Adding Free SSL Certificates to WordPress with Let’s Encrypt

Installing an SSL certificate on your domain is one of the best steps you can take to secure your WordPress site and now with Let’s Encrypt, you can get one for free.

An SSL certificate encrypts the connection between your site and your visitors’ browser so hackers can’t intercept and steal personal information. Normally, SSL certificates can be cumbersome to install and can get expensive, but this is changing fast.

Let’s Encrypt is a new open source certificate authority that’s backed by top companies including Automattic, the folks behind WordPress, as well as Facebook, Mozilla, Chrome, Cisco and Sucuri. The aim of the project is to make installing SSL certificates automated and free for everyone.

These open source certificates are still in public beta and you can expect many changes in the official release, but the current version is stable enough for you to try on production sites.

In today’s post, I’ll walk you through Let’s Encrypt and SSL as well as show you how to install an SSL certificate on your site using SSH and Let’s Encrypt’s automated installation.

Update: You can get the details on the latest changes to the installation process by checking out Adding Free SSL Certificate and HTTPS to WordPress with Let’s Encrypt and Certbot.

What is SSL and Let’s Encrypt?

SSL (Secure Socket Layer) certificates were first created in 1996 to secure the connection between a website and its end user. In 1999, huge improvements were made and the name was changed to TLS (Transfer Layer Security). We still use this version today, although the old name is more commonly used. Sites that have an active certificate display a green https prefix to their URL instead of http.

An SSL encrypted browser.
Browsers with a green https prefix are secured with an SSL certificate.

Websites that accept personal information, eCommerce sites and even any site that requires users to log in need an SSL certificate to prevent hackers from circumventing the connection and stealing the information that passed from the user to a website and vice versa.

Since all WordPress sites include a login page even if there is only one user, it’s recommended that a SSL certificate is installed. For more detail on SSL encryption, check out our guide How to Use SSL and HTTPS with WordPress.

Let’s Encrypt is run by the Internet Security Research Group (ISRG), which is a California public benefit corporation and is recognized by the IRS as a tax-exempt organization. It is a registered Certificate Authority, which means it is one of the authorized companies able to issue SSL certificates.

It’s an open source project that aims to secure the entire web. Standard certificates are available and you aren’t limited to just one, though during the current public beta release there’s a limit of 500 per three-hour period on registrations for an IP address and five certificates per domain and 300 pending authorizations per week. There’s also a limit of 100 domains for a single certificate.

Instead of fiddling with public keys and waiting for several hours until your certificate is fully issued, Let’s Encrypt allows you install a certificate using Shell access, a couple commands and by installing and running Let’s Encrypt’s Automatic Certificate Management Environment (ACME) client. By the time you enter your site’s URL to visit your homepage, your certificate should be already installed. It’s that quick.

Server Requirements

Even though the process is quick, there are some basic requirements you need on your server before you can jump right in and install an SSL certificate.

First and foremost you need to be sure your server’s operating system meets the requirements. According to the documentation:

The Let’s Encrypt Client presently only runs on Unix-ish OSes that include Python 2.6 or 2.7; Python 3.x support will be added after the Public Beta launch …. The Apache plugin currently requires a Debian-based OS with augeas version 1.0; this includes Ubuntu 12.04+ and Debian 7+.

You also need Shell access with software such as Terminal for Mac OS X or PuTTY for Windows. Make sure you have one of these installed on your computer. Don’t forget that Terminal comes pre-installed, but that’s not the case with PuTTY. Certificates can only be installed on the root of your server as well.

If you don’t have root access, you can still install certificates, but only using options such as sudo or yum, which let you run commands as the root while being signed in with a different account. If you run into issues, you may need to switch to the root of your server.

Check with your hosting provider to make sure you have access to SSH and ask for access if you don’t. You may need to upgrade your hosting plan to use this platform, so keep that in mind as well.

You also need to make sure your versions of PHP, Python, Virtualenv and Apache are up-to-date. In some cases, your PHP version is less important, unless you want to use a different installer from Let’s Encrypt’s list of known client implementations or community-made plugins.

The Server Information link in cPanel.
You can check the versions of PHP and Apache you’re using in cPanel.

You can quickly check the version of PHP and Apache you’re using in cPanel. After logging in, click Server Information in the left menu.

Next, you should see a list of additional details about your server including your version of PHP and Apache. You can check your version of Python and Virtualenv via SSH.

To check your version of Python, login to your server via SSH and enter in the command python --version. You should see the version listed if you have it installed and if you’re not running version 2.7.11, then you need to update Python.

You can check your version of Virtualenv in a similar way by typing in the command virtualenv --version and viewing the version that displays. You can check if you’re using the latest version by visiting the Virtualenv page on Python’s site.

Some hosts may have Let’s Encrypt already packaged on your server, but this isn’t always the case. If you don’t have it natively installed, you need to install Git on the root of your server if you don’t already have it. You can check the version you have installed by entering the git --version command. If a version number displays, you have it installed. Just be sure it’s up-to-date by visiting Git’s official site.

While updating and installing these scripts go beyond the scope of this article, you can check out the official documentations for these platforms:

It’s also important to suspend Cloudflare if you have the CDN enabled for your site. Once your SSL certificate is installed you can resume Cloudflare. Otherwise, if you keep it connected to your site while installing Let’s Encrypt, you may run into errors.

