WordPress with self-signed SSL certificate/key

I have a lot of small sites for which I don’t need (or want to pay for) a signed SSL certificate. In these cases I can accept the browser warnings (which will likely only be seen by me) and any inherent risk associated with self-signing. To generate the necessary files I run the following command on a Linux box (tested with CentOS 7):

openssl req -x509 -newkey rsa:2048 -keyout www.domain.com.key.pem -out www.domain.com.cert.pem -days XXX -nodes -subj '/CN=www.domain.com'

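(Replace “www.domain.com” with the fully qualified domain name of the website and XXX with the number of days the certificate should remain valid. The -nodes option writes the private key unencrypted, so httpd can start without prompting for a passphrase.)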

Copy www.domain.com.cert.pem and www.domain.com.key.pem to the web server and modify your Apache (httpd) settings to refer to these files. A typical setup might involve changes like this to /etc/httpd/conf/httpd.conf:

<VirtualHost *:80>
  ServerName www.domain.com
  ...
</VirtualHost>
<VirtualHost *:443>
  ServerName www.domain.com
  ...
  <IfModule mod_ssl.c>
    SSLEngine on
    ...
    SSLCertificateFile /pathtofiles/www.domain.com.cert.pem
    SSLCertificateKeyFile /pathtofiles/www.domain.com.key.pem
  </IfModule>
</VirtualHost>

And restart httpd of course:

/bin/systemctl restart httpd.service
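
Before restarting httpd it is worth confirming that the copied files form a usable pair. The following is an added example, not part of the original post: check_pair is a hypothetical helper name, and the script assumes Linux with GNU stat and the openssl command-line tool.

```shell
#!/bin/sh
# Pre-restart checks for a self-signed certificate/key pair (Linux, GNU stat).
# check_pair is a hypothetical helper name, not part of OpenSSL or Apache.
# Usage: check_pair CERT KEY [MIN_DAYS]; returns 0 only if every check passes.
check_pair() {
  cert=$1; key=$2; min_days=${3:-14}; rc=0

  # 1. The certificate must carry the public half of this private key;
  #    httpd refuses to start on a mismatched pair.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: $key does not match $cert" >&2; rc=1
  fi

  # 2. -nodes leaves the key unencrypted on disk, so group and others
  #    must have no access (mode must end in 00, e.g. 600 or 400).
  mode=$(stat -c '%a' "$key" 2>/dev/null)
  case "$mode" in
    *00) ;;
    *) echo "FAIL: $key has mode ${mode:-unknown}, expected 600" >&2; rc=1 ;;
  esac

  # 3. The certificate must still be valid min_days from now.
  if ! openssl x509 -in "$cert" -noout \
       -checkend $(( $min_days * 86400 )) >/dev/null 2>&1; then
    echo "FAIL: $cert expires within $min_days days" >&2; rc=1
  fi

  return $rc
}

# Run directly with: sh check_pair.sh CERT KEY [MIN_DAYS]
if [ $# -ge 2 ]; then check_pair "$@"; fi
```
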

Finally, you probably want to force WordPress to use SSL when you log in (because you’ll probably forget to manually use https each time, which would send your password in clear text over the network). To do this, add the following line to wp-config.php:

define('FORCE_SSL_ADMIN', true);

Note again, you’ll get all the browser warnings about using an untrusted certificate. User assumes all risks!

A more complete httpd.conf example

The following httpd.conf example uses a more typical/complete config. In this example, the root domain (e.g. domain.com) is redirected to the www subdomain (e.g. www.domain.com) and SSL versions are limited to avoid recent SSL vulnerabilities.

<VirtualHost *:80>
  ServerName www.domain.com
  ServerAlias domain.com
  DocumentRoot /var/www/domain.com/web
  ErrorLog /var/www/domain.com/log/error.log
  RewriteEngine on
  RewriteCond %{HTTP_HOST} !^www\.
  RewriteRule ^ http://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
  ServerAdmin cj@domain.com
  <Directory "/var/www/domain.com/web">
    AllowOverride All
    Require all granted
  </Directory>
</VirtualHost>
<VirtualHost *:443>
  ServerName www.domain.com
  ServerAlias domain.com
  DocumentRoot /var/www/domain.com/web
  ErrorLog /var/www/domain.com/log/error.log
  RewriteEngine on
  RewriteCond %{HTTP_HOST} !^www\.
  RewriteCond %{HTTPS}s ^on(s)|
  RewriteRule ^ http%1://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
  ServerAdmin cj@domain.com
  <Directory "/var/www/domain.com/web">
    AllowOverride All
    Require all granted
  </Directory>
  <IfModule mod_ssl.c>
    SSLEngine on
    SSLProtocol All -SSLv2 -SSLv3
    SSLCertificateFile /var/www/domain.com/ssl/www.domain.com.cert.pem
    SSLCertificateKeyFile /var/www/domain.com/ssl/www.domain.com.key.pem
  </IfModule>
</VirtualHost>
