HTTP/2, HTTPS, Let’s Encrypt and WordPress


TL;DR — HTTP/2 is awesome, but browsers only speak it over HTTPS, which is hard to set up. Let’s Encrypt and WordPress can make HTTPS setup simple and help achieve a faster web sooner.

My eyes are heavy, my head foggy. Kind of feels like I’m in a dream right now. A couple of hours ago I got home from Philadelphia, where I attended the WordPress Community Summit and the first annual WordCamp US over the past 7 days. And man, what a time.

There will be plenty of recap posts published this week, so instead, I thought I’d dig into one thing I got very excited about at the summit.

HTTP/2

Weeks ago I got really excited about HTTP/2 while researching it for an episode of Apply Filters. (If you haven’t learned about HTTP/2 yet, I urge you to listen to that episode. I’m very proud of the work Pippin and I did on it.) I learned that adding support for HTTP/2 on your site gives it an instant performance boost: all of a page’s requests are multiplexed over a single connection and headers are compressed, which suits the dozens of small assets a typical WordPress page loads. And if you already have HTTPS set up, enabling HTTP/2 is as easy as updating Nginx to version 1.9.5 or later (the http2 module first shipped in 1.9.5) and adding http2 to the listen directive in the config file:

listen 443 ssl http2;

If you don’t have HTTPS set up, you have to do that first: browsers only implement HTTP/2 over TLS (the spec also defines a cleartext mode, h2c, but no major browser supports it). One more caveat: browsers negotiate HTTP/2 through the ALPN TLS extension, which Nginx only supports when it is built against OpenSSL 1.0.2 or later, so check the OpenSSL version in the output of nginx -V before expecting h2 to show up in your browser’s developer tools.
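Here is the kind of server block that ties the three pieces together, as an added example that is not from the original post or from the Let’s Encrypt project. The /etc/letsencrypt/live/DOMAIN/ file names are the Let’s Encrypt client’s; the rest is an assumed reference configuration written as a small shell function so the domain and webroot are not hard-coded. It keeps the ACME challenge path on plain HTTP so renewals still work after the redirect to HTTPS, and it flags the two version requirements (OpenSSL 1.0.2+ for ALPN, and TLS 1.3 only on newer builds).

```shell
#!/bin/sh
# Added example: renders an Nginx site config for a domain whose certificate
# lives in /etc/letsencrypt/live/DOMAIN/. Not from the post; the layout of the
# live/ directory is the Let's Encrypt client's, the rest is an assumed
# reference config. Usage:
#   render_site_config example.com /var/www/example/public \
#       > /etc/nginx/sites-available/example.com && nginx -t && nginx -s reload
render_site_config() {
    domain=$1
    webroot=$2
    live=/etc/letsencrypt/live/$domain
    cat <<EOF
server {
    listen 80;
    server_name $domain www.$domain;

    # Keep the ACME challenge path on plain HTTP so the CA can fetch it even
    # though everything else is sent to HTTPS.
    location /.well-known/acme-challenge/ {
        root $webroot;
    }

    location / {
        return 301 https://\$host\$request_uri;
    }
}

server {
    # http2 is negotiated via ALPN; Nginx needs OpenSSL 1.0.2+ for that.
    listen 443 ssl http2;
    server_name $domain www.$domain;
    root $webroot;

    # fullchain.pem = leaf + intermediate; privkey.pem never leaves this host.
    ssl_certificate     $live/fullchain.pem;
    ssl_certificate_key $live/privkey.pem;
    # Drop TLSv1.3 if Nginx is older than 1.13 or OpenSSL older than 1.1.1.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # Only add HSTS once every host under $domain really works over HTTPS;
    # browsers will refuse plain HTTP for max-age seconds after seeing it.
    add_header Strict-Transport-Security "max-age=31536000" always;
}
EOF
}

# Stand-alone use: print the config for the domain and webroot given on the
# command line.
if [ $# -eq 2 ]; then
    render_site_config "$1" "$2"
fi
```

Run nginx -t before reloading; a typo in the certificate path takes the whole server down on reload, not just the one site.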

HTTPS

Unfortunately setting up and managing HTTPS is currently a huge pain. You have to generate a CSR, go to a certificate vendor, verify that you’re the owner of your domain, buy a certificate, install it on the server and configure your web server to use it. Then every year you have to go through the first part of the process again, buying a certificate renewal, and replacing the certificate files on your server. It’s an annual annoyance that no one wants.

The process is also terribly broken. Ever have a certificate vendor send you your certificate pasted into the body of an email? I have. An email! (The certificate itself is public, so an emailed certificate is a sign of a sloppy process rather than a leak; the private key is what must never travel that way, and it never has to, because the vendor only ever sees your CSR.)

Let’s Encrypt

Enter Let’s Encrypt, which just went public beta last week. The goal of Let’s Encrypt is to offer free, browser-trusted certificates and to automate both their issuance and their renewal. It’s run by the Internet Security Research Group (ISRG), a non-profit backed by Mozilla, Facebook, Automattic and some other big companies.

Basically Let’s Encrypt offers an API (the ACME protocol) where you prove you control a domain, request a certificate and get one back. They have a command line client that you can install on your server easily enough (it asks for sudo to install its dependencies on first run):

$ git clone https://github.com/letsencrypt/letsencrypt
$ cd letsencrypt
$ ./letsencrypt-auto

Then it’s a pretty straightforward command to get a certificate:

$ ./letsencrypt-auto certonly --webroot -w /var/www/example/public/ -d example.com -d www.example.com

Here we’re specifying our webroot folder so that the client can place a file in there to verify domain ownership: it writes a token under /.well-known/acme-challenge/ in that folder, and Let’s Encrypt fetches it over plain HTTP on port 80 (the HTTP-01 challenge), so that path has to be reachable from the internet without authentication. Pretty neat. Certificate files end up in /etc/letsencrypt/live/example.com: fullchain.pem (your certificate plus the intermediate) and privkey.pem (the private key, which never leaves the server). The files in live/ are symlinks to the newest versions in /etc/letsencrypt/archive/, which is what lets renewals happen without touching your server config. So now you just need to point ssl_certificate and ssl_certificate_key in your server config at those two files. Already soooo much easier than before. But what if it could be even easier? This is the part that I learned about at the summit and got excited about.
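Before asking Let’s Encrypt for anything, it is worth doing the webroot check yourself, because a wrong folder, a firewall or a broken redirect will otherwise only show up as a failed validation (and those count against the rate limits). The script below is an added example, not part of the post or of the Let’s Encrypt client: it drops a random token where the client would, fetches it back the way the CA does, and compares. The ACME_FETCH variable is an assumed name that lets you swap curl for another fetcher, or for cat with the webroot as the base path, to dry-run the file handling without a network.

```shell
#!/bin/sh
# Added example: pre-flight check for the webroot (HTTP-01) validation.
# Not part of the post or of the Let's Encrypt client. It does what the CA
# will do: drop a random token under WEBROOT/.well-known/acme-challenge/,
# fetch it back over plain HTTP and compare the bytes.
#
# Usage: acme_selfcheck DOMAIN WEBROOT [BASEURL]
#   BASEURL defaults to http://DOMAIN. ACME_FETCH (assumed name) overrides
#   the fetch command, e.g. ACME_FETCH=cat with BASEURL=WEBROOT for a
#   disk-only dry run.
acme_selfcheck() {
    domain=$1
    webroot=$2
    baseurl=${3:-http://$domain}
    fetch=${ACME_FETCH:-"curl -fsS --max-time 10"}
    dir="$webroot/.well-known/acme-challenge"
    # 32 hex chars; the real client uses a CA-supplied token here.
    token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    expected="selfcheck-$token"

    mkdir -p "$dir" || return 2
    printf '%s' "$expected" > "$dir/$token" || return 2
    got=$($fetch "$baseurl/.well-known/acme-challenge/$token" 2>/dev/null) || got=""
    rm -f "$dir/$token"   # never leave stale tokens lying around

    if [ "$got" = "$expected" ]; then
        echo "OK: $domain serves $dir at $baseurl/.well-known/acme-challenge/"
        return 0
    fi
    echo "FAIL: $baseurl/.well-known/acme-challenge/$token did not return the token written to $dir" >&2
    return 1
}

# Stand-alone use: acme_selfcheck.sh example.com /var/www/example/public
if [ $# -ge 2 ]; then
    acme_selfcheck "$@"
fi
```

If this fails but the file is on disk, the usual culprits are a server block whose root is not the folder you passed to -w, a redirect to HTTPS that serves a different root, or port 80 being blocked from the outside.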

WordPress

Enter WordPress. As you probably already know, around 25% of the web runs on WordPress. When WordPress changes, the web changes. The impact is huge. And so, what better way to convert the web to HTTPS than to use WordPress. Specifically, a WordPress plugin.

Zack Tollman and John Blackbourn have been working on a Let’s Encrypt plugin for WordPress. The idea is that you would search for the plugin in your WordPress dashboard, one-click install it, and run an ultra simple WP-CLI command:

$ wp cert new

The above command assumes you’re in the webroot folder of your site. If you want to run the command from another folder you can provide the --path argument:

$ wp --path=/var/www/example/public/ cert new

The plugin will interact directly with the Let’s Encrypt API, so no need to download and install a command line tool. It hasn’t been decided yet, but I’m guessing it will follow the official Let’s Encrypt client and store certificate files in /etc/letsencrypt/live/example.com or at least encourage you to move them there.

I highly recommend checking out the GitHub repo and specifically the CONTRIBUTING.md file to learn how you can help out with development, testing, etc. At the time of publishing this article, the focus is building a PHP library to implement the ACME protocol and interact with the Let’s Encrypt API.

Automation

As I said before, one of the main goals of Let’s Encrypt is automating the renewal of certificates. In fact, Let’s Encrypt’s certificates are only valid for 90 days, then they expire. That’s a huge departure from the 12-month (or longer) lifetime you get when you pay for a certificate.

The theory here is that a short lifetime will annoy people who are doing it manually and encourage them to automate renewal. It also limits how long a stolen key or a mis-issued certificate stays useful, which matters because revocation checking is unreliable in practice. I know it would be incredibly annoying to me if I had to manually renew my certificates every 90 days.

Fortunately automating renewals is as easy as generating a certificate the first time. Just run the same command and it will replace your current certificate files with the renewed ones. No need to update your web server configuration, though the web server does have to be reloaded (nginx -s reload) to pick up the new files; until then it keeps serving the certificate it read at startup. And so, automating renewal will be just a matter of installing a cron that runs the command (followed by the reload) on a monthly basis, which leaves a couple of missed runs of headroom before a 90-day certificate expires. Whatever user the job runs as needs write access to /etc/letsencrypt and permission to reload the server:

0 0 1 * * wp --path=/var/www/example/public/ cert new

I want to reiterate that the WordPress plugin hasn’t been released yet and the command above is just an example of what it could be when it’s released.
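A renewal job that only re-runs the issuance command can still let a site expire quietly: the command may fail, or succeed without changing anything, and the server keeps serving the old certificate until someone reloads it. The script below, an added example that is not from the post or from any plugin, is what I would actually put behind the cron line. It uses openssl to check how long the live certificate has left, only renews inside a 30-day window (so running it daily is harmless), and only reloads the web server when the certificate file really changed, failing loudly otherwise so cron mails you. The renewal command defaults to the post’s hypothetical wp cert new; the variable names CERT, RENEW_CMD, RELOAD_CMD and RENEW_WINDOW_DAYS are assumptions for this example.

```shell
#!/bin/sh
# Added example: a cron-driven renewal job. Not part of the post or of any
# plugin. The renewal command is the post's hypothetical "wp cert new"; swap
# in whatever client you actually use. Everything below is configurable via
# environment variables (names assumed for this example):
#   CERT               live certificate file the web server is configured with
#   RENEW_CMD          command that (re)issues the certificate into that path
#   RELOAD_CMD         how to make the web server read the new files
#   RENEW_WINDOW_DAYS  renew once fewer than this many days of validity remain
CERT=${CERT:-/etc/letsencrypt/live/example.com/fullchain.pem}
RENEW_CMD=${RENEW_CMD:-"wp --path=/var/www/example/public/ cert new"}
RELOAD_CMD=${RELOAD_CMD:-"nginx -s reload"}
RENEW_WINDOW_DAYS=${RENEW_WINDOW_DAYS:-30}

# Exit status 0 when CERT is missing or expires within DAYS, 1 when it is fine.
# openssl's -checkend does the date arithmetic, so this is portable across
# GNU and BSD userlands.
needs_renewal() {
    cert=$1
    days=$2
    [ -r "$cert" ] || return 0
    ! openssl x509 -noout -checkend $((days * 86400)) -in "$cert" 2>/dev/null
}

# SHA-256 fingerprint of the certificate, or "none" if it cannot be read.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" 2>/dev/null || echo none
}

# Renew only when needed, and reload the web server only when the certificate
# on disk actually changed. A renewal that "succeeds" but leaves the old file
# in place is reported as a failure so cron mails you instead of silently
# letting the site expire.
renew_if_needed() {
    if ! needs_renewal "$CERT" "$RENEW_WINDOW_DAYS"; then
        echo "skip: $CERT is valid for more than $RENEW_WINDOW_DAYS days"
        return 0
    fi
    before=$(cert_fingerprint "$CERT")
    if ! $RENEW_CMD; then
        echo "renewal command failed: $RENEW_CMD" >&2
        return 1
    fi
    after=$(cert_fingerprint "$CERT")
    if [ "$before" = "$after" ]; then
        echo "renewal ran but $CERT is unchanged; not reloading" >&2
        return 1
    fi
    echo "renewed $CERT, reloading web server"
    $RELOAD_CMD
}

# Crontab entry (runs daily; the window check makes extra runs harmless and
# gives weeks of retries before a 90-day certificate actually expires):
#   17 3 * * * /usr/local/bin/cert-renew.sh run
case "${1:-}" in
    run) renew_if_needed ;;
esac
```

Running it daily with a 30-day window also means the first failed attempt is reported a month before anything breaks, which is the difference between a ticket and an outage.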

Conclusion

HTTP/2 is the future of the web. Converting the HTTP web to HTTPS is the path to get there and so setting up HTTPS has to get a lot easier and ongoing maintenance almost eliminated. Fortunately with Let’s Encrypt, easy is now possible, and soon it will be even easier with the WordPress plugin. I’m really looking forward to a faster web.

About the Author

Brad Touesnard

As founder of Delicious Brains Inc, Brad has worn many hats. He now spends most of his time managing the product teams and growing the business. Before starting this company, Brad was a freelance web developer, specializing in front-end development.