Using Let’s Encrypt certificates with WordPress on Amazon Lightsail

Today, I set up a WordPress instance on Amazon Lightsail. It’s a nifty little service that lets you launch and manage a virtual private server with AWS very easily. You can find more information about Lightsail here. Helpfully, this same article also guides you in launching a WordPress instance.

Lightsail’s WordPress instance comes with automatically-generated dummy (self-signed) SSL/TLS certificates. That means that when I try to access my website using HTTPS, I get a certificate warning. Not great.

Luckily, there’s a great complementary service called Let’s Encrypt which can help solve this issue. Let’s Encrypt is a free, automated and open certificate authority. We’ll use it to generate valid certificates for our new WordPress instance.

Follow these instructions:

  1. Get your WordPress instance running on Lightsail.
  2. Forward your domain to the instance’s public IP. For example, for the domain example.com this usually means an A DNS record for example.com and a CNAME DNS record for www.example.com pointing to example.com.
  3. Verify that your website is accessible via HTTP and HTTPS. You’ll get a warning about the HTTPS certificate.
  4. SSH into your instance.
  5. Create a temporary directory:
    mkdir tmp
    cd tmp
  6. Install certbot as explained here:
    wget https://dl.eff.org/certbot-auto
    chmod a+x certbot-auto
  7. Create a .well-known directory in the WordPress htdocs directory:
    mkdir /home/bitnami/apps/wordpress/htdocs/.well-known
  8. Create a .htaccess file in that directory:
    touch /home/bitnami/apps/wordpress/htdocs/.well-known/.htaccess
  9. Add the following contents to the .htaccess file, to make the .well-known directory accessible:
    #
    # Override overly protective .htaccess in webroot
    #
    RewriteEngine On
    Satisfy Any

    You can edit the file using nano or vi, e.g.:

    vi /home/bitnami/apps/wordpress/htdocs/.well-known/.htaccess
  10. Run certbot. Make sure you configure everything as expected and input a real email address when required:
    ./certbot-auto certonly --webroot -w /home/bitnami/apps/wordpress/htdocs/ -d example.com -d www.example.com

    Of course, change example.com to the name of your domain.

  11. If all executes as expected, you’ll see a message congratulating you for successfully acquiring the certificates you required.
  12. Next, edit the Apache configuration file, as explained here:
    sudo vi /opt/bitnami/apache2/conf/bitnami/bitnami.conf

    Comment out (by adding a # at the beginning of the line) the following lines:

    #SSLCertificateFile "/opt/bitnami/apache2/conf/server.crt"
    #SSLCertificateKeyFile "/opt/bitnami/apache2/conf/server.key"

    Add the following lines below:

    # Let's Encrypt
    SSLCertificateFile "/etc/letsencrypt/live/example.com/fullchain.pem"
    SSLCertificateKeyFile "/etc/letsencrypt/live/example.com/privkey.pem"
    SSLCACertificateFile "/etc/letsencrypt/live/example.com/fullchain.pem"

    Of course, change example.com to the name of your domain.

  13. Finally, restart Apache:
    sudo /opt/bitnami/ctlscript.sh restart apache

    You should see the following output:

    Unmonitored apache
    Syntax OK
    /opt/bitnami/apache2/scripts/ctl.sh : httpd stopped
    Syntax OK
    /opt/bitnami/apache2/scripts/ctl.sh : httpd started at port 80
    Monitored apache
  14. Done! You can check whether the correct certificate appears when you access your website at https://www.example.com
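
Step 12 as a script, added here as an example and not part of the original post: it refuses to touch the config unless fullchain.pem and privkey.pem exist for the name you pass (certbot names the directory under /etc/letsencrypt/live after the certificate, normally the first -d value), keeps a .bak copy, and comments out whichever certificate and key directives are active. The names CONF, LIVE_ROOT and use_letsencrypt are this example's own, and it writes only the certificate and key directives.

```shell
#!/bin/sh
# Added example: switch the Bitnami Apache vhost from the dummy certificate
# to a certbot lineage (step 12). CONF and LIVE_ROOT default to the paths in
# this post; both variable names are this example's own and can be overridden
# to rehearse on a copy of the file.
CONF="${CONF:-/opt/bitnami/apache2/conf/bitnami/bitnami.conf}"
LIVE_ROOT="${LIVE_ROOT:-/etc/letsencrypt/live}"

# use_letsencrypt NAME
# returns 0 = config rewritten, 1 = refused (nothing changed),
#         2 = config already points at this lineage.
use_letsencrypt() {
    dir="$LIVE_ROOT/$1"
    # Refuse to write paths that do not exist: Apache would fail to start.
    for f in fullchain.pem privkey.pem; do
        if [ -z "$1" ] || [ ! -s "$dir/$f" ]; then
            echo "no usable $f under $dir; lineages found:" >&2
            ls "$LIVE_ROOT" >&2
            return 1
        fi
    done
    if grep -v '^[[:space:]]*#' "$CONF" |
        grep -qF "SSLCertificateFile \"$dir/fullchain.pem\""; then
        return 2
    fi
    cp -p "$CONF" "$CONF.bak" || return 1   # keep a rollback copy
    # Comment out every active certificate/key directive and add the new
    # pair right after each key line, keeping the original indentation.
    awk -v dir="$dir" '
        /^[ \t]*SSLCertificate(Key)?File[ \t]/ {
            indent = $0; sub(/[^ \t].*/, "", indent)
            line = $0;   sub(/^[ \t]*/, "", line)
            print indent "#" line
            if ($1 == "SSLCertificateKeyFile") {
                print indent "SSLCertificateFile \"" dir "/fullchain.pem\""
                print indent "SSLCertificateKeyFile \"" dir "/privkey.pem\""
            }
            next
        }
        { print }' "$CONF.bak" > "$CONF" || { cp -p "$CONF.bak" "$CONF"; return 1; }
}

# Run as: sudo sh use-letsencrypt.sh example.com   (file name is hypothetical)
if [ "$#" -gt 0 ]; then
    use_letsencrypt "$1"
fi
```

Restart Apache as in step 13 afterwards; if the restart reports a syntax error, copy the .bak file back over the config.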

Note that Let’s Encrypt certificates expire after 90 days. As explained here, you can either manually renew the certificates every 90 or so days (simply by executing steps 10 and 13), or add a cron job that automatically does this for you.

27 thoughts on “Using Let’s Encrypt certificates with WordPress on Amazon Lightsail”

  1. Hey!

    Thanks for posting this, your guide is wonderfully newb friendly and actually got the job done for me. I really appreciate it :)

  2. Hey number 10 command is cut off! Can you repost? Great tutorial and so far everything is working great! thanks

  3. This is the best tutorial on installing Letsencrypt on wordpress. I’ve installed letsencrypt on about five installs and I’m sorry I didn’t bookmark your page the first time. Thank you.

  4. Thanks. One thing to correct. I had an error when restarting Apache. If you include ‘www’ in step 10, you also have to include it in step 12.

  5. This was very very useful to me. I had hung up on the standard instructions and this provided the missing pieces. Worked perfectly and now I believe I fully understand the process. Many thanks.

  6. Pingback: Instalar un certificado SSL de Let’s Encrypt en Debian 7 (Wheezy) con Apache 2.2 – Jesús Amieiro

  7. This is a great tutorial! For Lightsail’s WordPress installation, they recommend a plugin that retrieves and saves the certificate automatically. It also renews it automatically — cool!

    The paths are different, but it’s fairly easy to figure out. Thank you for a very helpful tutorial. The path to the vhost config file is correct. I spent hours trying to find it.

  8. Awesome walkthrough for adding the cert to Lightsail. I looked at the cron job and couldn’t get it :/ Any way you could update the post with that?

  9. Installation went great and now the Blog loads with the https:// but in Chrome it still does not show it is secure and the green lock does not show in the URL when I load my page, suggestions?

  10. Thanks, that works perfectly. Now I’d like to know how to renew the certificate automatically.

    Thanks a lot!
    Regards, Juan.

  11. I am confused on where I should create the tmp folder. I made my WordPress site with AWS Lightsail using the Bitnami application they have.

    When I SSH into my server, I see apps, bitnami_application_password, htdocs and stack.

    Where should I create the tmp folder?

  12. Thanks for this share :)

    I have a small issue: when I access my domain with https:// it says “Your connection to this site is not fully secure”.

    So what should I do? I have a Bitnami WordPress instance on Amazon Lightsail.

  13. The certbot page you link is not compatible with the setup from this blog. Try another cron!
