Get Let’s Encrypt SSL Certificate

An SSL certificate plays a crucial role in the HTTPS protocol by providing details such as the domain name, owner’s name, public key (used for encrypting data), and validity dates. While paid SSL certificates from companies such as Symantec, GoDaddy, and RapidSSL may be a suitable option for websites conducting financial transactions, a free SSL certificate from Let’s Encrypt can be sufficient for blogs that only collect user information through forms.

Using SSL Certificate with Certbot and Apache

The Certbot client provides an efficient and straightforward method for generating an SSL certificate without the need for multiple WordPress plugins. This can be accomplished through the Linux shell. Before proceeding, it’s important to ensure that all server packages are up-to-date by running the following command:

sudo apt-get update

Install Certbot

Using Certbot with the Bitnami WordPress Distribution on AWS Lightsail

Although the Bitnami WordPress distribution on Lightsail comes with an SSL script, some users have reported difficulties with certificate renewal. For this reason, we recommend using Certbot. Before installing the Certbot client, it’s necessary to install Snap on the Bitnami instance. Use the following commands to accomplish this on your Lightsail instance:

sudo apt-get install snapd
sudo snap install core
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot

Generate Certificate

With the Certbot client installed, you can now proceed to generate a certificate for your domain.

sudo certbot certonly --webroot -w /opt/bitnami/wordpress/ -d www.example.com -d example.com

Replace example.com and www.example.com in the command above with your actual domain name when generating a certificate. If you require certificates for multiple domains, you can add them using the -d option. For more information on the Certbot client, visit their official page.

The generated certificate will be stored in the /etc/letsencrypt/live/DOMAIN directory, where DOMAIN is the first domain name specified in the command.

It’s important to include both the www and non-www versions of your domain in the certificate to avoid security errors for users who may not be redirected automatically by their browser.

If you’ve already obtained an SSL certificate and wish to include additional domains, simply run the above command again. The Certbot client will prompt you to expand the existing certificate and regenerate it by typing ‘E’.


Modify Apache using Let’s Encrypt SSL Certificate

After obtaining the SSL certificate using one of the methods mentioned above, you need to inform Apache of the certificate’s location.

By default, Apache stores the certificates at the following locations:

/opt/bitnami/apache2/conf/bitnami/certs/server.crt
/opt/bitnami/apache2/conf/bitnami/certs/server.key

One approach to enable the new SSL certificate is to simply copy it to the default locations and restart Apache. However, this requires you to repeat the process every time the certificate is renewed.

A more efficient method is to create symbolic links to your certificate files, allowing for seamless certificate renewal.

Before creating the symbolic links, it’s necessary to rename the existing certificate files to facilitate the process.

sudo mv /opt/bitnami/apache2/conf/bitnami/certs/server.crt /opt/bitnami/apache2/conf/bitnami/certs/server.crt.old
sudo mv /opt/bitnami/apache2/conf/bitnami/certs/server.key /opt/bitnami/apache2/conf/bitnami/certs/server.key.old

Create symbolic links to the certificate files, replacing [DOMAIN] with your domain name:

sudo ln -sf /etc/letsencrypt/live/[DOMAIN]/fullchain.pem /opt/bitnami/apache2/conf/bitnami/certs/server.crt
sudo ln -sf /etc/letsencrypt/live/[DOMAIN]/privkey.pem /opt/bitnami/apache2/conf/bitnami/certs/server.key

Restart Apache:

sudo /opt/bitnami/ctlscript.sh restart apache

Once Apache has been restarted, try accessing your blog using HTTPS to verify that there are no errors.
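
The following script is an added example, not part of the original post. It checks that server.crt and server.key are symbolic links resolving to the Let’s Encrypt files for your domain (not stale copies) and that the private key is not readable by group or other users. The variable names CERT_DIR and LIVE_ROOT and the script name are assumptions; the default paths are the ones used on this page.

```shell
#!/bin/sh
# Added example: sanity-check the Apache certificate symlinks.
# CERT_DIR and LIVE_ROOT default to the paths used on this page and can be
# overridden from the environment (assumption: same layout as above).
CERT_DIR="${CERT_DIR:-/opt/bitnami/apache2/conf/bitnami/certs}"
LIVE_ROOT="${LIVE_ROOT:-/etc/letsencrypt/live}"

# check_link LINK EXPECTED
# Returns 0 if LINK is a symlink that resolves to the same file as EXPECTED,
# 1 if it is not a symlink (e.g. a stale copy), 2 if dangling, 3 if it
# points somewhere else. Both sides are fully resolved because certbot's
# live/ entries are themselves symlinks.
check_link() {
    [ -L "$1" ] || { echo "FAIL: $1 is not a symlink" >&2; return 1; }
    [ -e "$1" ] || { echo "FAIL: $1 is a dangling symlink" >&2; return 2; }
    cl_got=$(readlink -f "$1")
    cl_want=$(readlink -f "$2")
    [ "$cl_got" = "$cl_want" ] && return 0
    echo "FAIL: $1 resolves to $cl_got, expected $cl_want" >&2
    return 3
}

# key_is_private FILE
# Returns 0 only if the file behind FILE grants nothing to group or other.
key_is_private() {
    kp_mode=$(ls -ldL "$1" 2>/dev/null | cut -c5-10)
    [ "$kp_mode" = "------" ] && return 0
    echo "FAIL: private key $1 is accessible to group/other" >&2
    return 1
}

# verify_domain DOMAIN
# Runs every check and returns the number of failed checks (0 = all good).
verify_domain() {
    vd_fail=0
    check_link "$CERT_DIR/server.crt" "$LIVE_ROOT/$1/fullchain.pem" || vd_fail=$((vd_fail + 1))
    check_link "$CERT_DIR/server.key" "$LIVE_ROOT/$1/privkey.pem" || vd_fail=$((vd_fail + 1))
    key_is_private "$CERT_DIR/server.key" || vd_fail=$((vd_fail + 1))
    return "$vd_fail"
}

# Usage: sudo sh check-certs.sh example.com   (script name is hypothetical)
if [ -n "${1:-}" ]; then
    verify_domain "$1" && echo "OK: certificate links for $1 are in place"
fi
```

Run it with sudo, because /etc/letsencrypt/live is readable only by root.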

Enforcing HTTPS on Your Blog

After setting up the Let’s Encrypt SSL certificate and linking it to Apache, the next step is to redirect your blog to HTTPS instead of HTTP.

This involves two steps. Firstly, you need to modify the home URL of your blog by editing the wp-config.php file.

Edit the wp-config.php file and replace the following two lines, directing them towards HTTPS instead of HTTP.

define('WP_SITEURL', 'https://DOMAIN/');
define('WP_HOME', 'https://DOMAIN/');

Secondly, edit /opt/bitnami/apache2/conf/vhosts/wordpress.conf so that it contains the following rewrite rules:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP_HOST} !^(localhost|127.0.0.1)
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]

All traffic will now be redirected to HTTPS.

Renew The SSL Certificate

Run the following command to renew the SSL certificate:

sudo certbot renew

Restart Apache:

sudo /opt/bitnami/ctlscript.sh restart apache
