Going secure with Bitnami, Apache2, and WordPress (Linux)

It’s very confusing! In fact I’d describe the current state of documentation and articles around this as a right clusterfuck.

Lies, it’s all lies. The articles out there make it out to be hyper-complex – it ain’t, it’s VERY simple, but there are zero articles which point out this path. The articles (which shall not be named) all point in the direction of the LEGO stack (Let’s Encrypt), which, whilst free, is a pain in the arse to understand, let alone actually do.

Go spend £10ish a year on an SSL cert with one of the cheaper SSL certificate providers, you’ll thank yourself, and it’ll be simple!

Why go SSL, especially for a simple site? Not everyone is a tech expert – if they see a warning in their browser that your site isn’t secure, they’ll more than likely go navigate away. If you have any user interaction on the site, it is a security hole – especially when logging in – nobody wants to transmit passwords in plain text!

There is a break here, as this is a long article – not everyone will want to scroll through this thing 🙂

Before going further I will state that the prerequisites for this article are having an active Bitnami WordPress stack, and SSH access to the server in question. Some of the more specialised WordPress hosting companies out there will be able to provide SSL for your site without you getting your hands dirty, however if you require your own server, here’s how to do it…

Go buy an SSL Certificate – just go Google Cheap SSL, and go buy. More than likely if you’re reading this you’ll be after a single site standard certificate – these are (Good news) usually the cheapest…

When you buy the certificate, you’ll need to download / save three files. Sometimes the text is just displayed on screen; in that case, paste it into your favourite text editor and save.

  1. The Private Key. This is a txt file which is usually generated at the time you purchase your SSL certificate. This can be generated and used ahead of time, but to be honest, it won’t make much of a difference.
  2. The Public Key for your site (aka your certificate, sometimes called “server certificate”). Again, a txt file which is generated at the time of purchase, or made available after payment and verification of your domain ownership (performed by multiple methods, including e-mail).
  3. The (Intermediate) Certificate Chain. Simple text file – this is required to provide verification details of your SSL certificate. Your SSL Certificate provider will have this available for you to download. Sometimes this comes in the format of a .pem file for linux servers.

Rename the files as below, for ease of understanding and use:

  • Private Key – ssl_private.key
  • Public Key – ssl_public.crt
  • Intermediate Certificate Chain – ssl_intermediate.crt

Upload these to your server. You can choose the location; in the example below I’ve chosen /opt/bitnami/apache2/conf

Modify (You can use your favourite linux txt editor for this) /opt/bitnami/apache2/conf/bitnami/bitnami.conf to include the following three lines:

SSLCertificateFile "/opt/bitnami/apache2/conf/ssl_public.crt"
SSLCertificateKeyFile "/opt/bitnami/apache2/conf/ssl_private.key"
SSLCertificateChainFile "/opt/bitnami/apache2/conf/ssl_intermediate.crt"

Set the ownership of the files to root:root with the command (Example):
sudo chown root:root /opt/bitnami/apache2/conf/ssl_intermediate.crt
(repeat for all three files)

Set the permissions of the files to 600 with the command (Example):
sudo chmod 600 /opt/bitnami/apache2/conf/ssl_intermediate.crt
(repeat for all three files)

When done restart Apache with the command: sudo /opt/bitnami/ctlscript.sh restart apache

If it doesn’t restart, go undo the changes to the .conf file, and issue the restart command again. Google solutions. (Always good to have a backout plan, and shouldn’t really need to be said – BACKUP BACKUP BACKUP – BEFORE any changes!)
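Most failed restarts at this point come down to a private key that doesn’t match the certificate, a chain file whose first certificate isn’t the one that issued yours, or a file with the wrong permissions. The script below is an added example, not from the original post, that checks exactly those things before you restart. It assumes openssl and GNU stat are on the box (standard on Bitnami images); the apachectl path mentioned at the end is Bitnami’s usual one and is an assumption.

```shell
# Added example (not from the original post): sanity-check the three renamed
# files before restarting Apache. Assumes openssl and GNU stat are installed;
# the apachectl path is Bitnami's usual one and is an assumption.

# Return 0 if the certificate's public key matches the private key.
key_matches_cert() {
    crt_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null)
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null)
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# Return 0 if the first certificate in the chain file is the issuer of the
# server certificate, i.e. the intermediate actually links to your cert.
chain_links_cert() {
    issuer=$(openssl x509 -noout -issuer -in "$1" 2>/dev/null | sed 's/^issuer=//')
    subject=$(openssl x509 -noout -subject -in "$2" 2>/dev/null | sed 's/^subject=//')
    [ -n "$issuer" ] && [ "$issuer" = "$subject" ]
}

# Return 0 if the file has mode 600 (owner read/write only), as the post asks.
mode_is_600() {
    [ "$(stat -c '%a' "$1" 2>/dev/null)" = "600" ]
}

# Run every check on key, cert and chain; prints one line per check and
# returns non-zero if any of them failed.
check_ssl_files() {
    key=$1; crt=$2; chain=$3; rc=0
    for f in "$key" "$crt" "$chain"; do
        [ -r "$f" ] || { echo "MISSING: $f"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return "$rc"
    key_matches_cert "$crt" "$key" && echo "OK: key matches certificate" \
        || { echo "FAIL: private key does not match certificate"; rc=1; }
    chain_links_cert "$crt" "$chain" && echo "OK: chain issuer matches" \
        || { echo "FAIL: first chain cert is not the issuer of your cert"; rc=1; }
    for f in "$key" "$crt" "$chain"; do
        mode_is_600 "$f" && echo "OK: $f is mode 600" \
            || { echo "FAIL: $f is not mode 600"; rc=1; }
    done
    return "$rc"
}

# Usage: sh check_ssl.sh ssl_private.key ssl_public.crt ssl_intermediate.crt
if [ "$#" -eq 3 ]; then
    check_ssl_files "$1" "$2" "$3" \
        && echo "All good; now test the config: sudo /opt/bitnami/apache2/bin/apachectl -t"
fi
```

Run it as root (or after the chown) so the 600 checks see the files; a FAIL on the chain check usually means you downloaded the root bundle instead of the intermediate.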

When done, either go install one of the Force SSL plugins for WordPress, or if you’re feeling frisky, go fuck with .htaccess to make everything SSL friendly.

You can also perform a search and replace on your posts (Using Addon “Better Search Replace”) to replace http:// with https://.

When done, your site should be secure, displaying the shiny padlock symbol in the browser. If you’re testing with Chrome – CLOSE your tab and open another, otherwise the site won’t update.

If you get a message about insecure or mixed content, you can press F12 in Chrome, go to the security tab, refresh your site, and have a look at what content is insecure, allowing you to eliminate it – hint – some addons don’t do secure, so you might need to find some alternatives.

In Summary:

  • Go buy cheap certificate
  • Download and save the files, renaming as specified
  • Upload to your server (WinSCP can be used for this, and will import your PuTTY connections)
  • Set the file ownerships and permissions as specified
  • Modify the .conf file as specified
  • Restart Apache
  • Install a Force SSL addon, or perform fuckery with .htaccess (Go Google that shit)
  • Perform a search & replace on your posts etc with the Better Search Replace addon
  • Relax, that wasn’t hard! 🙂

A note regarding text editors: Sometimes you just need something simple (My favourite is joe), however JED is VERY simple and like the old DOS EDIT. Jed can be downloaded and installed inside most linux environments via sudo apt-get install jed. The command to launch jed is: jed <filename>

And before someone goes and fucks something up, this advice is provided for people to use at their own risk – I accept no responsibility or liability for any fuckery or breakages arising from this article, or anything here! Mind saying that, if you’re brave enough to go make the leap from standard WP hosting to having your own server, you’ll be well familiar with the fuckery which can arise! 🙂