Change Domain of WordPress Site with SSL on RHEL/CentOS


RHEL/CentOS 7 w/ EPEL, Apache 2.4 Multi vHosts, PHP 5.6, MySQL 5.6/MariaDB 10, WordPress 4.6, LetsEncrypt/Certbot 0.9.
Modifications may be needed for configurations that differ from the above.

1. Change Site Address in wp-admin

https://$, log in with admin credentials.
In Settings/General, change WordPress Address (URL) and Site Address (URL) to the new site/blog domain.

2. Change DNS Record

How to change a DNS record is out of scope for this tutorial; see your domain provider's instructions. One example:

3. Change Apache vHost Settings

sudo vi /etc/httpd/sites-available/$yoursite.conf
Change ServerName & ServerAlias for both the http and https vHosts, making sure to include both $yourdomain and www.$yourdomain.
Save and quit, then sudo systemctl reload httpd

4. Get a new SSL Certificate

This step will be significantly different, or may not even be necessary, if you are using an SSL provider other than Let’s Encrypt. If so, check your SSL provider’s documentation for this step.

sudo certbot certonly --webroot -w /var/www/$your_site_directory -d $yourdomain -d www.$yourdomain
Be aware of the Let’s Encrypt rate limit: it was 5 certs/week/domain at the time this article was written.

If this step fails with

Failed authorization procedure … Error: The client lacks sufficient authorization

check the following:

– DNS record settings for both $yourdomain and www.$yourdomain
– File permissions of /var/www/$your_site_directory/.well-known/
– File permissions of /var/www/$your_site_directory/.well-known/acme-challenge, if it exists
– File permissions of the key files under /var/www/$your_site_directory/.well-known/acme-challenge
to make sure user Apache:Apache (or whichever user owns the Apache process, if different) has permission to read the key files.

The key files mentioned above are generated automatically by certbot and are deleted after the process, regardless of success or failure. Thus, to monitor their permissions during the process, launch a separate ssh session; running watch 'ls -al /var/www/$your_site_directory/' there gives you a 2~3 second window to observe what’s happening.
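
The permission checks listed above can be scripted. The following is an added example, not part of the original article: the function names allowed and challenge_blockers are hypothetical, GNU stat (as shipped on RHEL/CentOS) is assumed, and only classic mode bits are evaluated (no ACLs or SELinux contexts).

```sh
#!/bin/sh
# Added example, not from the original article. Reports which directory or
# challenge file under the webroot blocks the web server user.
# Usage (apache user name assumed):
#   challenge_blockers "$(id -u apache)" "$(id -G apache)" /var/www/$your_site_directory

# allowed UID "GIDS" PATH BIT: succeed if the permission class that applies
# to the numeric UID / space-separated GID list on PATH grants BIT
# (4 = read, 1 = execute/traverse). Owner class wins over group, group over other.
allowed() {
    al_uid=$1 al_gids=" $2 " al_bit=$4
    al_stat=$(stat -c '%u %g %a' "$3") || return 1
    set -- $al_stat                  # $1 owner uid, $2 group gid, $3 octal mode
    if [ "$al_uid" = "$1" ]; then
        al_digit=$(( $3 / 100 % 10 ))
    else
        case $al_gids in
            *" $2 "*) al_digit=$(( $3 / 10 % 10 )) ;;
            *)        al_digit=$(( $3 % 10 )) ;;
        esac
    fi
    [ $(( al_digit & al_bit )) -ne 0 ]
}

# challenge_blockers UID "GIDS" WEBROOT: print every directory the user cannot
# traverse and every challenge file it cannot read; return 1 if any was found.
challenge_blockers() {
    cb_rc=0
    for cb_dir in "$3" "$3/.well-known" "$3/.well-known/acme-challenge"; do
        [ -d "$cb_dir" ] || continue     # acme-challenge may not exist yet
        allowed "$1" "$2" "$cb_dir" 1 || { echo "no traverse: $cb_dir"; cb_rc=1; }
    done
    for cb_file in "$3"/.well-known/acme-challenge/*; do
        [ -f "$cb_file" ] || continue    # unmatched glob stays literal
        allowed "$1" "$2" "$cb_file" 4 || { echo "no read: $cb_file"; cb_rc=1; }
    done
    return $cb_rc
}
```

The directory checks can be run at any time; the file check only finds anything while certbot has a challenge file in place.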

5. Disable the old SSL Certificate

The best practice is to keep a record of all certificates issued. Thus, we archive old certificates instead of deleting them.
sudo mv /etc/letsencrypt/live/$old /etc/letsencrypt/archive/live – If this is the 1st time doing this, create archive/live directory first.
sudo mv /etc/letsencrypt/renewal/$old /etc/letsencrypt/archive/renewal – If this is the 1st time doing this, create archive/renewal directory first.

6. Enable the new SSL Certificate

sudo vi /etc/httpd/sites-available/$yoursite.conf
Set SSLCertificateFile to /etc/letsencrypt/live/$yourdomain/cert.pem
Set SSLCertificateKeyFile to /etc/letsencrypt/live/$yourdomain/privkey.pem
Set SSLCertificateChainFile to /etc/letsencrypt/live/$yourdomain/chain.pem
Save & quit, then sudo systemctl reload httpd