AWS Lightsail and Let's Encrypt SSL Certificate

Matthias Suttner

Matthias Suttner, August 21, 2019

AWS Lightsail and Let's Encrypt SSL Certificate

Reading time: 4 minutes

Create and install a Let's Encrypt SSL certificate for your WordPress installation

Introduction to SSL and certificates

First of all: SSL stands for "Secure Sockets Layer" and ensures that the communication of data is encrypted. You can find a lot of information about SSL in the search engines, so we won't go into it here. The reason for an SSL certificate is simply that your website is accessible via https and that is very important in this day and age for user security reasons. Likewise, it is essential for the SEO optimization of your website.

Let's Encrypt helps us with this, as it is a free, automated and open certificate authority and we get an SSL certificate through it.

This article will walk you through the process of creating a Let's Encrypt certificate for your domain on the one hand, and the installation and configuration for your WordPress website on AWS Lightsail on the other.

Requirements for SSL setup

This article assumes the following:

  • You have installed your WordPress website on an AWS Lightsail instance and it is accessible via a public domain
  • Of course, this assumes that you have your own domain and that it points to the public IP of your WordPress website.
  • You have the required credentials for your AWS Lightsail instance

Procedure for SSL certificate

First of all: There are different and sometimes easier ways to make your website accessible via https. However, the following approach has always worked for us, which is why we want to show you exactly this approach in the article. If you have any comments or suggestions for improvement, please comment below and we will get back to you as soon as possible!

Step 1 - Installing the Lego client

The Lego client simplifies the process of SSL certificate creation and requires the following steps:

cd /tmp
curl -Ls https://api.github.com/repos/xenolf/lego/releases/latest | grep browser_download_url | grep linux_amd64 | cut -d '"' -f 4 | wget -i - 
tar xf lego_vA.B.C_linux_amd64.tar.gz
sudo mkdir -p /opt/bitnami/letsencrypt
sudo mv lego /opt/bitnami/letsencrypt/lego

At the time of writing, it was the following version: lego_v3.0.2_linux_amd64.tar.gz

With these steps, the client is downloaded to a temporary folder, extracted, and moved to the appropriate folder.

Step 2: Create the Let's Encrypt certificate for your domain

With the following steps you will create your certificate for your domains.

  • Disable all Bitnami services:
sudo /opt/bitnami/ctlscript.sh stop
  • Request a new certificate for your domain - with and without the www prefix. ATTENTION: Please remember to replace the DOMAIN and EMAIL ADDRESS placeholder with your data:
sudo /opt/bitnami/letsencrypt/lego --tls --email="EMAIL-ADRESS" --domains="DOMAIN" --domains="www.DOMAIN" --path="/opt/bitnami/letsencrypt" run
On our side this results in the following code:
sudo /opt/bitnami/letsencrypt/lego --tls --email="info@goldenwebage.de" --domains="goldenwebage.de" --domains="www.goldenwebage.de" --path="/opt/bitnami/letsencrypt" run
  • Approval of the terms of service

Once the certificate is created, it can be seen in the following folder: /opt/bitnami/letsencrypt/certificates.

Step 3: Configuring your web server with the Let's Encrypt certificate

In the next step you inform the web server about the new certificate.

  • Link the new SSL certificate and the key file to the right places on your web server (depending on the configuration of the server). Again, please remember to replace the DOMAIN placeholder with your actual domain. TIP: You can find out the current configuration with the following command: sudo /opt/bitnami/ctlscript.sh status.
Web server - Apache:
sudo mv /opt/bitnami/apache2/conf/server.crt /opt/bitnami/apache2/conf/server.crt.old
sudo mv /opt/bitnami/apache2/conf/server.key /opt/bitnami/apache2/conf/server.key.old
sudo mv /opt/bitnami/apache2/conf/server.csr /opt/bitnami/apache2/conf/server.csr.old
sudo ln -sf /opt/bitnami/letsencrypt/certificates/DOMAIN.key /opt/bitnami/apache2/conf/server.key
sudo ln -sf /opt/bitnami/letsencrypt/certificates/DOMAIN.crt /opt/bitnami/apache2/conf/server.crt
sudo chown root:root /opt/bitnami/apache2/conf/server*
sudo chmod 600 /opt/bitnami/apache2/conf/server*
Web server - NGINX
sudo mv /opt/bitnami/nginx/conf/server.crt /opt/bitnami/nginx/conf/server.crt.old
sudo mv /opt/bitnami/nginx/conf/server.key /opt/bitnami/nginx/conf/server.key.old
sudo mv /opt/bitnami/nginx/conf/server.csr /opt/bitnami/nginx/conf/server.csr.old
sudo ln -sf /opt/bitnami/letsencrypt/certificates/DOMAIN.key /opt/bitnami/nginx/conf/server.key
sudo ln -sf /opt/bitnami/letsencrypt/certificates/DOMAIN.crt /opt/bitnami/nginx/conf/server.crt
sudo chown root:root /opt/bitnami/nginx/conf/server*
sudo chmod 600 /opt/bitnami/nginx/conf/server*
  • Starting all Bitnami services
sudo /opt/bitnami/ctlscript.sh start

