SSL on NGINX with WordPress

Serving websites using the transport layer security (TLS) protocol has several benefits aside from security, and getting HTTPS on NGINX can take as little as 5 minutes.

In addition to offering your users an increased level of security, there are also several other advantages including increased SEO ranking from Google and deeper user trust and confidence in your service.

If you don’t know how to ssh into your server, this article is not for you.

This tutorial is given under the assumption that you’re comfortable using the command line, have sudo/administrator access to your web server, and are running NGINX on an Ubuntu or Debian server, and have a WordPress website you would like to server over HTTPS. This tutorial can be used as a reference for servers that aren’t using WordPress, as the WordPress-specific information is contained within WordPress configuration files and settings.

1. Purchase an SSLMate certificate

First you’ll need to sign up for SSLMate — you can use another service, but the SSLmate part of this tutorial obviously won’t apply. When you sign up for the service initially you’ll add your credit card, but you don’t actually purchase a certificate right off the bat — you do that via the command line, which is pretty neat if you ask me.

2. APT Repo + Install Certificate

Next you’re going to want to add the SSLmate to your sources.list so you can apt-get install the package. They have a page with options to select different servers and you’ll want to visit there if you’re using a server other than Ubuntu 14.04 which is what I’ll be referencing in this example.

The `sudo` prefix in the above commands can be removed if they are run as root user. The SSL mate packages should now be on your server, allowing you to run the purchase command to by the certificate.

Replacing ‘HOSTNAME.com’ with your website’s name (I used ‘tucsonlabs.com’):

sslmate buy HOSTNAME.com

SSLmate will begin the purchase process, which involves a sending you a confirmation email. It might seem like your server is hanging after you’ve confirmed the purchase, but be patient and your certs should download. When it’s finished you should have 4 files that look something like this:

www.HOSTNAME.com.chain.crt	www.HOSTNAME.com.crt
www.HOSTNAME.com.chained.crt	www.HOSTNAME.com.key

You’ll want to make a directory for these and move them there. SSLmate recommends using /etc/sslmate for NGINX.

sudo mkdir /etc/sslmate
sudo mv www.HOSTNAME.com.chain.crt	www.HOSTNAME.com.crt
www.HOSTNAME.com.chained.crt	www.HOSTNAME.com.key /etc/sslmate

3. Link Certificate / add server block

At this point you have your certificates, but your NGINX server is unaware of them and it’s probably only listening on port 80. To get SSL working, it’s necessary to add the location of the generated keys to a new server block set to listen on port 443. You can also add this to an existing server block, but it should be separate from your default that’s listening on port 80. Don’t nest this server block within another block — they need to be separate. My config files are located in /etc/nginx/sites-available/HOSTNAME.com — yours may be in a different location.

4. Restart NGINX and Verify HTTPS Work

Everything should be set up properly at this point. To test that it’s working restart NGINX.

`sudo service nginx restart`

You should be able to navigate to https://HOSTNAME.com. If you get a sever error here, double check that NGINX restarted correctly and you’ll trouble shoot your errors.

The only thing left to do is add a 301 redirect and force WordPress to use SSL for the sign in and admin pages. At the bottom of your server configuration that’s listening on port 80 you’re going to add a 301 redirect:

5. Configure WordPress to use HTTPS

Sign into your website’s admin panel and navigate to settings, general. Change your WordPress Address and Site Address to use ‘https’ instead of ‘http’ and press save. Next open your website’s wp_config.php file add the following to force SSL on the sign in and admin pages.

define(‘FORCE_SSL_LOGIN’, true);
define(‘FORCE_SSL_ADMIN’, true);

Then restart NGINX server, and you should be set. You may have to search and replace post content for images with an http url to prevent a mixed-content warning from appearing.

6. You’re done, grab a beer!

To recap if you’re using Ubuntu or Debian and running NGNIX, it only takes 5 minutes to server your WordPress site over HTTPS using SSLmate. It’s easy, adds a higher level of trust to your service, offers your users an extra layer of security, and it can improve your website’s search engine ranking with Google.

Resources:

UPDATE: The ssl_certificate should be above the ssl_certificate_key.