This tutorial is a slightly modified version of the tutorial on Bitnami’s documentation site. It will show you how to:
- Install LEGO (a Let’s Encrypt client written in Go)
- Generate a TLS/SSL certificate with Lego
- Configure Apache to use the TLS/SSL Certificate
- Configure Apache to only use HTTPS
- Update wp-config.php
- Automate Certificate Renewal
Prerequisites
- A running Bitnami instance on AWS Lightsail.
- A registered domain name configured properly for your Bitnami instance.
Step 1 – Install a TLS/SSL Certificate with Let’s Encrypt
Let’s Encrypt certificates are fetched via client software running on your server. The Lego client simplifies the process of Let’s Encrypt certificate generation. To use it, follow these steps:
First, change directories to the tmp directory.
cd /tmp
I think the git repository for Lego has moved from https://github.com/xenof/lego to https://github.com/go-acme/lego.
Download the latest LEGO release from GitHub with either of the following commands (the second addresses the repository by its numeric ID rather than by name):
sudo curl -s https://api.github.com/repos/xenolf/lego/releases/latest | grep browser_download_url | grep linux_amd64 | cut -d '"' -f 4 | wget -i -
sudo curl -s https://api.github.com/repositories/37038121/releases/latest | grep browser_download_url | grep linux_amd64 | cut -d '"' -f 4 | wget -i -
Unpack the archive (replace X.Y.Z with the version you downloaded):
sudo tar xf lego_vX.Y.Z_linux_amd64.tar.gz
Move the lego binary into /usr/local/bin:
sudo mv lego /usr/local/bin/lego
Step 2 – Generate a TLS/SSL Certificate with Let’s Encrypt
First, turn off apache (or nginx). The Lego client needs port 80 available to complete the request.
sudo /opt/bitnami/ctlscript.sh stop apache
You can now run the Lego client to generate your certificate and key. Replace EMAIL-ADDRESS with the email address at which you want to receive expiration notifications and DOMAIN with the domain of your site. Newer Lego versions require the challenge type to be given explicitly; the second form does this with --http (the HTTP-01 challenge, which is why port 80 must be free).
sudo lego --email="EMAIL-ADDRESS" --domains="DOMAIN" --path="/etc/lego" run
sudo lego --http --email="EMAIL-ADDRESS" --domains="DOMAIN" --path="/etc/lego" run
Agree to the terms of service when prompted. A set of certificates will now be generated in the /etc/lego/certificates directory. This set includes the server certificate file DOMAIN.crt and the server certificate key file DOMAIN.key.
Step 3 – Configure Apache to use the TLS/SSL Certificate
This section differs from the Bitnami tutorial, which has you replace the existing self-signed certificates.
Navigate to the Bitnami configuration directory for Apache.
cd /opt/bitnami/apache2/conf/bitnami
Open the bitnami.conf file for editing.
sudo vi bitnami.conf
Change the SSLCertificateFile and SSLCertificateKeyFile directives to point to your newly generated certificates.
SSLCertificateFile "/etc/lego/certificates/DOMAIN.crt"
SSLCertificateKeyFile "/etc/lego/certificates/DOMAIN.key"
Start apache.
sudo /opt/bitnami/ctlscript.sh start apache
Step 4 – Force HTTPS
Open the /opt/bitnami/apps/wordpress/conf/httpd-prefix.conf file for editing and add the following lines to the top of it:
sudo vi /opt/bitnami/apps/wordpress/conf/httpd-prefix.conf
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]
Restart apache.
sudo /opt/bitnami/ctlscript.sh restart apache
Step 5 – Update wp-config.php
Make sure you update WP_SITEURL and WP_HOME in /opt/bitnami/apps/wordpress/htdocs/wp-config.php:
define('WP_SITEURL', 'https://example.com/');
define('WP_HOME', 'https://example.com/');
Step 6 – Automate Certificate Renewal
To automatically renew your certificates before they expire, write a script to perform the tasks required to renew the certificate and schedule a cron job to run the script periodically.
First, using your favorite editor, create a script renew-certificate.sh in the /etc/lego directory.
sudo vi /etc/lego/renew-certificate.sh
Add the following lines to your file. Again, make sure to replace DOMAIN and EMAIL-ADDRESS.
#!/bin/bash
# Stop Apache so Lego can bind port 80, renew the certificate, then start Apache again.
sudo /opt/bitnami/ctlscript.sh stop apache
sudo /usr/local/bin/lego --email="EMAIL-ADDRESS" --domains="DOMAIN" --path="/etc/lego" renew
sudo /opt/bitnami/ctlscript.sh start apache
With newer Lego versions, which require the challenge type to be given explicitly, use the --http form instead:
#!/bin/bash
# Stop Apache so Lego can bind port 80, renew via the HTTP-01 challenge, then start Apache again.
sudo /opt/bitnami/ctlscript.sh stop apache
sudo /usr/local/bin/lego --http --email="EMAIL-ADDRESS" --domains="DOMAIN" --path="/etc/lego" renew
sudo /opt/bitnami/ctlscript.sh start apache
This script will stop Apache, run the Lego client with the renew command, and then start Apache again.
Make the script executable:
sudo chmod +x /etc/lego/renew-certificate.sh
Execute the following command to open the crontab editor.
sudo crontab -e
A cron job allows you to run a command at a set time. Add the following line to the crontab file and save it.
0 2 1 * * /etc/lego/renew-certificate.sh 2> /dev/null
This cron job will run on the first day of every month at 2:00 AM.
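The script above takes Apache down every month whether or not the certificate is close to expiry, and the crontab line throws errors away. As an added example (not part of the Bitnami tutorial or this post), here is a renewal script that only stops Apache when the certificate is actually within its renewal window, checks that the renewed certificate and key belong together before Apache is started (the same check is useful in Step 3 before pointing bitnami.conf at new files), and writes to a log file. It assumes the same paths used above (/usr/local/bin/lego, /etc/lego, /opt/bitnami/ctlscript.sh); the DOMAIN and EMAIL defaults, the 30-day threshold, the log location and the "run" argument are my own choices and should be edited to fit.

```shell
#!/bin/bash
# Added example: renewal script for the setup above. Takes Apache down only
# when renewal is due and verifies the renewed pair before restarting.
# Paths match the tutorial; DOMAIN/EMAIL defaults, the 30-day threshold and
# the log location are assumptions to edit.

DOMAIN="${DOMAIN:-example.com}"            # replace with your domain
EMAIL="${EMAIL:-admin@example.com}"        # replace with your contact address
LEGO_PATH="${LEGO_PATH:-/etc/lego}"
LEGO_BIN="${LEGO_BIN:-/usr/local/bin/lego}"
CTL="${CTL:-/opt/bitnami/ctlscript.sh}"
RENEW_DAYS="${RENEW_DAYS:-30}"             # renew when fewer days than this remain
LOG="${LOG:-/var/log/lego-renew.log}"

log() { echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) $*" >> "$LOG"; }

# Exit 0 when the certificate at $1 is missing or expires within $2 days.
cert_needs_renewal() {
  local cert="$1" days="$2"
  [ -r "$cert" ] || return 0
  # openssl -checkend exits 0 when the certificate is still valid after N seconds
  if openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Exit 0 when the public key inside certificate $1 matches private key $2.
cert_matches_key() {
  local cpub kpub
  cpub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  kpub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cpub" ] && [ "$cpub" = "$kpub" ]
}

renew_if_due() {
  local cert="$LEGO_PATH/certificates/$DOMAIN.crt"
  local key="$LEGO_PATH/certificates/$DOMAIN.key"
  local rc
  if ! cert_needs_renewal "$cert" "$RENEW_DAYS"; then
    log "$DOMAIN: more than $RENEW_DAYS days of validity left, nothing to do"
    return 0
  fi
  log "$DOMAIN: renewal due, stopping Apache to free port 80"
  "$CTL" stop apache >> "$LOG" 2>&1
  "$LEGO_BIN" --http --email="$EMAIL" --domains="$DOMAIN" --path="$LEGO_PATH" renew >> "$LOG" 2>&1
  rc=$?
  [ "$rc" -eq 0 ] || log "$DOMAIN: lego renew exited with status $rc"
  if ! cert_matches_key "$cert" "$key"; then
    log "$DOMAIN: certificate and key do not match; Apache will reject the pair"
    rc=1
  fi
  "$CTL" start apache >> "$LOG" 2>&1
  return "$rc"
}

# Only act when invoked as "renew-certificate.sh run", so the functions above
# can be sourced and exercised without touching Apache.
if [ "${1:-}" = "run" ]; then
  renew_if_due
fi
```

Schedule it with the "run" argument, for example `0 2 * * * /etc/lego/renew-certificate.sh run`, and it can safely run daily: on most days it only reads the certificate's expiry and logs one line, and Apache is stopped only for the renewal itself. The cert/key comparison works by extracting the public key from both files with openssl and comparing the two PEM blobs, which catches a partially written or mismatched pair before Apache fails to start on it.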