SSL for AWS Lightsail Wordpress

Jens Neuhaus (pixelpassion)
Nov 18, 2017

In my previous blog article, I wrote about installing a Wordpress blog on AWS Lightsail.

In the official Bitnami documentation, they install a useless example.com dummy certificate by default. If you open your browser, you’ll probably get a message like:

SSL Certificate Name Mismatch

This clearly isn’t the end goal, so you’ll want to add your own SSL certificate. SSL certificates used to cost a small fortune, but now you can get them for free with the help of Let’s Encrypt.

I’ll show you how to install Let’s Encrypt using my private blog unterwegs-in-suedostasien.de as an example (it’s a blog about a backpacking trip I took in Southeast Asia).

First, you should read my first article about how to connect to your instance.

Punycode — use of Ü, Ä, and Ö with Let’s Encrypt

In addition to unterwegs-in-suedostasien.de, I own the domain unterwegs-in-südostasien.de (with the special character “ü” instead of “ue”). This special character needs some… special handling. By default, if you enter a non-ASCII domain in Let’s Encrypt, you get an error message like this:

Non-ASCII domain names not supported. To issue for an Internationalized Domain Name, use Punycode.

Punycode is a special notation intended for international domain names. You can use a converter like punycoder.com to generate the correct punycode domain name.
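Instead of a web converter you can do the conversion locally. The following is an added example (not code from the original post): it uses Python's built-in "idna" codec to turn each domain into its Punycode (xn--) form and assembles the -d arguments for the certbot command used later in the post. The domain names and the webroot path are the ones from the post; the function names are my own.

```python
# Added example: build certbot "-d" arguments for a domain list that mixes
# plain ASCII names and names with umlauts (IDNs). The stdlib "idna" codec
# returns the ASCII "xn--" form that Let's Encrypt requires; ASCII names pass
# through unchanged, so the same helper works for both kinds.
from typing import List


def to_punycode(domain: str) -> str:
    """Return the ASCII (Punycode) form of a domain, label by label."""
    return domain.strip().lower().encode("idna").decode("ascii")


def certbot_domain_args(domains: List[str], with_www: bool = True) -> List[str]:
    """Expand each domain (and, by default, its www. variant) into
    ["-d", "<ascii-name>", ...], skipping duplicates."""
    args: List[str] = []
    seen = set()
    for name in domains:
        candidates = [name, "www." + name] if with_www else [name]
        for cand in candidates:
            ascii_name = to_punycode(cand)
            if ascii_name not in seen:
                seen.add(ascii_name)
                args += ["-d", ascii_name]
    return args


def build_certbot_command(webroot: str, domains: List[str]) -> List[str]:
    """Assemble the argv for the webroot-based 'certonly' run from the post."""
    return (["/home/bitnami/letsencrypt/letsencrypt-auto", "certonly", "-w", webroot]
            + certbot_domain_args(domains))


if __name__ == "__main__":
    cmd = build_certbot_command("/home/bitnami/apps/wordpress/htdocs",
                                ["unterwegs-in-suedostasien.de",
                                 "unterwegs-in-südostasien.de"])
    print(" ".join(cmd))
```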

Install and run Let’s Encrypt certbot

First, you need to install Let’s Encrypt. You’re supposed to be able to install the certbot with apt-get, but this didn’t work for me. I wound up following David Pascoe’s instructions.

Now, SSH to your instance (info on how to do this in my previous blog article).

Then type in the following commands:

sudo apt-get install git
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
/home/bitnami/letsencrypt/letsencrypt-auto certonly -w /home/bitnami/apps/wordpress/htdocs -d unterwegs-in-suedostasien.de -d www.unterwegs-in-suedostasien.de -d xn--unterwegs-in-sdostasien-ppc.de -d www.xn--unterwegs-in-sdostasien-ppc.de

The -w gives the path to your http root, and the -d adds one or more domain names to the certificate.

Of course, you need to choose your domain names and you should include the www and any other needed subdomains. Wildcards are not allowed with Let’s Encrypt (this may change as of January 2018).

When the certbot asks you for an authentication method, you should choose “webroot” (option 2):

How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)

Select the appropriate number [1–2] then [enter] (press ‘c’ to cancel): 2

The certbot will then create some temporary working links for validation on your web server (challenges):

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for unterwegs-in-suedostasien.de
http-01 challenge for www.unterwegs-in-suedostasien.de
http-01 challenge for xn--unterwegs-in-sdostasien-ppc.de
http-01 challenge for www.xn--unterwegs-in-sdostasien-ppc.de
Using the webroot path /home/bitnami/apps/wordpress/htdocs for all unmatched domains.
Waiting for verification…
Cleaning up challenges

After successful validation, the certbot will delete the temporary files and provide some useful information:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/unterwegs-in-suedostasien.de/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/unterwegs-in-suedostasien.de/privkey.pem

This looks great. We should inform Apache!

sudo nano /home/bitnami/stack/apache2/conf/bitnami/bitnami.conf

This opens the Bitnami configuration file for the Apache. You’ll need to edit the following lines:

SSLCertificateFile "/etc/letsencrypt/live/unterwegs-in-suedostasien.de/cert.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/unterwegs-in-suedostasien.de/privkey.pem"
SSLCertificateChainFile "/etc/letsencrypt/live/unterwegs-in-suedostasien.de/fullchain.pem"

Save it and reload the server:

sudo /opt/bitnami/ctlscript.sh restart

Renew your certificates

Let’s Encrypt certificates are only valid for 90 days. It’s the kind of thing that’s easy to forget, so we recommend automating the process. Let’s update the SSL certificate on the first of every month:

sudo crontab -e

Choose your preferred editor and type the following:

0 3 1 * * /home/bitnami/letsencrypt/letsencrypt-auto renew && /opt/bitnami/ctlscript.sh restart

This will run the renewal on the first of every month at 3:00am (the five cron fields are minute, hour, day of month, month, day of week) and restart Apache only if the renewal succeeded. It’s a good idea to run a manual check to ensure everything is working as it should.

Test your SSL

Check to make sure that you can open your domain with SSL. Pull it up in a browser and celebrate when the correct SSL certificate comes up.

You can also use third party tools to make sure the SSL is working.
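A scripted check is handy for the monthly renewal as well. The following is an added example (not code from the original post): it fetches the certificate the server presents, confirms that every domain passed to certbot appears in the Subject Alternative Names (compared in Punycode form, since that is what the certificate holds), and warns when fewer than 30 days of the 90-day lifetime remain. The sample certificate dict is constructed for illustration, and the function names are my own.

```python
# Added example: check the served certificate for SAN coverage and expiry.
import socket
import ssl
import time
from typing import Dict, Iterable, List, Optional


def fetch_peer_cert(host: str, port: int = 443) -> Dict:
    """Connect with a verifying TLS context and return getpeercert()'s dict.
    Verification failing here (e.g. the Bitnami example.com dummy cert) is
    itself a finding: the handshake raises ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def check_cert(cert: Dict, expected: Iterable[str],
               now: Optional[float] = None, min_days: int = 30) -> List[str]:
    """Return a list of problems; an empty list means the certificate passes.
    `cert` uses the layout of ssl.SSLSocket.getpeercert(); `now` is epoch
    seconds (defaults to the current time)."""
    now = time.time() if now is None else now
    problems: List[str] = []
    sans = {v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"}
    for name in expected:
        ascii_name = name.encode("idna").decode("ascii").lower()
        if ascii_name not in sans:
            problems.append("missing SAN: " + ascii_name)
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    if days_left < 0:
        problems.append("certificate expired %.1f days ago" % -days_left)
    elif days_left < min_days:
        problems.append("certificate expires in %.1f days; renew now" % days_left)
    return problems


# Constructed sample in getpeercert() layout (not a real certificate); note the
# www. variant of the umlaut domain is deliberately missing.
SAMPLE_CERT = {
    "subject": ((("commonName", "unterwegs-in-suedostasien.de"),),),
    "subjectAltName": (("DNS", "unterwegs-in-suedostasien.de"),
                       ("DNS", "www.unterwegs-in-suedostasien.de"),
                       ("DNS", "xn--unterwegs-in-sdostasien-ppc.de")),
    "notBefore": "Nov 18 00:00:00 2017 GMT",
    "notAfter": "Feb 16 00:00:00 2018 GMT",   # 90 days after notBefore
}

if __name__ == "__main__":  # live check; replace the host with your own domain
    for problem in check_cert(fetch_peer_cert("unterwegs-in-suedostasien.de"),
                              ["unterwegs-in-suedostasien.de"]):
        print(problem)
```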

Edit Wordpress settings to always use SSL

If everything works, we should make sure that SSL is always used. Open this file:

sudo nano /opt/bitnami/apps/wordpress/conf/httpd-prefix.conf

Add the following content to the top (making sure to use your own domain name):

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/(.*) https://www.unterwegs-in-suedostasien.de/$1 [R,L]

Once again, restart your HTTP server:

sudo /opt/bitnami/ctlscript.sh restart

You should now have free SSL on your Wordpress server!

Let me know if this tutorial worked for you or if things somehow went wrong. I’m always glad to help.

Thanks for your interest. Did I forget something important? Do you have a different opinion? I’m always glad to get feedback.

Follow me on Twitter for updates & more: @jensneuhaus — 🙌
