Let’s Encrypt: A WordPress Site

I have been using Dreamhost for almost a decade now.  They are a wonderful hosting company made even better by the collaboration with Let’s Encrypt.  Let’s Encrypt is a free, automated, and open certificate authority brought to you by the Internet Security Research Group (ISRG).  Dreamhost set up a system that allows for a free and easy installation of a Let’s Encrypt certificate on their customers’ websites.  I literally had to push a button and the certificate began its registration process.  However, I did have a few problems getting my WordPress sites completely encrypted.

If you are having the same problem, use Chrome’s source code viewer to spot what is not encrypted on the page.  For me, it was the pictures I uploaded via WordPress and some embedded links that were not embedded with “https.”  This may be your issue as well.  I did two things, and while they may not be the most effective way to implement this strategy, it “got r’ done.”

Go to “Settings” then “General” in your WordPress Dashboard.  Where it says “WordPress Address (URL)” and “Site Address (URL),” make sure to add the “s” in “https” to those entries and click save.  If that doesn’t magically fix your SSL/TLS encryption icon in your browser, you can do what I did – manually change the URLs in your site.  This means changing the links in your pages, posts and embedded images.  Just add an “S”.  Now if you have a huge site, this is not going to be an effective way to do this, but you can narrow your focus to the one or two pages that really need to be encrypted – like your contact page, for example.  This worked on all my sites except this one.  What I had to do was re-upload all my media and add them to my pages, once again.  To reiterate, you have three steps:

  1. add the “S” in the general settings in your dashboard
  2. manually change the URLs in your links and embedded media
  3. re-upload all the media breaking the encryption (if you don’t have a lot, then this won’t take any time at all)
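To find which URLs step 2 needs to change without reading the page source by eye, the following added example (not part of the original post) scans a page's HTML for subresources still loaded over plain http://. The sample page and its example.com URLs are constructed placeholders; save your own page source and pass it to `find_mixed_content` instead.

```python
from html.parser import HTMLParser

# Tag/attribute pairs that make the browser fetch a subresource while rendering.
# Plain <a href> links are navigations, not part of the page load, so they are skipped.
SUBRESOURCE_ATTRS = {
    "img": ("src", "srcset"), "source": ("src", "srcset"),
    "script": ("src",), "iframe": ("src",), "embed": ("src",),
    "audio": ("src",), "video": ("src", "poster"),
    "object": ("data",), "link": ("href",),
}

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line number, tag, attribute, insecure URL)

    def handle_starttag(self, tag, attrs):
        rel = (dict(attrs).get("rel") or "").lower().split()
        # <link> only fetches something for stylesheets and icons (not rel=canonical etc.)
        if tag == "link" and not {"stylesheet", "icon"} & set(rel):
            return
        for name, value in attrs:
            if name not in SUBRESOURCE_ATTRS.get(tag, ()) or not value:
                continue
            # srcset holds comma-separated "URL descriptor" candidates
            parts = value.split(",") if name == "srcset" else [value]
            for part in parts:
                fields = part.split()
                if fields and fields[0].lower().startswith("http://"):
                    self.findings.append((self.getpos()[0], tag, name, fields[0]))

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page: one insecure script, one insecure image and srcset entry.
SAMPLE = """<html><head>
<link rel="stylesheet" href="https://example.com/wp-content/themes/t/style.css">
<script src="http://example.com/wp-includes/js/jquery.js"></script>
</head><body>
<a href="http://example.com/contact/">Contact</a>
<img src="http://example.com/wp-content/uploads/2016/01/photo.jpg"
     srcset="https://example.com/a.jpg 1x, http://example.com/b.jpg 2x">
</body></html>"""

if __name__ == "__main__":
    for line, tag, attr, url in find_mixed_content(SAMPLE):
        print(f"line {line}: <{tag} {attr}> loads {url}")
```

An empty result for a page means every scanned subresource is already referenced over https.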

If you go to my books link in the menu, you will see the page is not entirely encrypted.  This is because doing so would require that I hand-change each link in the book entry.  Not worth the time.

Now for a little theory behind what actually occurs when you SSL/TLS-enable a web site.  The following are the general steps taken by a client visiting your web site and the web server:

  1.  The client sends a request for a web page to the secure web site using https:// in the URL. This makes a connection to port 443 by default.
  2.  The server sends its certificate, which contains the public key, to the client.
  3.  The client validates the certificate and ensures it has not expired or been revoked.
  4.  The client creates a random symmetric key (known as a session key) used to encrypt the web page content, and then encrypts the symmetric key with the public key obtained from the web server.
  5.  The encrypted information is sent to the web server. The web server decrypts and obtains the symmetric key (session key). The web server uses the symmetric key to encrypt information between the client and the server.

Happy encrypting