After recently discovering Amazon’s Lightsail service and its simplicity when it comes to configuring and publishing a WordPress instance, I decided it would be wise to take it a step further and configure SSL.
Lightsail’s WordPress instance comes with self-signed SSL certificates. Basically this means that any attempt to access my website via HTTPS would generate a security warning.
After a bit of searching, I came across a handy little service called Certbot which will assist us in solving this issue. The best part is it’s a free, automated and open certificate authority. So this is what I will be using to secure my Lightsail instance running WordPress.
I went ahead and documented the process so that anyone can easily follow along in the future.
This guide assumes you’ve already set up a running instance of WordPress using Amazon’s Lightsail service. If not, visit lightsail.aws.amazon.com
Forward your domain to the Lightsail instance public IP. To summarize, for the domain demosite.com this usually means an A DNS record for demosite.com and a CNAME DNS record for www.demosite.com to demosite.com
Verify that your website is accessible via HTTP and HTTPS, e.g. http://demosite.com https://demosite.com
Use Amazon’s Lightsail service to open a terminal session on your instance.
Then create a temporary directory:
mkdir tmp
cd tmp
Install Certbot as outlined here:
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
Create a .well-known directory in the WordPress htdocs directory:
Then create an .htaccess file in that directory:
Add the following contents to the .htaccess file, to make the .well-known directory accessible:
#override overly protective .htaccess
RewriteEngine On
Satisfy Any
Edit the file using nano:
Run Certbot. Input your desired email address when prompted:
./certbot-auto certonly --webroot -w /home/bitnami/apps/wordpress/htdocs/ -d demosite.com -d www.demosite.com
Make sure to change demosite.com to the name of your domain.
Assuming everything goes as planned, you’ll see a message congratulating you for successfully acquiring the certificates.
Now we will want to edit the Apache configuration file with the new certificate information.
sudo nano /opt/bitnami/apache2/conf/bitnami/bitnami.conf
Comment out the following lines:
#SSLCertificateFile "/opt/bitnami/apache2/conf/server.crt"
#SSLCertificateKeyFile "/opt/bitnami/apache2/conf/server.key"
Simply add a # to the front of the lines to comment them out.
Add the following lines below the lines you just commented out and make sure to change demosite.com to your domain:
# Certbot certificates
SSLCertificateFile "/etc/letsencrypt/live/demosite.com/fullchain.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/demosite.com/privkey.pem"
SSLCACertificateFile "/etc/letsencrypt/live/demosite.com/fullchain.pem"
And to finish up let’s restart Apache:
sudo /opt/bitnami/ctlscript.sh restart apache
If everything goes to plan you will see the following output:
Unmonitored apache
Syntax OK
/opt/bitnami/apache2/scripts/ctl.sh : httpd stopped
Syntax OK
/opt/bitnami/apache2/scripts/ctl.sh : httpd started at port 80
Monitored apache
You can validate if the process was successful by visiting your website via HTTPS. For example: https://www.demosite.com
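The edit to bitnami.conf can also be checked mechanically. The script below is an added example, not part of the original guide: it confirms that the only active SSLCertificateFile and SSLCertificateKeyFile directives point at /etc/letsencrypt/live/<domain>/, and it catches a self-signed line that was left uncommented. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): confirm that bitnami.conf
# really serves the Certbot certificate after the edit described above.

# Print the path of every active (uncommented) DIRECTIVE line in CONF.
active_ssl_paths() {
    awk -v d="$2" '
        $1 ~ /^#/ { next }                           # commented out: ignore
        tolower($1) == tolower(d) { gsub(/"/, "", $2); print $2 }
    ' "$1"
}

# Return 0 only if cert and key are both read from /etc/letsencrypt/live/DOMAIN/
# and no second cert/key directive (e.g. the self-signed pair) is still active.
check_ssl_conf() {
    conf=$1 live="/etc/letsencrypt/live/$2" rc=0
    for pair in "SSLCertificateFile:$live/fullchain.pem" \
                "SSLCertificateKeyFile:$live/privkey.pem"; do
        directive=${pair%%:*} expected=${pair#*:}
        found=$(active_ssl_paths "$conf" "$directive")
        if [ "$found" != "$expected" ]; then
            echo "FAIL $directive: want $expected, active: ${found:-none}" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of the edited section of bitnami.conf. With $1 = "forgot"
# the self-signed key line is left active by mistake.
sample_conf() {
    [ "$1" = forgot ] && lead="" || lead="#"
    cat <<EOF
  #SSLCertificateFile "/opt/bitnami/apache2/conf/server.crt"
  ${lead}SSLCertificateKeyFile "/opt/bitnami/apache2/conf/server.key"
  # Certbot certificates
  SSLCertificateFile "/etc/letsencrypt/live/demosite.com/fullchain.pem"
  SSLCertificateKeyFile "/etc/letsencrypt/live/demosite.com/privkey.pem"
  SSLCACertificateFile "/etc/letsencrypt/live/demosite.com/fullchain.pem"
EOF
}

tmp=$(mktemp)
sample_conf ok > "$tmp"
check_ssl_conf "$tmp" demosite.com && echo "OK: Certbot cert and key are the only active pair"
rm -f "$tmp"
```

On the instance, call check_ssl_conf with /opt/bitnami/apache2/conf/bitnami/bitnami.conf and your own domain instead of the sample file.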
Keep in mind these free certificates expire after 90 days. As detailed here, you can manually renew the certificates every 90 days, or add a cron job that will automatically do this for you.
Next I will demonstrate how to add a cron job to your existing instance. – Stay tuned.