Docker Community Forums

Share and learn in the Docker community.

How to enable SSL for wordpress image

Hi guys,

I’m creating a simple website using the following images:

Everything works like a charm except when I want to navigate on HTTPS. Browsers return a NET::ERR_CERT_INVALID response saying that the generated certificate is not valid.

Here’s my docker-compose.yml:

version: '3'

services:
  wp:
    build:
      context: wordpress
    ports:
      - ${IP}:80:80 # change ip if required
      - ${IP}:443:443
    volumes:
      - ./config/php.conf.ini:/usr/local/etc/php/conf.d/conf.ini
      - ./wp-app:/var/www/html # Full wordpress project
      #- ./plugin-name/trunk/:/var/www/html/wp-content/plugins/plugin-name # Plugin development
      #- ./theme-name/trunk/:/var/www/html/wp-content/themes/theme-name # Theme development
    environment:
      WORDPRESS_DB_HOST: db
      WORDPRESS_DB_NAME: "${DB_NAME}"
      WORDPRESS_DB_USER: root
      WORDPRESS_DB_PASSWORD: "${DB_ROOT_PASSWORD}"
    depends_on:
      - db
    links:
      - db

  wpcli:
    image: wordpress:cli
    volumes:
      - ./config/php.conf.ini:/usr/local/etc/php/conf.d/conf.ini
      - ./wp-app:/var/www/html
    depends_on:
      - db
      - wp

  pma:
    image: phpmyadmin/phpmyadmin
    environment:
      # https://docs.phpmyadmin.net/en/latest/setup.html#docker-environment-variables
      PMA_HOST: db
      PMA_PORT: 3306
      MYSQL_ROOT_PASSWORD: "${DB_ROOT_PASSWORD}"
    ports:
      - ${IP}:8081:80
    links:
      - db:db

  db:
    image: mysql:latest # https://hub.docker.com/_/mysql/ - or mariadb https://hub.docker.com/_/mariadb
    ports:
      - ${IP}:3306:3306 # change ip if required
    command: [
        '--default_authentication_plugin=mysql_native_password',
        '--character-set-server=utf8mb4',
        '--collation-server=utf8mb4_unicode_ci'
    ]
    volumes:
      - ./wp-data:/docker-entrypoint-initdb.d
      - db_data:/var/lib/mysql
    environment:
      MYSQL_DATABASE: "${DB_NAME}"
      MYSQL_ROOT_PASSWORD: "${DB_ROOT_PASSWORD}"

volumes:
  db_data:

Here’s my wordpress context:

FROM wordpress:latest
RUN apt-get update && \
apt-get install -y  --no-install-recommends ssl-cert && \
rm -r /var/lib/apt/lists/* && \
a2enmod ssl && \
a2ensite default-ssl

Here’s my website that does only work on HTTP and not in HTTPS: website

Thank u for help

This method is easier and is recommended for beginners.

First, you need to install and activate the Really Simple SSL plugin. For more details, see our step by step guide on how to install a WordPress plugin.

Upon activation, you need to visit Settings » SSL page. The plugin will automatically detect your SSL certificate, and it will set up your WordPress site to use HTTPs.

SSL enabled on a WordPress website

The plugin will take care of everything including the mixed content errors. Here’s what the plugin does behind the scenes:

Check SSL certificate
Set WordPress to use https in URLs
Set up redirects from HTTP to HTTPs
Look for URLs in your content still loading from insecure HTTP sources and attempt to fix them.
Note: The plugin attempts to fix mixed content errors by using output buffering technique. It can have a negative performance impact because it’s replacing content on the site as the page is being loaded. This impact is only seen on first-page load, and it should be minimal if you are using a caching plugin.

While the plugin says you can keep SSL and safely deactivate the plugin, it’s not 100% true. You will have to leave the plugin active at all times because deactivating the plugin will bring back mixed content errors.

Method 2: Setup SSL/HTTPS in WordPress Manually
This method requires you to troubleshoot issues manually and edit WordPress files. However this is a permanent and more performance optimized solution. This is what we’re using on WPBeginner.

If you find this method difficult, then you can hire a WordPress developer or use the first method instead.

As part of this method, you may need to edit WordPress theme and code files. If you haven’t done this before, then see our guide on how to copy and paste code snippets in WordPress.

First, you need to visit Settings » General page. From here you need to update your WordPress and site URL address fields by replacing http with https.

Update WordPress URLs

Don’t forget to click on the ‘Save changes’ button to store your settings.

Once the settings are saved, WordPress will log you out, and you will be asked to re-login.

Next, you need to set up WordPress redirects from HTTP to HTTPS by adding the following code to your .htaccess file.

1
2
3
4
5

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

If you are on nginx servers (most users are not), then you would need to add the following code to redirect from HTTP to HTTPS in your configuration file:

1
2
3
4
5
server {
listen 80;
server_name example.com www.example.com;
return 301 https://example.com$request_uri;
}
Don’t forget to replace example.com with your own domain name.

By following these steps, you will avoid the WordPress HTTPS not working error because WordPress will now load your entire website using https.

If you want to force SSL and HTTPS on your WordPress admin area or login pages, then you need to configure SSL in the wp-config.php file.

Simply add the following code above the “That’s all, stop editing!” line in your wp-config.php file:

1
define(‘FORCE_SSL_ADMIN’, true);
This line allows WordPress to force SSL / HTTPs in WordPress admin area. It also works on WordPress multisite networks.

Once you do this, your website is now fully setup to use SSL / HTTPS, but you will still encounter mixed content errors.

These errors are caused by sources (images, scripts, or stylesheets) that are still loading using the insecure HTTP protocol in the URLs. If that is the case, then you will not be able to see a secure padlock icon in your website’s address bar.

Not secure

Many modern browsers will automatically block unsafe scripts and resources. You may see a padlock icon but with a notification about it in your browser’s address bar.

Insecure content blocked

You can find out which content is served through insecure protocol by using the Inspect tool. The mixed content error will be displayed as a warning in the console with details for each mixed content item.

Mixed content errors displayed in browser console

You will notice that most URLs are images, iframes, and image galleries while some are scripts and stylesheets loaded by your WordPress plugins and themes.