IMMENSE.LY

WordPress with TLS

When I got WordPress working for the site, I ended up modifying the base container to make Let’s Encrypt work. Originally I was thinking I would just set up a reverse proxy in front of it to do the TLS termination and then pass everything unencrypted between the WordPress container and the secure web container. It turns out that the default configuration for WordPress has a PHP routine which attempts to figure out whether SSL is enabled or not, so a reverse proxy won’t actually work unless the connection between the front end and the WordPress container is also encrypted. That defeats the purpose though, since we’d also have to modify the WordPress container and set up our own self-signed certs. Anyway, for the site I did end up modifying the WordPress container, but I also figured I’d fix things so other people could use a reverse proxy. I need to bug some people on the team here at Docker to get the fix reviewed/accepted, but you can find the change here.

One last thing about Let’s Encrypt. It’s a pretty awesome service, but the certs it issues expire every three months. Unless you automate some way of refreshing the certs, you’re going to be in for a rude awakening every 90 days or so. I ended up using certbot (EFF’s Let’s Encrypt client) and shoving a script into cron.daily which checks for a new cert and, if there is one, brings the website down and replaces it. It looks kinda like this:

$ /usr/local/letsencrypt/certbot-auto renew --pre-hook "docker-compose -f /path/to/docker-compose.yaml stop" --post-hook "docker-compose -f /path/to/docker-compose.yaml up -d"

It seems to work, but 90 days haven’t come up yet. In theory it will replace the certs if it’s close to the 90-day cutoff, so I should probably check to see if it worked in mid-August.
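The check the last paragraph is asking for, as an added example (my code, not the post’s): rather than looking at the file certbot wrote, it reads the certificate the site is actually serving, so it also catches the case where certbot renewed but the container never restarted and is still handing out the old cert. The host name is a placeholder and the 30-day window is an assumption (certbot’s default renewal threshold); drop it in cron.daily after the renew job.

```python
"""Verify that the cert a TLS site serves was actually renewed (added example)."""
import calendar
import socket
import ssl
import sys
import time

RENEW_WINDOW_DAYS = 30  # assumption: certbot's default "renew when <= 30 days remain"


def utc_seconds(year, month, day, hour=0):
    """Epoch seconds for a UTC calendar date; lets the checks take an injected 'now'."""
    return calendar.timegm((year, month, day, hour, 0, 0))


def days_until_expiry(not_after, now=None):
    """Days left on a cert, given notAfter in getpeercert() form, e.g. 'Aug 15 12:00:00 2016 GMT'."""
    expires = ssl.cert_time_to_seconds(not_after)
    now_ts = time.time() if now is None else now
    return (expires - now_ts) / 86400


def renewal_status(not_after, now=None, window=RENEW_WINDOW_DAYS):
    """Classify the served certificate.

    'expired': past notAfter, the site is already broken.
    'stale':   inside the renewal window, so certbot should have replaced it;
               either renewal failed or the container still serves the old file.
    'ok':      a fresh certificate.
    """
    days = days_until_expiry(not_after, now)
    if days <= 0:
        return "expired"
    if days <= window:
        return "stale"
    return "ok"


def fetch_not_after(host, port=443, timeout=10):
    """Return notAfter of the cert served for host; chain and name are validated against system CAs."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    not_after = fetch_not_after(host)
    status = renewal_status(not_after)
    print(f"{host}: certificate expires {not_after} ({status})")
    sys.exit(0 if status == "ok" else 1)  # non-zero exit makes cron mail you
```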