In our previous post, we explained how to resolve the SSL not trusted / root certificate expired issue for WordPress users and WP Encryption plugin users. Whereas, this guide is focused towards anyone using Let’s Encrypt SSL on their website using Apache, Nginx, Bitnami, Lightsail, Certbot or any server/platform.

Fixing root certificate expired issue on shared hosting platforms

If you are using SSL provided by AutoSSL or your shared hosting platform, all you need to do is just re-install the SSL certificate or re-run the autossl to fix the issue, hoping that almost all hosting platforms have updated the root certificate on their platform already. If that doesn’t resolve your issue, you could manually generate new SSL certificate and install it manually on your hosting platform with new active intermediate certificate (cabundle) provided at the bottom of this post.

If you manually generated Let’s Encrypt SSL certificate using WP Encryption WordPress plugin or with any other service which helps generate free Let’s Encrypt SSL certificate, simply re-installing the existing certificate & private key with the new intermediate certificate provided at the bottom of this post would resolve the issue. If you have updated to latest release v5.7.1 of WP Encryption plugin, the new intermediate certificate is already updated so you could easily re-generate fresh SSL certificate with correct root / intermediate or you could easily download / copy the new intermediate certificate to use from the “Download SSL Certificates” page of WP Encryption.

Fixing root certificate expired issue on AWS, Digital Ocean, Self managed server

Websites hosted on self managed servers with Apache, Nginx or Bitnami needs to follow a slightly different suit. Please modify your Apache / Nginx server config file via SSH console, check for file path of SSLCACertificateFile in case of Apache (which points to your intermediate certificate file) and ssl_certificate in case of Nginx (which points to a concatenated certificate + intermediate cert file).

Apache Server:-

Please update your intermediate cert file content with the new intermediate cert provided at the bottom of this article, save the file and restart apache server to fix the HTTPS issue.

Nginx Server:-

You will notice 2 cert blocks within your ssl_certificate file and you only need to replace the bottom one with the new intermediate cert provided at the bottom of this article. Once after updating, please save the server config file and restart nginx server once to fix the HTTPS issue.

Finally, the new rise of this SSL issue only requires updating of your intermediate certificate and you don’t really need to worry about your active certificate or key file.

Let’s Encrypt Active Intermediate Certificate to Use:

-----BEGIN CERTIFICATE-----
MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
nLRbwHOoq7hHwg==
-----END CERTIFICATE-----

The post Fix Let’s Encrypt “R3” Root Certificate Expired or SSL Not Trusted Issue appeared first on WP Encryption.

1. Login to your SSH console

If you have Nginx server running on cloud platforms like AWS or Digital Ocean, you might be able to login via SSH using Launch Console option. Otherwise, you can login using SSH key file or password via terminal.

2. Upload SSL certificates to secure folder and merge certs

Download crt, key & ca bundle files via WP Encryption plugin interface, rename them as certificate.crt, private.pem, cabundle.crt accordingly for easier identification and upload them onto a secure folder of your choice. Let’s assume you uploaded them to /etc/ssl/ directory.

cd /etc/ssl/ and merge certificate.crt and cabundle.crt files using below SSH command

cat certificate.crt cabundle.crt >> cert.crt

3. Update Nginx virtual host with correct SSL paths

cd /etc/nginx/sites-enabled/ directory and modify the default file using nano editor. If you don’t find any file here, copy the default file from /etc/nginx/sites-available/ to /etc/nginx/sites-enabled/ using cp command.

Now you need to find lines similar to below:

server {

    listen 443 ssl;    
    
    ssl_certificate        /etc/ssl/certificate.crt; 
    ssl_certificate_key    /etc/ssl/private.key;

ssl_certificate and ssl_certificate_key are the only 2 lines we need to update here. Update these 2 lines with correct paths of merged cert file and key file,

ssl_certificate /etc/ssl/cert.crt;
ssl_certificate_key /etc/ssl/private.pem

Finally, save the config changes.

4. Restart Nginx server for SSL changes to take effect

Nginx server can be restarted using below SSH command

sudo service nginx restart

Once after successful restart, your HTTPs site should be working perfectly!.

The post How to install SSL for WordPress on Nginx server appeared first on WP Encryption.

1. Login to your SSH console

If you have Apache server running on cloud platforms like AWS or Digital Ocean, you might be able to login via SSH using Launch Console option. Otherwise, you can login using SSH key file or password via terminal.

2. Determine your Apache server version

If you are sure about having httpd or apache2 server, please proceed to next step.

