Let's Encrypt with lighttpd and WordPress
I am trying to implement Let's Encrypt with certbot, and I am using lighttpd on CentOS 6.
So this is my full conf file for my host:
$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/letsencrypt/live/mysite.com/web.pem"
    ssl.ca-file = "/etc/letsencrypt/live/mysite.com/chain.pem"
    server.name = "mysite.com"
    server.document-root = "/home/mysite/public_html"
    server.errorlog = "/var/log/lighttpd/mysite.com_error.log"
    accesslog.filename = "/var/log/lighttpd/mysite.com_access.log"
    ssl.cipher-list = "ECDHE-RSA-CHACHA20-POLY1305 ECDHE-ECDSA-CHACHA20-POLY1305 AES128+EECDH:AES128+EDH:!aNULL:!eNULL"
    ssl.honor-cipher-order = "enable"
    ssl.disable-client-renegotiation = "enable"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
}
$HTTP["scheme"] == "http" {
    # Dots in the host pattern are escaped so "." matches a literal dot only
    $HTTP["host"] =~ "^(www\.)?mysite\.com$" {
        # lighttpd option is server.name (server_name is the nginx spelling)
        server.name = "mysite.com"
        server.document-root = "/home/mysite/public_html"
        accesslog.filename = "/home/mysite/logs/access.log"
        fastcgi.server = ( ".php" =>
            ( "localhost" =>
                (
                    "socket" => "/var/run/lighttpd/php-fpm.socket.mysite"
                )
            )
        )
        url.rewrite-once = (
            # Exclude some directories from rewriting
            "^/(\.well-known|wp-admin|wp-includes|wp-content|phpmyadmin)/(.*)" => "$0",
            # Exclude .php files at root from rewriting
            "^/(.*\.php)" => "$0",
            # Handle search correctly
            "^/(.*)?(?s=)(.*)$" => "/search/$3",
            # Handle permalinks and feeds
            "^/(.*)$" => "/index.php/$1",
            "^/?$" => "/index.php",
        )
        alias.url = ("/phpmyadmin" => "/usr/share/phpmyadmin/")
    }
}
So the first problem I am having is that when I try to go to https://mysite.com I get content without images and style, so that is a url-rewrite problem, but I don't see that HTTPS is enabled. I still get a warning from the browser that my site is not secure.
The second issue is that when I add url.redirect = (".*" => "https://%0$0") I get a too many redirects error.
So I am puzzled. I think the problem might be with the rewrites, but it's odd that I don't even have HTTPS enabled.
P.S. And yes, I got a success message from certbot before all this.
THE SOLUTION was just to install a WP plugin that turns all my http links to images and styles into https, and now it's working. @mrkoopie's answer helped me think about the solution in that way, so I am accepting it.
Solution 1:
The good news is that your server is configured correctly if you don't get a certificate error upon accessing the website via HTTPS. The bad news is that your website is configured incorrectly.
What is happening is that the HTML content is loaded over HTTPS. So far, so good and secure. But what goes wrong is that the objects that your HTML content refers to, such as images, CSS and JS, are referred to with HTTP instead of HTTPS. This is bad, as browsers won't download any non-encrypted file when the HTML code is loaded over HTTPS.
To resolve this, make sure that your website refers to every file with HTTPS. In WordPress this can be done easily; however, you did not say what system you are using, and for each system this is different.
So why is loading objects over HTTP bad when the HTML code is loaded over HTTPS? Well, the fact that you use HTTPS means that you want to load your content securely. The main objective is that nobody can alter or view the content. If you load any object over HTTP, it is vulnerable to malicious injection and anyone can see what content is being loaded (assuming that they can get at your traffic). As this reduces the security by a lot, browsers simply ignore any object that is referred to by HTTP when the HTML content is loaded via HTTPS. Configuring your server to redirect HTTP traffic to HTTPS won't work, as the browser will not attempt to load the objects anyway.
Hope this helps.
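The mixed-content problem described in the answer, and the fix the asker ended up with (rewriting every http:// reference to https://), can be checked on a page's HTML before touching the server. The script below is an added example, not code from the question, the answer or any WordPress plugin: it scans HTML for subresources (images, scripts, stylesheets, frames, media) whose URL uses plain http://, which is exactly what a browser refuses to load on an HTTPS page, and offers a rewrite that turns those absolute http URLs into https. The sample HTML and the host name mysite.com are constructed for the demonstration.

```python
"""Mixed-content scanner and http->https rewriter for HTML served over HTTPS.

Added example (not from the original post). The SAMPLE_HTML below is
constructed; mysite.com is a placeholder host.
"""
import re
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlsplit

# Tag/attribute pairs whose value the browser fetches as a subresource.
# <a href> is deliberately absent: an http link is a navigation, not blocked
# mixed content, so it does not break the page's rendering.
SUBRESOURCE_ATTRS = {
    "img": ("src",),
    "script": ("src",),
    "iframe": ("src",),
    "source": ("src",),
    "audio": ("src",),
    "video": ("src", "poster"),
    "link": ("href",),  # only for rel values that are actually fetched
}
FETCHED_LINK_RELS = {"stylesheet", "icon", "preload", "prefetch", "modulepreload"}


class MixedContentScanner(HTMLParser):
    """Record every subresource reference whose URL scheme is plain http."""

    def __init__(self) -> None:
        super().__init__()
        self.insecure: List[Tuple[str, str, str]] = []  # (tag, attr, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & FETCHED_LINK_RELS:
                return  # canonical/alternate links are metadata, not fetched
        for attr in SUBRESOURCE_ATTRS.get(tag, ()):
            url = attrs.get(attr)
            # Relative ("/x.png") and protocol-relative ("//cdn/x.png") URLs
            # inherit the page scheme, so only an explicit http:// is a problem.
            if url and urlsplit(url.strip()).scheme.lower() == "http":
                self.insecure.append((tag, attr, url))


def find_mixed_content(html: str) -> List[Tuple[str, str, str]]:
    """Return (tag, attribute, url) for each subresource loaded over http."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.insecure


# Start of a src/href/poster attribute value that uses the http scheme.
_HTTP_ATTR = re.compile(r'((?:src|href|poster)\s*=\s*["\'])http://', re.IGNORECASE)


def rewrite_to_https(html: str) -> str:
    """Rewrite http:// to https:// in src/href/poster attribute values.

    This mirrors what the asker's WordPress plugin did: every absolute http
    URL in the markup, navigation links included, becomes https. Relative and
    protocol-relative URLs are untouched since they already follow the page.
    """
    return _HTTP_ATTR.sub(r"\g<1>https://", html)


# Constructed sample page: two blocked subresources, one already-https script,
# a relative and a protocol-relative image, a canonical link and a plain link.
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="stylesheet" href="http://mysite.com/wp-content/themes/x/style.css">
<link rel="canonical" href="http://mysite.com/">
<script src="https://mysite.com/wp-includes/js/jquery.js"></script>
</head><body>
<img src="http://mysite.com/wp-content/uploads/logo.png">
<img src="/wp-content/uploads/relative.png">
<img src="//cdn.example/protocol-relative.png">
<a href="http://mysite.com/about/">About</a>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_HTML):
        print(f"blocked mixed content: <{tag} {attr}={url!r}>")
    fixed = rewrite_to_https(SAMPLE_HTML)
    print("remaining after rewrite:", find_mixed_content(fixed))
```

Run against a saved copy of the page (for example the output of curl on the HTTPS URL), the scanner lists exactly the references the browser drops, which is a quicker diagnosis than reading the lighttpd rewrite rules: if the list is non-empty, no redirect or rewrite rule on the server will make those objects appear, because the browser never asks for them.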