Update; 20 October 2017
The below method doesn’t seem to work with Raspian Stretch (Jessie is fine though); however, I’ve written a quick how-to specific to Stretch here.
Adding SSL to your website is all the rage these days. Everyone’s doing it and for good reason. Not only does it actually make your site safer for the end user but if you’re looking to have your website indexed by the likes of Google, it’s a huge factor in their ranking system (and has been since 2014).

My goal here is to show you how easy it really is to add an SSL certificate to your self-hosted site and rid those fears of insecurity (web server related, your personal life is your own problem).

First things first; I’m writing this from the point of you already have installed WordPress on your Raspberry Pi. If you haven’t, no problem. I’m far from an expert myself and used the e-tinkers tutorial to get it up and running (you’re reading this, thus it works). It’ll get you from start to finish and even start walking the line of SSL certificates, however, it uses a pay-service (via Namecheap) and that’s where I bailed.

I admit I was kind of stuck for a while. I’m cheap and didn’t really want to pay for SSL and thought I was out of luck. Then I found Let’s Encrypt which has the mission to make the web a safer place via SSL, for free (I’m assuming you know what Let’s Encrypt is. If you don’t, check it out to get the gist.). However, even after finding that I was stuck for a few weeks as I was unable to find a way to implement the Let’s Encrypt certificates. Or so I thought.

While researching a home cloud-server I came across pestmeester.nl. The entire site is a goldmine of info. But I only found one thing of real use for my external web server: the installation of  Let’s Encrypt SSL certificates.

Let’s get started.

The following is assuming that you followed the e-tinkers tutorial to install WordPress on your Raspberry Pi. If you didn’t you may need to figure out the paths you did use.

Part One:

This is actually the really easy part. You’ll need to download and install the Really Simple SSL WordPress plugin. This will make short time of getting you up to snuff with using SSL across your site. Go ahead and activate it. You should get a warning that there is no active certificate located. Don’t worry, below is where we’re going to install it. If you don’t get such a warning then you’re awesome and already have a certificate installed.

I also use Cloudflare as a DNS for my site. If you do, be sure to set you your encryption (under Crypto on their site) to Flexible.

Part Two:

One: Be sure to update your RPi, open up Terminal and type:
sudo apt-get update && sudo apt-get upgrade -y

Two: We’re going to install Git:
sudo apt-get install git

Three:
sudo git clone https://github.com/certbot/certbot /etc/letsencrypt

Four: This’ll get the actual certificate for your web server(s). This is where pestmeester‘s install and mine/ours will differ, type:
sudo /etc/letsencrypt/certbot-auto certonly --agree-tos --webroot -w /var/www/html -d mysite.com -d www.mysite.com -d mail.mysite.com -d srv01.mysite.com

The line /var/www/html is where the WordPress installation is using the e-tinkers tutorial. If your install is in a different folder, this is the line where is should point to. The mysite.com should be your own site (e.g. -d ryanerickson.com). In the code above you’re getting four different certificates. I personally only needed one, so my code ended just after the first -d mysite.com.

After you’ve given your email address and agreed to any TOS that you need to you should see a message like this

Almost done.

The only real issue with using Let’s Encrypt SSLs is that they expire on a regular basis (it’s part of the free deal). But since the Raspberry Pi is a Linux machine we can always run a cronjob to do the work for us. So, while still in Terminal type
sudo crontab -e

Then add the following into that:
0 6 * * * /etc/letsencrypt/certbot/certbot-auto renew --text >> /etc/letsencrypt/certbot/certbot-cron.log && sudo service nginx reload

Hit ctrl+x, y, and enter to save and exit. The cronjob will run daily but will only renew your certificate when it’s about 30 days out (per  pestmeester’s site).

So now your certificate is installed and shouldn’t expire so long as you don’t move your system.

Now for me, the Really Simple SSL plugin didn’t see the newly installed certificate right away. However, after a system reboot all was good. Type:
sudo reboot now

And when it came back online, I had an active certificate for the plugin to use. Winning! The longest part of this was waiting for the certificate to generate via the command line. Other than that, it’s dead simple. Now I see:

I hope this was useful. If so, share it. If you have any questions please let me know.

Categories: Raspberry Pi

ryan

A father of five and husband of one. This is my personal site. Cheers!

Leave a Reply

%d bloggers like this: