Install Letsencrypt SSL to your Lightsail WordPress

Update May 2020

Please use the Bitnami Tool for easy installation as provided below:


 sudo /opt/bitnami/bncert-tool  

Just follow the prompts and provide the information requested. You can always use letsencrypt-auto renew to renew all the certificates, or just use certbot.

If the above does not work for you, then you can try the manual process as below.

What is an SSL Certificate? And why you need it.

With the ever-growing internet, cybercrime is increasing and so are the solutions to protect websites. Google has been encouraging website owners to use the HTTPS protocol, which ensures that all communication between your computer and the website is encrypted.

You may be thinking: my website is not asking the user for any information, and I am not offering any downloads, so there is no communication going on. But you are wrong; here’s why you will need an SSL certificate even if you do not have an e-commerce website.

This July, Google made its safety measures more severe. With the new release of Chrome 68, all sites that haven’t adopted HTTPS will be marked not secure by Google. Websites with HTTPS will continue to display a green mark on the website URL. Google also gives websites with HTTPS more priority and a slight ranking boost. Here’s why SSL is important and what it does.

SSL (Secure Socket Layer) has been evolving over the past 20 years. With SSL you can ensure that your users’ sensitive information is transferred over a secure network. Many companies and small businesses do not adopt SSL because of its cost. But it’s 2019 and SSL certificates are quite cheap, and we will even show you how you can get one for free.

An SSL will ensure:

  1. Trust for your customers.
  2. Safety of your domains and subdomains.
  3. SEO advantages.

SSL on LightSail AWS | Bitnami Stack

Well, you must have heard this. In the official documentation, Bitnami says a worthless dummy certificate is installed by default. But if you open your browser, most of the time you will get an error notification saying SSL Certificate Name Mismatch. This is annoying and not our goal.

So, let’s stick to our goal and get started.

Now you can get an SSL certificate for free from Let’s Encrypt. I will show you how to install an SSL certificate on this website; the blog is on blog.brandviser.com.au.

Connecting to your instance

Open LightSail by going to lightsail.aws.amazon.com or just log in to your AWS console on aws.amazon.com and search for LightSail in the search box.

After logging in successfully, you will be able to see all your instances. Now on the instance on which you wish to install an SSL certificate, click on the hamburger icon and then connect or simply click on the SSH icon  > _. This will SSH you into your LightSail instance.

Step 1: Install and Run Let’s Encrypt Certbot

There are a few different ways to install Let’s Encrypt. One of them is using certbot with apt-get, but unfortunately that didn’t execute well for me. So, here’s the method I use, which should be easy for you as well.

In your SSH window, type in the following commands:


sudo apt-get install git
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt

/home/bitnami/letsencrypt/letsencrypt-auto certonly -w /home/bitnami/apps/wordpress/htdocs -d yourdomain.com.au -d www.yourdomain.com.au


In the above code, -w gives the path to your HTTP root and each -d adds a domain to your certificate. I suggest always adding your domain as well as your domain with www in it.

The certbot will ask you for an authentication method, choose “Webroot” (option 2):


How would you like to authenticate with the ACME CA?

 - - - - - - - - - - - - - - - - - - - - - - - - -

1: Spin up a temporary webserver (standalone)

2: Place files in webroot directory (webroot)

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2


The certbot will then create temporary files for validation on your server. Answer the questions it asks, such as your country, email, etc. After this it will proceed to cleaning up challenges:


Obtaining a new certificate

Performing the following challenges:

http-01 challenge for yourdomain.com.au

http-01 challenge for www.yourdomain.com.au

Using the webroot path /home/bitnami/apps/wordpress/htdocs for all unmatched domains.

Waiting for verification…

Cleaning up challenges


After successfully validating, the certbot will erase all the temporary files created and will give you an Important Notes message with some useful information.


IMPORTANT NOTES:

 - Congratulations! Your certificate and chain have been saved at:

 /etc/letsencrypt/live/yourdomain.com.au/fullchain.pem

 Your key file has been saved at:

 /etc/letsencrypt/live/yourdomain.com.au/privkey.pem


Step 2: Inform Apache

Copy the following code:


sudo nano /home/bitnami/stack/apache2/conf/bitnami/bitnami.conf


This will open the Bitnami configuration file, where you will have to edit the following lines.


SSLCertificateFile "/etc/letsencrypt/live/yourdomain.com.au/cert.pem"

SSLCertificateKeyFile "/etc/letsencrypt/live/yourdomain.com.au/privkey.pem"

SSLCertificateChainFile "/etc/letsencrypt/live/yourdomain.com.au/fullchain.pem"


Save it by pressing CMD X or CTRL X and then press Enter.
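
Before restarting Apache, it is worth checking the three lines you just edited. Curly quotes pasted from a web page make Apache treat the value as a relative path under its server root, which is the \xe2\x80\x9c "does not exist or is empty" error several readers report in the comments below. The following script is an added example, not part of the original tutorial or of Bitnami's tooling; the function name check_ssl_conf is made up for illustration.

```bash
#!/bin/sh
# Added example, not from the original tutorial. check_ssl_conf is a
# hypothetical helper name. Usage: sh check_ssl_conf.sh /path/to/bitnami.conf
# Prints one line per problem; returns 0 only if every directive is clean.
check_ssl_conf() (
    conf=$1
    problems=0
    # UTF-8 bytes of the curly double quotes U+201C and U+201D.
    lq=$(printf '\342\200\234')
    rq=$(printf '\342\200\235')
    while read -r directive value rest; do
        case $directive in
            SSLCertificateFile|SSLCertificateKeyFile|SSLCertificateChainFile) ;;
            *) continue ;;
        esac
        case $value in
            *"$lq"*|*"$rq"*)
                echo "$directive: curly quotes in path, retype them as straight quotes"
                problems=$((problems + 1))
                continue ;;
        esac
        # Strip the surrounding straight quotes, if any.
        path=${value#\"}
        path=${path%\"}
        case $path in
            /*) ;;
            *)  # Apache resolves a non-absolute path against ServerRoot.
                echo "$directive: $path is not an absolute path"
                problems=$((problems + 1))
                continue ;;
        esac
        # -s: file exists and is not empty (Apache checks the same thing).
        if [ ! -s "$path" ]; then
            echo "$directive: $path does not exist or is empty"
            problems=$((problems + 1))
        fi
    done < "$conf"
    [ "$problems" -eq 0 ]
)

# Run the check only when a config file is given on the command line.
if [ "$#" -gt 0 ]; then
    check_ssl_conf "$1"
fi
```

Run it with sudo, because the files under /etc/letsencrypt/live are readable only by root.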

Step 3: Reload the Apache Server


sudo /opt/bitnami/ctlscript.sh restart


Step 4: Renew Certificates

 

By default, Let’s Encrypt certificates are valid for 90 days. 90 days can pass quickly, and it is easy to forget to renew. So, I recommend automating the process.

Update SSL Certificate on the 1st of every month:


sudo crontab -e


Now it will ask you to select an editor. Select your preferred one and type the following:


0 2 1 * * /home/bitnami/letsencrypt/letsencrypt-auto renew && sudo /opt/bitnami/ctlscript.sh restart


This automation will renew the Let’s Encrypt certificate on the 1st of every month at 2:00 am. I suggest you still check manually in the following month for security.

Step 5: Testing your SSL

 

Check whether your webpage is now served over SSL. This will make you so happy. A very good third-party tool to check this is SSL Labs. It will show you the overall rating. If you get an ‘A’ then you are good to go.

Step 6: Update WordPress to always use SSL

This step is to make sure WordPress uses SSL every time someone visits the website.

Open the file:


sudo nano /opt/bitnami/apps/wordpress/conf/httpd-prefix.conf


Add the following at the top:


RewriteEngine On

RewriteCond %{HTTPS} !=on

RewriteRule ^/(.*) https://www.yourdomain.com.au/$1 [R,L]


Step 7: Restart your server


sudo /opt/bitnami/ctlscript.sh restart


Now you should have encrypted your site on your LightSail instance.

Please let me know, if this was helpful. Follow our YouTube Channel Brandviser Australia for more tutorials.

 

 

shivam sagar

Shiv has been working at Brandviser Melbourne as a lead web solution and marketing consultant.

41 Comments

  • Justin says:

    I just followed your every step
    But I had a problem when I ran the script below:

    /home/bitnami/letsencrypt/certbot-auto certonly -w /home/bitnami/apps/wordpress/htdocs -d jsshun-daily.com -d http://www.jsshun-daily.com

    and response

    Requesting to rerun /home/bitnami/letsencrypt/certbot-auto with root privileges…
    Non-ASCII domain names not supported. To issue for an Internationalized Domain Name, use Punycode.

    I tried so hard to fix it
    but I don’t know what happened.
    Can you help me? Thank you

  • Joey says:

    Thanks a lot! This saved me a lot of time after looking at other Bitnami articles that were not even helpful.

  • Sunny says:

    remote: Counting objects: 100% (11/11), done.
    remote: Compressing objects: 100% (9/9), done.
    remote: Total 64318 (delta 3), reused 7 (delta 2), pack-reused 64307
    Receiving objects: 100% (64318/64318), 21.25 MiB | 2.86 MiB/s, done.
    Resolving deltas: 100% (47017/47017), done.
    Checking connectivity… done.
    root@ip-172-26-14-155:~# cd letsencrypt/
    root@ip-172-26-14-155:~/letsencrypt# /home/bitnami/letsencrypt/letsencrypt-a
    uto certonly -w /home/bitnami/apps/wordpress/htdocs -d mydomain.com -d
    http://www.mydomain.com
    bash: /home/bitnami/letsencrypt/letsencrypt-auto: No such file or directory

    It is showing me this error: no such file or directory

  • Nasim says:

    Hi Shivam… I Have Successfully Installed The SSL Certificate.. Through This Process
    https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-using-lets-encrypt-certificates-with-wordpress
    But I Am Having A Problem in RENEWING It.. Can You Please Help Me Out

  • shivam sagar says:

    You need to use Auto Certbot to renew the certificates automatically. Check the last part in the article or visit the video link to have a look.

  • HI men. Thanks a lot for your guide.
    I have a problem when I run the code
    when entering the command “cd letsencrypt” it asks for password. What will it be?

  • sara says:

    hi

    once I execute the command

    sudo nano /home/bitnami/stack/apache2/conf/bitnami/bitnami.conf

    i get like this only
    # Default Virtual Host configuration.

    <IfVersion
    NameVirtualHost *:80
    NameVirtualHost *:443

    DocumentRoot “/opt/bitnami/apache2/htdocs”

    Options Indexes FollowSymLinks
    AllowOverride All
    <IfVersion
    Order allow,deny
    Allow from all

    = 2.3 >
    Require all granted

    # Error Documents
    ErrorDocument 503 /503.html

    # Bitnami applications installed with a prefix URL (default)
    Include “/opt/bitnami/apache2/conf/bitnami/bitnami-apps-prefix.conf”
    [ Read 69 lines ]

    no SSL certificate installed
    how to do like your video demo, i am not getting that

  • Good day! Do you know if they make any plugins to assist with Search
    Engine Optimization? I’m trying to get my blog to rank for
    some targeted keywords but I’m not seeing very good gains.

    If you know of any please share. Cheers!

  • shivam sagar says:

    Hi,
    Yes there are many and the best one to use will be Yoast.

    If you require more information, please email to shiv@brandviser.com.au

  • ami says:

    sudo crontab -e
    no crontab for root – using an empty one
    888
    i have this mistake

  • Thibault says:

    Hi Shivam
    Do you know why your certificate expired since 6 days on this website? It doesn’t inspire confidence to use your method then if there is a lag into the update? 😀

    • shivam sagar says:

      Hi Thibault,

      Thanks for your comment.

      We are sorry for the inconvenience caused. There was a server issue as we were moving the database and so does the certs. Hope there will be no problem in the future. You can believe in us. Once again! thank you for your feedback.

  • Sunny M says:

    Hello:

    There seems to be a problem at the very first step. “git clone https://github.com/letsencrypt/letsencrypt”

    On October 10th, when I tried it, it seems this location is not correct.

  • Pradeep Palaka says:

    Hi,
    While I am running Inform Apache
    sudo nano /home/bitnami/stack/apache2/conf/bitnami/bitnami.conf

    I got this error

    AH00526: Syntax error on line 49 of /opt/bitnami/apache2/conf/bitnami/bitnami.conf:
    SSLCertificateFile: file ‘/opt/bitnami/apache2/\xe2\x80\x9c/etc/letsencrypt/live/asassociates.org.in/cert.pem\xe2\x80\x9d
    ‘ does not exist or is empty

    How do I fix this?

    • shivam sagar says:

      Hi,

      This issue is usually with the locations of key files and pem. Don’t worry, just close the terminal and start over again, override any setting previously set.

      Let us know if that works.

      Thank you!

  • mario says:

    Hey man!
    I get an error
    Syntax error on line 48 of /opt/bitnami/apache2/conf/bitnami/bitnami.conf:
    SSLCertificateKeyFile: file ‘/letsencrypt/live/www.domain.com/privkey.pem’ does not exist or is empty

    But when I get the message ” Congratulations! Your certificate and chain have been saved at:”
    Is the same path so not sure what could be wrong.

  • Thanks, but I am getting stuck here always. I have checked everything many times (even deleted and restarted tutorial about 3 times) and I always get the same reply when I restart the web server. I believe it is appending /etc/letsencrypt… to /opt/bitnami.. . I made sure to modify the bitnami.conf as per your tutorial. I get this reply after entering sudo /opt/bitnami/ctlscript.sh restart:

    bitnami@ip-172-26-9-249:~/letsencrypt$ sudo /opt/bitnami/ctlscript.sh restart
    AH00526: Syntax error on line 46 of /opt/bitnami/apache2/conf/bitnami/bitnami.conf:
    SSLCertificateFile: file ‘/opt/bitnami/apache2/\xe2\x80\x9c/etc/letsencrypt/live/gobrillia
    nt.com/cert.pem\xe2\x80\x9d’ does not exist or is empty
    apache config test fails, aborting
    /opt/bitnami/php/scripts/ctl.sh : php-fpm stopped
    /opt/bitnami/mysql/scripts/ctl.sh : mysql stopped
    /opt/bitnami/mysql/scripts/ctl.sh : mysql started at port 3306
    /opt/bitnami/php/scripts/ctl.sh : php-fpm started
    AH00526: Syntax error on line 46 of /opt/bitnami/apache2/conf/bitnami/bitnami.conf:
    SSLCertificateFile: file ‘/opt/bitnami/apache2/\xe2\x80\x9c/etc/letsencrypt/live/gobrillia
    nt.com/cert.pem\xe2\x80\x9d’ does not exist or is empty
    apache config test fails, aborting

  • emmanuel says:

    Hi sir,
    I followed your procedures meticulously and this was the result i got at my restart:

    SSLCertificateFile: file ‘/opt/bitnami/apache2/\xe2\x80\x9c/etc/letsencrypt/live/yddi.org/
    cert.pem’ does not exist or is empty

  • Slim says:

    Hi.
    I got a certificate rating of “B” does this affect the performance of the SSL certificate installed?

    • shivam sagar says:

      What is your website url ?
      Anyhow it does not impact the website for its functions but is always good to get ‘A’ cert.

      You can always issue another certificate and try again.

      Let me know if this helps.

  • Rajat Ranjan says:

    Hi Shivam,
    while following tutorial on terminal window, copy pasting was not working properly, so before i edit first step i could not fully remove example domain name
    that is “-d yourdomain.com.au”, now it’s giving me problem. neither i can remove letsencrypt folder nor delete the wrong domain name that i entered.
    what should i do?

    • shivam sagar says:

      Hi Rajat,
      Just go through the process again with your domain name. It should override the existing one in most cases. Let me know if this helps or this answers your query.

  • Aaron says:

    Worked perfectly, thank you!

  • Cristian says:

    Hi Shivam, thanks for the guide,
    It worked very well, but now I installed a second website in a subfolder.
    I followed this guide and everything seems ok.
    https://community.bitnami.com/t/help-setting-up-apache2-virtual-host-config-for-bitnami-wordpress-for-two-sites-not-multisite/67427/8

    Then I repeated the steps here, but not everything is working well.
    In https://www.ssllabs.com/ under
    Certificate #2: RSA 2048 bits (SHA256withRSA) No SNI

    I receive a MISMATCH error because is showing the main domain website url.
    Is there anything more than I modify inside apache/bitnami configuration?
    Thanks in advance

    CS

    • shivam sagar says:

      Hi Cristian,

      I believe there is a mismatch error due to two different folders. The ssl cert is always looking for your primary domain, hence a mismatch.

      You have to check your directories and also you can reinstall all the certifications and add your new domain as a wildcard.

  • seth says:

    Perhaps it is time for the tutorial author to perform a cold run of the steps spinning up a new lightsail instance?

  • Yose says:

    Hi Shivam,

    Great article.
    I got this error when trying to renew
    ```
    Cert is due for renewal, auto-renewing…
    Plugins selected: Authenticator webroot, Installer None
    Renewing an existing certificate
    Performing the following challenges:
    http-01 challenge for origin.puncaks.com
    http-01 challenge for puncaks.com
    http-01 challenge for http://www.puncaks.com
    Cleaning up challenges
    Attempting to renew cert (www.puncaks.com-0001) from /etc/letsencrypt/renewal/www.puncaks.com-0001.conf produced an unexpected error: Missing command line flag or config entry for this setting:
    Input the webroot for origin.puncaks.com:. Skipping.
    ```
    Can you help me solve it?
    Thanks

  • shams says:

    It works for me! Thank you for saving my day.