You also need to stop any processes using ports 80 and 443 in order to prevent an error when you try to install a certificate. In order to do this, enter the following command:

When the process finishes, repeat this command, replacing 80 with 443.

Once your certificate is installed you need to renew it within 90 days or it will expire. You should get an email notification beforehand to remind you. In the official release, it’s in Let’s Encrypt’s plan to make certificates automatically renew, but for now this is something you will need to do manually.

Fortunately, all you need to do to renew a certificate is repeat the installation process and since it’s automatic, there’s a lot less work involved.

Once your certificate has been successfully installed, the final step is to change your site’s URL to include your new SSL encryption. We have a guide to help you do this called How to Use SSL and HTTPS with WordPress.

Now that we have gotten all these details out of the way, let’s get on with actually installing the Let’s Encrypt SSL certificate.

Method 1: Servers with Native Packages Installed

Since Let’s Encrypt has been around for quite some time, Debian, Arch Linux, Gentoo, FreeBSD, and OpenBSD have packages that come pre-installed, which means you don’t have to install the ACME client and you can skip right to getting your certificate. It’s also a lot simpler than running the regular commands.

Once you log in to your server from your SSH client, enter the following command to jump-start the process:

Once the success messages appear, you can go ahead and run your first certificate with the command below, being sure to substitute the dummy values for the correct ones:

Replace [email protected] with the email where you would like to receive notifications and change with the domain where you would like to install the certificate.

You can also install certificates on multiple domains by adding them to the end.

Don’t forget to add your real email address and replace, and with the domains where you want a certificate installed.

You should see many lines appear letting you know your certificate was successfully installed and that means you’re done. You can now change your site’s URL in the backend of WordPress to include the https prefix.

Method 2: Installing Let’s Encrypt Yourself

If your server doesn’t already have native packages for Let’s Encrypt already installed, the commands above won’t work. Fortunately, you can still install a certificate – just with a few more commands.

It all starts with installing Let’s Encrypt. Log into the root of your server using SSH and call the packaged Let’s Encrypt file on GitHub using Git:

Next, go to the Let’s Encrypt file you just installed with this line:

Finally, finish installing Let’s Encrypt with this command:

Now you’re ready to run the ACME client and install your certificate. The commands are similar to the ones you would use if the package is pre-installed on your server, but with a small amendment of switching letsencrypt for letsencrypt-auto.

The final command should look similar to the one below:

Don’t forget to replace [email protected] with your actual email and for the domain where you want the certificate installed.

If you want to install a certificate on multiple domains while registering them with the same email address, you can add the domains to the end of the line as shown in the example below:

You would replace the same details as you would in the previous example while also swapping and for the other domains you want to include.

Once you enter in the command, the certificates are installed for all the domains you included and you should see a message that displays to let you know the installation was successful. When you see this message, you can go ahead and update your WordPress site’s URL to include the https prefix.

If you’re running Apache 2.4 on a Debian-based OS with version 1.0+ of the libaugeas0 package, you can use the Apache plugin. The command is similar and only requires one amendment:

Just as with the previous examples, swap [email protected] with your actual email address, and, and with your real domains.

Revoking a Certificate

Now that you have a certificate installed, you may get into a situation where you need to revoke your certificate such as if your site is hacked, for example. All you need is one command.

If you installed a certificate on a server that already had Let’s Encrypt installed, enter this line into your SSH client:

If you installed a certificate yourself, run this command instead:

Replace example-cert.pem with the real name of your certificate. You can find your live certificates under etc/letsencrypt/live/ and it’s usually named cert.pem.

That’s it. Your certificate should be revoked and you can install a new one.

Getting Help and Plugins

There are tons of clients and plugins built by the Let’s Encrypt community to provide different ways to install a certificate. You can see a List of Client Implementations on the Let’s Encrypt site and a list of all the available community plugins on GitHub.

It’s important to note that none of these clients or plugins are guaranteed to work and their security is certainly not guaranteed, either. You need to be sure to take the same precautions with these options as you would any other plugin.

If you find you run into troubles and need help, You can find Let’s Encrypt on Freenode with the tag #letsencrypt or you can get support on the forum located on Let’s Encrypt’s site. You can also submit issues in their Bug Tracker on GitHub.

When you’re asking for help, you do need to include some important details:

  • Copy and paste exact command line used and the output
  • Copy and paste logs from /var/log/letsencrypt
  • Copy and paste letsencrypt --version output
  • Your operating system, including the specific version
  • Specify which installation method you have chosen

Keep in mind that the first two requirements include personally identifiable information including your domain names and email. You may want to edit out this information and swap them for placeholders instead.

Wrapping Up

While there are still many changes going on behind the scenes of Let’s Encrypt, you can now automatically install an SSL certificate for all of your domains with a few simple commands. Once the public beta closes and the official release becomes available, you will be free to install a certificate on any domain, not just production sites.

Stay tuned to Let’s Encrypt on Twitter for future announcements or check out the project’s blog.

Possibly one of the most exciting parts about Let’s Encrypt is that you can use our Domain Mapping plugin to install one certificate and have it apply to all sites in a network. You can learn more about it in our post How to Use One SSL Certificate for Your Entire Multisite Network.

Are you planning to install a certificate from Let’s Encrypt on your WordPress site? Do you want to see a post on getting an SSL certificate with a web-based installer? Feel free to share your thoughts and let us know in the comments below.