Let's Encrypt
Let's Encrypt Configuration for MediaWiki
This article details the configuration of Let's Encrypt for secure HTTPS access to your MediaWiki installation. Using HTTPS is crucial for protecting user data, improving search engine ranking, and complying with modern web security standards. This guide assumes you have a functional MediaWiki 1.40 installation and root or sudo access to your server. It covers the core concepts and a typical Apache2 configuration. Other web servers (Nginx, IIS) will have similar, but distinct, procedures. Refer to the Let's Encrypt documentation for specific instructions for your web server. Please review the Manual:Configuration settings before proceeding.
Prerequisites
Before you begin, ensure you have the following:
- A registered domain name pointing to your server's public IP address. You may need to configure your DNS records for this.
- A web server (e.g., Apache2, Nginx) properly configured to serve your MediaWiki installation.
- Root or sudo access to your server.
- The `certbot` client installed. Installation instructions can be found at https://certbot.eff.org/.
Installing Certbot
Certbot is the recommended tool for obtaining and managing Let's Encrypt certificates. The installation process varies depending on your operating system. Here's an example for Debian/Ubuntu:
```bash
sudo apt update
sudo apt install certbot python3-certbot-apache
```
For other operating systems, consult the Certbot documentation.
Obtaining a Certificate
Once Certbot is installed, you can obtain a certificate using the following command (assuming you are using Apache2 and have already configured a VirtualHost for your MediaWiki site):
```bash
sudo certbot --apache -d yourdomain.com -d www.yourdomain.com
```
Replace `yourdomain.com` with your actual domain name. The `-d` flag allows you to specify multiple domains or subdomains for a single certificate. Certbot will automatically configure your Apache VirtualHost to use the certificate.
Apache Configuration Details
Certbot modifies your Apache configuration files to include the necessary SSL directives. Here's a typical example of the changes made to your VirtualHost configuration (usually found in `/etc/apache2/sites-available/`):
Directive | Description |
---|---|
`Listen 443` | Enables HTTPS listening on port 443. |
`SSLEngine on` | Enables SSL/TLS encryption. |
`SSLCertificateFile /etc/letsencrypt/live/yourdomain.com/fullchain.pem` | Specifies the path to the full certificate chain. |
`SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain.com/privkey.pem` | Specifies the path to the private key. |
`SSLCertificateChainFile /etc/letsencrypt/live/yourdomain.com/chain.pem` | Specifies the path to the certificate chain (optional, but recommended). |
After making these changes (or letting Certbot do it for you), remember to restart Apache:
```bash
sudo systemctl restart apache2
```
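One way to confirm that a VirtualHost file ended up with the directives in the table above, as an added example rather than code from Certbot or MediaWiki. The function name `audit_vhost` and the set of checks are assumptions chosen for illustration:

```bash
#!/bin/sh
# Added example (not Certbot's code): audit a VirtualHost file for the SSL
# directives in the table above. Prints one finding per line and returns
# 0 when the file is clean, 1 otherwise.
audit_vhost() (
    findings=0
    report() { printf '%s\n' "$1"; findings=$((findings + 1)); }

    # Drop comments so a commented-out directive does not count as set.
    conf=$(sed 's/#.*$//' "$1")
    directive() {   # print the first argument of the named directive
        printf '%s\n' "$conf" |
            awk -v d="$1" 'tolower($1) == tolower(d) { print $2; exit }'
    }

    [ "$(directive SSLEngine | tr 'A-Z' 'a-z')" = on ] ||
        report "SSLEngine is not on"

    cert=$(directive SSLCertificateFile)
    key=$(directive SSLCertificateKeyFile)
    [ -n "$cert" ] || report "SSLCertificateFile is missing"
    [ -n "$key" ]  || report "SSLCertificateKeyFile is missing"

    # The table serves fullchain.pem, so clients also receive the
    # intermediate certificate; flag anything else for review.
    case $cert in
        '' | */fullchain.pem) ;;
        *) report "SSLCertificateFile is not fullchain.pem: $cert" ;;
    esac

    # Certificate and key should come from the same live/<domain>/ directory.
    if [ -n "$cert" ] && [ -n "$key" ] && [ "${cert%/*}" != "${key%/*}" ]; then
        report "certificate and key are in different directories"
    fi

    # If the key exists on this host it must not be readable by group or
    # others (-L follows Certbot's symlink from live/ into archive/).
    if [ -e "$key" ] &&
       [ -n "$(find -L "$key" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]; then
        report "private key is readable by group or others: $key"
    fi

    [ "$findings" -eq 0 ]
)
```

Run it as `audit_vhost /etc/apache2/sites-available/<your-site>.conf`; a non-zero exit status means at least one finding was printed.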
MediaWiki Configuration
After configuring your web server, you need to tell MediaWiki to use HTTPS. This is done in the `LocalSettings.php` file. Add or modify the following line:
```php
// Base URL of the wiki; the https:// scheme makes MediaWiki generate HTTPS URLs.
$wgServer = 'https://yourdomain.com';
```
This setting instructs MediaWiki to generate URLs using the HTTPS protocol. Also, ensure `$wgSitename` is set correctly to your domain name as defined in your web server configuration. See Manual:Configuration settings for more information on these settings.
Certificate Renewal
Let's Encrypt certificates are valid for 90 days. Certbot provides a mechanism for automatically renewing certificates. You can set up a cron job or systemd timer to run the following command regularly:
```bash
sudo certbot renew
```
Certbot will automatically renew any certificates that are nearing expiration.
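A scheduled renewal can fail without anyone noticing, so it helps to monitor how much lifetime the installed certificate has left. The script below is an added example, not part of Certbot; it assumes GNU `date`, and the function names and the 21-day default threshold are illustrative choices.

```bash
#!/bin/sh
# Added example (not part of Certbot): flag a certificate whose renewal is
# overdue. Assumes GNU date for parsing the notAfter timestamp.

# seconds_left NOT_AFTER [NOW]
#   NOT_AFTER: output of `openssl x509 -noout -enddate`, for example
#              "notAfter=Mar 31 00:00:00 2030 GMT"
#   NOW:       reference time in any format `date -d` accepts (default: now)
seconds_left() (
    [ -n "${1#notAfter=}" ] || exit 1          # empty input is an error
    end=$(date -u -d "${1#notAfter=}" +%s) || exit 1
    now=$(date -u -d "${2:-now}" +%s) || exit 1
    echo $((end - now))
)

# renewal_status NOT_AFTER THRESHOLD_DAYS [NOW]
#   Prints a one-line status.
#   Returns 0 = ok, 1 = renewal overdue, 2 = expired, 3 = date not parsable.
renewal_status() (
    secs=$(seconds_left "$1" "${3:-now}" 2>/dev/null) ||
        { echo "UNKNOWN: cannot parse expiry date"; exit 3; }
    days=$((secs / 86400))
    if [ "$secs" -le 0 ]; then
        echo "EXPIRED"; exit 2
    elif [ "$days" -lt "$2" ]; then
        echo "RENEWAL OVERDUE: $days days left"; exit 1
    fi
    echo "OK: $days days left"
)

# check_cert_file CERT_PEM [THRESHOLD_DAYS]
#   THRESHOLD_DAYS defaults to 21, an assumption: pick a value below the
#   remaining lifetime at which your Certbot normally renews.
check_cert_file() {
    renewal_status "$(openssl x509 -noout -enddate -in "$1")" "${2:-21}"
}
```

For the certificate from this guide, call `check_cert_file /etc/letsencrypt/live/yourdomain.com/fullchain.pem` from a monitoring job and alert on a non-zero exit status.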
Troubleshooting
Problem | Possible Solution |
---|---|
Browser shows a security warning | Verify your domain name is correct in the certificate and your web server configuration. Ensure the certificate is valid (not expired). Check for mixed content issues (see below). |
Mixed content errors (some resources loaded over HTTP) | Ensure all resources (images, CSS, JavaScript) are loaded over HTTPS. Update the `$wgServer` and `$wgScriptPath` variables in `LocalSettings.php` if necessary. Use relative URLs whenever possible. |
Certbot fails to obtain a certificate | Verify your domain name is properly pointed to your server's IP address. Check your firewall settings to ensure ports 80 and 443 are open. Ensure there are no conflicting web server configurations. |
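To find the resources behind a mixed content warning, save the rendered page (for example with your browser's "Save page" function) and scan it. This is an added example, not MediaWiki code; the function names are hypothetical, and it relies on `grep -o`, which both GNU and BSD grep provide.

```bash
#!/bin/sh
# Added example: list subresources that a saved wiki page still requests
# over plain HTTP. <a href> links are navigation, not mixed content, so
# only tags that load a resource are inspected.
find_mixed_content() {
    # $1: saved HTML file. Prints one insecure URL per line, de-duplicated.
    q="'"
    tr '\n' ' ' < "$1" |
        # One tag per line, limited to elements that fetch something.
        grep -oiE '<(img|script|iframe|audio|video|source|embed|link)[[:space:]][^>]*>' |
        # <link rel=canonical|alternate> names a URL but does not load it.
        grep -viE 'rel=.?(canonical|alternate)' |
        # Keep only src/href attributes whose value starts with http://
        grep -oiE "[[:space:]](src|href)=(\"http://[^\"]*\"|${q}http://[^${q}]*${q})" |
        # Strip the attribute name and the surrounding quotes.
        sed -e 's/^[^=]*=//' -e "s/^[\"${q}]//" -e "s/[\"${q}]\$//" |
        sort -u
}

# Returns 0 when the page is clean, 1 when insecure subresources remain.
page_is_clean() {
    [ -z "$(find_mixed_content "$1")" ]
}
```

Inline CSS `url(...)` references and resources injected by JavaScript are outside what this scan sees; the browser console remains the authoritative list.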
Advanced Configuration
For more complex configurations, such as wildcard certificates or staging environments, refer to the Certbot documentation: https://certbot.eff.org/docs/. Consider using a reverse proxy for enhanced security and performance. Regularly review your server logs for any SSL-related errors.
Technical Specifications
Specification | Value |
---|---|
Certificate Authority | Let's Encrypt |
Certificate Type | Domain Validation (DV) |
Key Algorithm | RSA 2048-bit (recommended) or ECDSA |
Validity Period | 90 days (automatic renewal recommended) |
Protocol Support | TLS 1.2 and higher (recommended) |
Further Resources
- Manual:Upgrading
- Manual:Configuration settings
- Help:HTTPS
- Let's Encrypt Documentation: https://letsencrypt.org/
- Certbot Documentation: https://certbot.eff.org/
- Security
- Server security