UPDATED: Using Let’s Encrypt to Secure WordPress on AWS Lightsail

This tutorial is a slightly modified version of the tutorial on Bitnami’s documentation site This tutorial will show you how to:

    1. Install LEGO (Let’s Encrypt client written in GO)
    2. Generate TLS/SSL Certificate with Lego
    3. Configure Apache to use the TLS/SSL Certificate
    4. Configure Apache to only use HTTPS
    5. Update wp-config.php
    6. Automate Certificate Renewal

Prerequisites

  1. A running Bitnami instance on AWS Ligthsail.
  2. A registered domain name configured properly for your Bitnami instance.

Step 1 – Install a TLS/SSL Certificate with Let’s Encrypt

Let’s Encrypt certificates are fetched via client software running on your server. The Lego client simplifies the process of Let’s Encrypt certificate generate. To use it, follow these steps:

First, change directories to the tmp directory.

cd /tmp

Copy the latest version of the LEGO client from github:

sudo curl -s https://api.github.com/repos/xenolf/lego/releases/latest | grep browser_download_url | grep linux_amd64 | cut -d '"' -f 4 | wget -i -

Unpack the source code:

sudo tar xf lego_vX.Y.Z_linux_amd64.tar.gz

Move the source code into /usr/local/bin

sudo mv lego /usr/local/bin/lego

Step 2 – Generate a TLS/SSL Certificate with Let’s Encrypt

First, turn off apache (or nginx). The Lego client needs port 80 available to complete the request.

sudo /opt/bitnami/ctlscript.sh stop apache

You can now run the Lego client to generate your certificate and key. Replace EMAIL-ADDRESS and DOMAIN with your email address that you want to receive expiration notifications and the domain of your site.

sudo lego --email="EMAIL-ADDRESS" --domains="DOMAIN" --path="/etc/lego" run

Agree to the terms of service.  A set of certificates will now be generated in the /etc/lego/certificates directory. This set includes the server certificate file DOMAIN.crt and the server certificate key file DOMAIN.key.

Step 3 – Configure Apache to use the TLS/SSL Certificate

This section differs from the bitnami tutorial. The bitnami tutorial has you replace the existing self-signed certificates.

Navigate to the bitnami configuration directory for apache.

cd /opt/bitnami/apache2/conf/bitnami

Open the bitnami.conf file for editing.

sudo vi bitnami.conf

Change the SSLCertificateFile and SSLCertificateKeyFile directives to point to your newly generated certificates.

SSLCertificateFile "/etc/lego/certificates/DOMAIN.crt"
SSLCertificateKeyFile "/etc/lego/certificates/DOMAIN.key"

Start apache.

sudo /opt/bitnami/ctlscript.sh start apache

Step 4 – Force HTTPS

Add the following to the top of the /opt/bitnami/apps/wordpress/conf/httpd-prefix.conf file:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]

Restart apache.

sudo /opt/bitnami/ctlscript.sh restart apache

Step 5 – Update wp-config.php

Make sure you update WP_SITEURL and WP_HOME in /opt/bitnami/apps/wordpress/htdocs/wp-config.php

define('WP_SITEURL', 'https://example.com/');
define('WP_HOME', 'https://example.com/');

Step 6 – Automate Certificate Renewal

To automatically renew your certificates before they expire, write a script to perform the tasks required to renew the certificate and schedule a cron job to run the script periodically.

First using your favorite editor, create a script renew-certificate.shin the /etc/lego directory.

sudo vi /etc/lego/renew-certificate.sh

Add the following lines to your file. Again, make sure to replace DOMAIN and EMAIL-ADDRESS.

#!/bin/bash

sudo /opt/bitnami/ctlscript.sh stop apache
sudo /usr/local/bin/lego --email="EMAIL-ADDRESS" --domains="DOMAIN" --path="/etc/lego" renew
sudo /opt/bitnami/ctlscript.sh start apache

This script will stop apache, run the Lego client with the renew command, and then start apache again.

Make the script executable

sudo chmod +x /etc/lego/renew-certificate.sh

Execute the following command to open the crontab editor.

sudo crontab -e

A cron job allows you to run a certain command a set time. Add the following lines to the crontab file and save it.

