Files
ansible-lemp-wordpress/docs/ssl-setup.md
Sebastian Palencsar dffd8e3b76 feat: v2.5.0 - Complete Technology & Security Update
Features:
- PHP 8.4 support (from 8.3)
- WordPress 7.0 (auto-update via WP-CLI)
- Modern TLS 1.3 cipher suites (2026 best practices)
- Fail2Ban security integration (5 jails: SSH, Nginx, WordPress, recidive)
- Auto-update cron job for WordPress (weekly Minor updates)
- Debian 14 Forky support (testing)
- Ubuntu 25.04 support
- Python 3.12 in GitHub Actions

Security:
- Fail2Ban with SSH brute force protection (24h ban)
- WordPress wp-login.php protection (2h ban)
- Nginx bot scanner protection
- Recidive jail for repeat offenders (1 week ban)
- Modern TLS ciphers (AEAD only)
- HSTS 2 years for preload

Documentation:
- docs/autoupdate.md - WordPress auto-update guide
- docs/fail2ban.md - Fail2Ban configuration guide
- docs/troubleshooting.md - Updated with php_version variable

Breaking changes:
- PHP 8.4 is now the default (requires Ubuntu 20.04+ or Debian 11+)
2026-05-04 19:37:27 +02:00

2.3 KiB
Executable File

SSL/HTTPS Setup Guide

This guide explains how to set up SSL certificates for your WordPress installation using the integrated SSL support.

Prerequisites

  • Domain name pointing to your server
  • Ports 80 and 443 open in firewall
  • Valid email address for Let's Encrypt

Method 1: Enable SSL in Inventory

Edit your inventory/production.yml:

wordpress_servers:
  hosts:
    your-domain.com:
      # ... other settings ...
      
      # SSL Configuration
      ssl_enabled: true                    # Enable SSL
      ssl_email: admin@your-domain.com     # Required for Let's Encrypt
      domain_name: your-domain.com         # Your domain

Deploy with SSL:

# Basic LEMP with SSL
ansible-playbook -i inventory/production.yml playbooks/lemp-wordpress.yml

# Ultimate Performance with SSL  
ansible-playbook -i inventory/production.yml playbooks/lemp-wordpress-ultimate.yml

Method 2: Enable SSL via Command Line

# Enable SSL during deployment
ansible-playbook -i inventory/production.yml playbooks/lemp-wordpress.yml \
  -e "ssl_enabled=true" \
  -e "ssl_email=admin@your-domain.com"

Manual SSL Setup

If you prefer manual setup or have your own certificates:

  1. Install Certbot:

    sudo apt update
    sudo apt install certbot python3-certbot-nginx
    
  2. Generate Certificate:

    sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com
    
  3. Auto-renewal:

    sudo crontab -e
    # Add: 0 12 * * * /usr/bin/certbot renew --quiet
    

SSL Configuration

The SSL-enabled Nginx configuration includes:

  • HTTP to HTTPS redirect
  • Strong SSL ciphers
  • HSTS headers
  • OCSP stapling

Troubleshooting SSL

Certificate not found:

  • Verify domain DNS points to server
  • Check firewall allows ports 80/443
  • Ensure Nginx is running

Mixed content warnings:

  • Update WordPress site URL in database
  • Check for hardcoded HTTP links
  • Use SSL-aware plugins

Certificate renewal fails:

  • Check Nginx configuration syntax
  • Verify webroot path permissions
  • Review certbot logs: /var/log/letsencrypt/

Custom Certificates

To use your own SSL certificates:

  1. Copy certificates to /etc/ssl/certs/
  2. Update Nginx configuration
  3. Restart Nginx service

See templates/wordpress-ssl.nginx.j2 for the SSL template.