be afraid to point out mistakes. It only helps us improve and we’re really grateful for it. Thanks for being nice about it, too. :)

  • The Crimson Coder

    Hi Jenni, in your article you write about installing an SSL on root….

    Your comment; “Certificates can be installed as the root user on your server, but if you really don’t want to install certificates to the root, it’s technically possible if you meet certain requirements:”

    What exactly happens when the ssl is installed as the root user? Does that make it work like a wildcard? I have a multisite with some TLDs mapped to a subdomain thus the end user sees the Top Level Domain instead of the subdomain.

    i.e. a multisite subdomain.maindomain.com = tld.com because tld.com is mapped to subdomain.maindomain.com so going to tld.com is same as going to subdomain.com.

    I need to put an ssl on tld.com which is parked.

    Thx –rick

    • The main reason is because Certbot needs to write to certain files and root access is required to do this. If you’re not using the standalone plugin or Apache or Nginx, then you can run Certbot without root privileges.

      Not running it as root doesn’t affect the actual SSL certificate or how it’s installed. It’s just needed in many cases to run Certbot.

      Let me know if you have anymore questions. :)

    • WP Unicorn

      Greetings DigiBlueArc :-)

      We found that even in the best of circumstances that one cannot put a Lets Encrypt SSL certificate on a parked/alias domain … at least in the control panel we are using.

      However, one can put them on add on domains without issue.

      With that said you may want to try deleting the parked/alias domain and add it back in as a “addon” domain using the path /public_html/ and it should map and work with your mapping to the sub domain as you have anticipated.

      Joe :-)

  • Flash Drive

    Hi Jennie, thank you for this very detailed and helpful article, which I am bookmarking for when the next time I need SSL.

    I am wondering, though how does SSL add additional security to a website that does not collect any user data? When you say that “all WordPress sites require at least one user to log in”…how so, on sites where no user accounts are even being created from the front-end? Certainly no WP site requires anyone with back-end user roles to be logged in for it to function.

    • Hey Jacob,

      Thanks for your comment :)

      You still need at least one admin account to have your site up and running, there’s no need to be logged in for the site to function but it needs to be there and it will be used for logging in sooner or later :)

      There’s not much more security added if there’s no data from users being submitted on your site, it does make your site look better in eyes of the users and more professional.
      I think that all sites should use SSL by default, regardless of their use :)

      Cheers,
      Predrag

    • WP Unicorn

      Greetings Jacob :-)

      There are many other advantages of having SSL incorporated into your site not limited to but including those mentioned by Predrag.

      The whole idea of course is a secure and accurate connection between the client and the site they are visiting and of course data is going back and forth between the two … client and web site as in the site itself and cookies etc.

      In addition, SSL can alert the visitor to a potentially hacked site and/or prevent the visitor from receiving malware etc. from said hacked site via injection ( Yahoo anyone? http://www.scmagazine.com/hackers-spread-malware-via-yahoo-ads/article/437075/ ) as the browser will alert to the fact the site is unsecure and has unsecure content and depending on the browser will block the visitor from visiting said hacked site.

      As you mentioned “I am wondering, though how does SSL add additional security to a website that does not collect any user data?” – to be accurate it is not so much about if the web site is collecting user data or not but the fact that all data transferred between visitor and said site is secure which is most likely the reason why Google indexing prefers secure sites … for all the reasons mentioned above.

      https://webmasters.googleblog.com/2014/08/https-as-ranking-signal.html

      https://security.googleblog.com/2014/08/https-as-ranking-signal_6.html

      Though I had never read those articles that are directly from Google … skimming through it I see they confirm my assertion concerning the security of sites and of the visitor regarding the thwarting of injection and the like.

      Last but not least, it was only after the “Edward Snowden” revelations that Google and many others went on the security march to make it as inconvenient and hard as possible for the spooks to be spying on people which includes those cookies that most sites including WordPress sites exchange with the visitors.

      If that cookie data were not important as well why would the EU go through so much trouble to make a “cookie” law http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm?

      The answer is self evident … though one may think there is no exchange of data between the visitor and the site … in reality there is nothing but data being exchanged between the visitor and site which is in the best interest of the visitor and the site owner to remain secure keeping it un-manipulated by both criminal elements and the spooks.

      Therefore Jenni is absolutely accurate and spot on in her statement that SSL adds additional security and though she did not go into all the details specifying who, what, when and where the fact remains it is the absolute truth of the matter.

      In summary, the only people/entities that do not benefit from the additional SSL security are those criminals and spooks who seek to intercept and use/manipulate said data/information while at the same time the benefits are enormous for the visitor and site owner not limited to but including making it as hard as practical for the data to be intercepted/used/manipulated … higher Google rankings and much more.

      Joe :-)

  • WPMU DEV Initiate

    Hi Jenni,

    Thank you so much!

    I would really like to know how to use this with a domain mapping plugin that isn’t your own. Does it work? I have a sub-domain Multisite install of WordPress.

    Sounds cheeky I know but I use a lightweight version without as many features as yours but you know… looking at your domain mapping functionality I’m heavily considering signing back up again!

  • WPMU DEV Initiate

    Wow! That was a thorough explanation! I dabble with coding and am very experimental with my website, but this sounds very complex for most users. Certainly none of my clients would be game for it. I’m waiting for a true plug and turn on SSL option for my WordPress sites. But if that doesn’t happen, I’ll be sure to refer back to the post for the steps required. Thanks!

    • WP Unicorn

      Greetings on65acres :-)

      If the host has already implemented Let’s Encrypt into the control panels then it is literally easy peasy to implement with a few mouse clicks and forcing SSL it just as easy using a plugin like WP Force SSL located in the WordPress repository https://wordpress.org/plugins/wp-force-ssl/

      Obviously it can be forced on in solo WordPress installs and on a site by site basis in a MultiSite.

      The whole implementation is incredibly easy considering the circumstances I mentioned i.e. the host has implemented it in their control panel and using the WP Force SSL plugin.

      Joe :-)

  • New Recruit

    Thanks for the article. Open source security certificates, what a great initiative! Some hosting providers like Siteground have already upgraded their servers so installing Lets Encrypt certificates is just a couple of mouse clicks and they renew automatically. I suspect all of the major players will soon follow.

    • WP Unicorn

      Greetings John :-)

      Yes open source security certificates are a great initiative, an initiative that was started right after the Edward Snowden spying disclosures, and true they are only a point and a click to install/activate right in cPanel … plus as you mentioned they auto renew so nothing complicated about that.

      There is no need to wait for major players either as minor players like WPMU Hosting implemented it in cPanel months ago so clients … like any hosting company implementing this technology … no longer need to **purchase SSL certificates so there is no excuse for a site not to be secured.

      ** This is not relevant at this time for wildcard certificates as Let’s Encrypt has not yet developed a solution for wild card certificates to date.

      In regards to wild card certificates … Let’s Encrypt are considering this development though and we look forward to the implementation.

      However, in the mean time one can just add the target sub domain to their control panel “sub domains” using the path /public_html/ and then issue the free Let’s Encrypt certificate to the sub domain.

      Not as convenient as a wild card certificate but still free and considering the time it takes to implement … a couple of minutes … well worth the effort.

      Joe :-)

  • WPMU DEV Initiate

    I have been told that I can’t access my Hosted WordPress Site using Shell (PuTTy) so I used Certbot’s wizard to generate and download a handful of text files (4 not counting the 2 for domain verification). Presumably one is my private key and one is the certificate. Where do I put these things or how do I “install” the certificate? PS, I can FTP.

Comments are closed.