Step 4: Test the entire configuration

If you have done all the previous steps, you can test by opening your website in a browser with https, e.g. https://DOMAIN (also replace the DOMAIN placeholder with your correct domain).

Firstly, your website should be accessible this way and secondly, there is now a lock icon next to the address bar in your browser. Double-click on it to find all the details about the Let's Encrypt certificate.

Step 5: Renew SSL certificate

A Let's Encrypt certificate is only valid for 90 days at a time, which is why it must be renewed regularly. To do this, log back into an AWS Lightsail deployment and run the following code to renew your certificate (you will need to replace both placeholders with your values again):

sudo /opt/bitnami/ctlscript.sh stop
sudo /opt/bitnami/letsencrypt/lego --tls --email="EMAIL-ADRESS" --domains="DOMAIN" --domains="www.DOMAIN" --path="/opt/bitnami/letsencrypt" renew --days 90
sudo /opt/bitnami/ctlscript.sh start
Specifically, the second command on our website looks like this:
sudo /opt/bitnami/letsencrypt/lego --tls --email="info@goldenwebage.de" --domains="goldenwebage.de" --domains="www.goldenwebage.de" --path="/opt/bitnami/letsencrypt" renew --days 90

To avoid having to perform this step manually every 90 days, you can also set up a cronjob for this. The cronjob ensures that the commands are executed automatically at regular intervals. The setup of the cronjob is done with the following steps:

  • Create a script, which then contains and executes the commands
sudo nano /opt/bitnami/letsencrypt/scripts/renew-certificate.sh
  • Paste the following content into the script (placeholders must be replaced with your values again)
#!/bin/bash

sudo /opt/bitnami/ctlscript.sh stop apache
sudo /opt/bitnami/letsencrypt/lego --tls --email="EMAIL-ADRESS" --domains="DOMAIN" --domains="www.DOMAIN" --path="/opt/bitnami/letsencrypt" renew --days 90
sudo /opt/bitnami/ctlscript.sh start apache
  • Then you have to make sure that the script can be executed by the system:
sudo chmod +x /opt/bitnami/letsencrypt/scripts/renew-certificate.sh
  • Then open the Crontab editor to be able to set up the cronjob:
sudo crontab -e
  • Last but not least, write the following line in the file to make the system run the script automatically on a regular basis:
0 0 1 * * /opt/bitnami/letsencrypt/scripts/renew-certificate.sh 2> /dev/null

With this article you have now created your SSL certificate, configured it on your website and ensured with the cronjob that it is renewed automatically on a regular basis. So that your WordPress blog is always accessible via the secure https URL in the future, there are still two tasks for you:

  • Switching your WordPress website to SSL in the admin area
  • Replacing your http links with the https links in the WordPress database
  • Forwarding via the htaccess to your https://www.DOMAIN

We hope that we could help you with the article and that your website is now accessible with encryption.

Golden greetings,
Matthias and your team from Golden Web Age

Related links:
Lego documentation: https://github.com/go-acme/lego/blob/master/README.md
Bitnami documentation: https://docs.bitnami.com/aws/how-to/generate-install-lets-encrypt-ssl/
AWS documentation: https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-using-lets-encrypt-certificates-with-wordpress
Let's Encrypt documentation: https: //letsencrypt.org/docs/

Matthias Suttner

Matthias Suttner

Matthias is our BI & Tracking specialist. With his experience, he has been able to identify correlations in data many times and increase sales of various companies enormously.

Do you need support for a project?
Book a free initial consultation now