Running the below SSH commands will help you identify whether you have httpd or apache2 server.

sudo systemctl is-enabled httpd

sudo systemctl is-enabled apache2

One of these will respond with enabled. Please follow below steps based on which server type is enabled.

3. Install SSL for Apache httpd server

Please run the below SSH command to install SSL module if not already installed:

sudo yum update -y

sudo yum install -y mod_ssl

If you have Linux 2, please run below command instead of above one

sudo yum install -y mod24_ssl

3a. Modify httpd config file with correct SSL paths

Now it’s time to correct the SSL cert, key and ca bundle paths in default config file. CD into /etc/httpd/conf.d/ and edit ssl.conf file

cd /etc/httpd/conf.d/

sudo nano ssl.conf

You need to look for SSLCertificateFile, SSLCertificateKeyFile & SSLCACertificateFile lines. Assuming your site is hosted / stored in /var/www/ directory and SSL certificates generated with WP Encryption WordPress plugin stored in keys directory, modify the 3 lines to look like this:

SSLCertificateFile /var/www/keys/certificate.crt
SSLCertificateKeyFile /var/www/keys/private.pem
SSLCACertificateFile /var/www/wp-content/plugins/wp-letsencrypt-ssl/cabundle/ca.crt

Save the file by pressing CTRL+O and exit editor with CTRL+X. CMD+O and CMD+X on Mac Terminal.

3b. Restart httpd server for SSL changes to take effect

Now we are done with the server config changes, it’s time to restart apache httpd server once for changes to take effect. Please run the below SSH commands to do so:

sudo systemctl restart httpd

OR

sudo service httpd restart

Your HTTPS site should be working perfectly now!.

4. Install SSL for Apache2 server

Enable SSL module using below command if not already enabled

sudo a2enmod ssl

cd /etc/apache2/ and check if sites-available & sites-enabled directory exists. if exists – cd into sites-available and you should find a config file like default-ssl.conf. Using the default file name, Please run the below command to enable it and then modify this file,

sudo a2ensite default-ssl.conf
sudo nano default-ssl.conf

If you don’t find sites-available & sites-enabled directory, You should probably modify apache2.conf file.

You need to look for SSLCertificateFile, SSLCertificateKeyFile & SSLCACertificateFile lines. Assuming your site is hosted / stored in /var/www/html/ directory and SSL certificates generated with WP Encryption WordPress plugin stored in keys directory, modify the 3 lines to look like this:

SSLCertificateFile /var/www/html/keys/certificate.crt
SSLCertificateKeyFile /var/www/html/keys/private.pem
SSLCACertificateFile /var/www/html/wp-content/plugins/wp-letsencrypt-ssl-pro/cabundle/ca.crt

Save the file by pressing CTRL+O and exit editor with CTRL+X. CMD+O and CMD+X on Mac Terminal.

4a. Restart Apache2 server for SSL changes to take effect

Now we are done with the server config changes, it’s time to restart apache2 server once for changes to take effect. Please run the below SSH commands to do so:

sudo systemctl restart apache2

OR

sudo service apache2 restart

Your HTTPS site should be working perfectly now!.

The post How to install SSL for WordPress on Apache server appeared first on WP Encryption.

Technical Requirements:

• Bitnami WordPress
• SSH / Command line access with root privileges

1. Generate free SSL certificate provided by Let’s Encrypt®

To keep this very simple, We will make use of a WordPress plugin “WP Encryption” to generate free SSL certificate in one click.

All you need to do is just install & activate the plugin on your WordPress Admin, navigate to WP Encryption page, enter your email address and click on Generate SSL Certificate button.

This process will request and retrieve free SSL certificate from Let’s Encrypt authority for your domain. SSL certificates provided by Let’s Encrypt authority will expire in 90 days and you will need to re-generate new certificates again using the same process before the expiry date. SSL certificates cost you several $$$ a year, You could upgrade to “WP Encryption Pro” to avail auto renew feature and lifetime SSL mechanism. The required certificate.crt and private.pem files will be generated and stored in keys/ folder inside your WordPress directory.

2. Configure Bitnami to use SSL certificates by Let’s Encrypt®

Assuming you are on a default setup of Bitnami / AWS Lightsail WordPress, You will need to configure the server config file to use SSL certificate and key from correct path. This is an one time process and you don’t ever need to do it again.

