Repository files navigation

This plugin generates a single SAN SSL Certificate with all domains in a WordPress network from CLI usingLet's Encrypt.

Network subdomains and domains fromWordPress MU Domain Mapping can be optionally included (see Create the certificate).

This plugin does NOT provide a web interface likeWP Encrypt does, for many reasons :

• wp-encrypt does that just fine, but :
• giving write access to your SSL certificates from web is NOT recommended
• generating a large SAN (100+ domains) from web may not work (timeout)
• after generating your SAN certificate you need to reload your web server, this can't/shouldn't be done from web
• CLI is required to setup and renew your SSL certificate, so why not using it for generating it ?

WARNING : If you have any existing SSL Let's encrypt certificate on your server, this plugin will remove them !If you plan to use multiple Let's encrypt certificates on your server, we recommend NOT to use this plugin for now.

• Certbot (Let's Encrypt client)

cd /usr/local/bin/wget https://dl.eff.org/certbot-autochmod a+x certbot-autocertbot-auto register --agree-tos

• WP CLI

cd /usr/local/bin/wget -O wp https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.pharchmod a+x wp

• Download wp-cli-letsencrypt to wp-content/plugins
• Enable plugin for network

For Let's Encrypt to deliver your certificate, you need to setup a challenge URL in your web server :Add the following location block to your nginx vhost (nano /etc/nginx/sites-enabled/yourdomain) :

server {  ...  # allow let's encrypt acme challenge  location ^~ /.well-known/acme-challenge/ {    allow all;  }  ...}

And reload nginx (service nginx reload)

The following command has to be executed once after install and each time after creating a new website on your WP network,in order to create or update your SAN SSL certificate :

cd /path/to/website && wp --allow-root letsencrypt && service nginx reload

By default the certificate won't include network subdomains and domains from wp_domain_mapping.Run the help command if you want to list available options :

cd /path/to/website && wp --allow-root help letsencrypt

Add this command line to your crontab (crontab -e) :

0 0 * * * /usr/local/bin/certbot-auto renew --post-hook "service nginx reload"

Each day at midnight Certbot will check, renew your certificate and restart nginx ONLY if needed (~ each 3 month).

Add the SSL directives to your nginx vhost (nano /etc/nginx/sites-enabled/yourdomain) :

server {  listen 80;  listen 443 ssl;  ssl_certificate /etc/letsencrypt/live/yourdomain/fullchain.pem;  ssl_certificate_key /etc/letsencrypt/live/yourdomain/privkey.pem;  ...}

And reload nginx (service nginx reload)

That's it ! Now to switch all your websites to HTTPS, you have to change the blog URLin WordPress and your theme, or just use a plugin likeReally Simple SSL that will do the job for you.

You can also followtutorials to optimize you ssl config.