After recently discovering Amazon’s Lightsail service and its simplicity when it comes to configuring and publishing a WordPress instance, I decided it would be wise to take it a step further and configure SSL.

Lightsail’s WordPress instance comes with self-signed SSL certificates. Basically this means that any attempt to access my website via HTTPS would generate a security warning.

After a bit of searching, I came across a handy little service called Certbot which will assist us in solving this issue. The best part is it’s a free, automated and open certificate authority. So this is what I will be using to secure my Lightsail instance running WordPress.

I went ahead and documented the process so that anyone can easily follow along in the future.

Let’s begin!

This guide assumes you’ve already set up a running instance of WordPress using Amazon’s Lightsail service. If not, visit lightsail.aws.amazon.com

Forward your domain to the Lightsail instance public IP. To summarize, for the domain demosite.com this usually means an A DNS record for demosite.com and a CNAME DNS record for www.demosite.com pointing to demosite.com

Verify that your website is accessible via HTTP and HTTPS, e.g. http://demosite.com and https://demosite.com

Use Amazon’s Lightsail service to open a terminal on your instance.

Then create a temporary directory:

mkdir tmp
cd tmp

Install Certbot as outlined here:

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

Create a .well-known directory in the WordPress htdocs directory:

mkdir /home/bitnami/apps/wordpress/htdocs/.well-known

Then create an .htaccess file in that directory:

touch /home/bitnami/apps/wordpress/htdocs/.well-known/.htaccess

Add the following contents to the .htaccess file, to make the .well-known directory accessible:

#override overly protective .htaccess

RewriteEngine On
Satisfy Any

Edit the file using nano:

nano /home/bitnami/apps/wordpress/htdocs/.well-known/.htaccess

Run Certbot. Input your desired email address when prompted:

./certbot-auto certonly --webroot -w /home/bitnami/apps/wordpress/htdocs/ -d demosite.com -d www.demosite.com

Make sure to change demosite.com to the name of your domain.

Assuming everything goes as planned, you’ll see a message congratulating you for successfully acquiring the certificates.

Now we will want to edit the Apache configuration file with the new certificate information.

sudo nano /opt/bitnami/apache2/conf/bitnami/bitnami.conf

Comment out the following lines:

#SSLCertificateFile "/opt/bitnami/apache2/conf/server.crt"
#SSLCertificateKeyFile "/opt/bitnami/apache2/conf/server.key"

Simply add a # to the front of the lines to comment them out.

Add the following lines below the lines you just commented out and make sure to change demosite.com to your domain:

# Certbot certificates
SSLCertificateFile "/etc/letsencrypt/live/demosite.com/fullchain.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/demosite.com/privkey.pem"
SSLCACertificateFile "/etc/letsencrypt/live/demosite.com/fullchain.pem"

And to finish up let’s restart Apache:

sudo /opt/bitnami/ctlscript.sh restart apache

If everything goes to plan you will see the following output:

Unmonitored apache
Syntax OK
/opt/bitnami/apache2/scripts/ctl.sh : httpd stopped
Syntax OK
/opt/bitnami/apache2/scripts/ctl.sh : httpd started at port 80
Monitored apache

You can validate if the process was successful by visiting your website via HTTPS. For example: https://www.demosite.com

Keep in mind these free certificates expire after 90 days. As detailed here, you can manually renew the certificates every 90 days, or add a cron job that will automatically do this for you.
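
One way to check both points above from a terminal, as an added example that is not part of the original guide: cert_status reports whether a certificate file is still self-signed (as the stock server.crt is) or expires within a given number of days. The function names, the 30-day default and the throwaway test certificates are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Needs the openssl CLI.

# cert_status FILE [DAYS] -> prints unreadable | self-signed | expiring | ok
cert_status() {
    pem=$1
    days=${2:-30}
    # openssl reads the first certificate in the file (the leaf in fullchain.pem)
    subject=$(openssl x509 -noout -subject -in "$pem" 2>/dev/null) || { echo unreadable; return 2; }
    issuer=$(openssl x509 -noout -issuer -in "$pem" 2>/dev/null)
    # Subject equal to issuer means self-signed, like the stock server.crt
    if [ "${subject#subject=}" = "${issuer#issuer=}" ]; then
        echo self-signed; return 1
    fi
    # -checkend exits non-zero if the certificate expires within N seconds
    if ! openssl x509 -noout -checkend "$((days * 86400))" -in "$pem" >/dev/null 2>&1; then
        echo expiring; return 1
    fi
    echo ok
}

# served_cert HOST OUT: save the certificate the server actually presents (needs network)
served_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -out "$2"
}

# make_demo_certs DIR: constructed test certificates, no network needed
make_demo_certs() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=demosite.com" \
        -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Constructed Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demosite.com" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 90 -out "$d/leaf.pem" 2>/dev/null
}

demo=$(mktemp -d)
make_demo_certs "$demo"
for f in self.pem leaf.pem; do
    echo "$f: $(cert_status "$demo/$f" 30 || true)"
done
echo "leaf.pem, 120-day threshold: $(cert_status "$demo/leaf.pem" 120 || true)"
rm -rf "$demo"
```

Against the live site, save the served certificate with served_cert demosite.com /tmp/served.pem and pass that file to cert_status; a result of self-signed after the Apache restart means the old certificate lines are still in effect.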

Next I will demonstrate how to add a cron job to your existing instance. – Stay tuned.

Nick Petrakis

Nice writeup when will you do the one about the cron job??