Solution 1

Create a symbolic link from existing / current SSL certificate to new SSL certificates generated & stored by WP Encryption plugin. You can do so by connecting via SSH / Command line to your server and run the below SSH commands,

For Latest Bitnami:

If you are using latest bitnami instance where your WordPress site files are located in /opt/bitnami/wordpress/ folder,

cd /opt/bitnami/apache/conf/bitnami/certs

sudo ln -sf /opt/bitnami/wordpress/keys/certificate.crt server.crt

sudo ln -sf /opt/bitnami/wordpress/keys/private.pem server.key

sudo /opt/bitnami/ctlscript.sh restart apache

For Older Bitnami:

If you are using older bitnami instance where your WordPress site files are located in /opt/bitnami/apps/wordpress/htdocs/ folder, please use below commands instead of above,

cd /opt/bitnami/apache2/conf

sudo ln -sf /opt/bitnami/apps/wordpress/htdocs/keys/certificate.crt server.crt

sudo ln -sf /opt/bitnami/apps/wordpress/htdocs/keys/private.pem server.key

sudo /opt/bitnami/ctlscript.sh restart apache

Finally, Open your site with https:// protocol and check if valid certificate exists as below. If so, you are all set so please skip solution 2.

Solution 2

If the above symlink method fail, We will need to modify WordPress hosts config to use SSL certificates from correct path. Please login via SSH / Command line and follow the below procedure:

Latest Bitnami:

cd /opt/bitnami/apache2/conf/vhosts/

sudo nano wordpress-https-vhost.conf

Older Bitnami:

cd /opt/bitnami/apps/wordpress/conf/

sudo nano httpd-vhosts.conf

You will find a VirtualHost block similar to below

<VirtualHost *:443>
    ServerName yourserverdomain.com
    ServerAlias *.yourserverdomain.com
    DocumentRoot "/opt/bitnami/apps/wordpress/htdocs"

    SSLEngine on

  SSLCertificateFile "/opt/bitnami/apps/wordpress/conf/certs/new_server.crt"
  SSLCertificateKeyFile "/opt/bitnami/apps/wordpress/conf/certs/new_server.key"

    Include "/opt/bitnami/apps/wordpress/conf/httpd-app.conf"
</VirtualHost>

All you need to modify here are the SSLCertificateFile and SSLCertificateKeyFile lines as below

Latest Bitnami:

SSLCertificateFile "/opt/bitnami/wordpress/keys/certificate.crt"

SSLCertificateKeyFile "/opt/bitnami/wordpress/keys/private.pem"

Older Bitnami:

SSLCertificateFile "/opt/bitnami/apps/wordpress/htdocs/keys/certificate.crt"

SSLCertificateKeyFile "/opt/bitnami/apps/wordpress/htdocs/keys/private.pem"

After making these changes, press CTRL + O to save the changes and CTRL + X to exit the file editor. Now We will need to include this httpd-vhosts config file in main config file of Bitnami, please run below commands

NOTE: Skip to restart command below if you are on Latest Bitnami server.

cd /opt/bitnami/apache2/conf/bitnami/

sudo nano bitnami-apps-vhosts.conf

This will open Bitnami vhosts file editor, at the very bottom of the file add the below line in a new line

Include "/opt/bitnami/apps/wordpress/conf/httpd-vhosts.conf"

After making these changes, press CTRL + O to save the changes and CTRL + X to exit the file editor. Lastly, restart Bitnami for changes to take effect using below command

sudo /opt/bitnami/ctlscript.sh restart

Either one of the above two solutions would definitely succeed with the SSL setup for your Bitnami WordPress. Once after you see a valid SSL certificate accessing the https:// version of your site, please change the site & admin url to https:// via Settings -> General of WP-Admin and also enable “Force HTTPS” feature of WP Encryption plugin interface if you notice any mixed content warning in browser console.

3. Resolving Intermediate Cert (CA) issue in Bitnami WordPress

Facebook share debugger and SSLLabs might show your SSL intermediate certificate is missing. Please follow the below commands to resolve the issue:

Latest Bitnami:

cd /opt/bitnami/apache2/conf/bitnami
sudo nano bitnami-ssl.conf

Older Bitnami:

cd /opt/bitnami/apache2/conf/bitnami
sudo nano bitnami.conf

Add below line just after SSLCertificateKeyFile line

Latest Bitnami:

SSLCACertificateFile "/opt/bitnami/wordpress/keys/cabundle.crt"

Older Bitnami:

SSLCACertificateFile "/opt/bitnami/apps/wordpress/htdocs/keys/cabundle.crt"

After making these changes, press CTRL + O to save the changes and CTRL + X to exit the file editor. Lastly, restart Bitnami Apache for changes to take effect using below command

sudo /opt/bitnami/ctlscript.sh restart apache

The post How to Install SSL for AWS Lightsail Bitnami WordPress appeared first on WP Encryption.