WPCloudDeploy does not officially support custom SSL certificates.
However, that does not mean you cannot add one to your site.
A typical use case would be that you’ve accidentally exceeded the attempts to get a certificate from Let’s Encrypt (the default on our SSL tab). Instead of waiting seven days to retry while your site remains without SSL, you might choose to install a custom certificate.
You can find suppliers of SSL certificates for under $10.00. For example, https://cheapsslsecurity.com.
However, beware that upon checkout, many suppliers will set your period to 5 years or more. So your $10.00 certificate is suddenly $50.00. Since the use of a custom SSL certificate tends to be temporary, you really want to make sure you’re only paying for one year.
Typically, you first purchase a certificate and then you go through a workflow after checkout where you can use the certificate by specifying and validating your domain.
Most of these suppliers will then send you files specific to your web server. For example, you can specify that your web server is NGINX and they’ll send you generic files as well as a single PEM file suitable for NGINX which will include all the intermediate certificates.
The provider of the certificate will typically have instructions for how to install the certificate on an NGINX server.
For WPCloudDeploy, the general flow is something like this:
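# custom ssl cert.
# "listen 443 ssl;" replaces the older "listen 443; ssl on;" form: the standalone
# "ssl on;" directive is deprecated and has been removed from current NGINX releases.
listen 443 ssl;
ssl_certificate /etc/ssl/filename.pem;
ssl_certificate_key /etc/ssl/filename.key;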
server {
    # Redirect plain-HTTP requests for either hostname to HTTPS.
    if ($host = www.yourdomain.com) {
        return 301 https://$host$request_uri;
    }
    if ($host = yourdomain.com) {
        return 301 https://$host$request_uri;
    }
    listen 80;
    listen [::]:80;
    server_name yourdomain.com www.yourdomain.com;
    return 404;
}
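Before reloading NGINX with the directives above, it helps to confirm that the private key belongs to the certificate and that the PEM file really contains the intermediates. The following is an added example, not part of WPCloudDeploy; the function names are hypothetical, the file paths are the placeholders used above, and it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: pre-flight checks for a custom certificate before NGINX is reloaded.
# Arguments are placeholders for the files named in ssl_certificate / ssl_certificate_key.

# True when the private key belongs to the first (leaf) certificate in the PEM bundle.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Number of certificates in the bundle; 1 means the intermediates are missing.
# This counts PEM blocks only, it does not validate the chain.
bundle_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Run all checks; prints OK and returns 0 only if every check passes.
preflight() {
    cert=$1
    key=$2
    key_matches_cert "$cert" "$key" ||
        { echo "FAIL: private key does not match certificate"; return 1; }
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "FAIL: certificate has expired"; return 1; }
    [ "$(bundle_cert_count "$cert")" -ge 2 ] ||
        { echo "FAIL: bundle has no intermediate certificates"; return 1; }
    [ -z "$(find "$key" -perm -004 2>/dev/null)" ] ||
        { echo "FAIL: private key is world-readable"; return 1; }
    echo "OK"
}

# Typical use (run as root on the server), then let NGINX validate the config itself:
#   preflight /etc/ssl/filename.pem /etc/ssl/filename.key && nginx -t
```

If `preflight` prints OK and `nginx -t` reports a successful test, the configuration can be reloaded without the web server refusing to start because of a mismatched or unreadable certificate file.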
There are going to be nuances depending on your SSL vendor and other factors such as security (e.g., you might want to restrict the TLS protocols and ciphers used).
But the basic idea is that:
Now we should let WPCD know that a custom SSL certificate is installed. This will allow certain generated links to automatically use https:// instead of just http://.
Please do not attempt to do anything involving SSL inside WPCD until you remove your file edits. Otherwise, you might corrupt the configuration files and the web server will refuse to start!
We recommend that you add an APP GROUP as well as a LABEL to the site so that it’s obvious in your site list that the site is using a custom SSL certificate.
We have tested the most common operations with custom SSL certificates and they seem to work just fine. But because this involves customizations to our existing stack, free support is not available if something funky occurs.
If you have more than one site with custom SSL certificates you might want to consider placing them on their own VM.
The above are the minimum NGINX directives required to get SSL working. However, you might want to add in the following just below the ssl_certificate_key directive.
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
Generally, these turn off insecure protocols: only TLS 1.2 and TLS 1.3 are accepted, and the cipher list is limited to the suites shown.
By owning and managing your own servers, you’re able to do things that are outside the feature scope of ‘standard’ software or SaaS services. This is an example of something that you can do even though it’s not officially supported inside WPCloudDeploy.