0 0 1 * * /etc/lego/renew-certificate.sh 2> /dev/null

This cron job will run on the first day of every month at midnight.

Using Let’s Encrypt to Secure WordPress on AWS Lightsail

Please see UPDATED: Using Let’s Encrypt to Secure WordPress on AWS Lightsail for an updated version of this tutorial.

This tutorial is a slightly modified version of the tutorial on Digitial Ocean, but is modified to work specifically with Bitnami on AWS Lightsail. This tutorial will show you how to:

  1. Install Let’s Encrypt
  2. Generate TLS/SSL Certificate with Let’s Encrypt
  3. Configure Apache to use the TLS/SSL Certificate
  4. Configure Apache to only use HTTPS
  5. Update wp-config.php

Prerequisites

  1. A running Bitnami instance on AWS Ligthsail.
  2. A registered domain name configured properly for your Bitnami instance.

Step 1 – Install a TLS/SSL Certificate with Let’s Encrypt

Let’s Encrypt certificates are fetched via client software running on your server. The official client is called Certbot, and its developers maintain their own Ubuntu software repository with up-to-date versions. Because Certbot is in such active development it’s worth using this repository to install a newer version than Ubuntu provides by default.

First, add the repository:

sudo add-apt-repository ppa:certbot/certbot

You’ll need to press ENTER to accept. Afterwards, update the package list to pick up the new repository’s package information:

sudo apt-get update

And finally, install Certbot from the new repository with apt-get:

sudo apt-get install python-certbot-apache

The certbot Let’s Encrypt client is now ready to use.

Step 2 – Generate a TLS/SSL Certificate with Let’s Encrypt

First run the command below where example.com is your domain name for your website.

sudo certbot certonly --manual -d example.com

You should see the following results. Press Y and enter to continue.

-------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
-------------------------------------------------------------------
(Y)es/(N)o: Y

Then you should see a similar result as below.

-------------------------------------------------------------------
Create a file containing just this data:

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

And make it available on your web server at this URL:

http://example.com/.well-known/acme-challenge/MY-LONG-RANDOM-FILE-STRING

-------------------------------------------------------------------

Open another shell connection to your instance to complete the instructions.

sudo mkdir /opt/bitnami/apps/wordpress/htdocs/.well-known

sudo mkdir /opt/bitnami/apps/wordpress/htdocs/.well-known/acme-challenge

Create the requested file and add the data to it, replacing MY-LONG-RANDOM-FILE-STRING with the randomly generated string they gave you.

sudo vi /opt/bitnami/apps/wordpress/htdocs/.well-kown/MY-LONG-RANDOM-FILE-STRING

Once you have created that file with the data, go back to your original shell connection and press enter. Verify that the example.com directory exists in /etc/letsencrypt/live. To do this you need to be root.

sudo su

Change to the directory.

cd /etc/letsencrypt/live/

List the contents of the directory.

ls
[email protected]:/etc/letsencrypt/live# ls
example.com

Exit the super user mode.

exit

Your certificate should have been successfully generated.

Step 3 – Configure Apache to use the TLS/SSL Certificate

Navigate to the bitnami configuration directory for apache.

cd /opt/bitnami/apache2/conf/bitnami

Open the bitnami.conf file for editing.

vi bitnami.conf

Change the SSLCertificateFile and SSLCertificateKeyFile directives to point to your newly generated certificates.

SSLCertificateFile "/etc/letsencrypt/live/example.com/fullchain.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/example.com/privkey.pem"

Restart apache.

sudo /opt/bitnami/ctlscript.sh restart apache

Step 4 – Force HTTPS

Add the following to the top of the /opt/bitnami/apps/wordpress/conf/httpd-prefix.conf file:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]

Restart apache.

sudo /opt/bitnami/ctlscript.sh restart apache

Step 5 – Update wp-config.php

Make sure you update WP_SITEURL and WP_HOME in /opt/bitnami/apps/wordpress/htdocs/wp-config.php

define('WP_SITEURL', 'https://example.com/');
define('WP_HOME', 'https://example.com/');