AWS Lightsail and Let's Encrypt SSL Certificate
Create and install a Let's Encrypt SSL certificate for your WordPress installation
Introduction to SSL and certificates
First of all: SSL stands for "Secure Sockets Layer" and ensures that data is encrypted in transit. You can find a lot of information about SSL in the search engines, so we won't go into it here. An SSL certificate is what makes your website accessible via https, which is very important these days for user security. It is also essential for the search engine optimization (SEO) of your website.
Let's Encrypt helps us with this, as it is a free, automated and open certificate authority and we get an SSL certificate through it.
This article will walk you through the process of creating a Let's Encrypt certificate for your domain on the one hand, and the installation and configuration for your WordPress website on AWS Lightsail on the other.
Requirements for SSL setup
This article assumes the following:
- You have installed your WordPress website on an AWS Lightsail instance and it is accessible via a public domain
- Of course, this assumes that you have your own domain and that it points to the public IP of your WordPress website.
- You have the required credentials for your AWS Lightsail instance
Procedure for SSL certificate
First of all: There are different and sometimes easier ways to make your website accessible via https. However, the following approach has always worked for us, which is why we want to show you exactly this approach in the article. If you have any comments or suggestions for improvement, please comment below and we will get back to you as soon as possible!
Step 1 - Installing the Lego client
The Lego client simplifies the process of SSL certificate creation. Installing it requires the following steps:
- Logging into the AWS Lightsail instance console - https://lightsail.aws.amazon.com/ls/webapp/home/instances
- Run the following code to install the client (ATTENTION: the A.B.C is a placeholder and should be replaced with the latest version on the website):
cd /tmp
curl -Ls https://api.github.com/repos/xenolf/lego/releases/latest | grep browser_download_url | grep linux_amd64 | cut -d '"' -f 4 | wget -i -
tar xf lego_vA.B.C_linux_amd64.tar.gz
sudo mkdir -p /opt/bitnami/letsencrypt
sudo mv lego /opt/bitnami/letsencrypt/lego
At the time of writing, it was the following version: lego_v3.0.2_linux_amd64.tar.gz
With these steps, the client is downloaded to a temporary folder, extracted, and moved to the appropriate folder.
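Because the downloaded binary is later run with sudo, it is worth checking the archive against published checksums before unpacking it. The following is an added example, not part of the original article; it assumes the release offers a checksums file in the `<sha256>  <filename>` format that sha256sum produces, and the function name and file names are placeholders.

```shell
#!/bin/bash
# Added example (not from the original article): verify a downloaded release
# archive against a checksums file before it is unpacked and installed as root.
# Assumption: the checksums file uses sha256sum's "<sha256>  <filename>" format.

verify_release() {
    local archive="$1" sums="$2" name expected actual
    name="$(basename "$archive")"

    [ -f "$archive" ] || { echo "missing archive: $archive" >&2; return 2; }
    [ -f "$sums" ]    || { echo "missing checksums file: $sums" >&2; return 2; }

    # Fail closed when the checksums file has no entry for this archive.
    expected="$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1; exit }' "$sums")"
    if [ -z "$expected" ]; then
        echo "no checksum listed for $name" >&2
        return 3
    fi

    actual="$(sha256sum "$archive" | awk '{ print $1 }')"
    if [ "$actual" != "$expected" ]; then
        echo "CHECKSUM MISMATCH for $name" >&2
        return 1
    fi
    echo "OK: $name"
}

# Usage in Step 1, between the download and "tar xf" (placeholder file names):
#   verify_release lego_vA.B.C_linux_amd64.tar.gz lego_vA.B.C_checksums.txt \
#       && tar xf lego_vA.B.C_linux_amd64.tar.gz
```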
Step 2: Create the Let's Encrypt certificate for your domain
With the following steps you will create your certificate for your domains.
- Disable all Bitnami services:
sudo /opt/bitnami/ctlscript.sh stop
- Request a new certificate for your domain - with and without the www prefix. ATTENTION: Please remember to replace the DOMAIN and EMAIL-ADRESS placeholders with your data:
sudo /opt/bitnami/letsencrypt/lego --tls --email="EMAIL-ADRESS" --domains="DOMAIN" --domains="www.DOMAIN" --path="/opt/bitnami/letsencrypt" run
On our side this results in the following code:
sudo /opt/bitnami/letsencrypt/lego --tls --email="info@goldenwebage.de" --domains="goldenwebage.de" --domains="www.goldenwebage.de" --path="/opt/bitnami/letsencrypt" run
- Approval of the terms of service
Once the certificate is created, it can be seen in the following folder: /opt/bitnami/letsencrypt/certificates.
Step 3: Configuring your web server with the Let's Encrypt certificate
In the next step you inform the web server about the new certificate.
- Link the new SSL certificate and the key file to the right places on your web server (depending on the configuration of the server). Again, please remember to replace the DOMAIN placeholder with your actual domain. TIP: You can find out the current configuration with the following command: sudo /opt/bitnami/ctlscript.sh status.
Web server - Apache
sudo mv /opt/bitnami/apache2/conf/server.crt /opt/bitnami/apache2/conf/server.crt.old
sudo mv /opt/bitnami/apache2/conf/server.key /opt/bitnami/apache2/conf/server.key.old
sudo mv /opt/bitnami/apache2/conf/server.csr /opt/bitnami/apache2/conf/server.csr.old
sudo ln -sf /opt/bitnami/letsencrypt/certificates/DOMAIN.key /opt/bitnami/apache2/conf/server.key
sudo ln -sf /opt/bitnami/letsencrypt/certificates/DOMAIN.crt /opt/bitnami/apache2/conf/server.crt
sudo chown root:root /opt/bitnami/apache2/conf/server*
sudo chmod 600 /opt/bitnami/apache2/conf/server*
Web server - NGINX
sudo mv /opt/bitnami/nginx/conf/server.crt /opt/bitnami/nginx/conf/server.crt.old
sudo mv /opt/bitnami/nginx/conf/server.key /opt/bitnami/nginx/conf/server.key.old
sudo mv /opt/bitnami/nginx/conf/server.csr /opt/bitnami/nginx/conf/server.csr.old
sudo ln -sf /opt/bitnami/letsencrypt/certificates/DOMAIN.key /opt/bitnami/nginx/conf/server.key
sudo ln -sf /opt/bitnami/letsencrypt/certificates/DOMAIN.crt /opt/bitnami/nginx/conf/server.crt
sudo chown root:root /opt/bitnami/nginx/conf/server*
sudo chmod 600 /opt/bitnami/nginx/conf/server*
- Starting all Bitnami services
sudo /opt/bitnami/ctlscript.sh start
Step 4: Test the entire configuration
If you have done all the previous steps, you can test by opening your website in a browser with https, e.g. https://DOMAIN (also replace the DOMAIN placeholder with your correct domain).
Firstly, your website should be accessible this way and secondly, there is now a lock icon next to the address bar in your browser. Double-click on it to find all the details about the Let's Encrypt certificate.
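A command-line complement to the browser test, as an added example that is not part of the original article: it checks that the linked key matches the certificate, that both DOMAIN and www.DOMAIN are covered, and that enough validity remains. It assumes OpenSSL 1.1.1 or newer on the instance; the function names are illustrative.

```shell
#!/bin/bash
# Added example, not from the original article. Assumes OpenSSL 1.1.1 or newer.
# Run with sudo on the instance, because Step 3 sets the key to mode 600, root-owned.

# True only if the certificate and the private key carry the same public key.
cert_matches_key() {
    local cert="$1" key="$2" from_cert from_key
    from_cert="$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)" || return 1
    from_key="$(openssl pkey -in "$key" -pubout 2>/dev/null)" || return 1
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# True if the host name is listed in the certificate's subjectAltName.
cert_covers() {
    local cert="$1" host="$2"
    openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -qxF "DNS:$host"
}

# True if the certificate is still valid at least <days> days from now.
cert_valid_for_days() {
    local cert="$1" days="$2"
    openssl x509 -in "$cert" -noout -checkend "$(( days * 86400 ))" >/dev/null 2>&1
}

# Runs all checks for DOMAIN and www.DOMAIN; returns the number of failed checks.
check_deployment() {
    local cert="$1" key="$2" domain="$3" min_days="$4" failures=0 host
    cert_matches_key "$cert" "$key" \
        || { echo "FAIL: key does not match certificate"; failures=$((failures + 1)); }
    for host in "$domain" "www.$domain"; do
        cert_covers "$cert" "$host" \
            || { echo "FAIL: certificate does not cover $host"; failures=$((failures + 1)); }
    done
    cert_valid_for_days "$cert" "$min_days" \
        || { echo "FAIL: certificate expires within $min_days days"; failures=$((failures + 1)); }
    [ "$failures" -eq 0 ] && echo "OK: certificate, key and validity look consistent"
    return "$failures"
}

# Example call with the Apache paths from Step 3 (DOMAIN is a placeholder):
#   check_deployment /opt/bitnami/apache2/conf/server.crt \
#       /opt/bitnami/apache2/conf/server.key DOMAIN 30
```

Run with a threshold such as 30 days, the same check also shows whether a scheduled renewal has silently failed.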
Step 5: Renew SSL certificate
A Let's Encrypt certificate is only valid for 90 days at a time, which is why it must be renewed regularly. To do this, log back into your AWS Lightsail instance and run the following code to renew your certificate (you will need to replace both placeholders with your values again):
sudo /opt/bitnami/ctlscript.sh stop
sudo /opt/bitnami/letsencrypt/lego --tls --email="EMAIL-ADRESS" --domains="DOMAIN" --domains="www.DOMAIN" --path="/opt/bitnami/letsencrypt" renew --days 90
sudo /opt/bitnami/ctlscript.sh start
Specifically, the second command on our website looks like this:
sudo /opt/bitnami/letsencrypt/lego --tls --email="info@goldenwebage.de" --domains="goldenwebage.de" --domains="www.goldenwebage.de" --path="/opt/bitnami/letsencrypt" renew --days 90
To avoid having to perform this step manually every 90 days, you can also set up a cronjob for this. The cronjob ensures that the commands are executed automatically at regular intervals. The setup of the cronjob is done with the following steps:
- Create a script, which then contains and executes the commands
sudo mkdir -p /opt/bitnami/letsencrypt/scripts
sudo nano /opt/bitnami/letsencrypt/scripts/renew-certificate.sh
- Paste the following content into the script (placeholders must be replaced with your values again)
#!/bin/bash
sudo /opt/bitnami/ctlscript.sh stop apache
sudo /opt/bitnami/letsencrypt/lego --tls --email="EMAIL-ADRESS" --domains="DOMAIN" --domains="www.DOMAIN" --path="/opt/bitnami/letsencrypt" renew --days 90
sudo /opt/bitnami/ctlscript.sh start apache
- Then you have to make sure that the script can be executed by the system:
sudo chmod +x /opt/bitnami/letsencrypt/scripts/renew-certificate.sh
- Then open the Crontab editor to be able to set up the cronjob:
sudo crontab -e
- Last but not least, write the following line in the file to make the system run the script automatically on a regular basis:
0 0 1 * * /opt/bitnami/letsencrypt/scripts/renew-certificate.sh 2> /dev/null
With this article you have now created your SSL certificate, configured it on your website and ensured with the cronjob that it is renewed automatically on a regular basis. So that your WordPress blog is always accessible via the secure https URL in the future, the following tasks remain for you:
- Switching your WordPress website to SSL in the admin area
- Replacing your http links with the https links in the WordPress database
- Forwarding via the htaccess to your https://www.DOMAIN
We hope that we could help you with the article and that your website is now accessible with encryption.
Golden greetings,
Matthias and your team from Golden Web Age
Related links:
Lego documentation: https://github.com/go-acme/lego/blob/master/README.md
Bitnami documentation: https://docs.bitnami.com/aws/how-to/generate-install-lets-encrypt-ssl/
AWS documentation: https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-using-lets-encrypt-certificates-with-wordpress
Let's Encrypt documentation: https://letsencrypt.org/docs/