Requirements

  • The latest version of AMIMOTO AMI
  • You can access your site with a TLD such as example.com
  • WordPress Install is Complete
  • You've set your instance to use a fixed, Elastic IP

Covered in this guide

  • Generating a SSL Cert
  • Search and Replace with WP-CLI
  • Setting a Renewal Schedule for Let's Encrypt

Tips and Notes

If you're setting up a new AMI, make a note of the AMI instance ID. This ID is created and used for your WordPress install directory.


For example, if your ID is i-abc123, the WordPress install path will be:

/var/www/vhosts/i-abc123


Optionally, when the AMI is only running one site you can CD into this directory using a wildcard path.

$ cd /var/www/vhosts/

1. Generating a SSL Cert

Login to the server

$ ssh -i ssh-key.pem ec2-user@example.com

Change to root user

$ sudo su -

Generating SSL certificate for example.com

# letsencrypt certonly -t -d example.com \
-a webroot --webroot-path=/var/www/vhosts/example.com/ \
--rsa-key-size 2048

Note: You should replace example.com with your domain name.

Set email address to get mails from Let's Encrypt

Enter email address (used for urgent notices and lost key recovery) (Enter 'c'
to cancel): info+letsencrypt@example.com ※

Agree with Terms of Service of Let's Encrypt

Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A

Let's Encrypt has been installed to the server.

The certificate and its chain is installed the following directory.

/etc/letsencrypt/live/example.com/fullchain.pem

Also, secret key is installed the following directory.

/etc/letsencrypt/live/example.com/privkey.pem

2. Modifying Nginx's configuration file

You could install digital certificate, then update configuration file (/etc/nginx/conf.d/example.com-ssl.conf) with copying example.com.conf as example.com-ssl.conf.

Copy configuration file for example.com.

# cd /etc/nginx/conf.d
# cp example.com.conf example.com-ssl.conf
# vi example.com-ssl.conf

Configurations

server {
listen 443 ssl http2;
server_name example.com;
root /var/www/vhosts/example.com;
index index.html index.htm;
charset utf-8;

ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers AESGCM:HIGH:!aNULL:!MD5;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;

access_log /var/log/nginx/example.com-ssl.access.log main;
error_log /var/log/nginx/example.com-ssl.error.log;

include /etc/nginx/drop;

add_header X-Cache-Status $upstream_cache_status;
expires $expires;

set $mobile "";
#include /etc/nginx/mobile-detect;

include /etc/nginx/wp-front;

location ~* /(phpmyadmin|myadmin|pma) { access_log off; log_not_found off; return 404; }

#
# redirect server error pages to the static page /50x.html
#
error_page 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}

Note: You should replace example.com with your domain name.

Restarting Nginx processes for applying changes.

# service monit stop
# service nginx restart
# service monit start

You can add return 301 https://example.com$request_uri; to /etc/nginx/conf.d/example.com.conf, if you want to redirect access HTTP to HTTPS.

Configurations on example.com.conf

server {
listen 80;
server_name example.com;
root /var/www/vhosts/example.com;
index index.html index.htm;
charset utf-8;

access_log /var/log/nginx/example.com.access.log main;
error_log /var/log/nginx/example.com.error.log;

include /etc/nginx/drop;

add_header X-Cache-Status $upstream_cache_status;
expires $expires;

set $mobile "";
#include /etc/nginx/mobile-detect;

location / {
return 301 https://example.com$request_uri;
}

#
# redirect server error pages to the static page /50x.html
#
error_page 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}

Restarting Nginx processes for applying changes.

# service monit stop
# service nginx restart
# service monit start

That's all for installing certificate and modifying configuration file for Nginx.

3. [Optional] Automatically renewing certificate

Let's Encrypt will be expired within 90 days when it's issued. You can renew it automatically using cronjob.

※ Run certbot renew command to check and update the certificate every Monday 1:00 AM.

# crontab -e

add the following lines.

# Renewing Lets Encrypt certificate
0 1 * * 1 /certbot renew && /sbin/service nginx restart > /dev/null 2>&1

The end result should look something like this.

@reboot /bin/sh /opt/local/provision > /dev/null 2>&1

# Renewing Lets Encrypt certificate
0 1 * * 1 /certbot renew && /sbin/service nginx restart > /dev/null 2>&1

You're done!

Search and Replace URLs to use HTTPS using the WP-CLI Command

$ wp search-replace 'http://example.com' 'https://example.com' --skip-columns=guid

That's all

Did this answer your question?