Using Let’s Encrypt SSL Certificate with Auto-Renewal on WordPress Site Hosted on AWS Lightsail


In this tutorial I will cover how you can use Let’s Encrypt with Certbot/Lego to generate a FREE SSL certificate for your personal website, along with how to set it up to auto-renew. Please refer to my other tutorials on how to generate an SSL certificate manually after purchasing it from a certificate authority.

If your site is hosted somewhere else and you’d like to host it on Lightsail, please follow my other tutorial here.

I will assume that you already have a Lightsail account on Amazon Web Services and you already have a WordPress site with a domain attached to it. If not, please follow this tutorial first.

First ensure you have a backup (snapshot) of your instance, just in case something goes wrong (I faced some issues the first time around, but the snapshot saved me 😅) – details on restoring the snapshot are in a later section in case you need them.

STEP 1: Install Let’s Encrypt Certbot and Lego

Visit your lightsail dashboard, then click on the “Connect using SSH” button to open terminal and SSH into the instance.

  • Navigate to the temporary directory: cd /tmp/
  • Enter this command to download the latest version of lego: curl -Ls https://api.github.com/repos/xenolf/lego/releases/latest | grep browser_download_url | grep linux_amd64 | cut -d '"' -f 4 | wget -i -
  • This will download the archive into the “tmp” directory. Let’s extract it (please note, you need to ⚠️ change X.Y.Z to the version that was listed in the output of the command above. At the time of this writing, it was “…_v3.6.0_…“): tar xf lego_vX.Y.Z_linux_amd64.tar.gz
  • Execute these commands to create a directory and move lego there: sudo mkdir -p /opt/bitnami/letsencrypt and sudo mv lego /opt/bitnami/letsencrypt/lego

๐Ÿ Up until this point, you should have installed lego.

STEP 2: Generate a Let’s Encrypt Certificate

  • Stop your current instance: sudo /opt/bitnami/ctlscript.sh stop
  • Request a new certificate for your domain, with and without “www” (⚠️ change the email address and domain to your own): sudo /opt/bitnami/letsencrypt/lego --tls --email="me@karlboghossian.com" --domains="karlboghossian.com" --domains="www.karlboghossian.com" --path="/opt/bitnami/letsencrypt" run
  • This will prompt you to accept the terms of service, just hit “Y” and ENTER to proceed.

๐Ÿ This should have already created the certificates under /opt/bitnami/letsencrypt/certificates/. Now we need to configure the server to use them.

STEP 3: Configure the Web Server to Use The Created Let’s Encrypt Certificate

This step will create symbolic links in the Apache conf directory (server.key and server.crt) pointing to the certificates in the letsencrypt/ directory, after backing up the current files with a .old suffix so that we can restore them if needed. ⚠️ Make sure you change the lines that reference my personal site to your own domain.

  • sudo mv /opt/bitnami/apache2/conf/server.crt /opt/bitnami/apache2/conf/server.crt.old
  • sudo mv /opt/bitnami/apache2/conf/server.key /opt/bitnami/apache2/conf/server.key.old
  • sudo mv /opt/bitnami/apache2/conf/server.csr /opt/bitnami/apache2/conf/server.csr.old
  • sudo ln -sf /opt/bitnami/letsencrypt/certificates/karlboghossian.com.key /opt/bitnami/apache2/conf/server.key
  • sudo ln -sf /opt/bitnami/letsencrypt/certificates/karlboghossian.com.crt /opt/bitnami/apache2/conf/server.crt
  • sudo chown root:root /opt/bitnami/apache2/conf/server*
  • sudo chmod 600 /opt/bitnami/apache2/conf/server*

๐Ÿ Now type ls -la /opt/bitnami/apache2/conf to see the symlinks that were created and where everything points.

STEP 4: Test Your Site

  • First you want to restart your server: sudo /opt/bitnami/ctlscript.sh start
  • Visit “https://karlboghossian.com” to validate your site is loading.
  • In case it doesn’t: I faced some issues the first time around (before I wrote this tutorial) where I had to restore my instance from the AWS Lightsail dashboard.
  • If you need to do so:
    • Click on the Snapshots under your instance in Lightsail dashboard.
    • Then click the “…” button and “Create from Snapshot” option.
    • Don’t worry, this is the only way to restore a snapshot: you create a new instance from it, then update your static IP to point to the new instance (as if nothing happened).
    • Wait until the new instance is up and running.
    • Click on the Static IP for the original instance, that should show you the instance it’s attached to (i.e.: the original one)
    • Click on detach.
    • Click and select the new instance.
    • Click attach.

๐Ÿ At this point, if you visit karlboghossian.com, you should see the site loading just like before (of course without SSL/https).

STEP 5: Configuring Proper Redirects / Update WordPress to use SSL

You might notice that Chrome will say that it’s not fully secure, or even Safari won’t display the lock yet. Let’s fix that!

  • First you need to make the wp-config.php file writable: sudo chmod 666 /opt/bitnami/apps/wordpress/htdocs/wp-config.php
  • Go to your wordpress admin dashboard for your site.
  • Navigate to Plugins > Add New
  • Search for “Really Simple SSL!” > Install > Activate
  • It will alert you to make a backup, feel free to do it (I didn’t).
  • Under the Settings for that plugin, there’s a toggle for 301 redirect. If you enable it, it might say that it doesn’t have write access to htaccess.conf, so you can either add the block of code they provide, or just make it fully writable (chmod 666 that file), then toggle the switch back ON and save.
  • Then revert the permissions on htaccess.conf with chmod 644.
  • Revert the wp-config.php file back: sudo chmod 644 /opt/bitnami/apps/wordpress/htdocs/wp-config.php

๐Ÿ Visit your site as is (without https://) and it should automatically redirect. If it doesnโ€™t, it could be because you tried to http:// earlier and your browser cached your preference. Notice that if you click anywhere on your site, you might see the https:// automatically added. Just try with another browser or another device. Eventually your browser will start to go there automatically.

STEP 6: Final Touch Ups

I did have to go through the site real quick and republish a few pages. I noticed the logo initially was missing (it couldn’t load the image). And some other blog posts had an image missing. I simply edited the blog post that was missing the image, and clicked the image > deselected > selected that same image > publish.

๐Ÿ At this point your site should be loading fine with images and everything working. Last step is to deal with renewals, as you know the Let’s Encrypt certificates are valid for 90 days only.

Renewing the Certificate

Let’s Encrypt certificates have a 90-day lifespan, so they have to be renewed every 3 months. There are two ways to renew the certificate: manually, or automatically using a cron job.

OPTION 1: Manually Every 2-3 Months

Execute the following command (of course update the email and domain to your own): sudo /opt/bitnami/letsencrypt/lego --tls --email="me@karlboghossian.com" --domains="karlboghossian.com" --domains="www.karlboghossian.com" --path="/opt/bitnami/letsencrypt" renew --days 90

OPTION 2: Automatically Renew Certificates Before They Expire

This is the better approach, as it doesn’t require you to do anything in the long run.

  • Create a script at /opt/bitnami/letsencrypt/scripts/renew-certificate.sh: sudo nano /opt/bitnami/letsencrypt/scripts/renew-certificate.sh
  • Enter the following in the file that was just created (of course make sure to update the email/domains to your corresponding info):

    #!/bin/bash

    sudo /opt/bitnami/ctlscript.sh stop apache
    sudo /opt/bitnami/letsencrypt/lego --tls --email="me@karlboghossian.com" --domains="karlboghossian.com" --domains="www.karlboghossian.com" --path="/opt/bitnami/letsencrypt" renew --days 90
    sudo /opt/bitnami/ctlscript.sh start apache

  • Exit the editor (Ctrl + X), confirm saving the changes, then hit ENTER.
  • Basically, the script stops the Apache server, executes the manual renew command from the section above, then starts the server again.
  • Since you created the symbolic links in STEP 3, any newly generated certificate will end up under the letsencrypt directory, which the links already point at.

Now we need to create a cron job that will execute that script periodically.

  • Make the script executable: sudo chmod +x /opt/bitnami/letsencrypt/scripts/renew-certificate.sh
  • Execute the following to open the crontab editor: sudo crontab -e
    • If it asks which editor to use, I picked the nano option 2.
  • Scroll to the end of the file and add the following, which will run on the 1st day of every month: 0 0 1 * * /opt/bitnami/letsencrypt/scripts/renew-certificate.sh 2> /dev/null

NOTE: If renewing multiple domains, remember to update the /opt/bitnami/letsencrypt/scripts/renew-certificate.sh script to include the additional domain name(s) in the lego command.
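As an added example (my own hardened variant, not the tutorial author’s script), here is a renew-certificate.sh that only stops Apache when the certificate is within 30 days of expiry, logs what it did, and restarts Apache even if lego fails. The tutorial’s paths are kept; the e-mail, domain and log file are placeholders you must change.

```shell
#!/bin/bash
# Added example, not the tutorial's script: a renew-certificate.sh variant that
# checks the certificate's expiry before touching Apache, so the site is only
# stopped when a renewal is actually due, and that restarts Apache even when
# lego fails. Paths are the tutorial's; EMAIL/DOMAIN/LOG are placeholders.
set -u

LEGO=/opt/bitnami/letsencrypt/lego
LE_PATH=/opt/bitnami/letsencrypt
CTL=/opt/bitnami/ctlscript.sh
EMAIL="me@example.com"               # placeholder: your own address
DOMAIN="example.com"                 # placeholder: your apex domain
CERT="$LE_PATH/certificates/$DOMAIN.crt"
LOG=/var/log/letsencrypt-renew.log   # assumed log location
RENEW_WINDOW_DAYS=30                 # renew when fewer than this many days remain

# Pure helper: notAfter and "now" as Unix epochs; returns 0 (true) when fewer
# than $3 whole days remain, 1 otherwise. Testable without a real certificate.
needs_renewal() {
    local not_after=$1 now=$2 window_days=$3
    local remaining=$(( (not_after - now) / 86400 ))
    [ "$remaining" -lt "$window_days" ]
}

# Read notAfter from the certificate file as an epoch (GNU date -d, as on Bitnami).
cert_not_after_epoch() {
    local end
    end=$(openssl x509 -enddate -noout -in "$1" | cut -d= -f2)
    [ -n "$end" ] || return 1
    date -d "$end" +%s
}
main() {
    local not_after now rc
    not_after=$(cert_not_after_epoch "$CERT") || { echo "cannot read $CERT" >>"$LOG"; return 1; }
    now=$(date +%s)
    if ! needs_renewal "$not_after" "$now" "$RENEW_WINDOW_DAYS"; then
        echo "$(date '+%F %T') no renewal needed" >>"$LOG"; return 0
    fi
    "$CTL" stop apache >>"$LOG" 2>&1
    # Same lego invocation as the tutorial, but --days matches our window (90 would always renew)
    "$LEGO" --tls --email="$EMAIL" --domains="$DOMAIN" --domains="www.$DOMAIN" \
        --path="$LE_PATH" renew --days "$RENEW_WINDOW_DAYS" >>"$LOG" 2>&1
    rc=$?
    "$CTL" start apache >>"$LOG" 2>&1   # always bring the site back up
    echo "$(date '+%F %T') lego exit=$rc" >>"$LOG"
    return "$rc"
}
# Only run when the certificate is present, so the helpers can be sourced and tested elsewhere.
if [ -r "$CERT" ]; then main; else echo "$CERT not found; nothing to renew" >&2; fi
```

With this version the cron entry from above can safely run daily instead of monthly, since it does nothing unless the certificate is actually close to expiry.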

๐Ÿ Congratulations! You setup a cron job that will run periodically and renew your certificate ๐Ÿคฉ.


I hope this tutorial was extensive and helped you out, please share it with others and subscribe for more content, I would really appreciate it! 🍻
