Issuing an SSL Certificate for WordPress on AWS Lightsail
In this tutorial I will go over how to issue an SSL certificate for your WordPress site that is hosted on AWS Lightsail. If your site is hosted somewhere else and you'd like to host it onto Lightsail, please follow my other tutorial here.
I will assume that you already have a Lightsail account on Amazon Web Services and you already have a WordPress site with a domain attached to it. If not, please follow this tutorial first.
The steps below will be mostly executed on the SSH Browser for your AWS Lightsail instance.
STEP 1: Generating the Private Key and CSR
In order to generate an SSL certificate, you need to have a .csr file to give to the SSL certificate authority aka "CA" (e.g.: Comodo, etc.). To generate that CSR file, you need to do it on the machine (SSH into it).
Open the SSH Browser for that Lightsail instance.
Issue that command in the SSH browser: sudo openssl genrsa -out /opt/bitnami/apache2/conf/server.key 2048Now using that private key we just created above, let's generate the certificate CSR file: sudo openssl req -new -key /opt/bitnami/apache2/conf/server.key -out /opt/bitnami/apache2/conf/cert.csr
When asked about Country, State, etc, fill in whatever you think is correct.
Regarding the "Common Name", enter your domain (e.g.: "example.com")
Back up your private key in a safe location as such: sudo openssl rsa -des3 -in /opt/bitnami/apache2/conf/server.key -out privkey.pem
When asked for a passcode enter something you can remember.
That file will end up in the root director: /home/bitnami/privkey.pem
Issue the following command so that it doesn't require a passcode every time: sudo openssl rsa -in privkey.pem -out /opt/bitnami/apache2/conf/server.key
This will update the server.key file with your real instance credentials (RSA).
🏁 Up until this point, you should have a server.key and cert.csr on your lightsail instance. This step will not be repeated in the future when the time comes to renew the SSL certificate in 2 years or so.
STEP 2: Requesting the SSL Certificate from the Certificate Authority
Now that you have those files created in STEP 1 on your lightsail instance, you will need to access them to provide them to the issuing authority.
I usually buy my certificates from ssls.com, they have affordable ones for like $7 for 2 years kinda thing.
If you already had an SSL certificate that you previously purchased, you need to follow their user interface options to re-issue it.
They will prompt you to provide the CSR file for your server that will be hosting that SSL certificate.
Ignore that command they provide, as we already issued our CSR on the lightsail instance in STEP 1.
Let's view the content of that CSR file we generated earlier. On the SSH Browser, type: vi /opt/bitnami/apache2/conf/cert.csr
Copy the content of the certificate in its entirety (including the "-----" at the beginning and end.)
Paste it in the box on ssls.com
They will validate that it's for the right domain, and allow you to proceed.
Follow the on-screen instructions to verify that you own that domain. I usually pick the option to send me the email to "admin@example.com".
Once you receive the email, click and validate it by following their instructions.
They will be sending another email with the SSL certificate, in a zip file, as well as in text format.
Download the files you received, rename them as follows:
From example_com.ca-bundle to server-ca.crt
From example_com.crt to server.crt
🏁 At this point you have your SSL certificate ready on your local machine. It's time to upload them on the Lightsail AWS instance.
STEP 3: Uploading the SSL Certificate to Lightsail AWS Instance
As usual, you want to execute the following on the SSH Browser of your Lightsail instance.
First, stop the running services (apache): sudo /opt/bitnami/ctlscript.sh stop
Assign the domain and wildcard environment variables:
DOMAIN=example.com
WILDCARD=*.$DOMAIN
Double-check that the changes took effect: echo $DOMAIN && echo $WILDCARD. That should show your domain.
Rename the existing files that came from initially deploying the WordPress plain site when the Lightsail instance was first created:
sudo mv /opt/bitnami/apache2/conf/server.crt /opt/bitnami/apache2/conf/server.crt.old
sudo mv /opt/bitnami/apache2/conf/server.csr /opt/bitnami/apache2/conf/server.csr.old
ℹ️ You don't need to rename the server.key as we created a new one in STEP 1 for our newly created instance.
If you got a Certificate Authority (CA) bundle (I was getting this from ssls.com)
Locate the apache configuration file: vi /opt/bitnami/apache2/conf/bitnami/bitnami.conf
Add the following lines below the SSLCertificateKeyFile:
If your apache version is < 2.4.8 (mine was 2.4.39), then add this: SSLCertificateChainFile "/opt/bitnami/apache2/conf/server-ca.crt"
Otherwise if >= 2.4.8: SSLCACertificateFile "/opt/bitnami/apache2/conf/server-ca.crt"
ℹ️ To edit the file, hit i on your keyboard.
ℹ️ To check which apache version: apachectl -V
Save changes.
ℹ️ Hit ESC key on your keyboard, then type :wq then ENTER to save changes. Otherwise type :q to discard any changes you've made.
Upload the renamed files we downloaded in STEP 2 and renamed them as server-ca.crt and server.crt to: /opt/bitnami/apache2/conf/
You can use an FTP application like "Cyberduck" to upload them.
To connect using Cyberduck:
Add a new connection.
Pick SFTP (SSH File Transfer Protocol) as the type.
Enter your static IP as the Server.
Username: bitnami
You will need to download the SSH credentials for your instance, you can find them in Lightsail, under that instance, security or something there, you can easily find it and download it. You should get a .pem file.
Skip the password and click SSH Private Key > select the downloaded .pem file.
At this point you should have on your instance under /opt/bitnami/apache2/conf/:
cert.csr: which you generated in the prev section and will not change in the future.
server.key: which you generated in the prev section and will not change in the future.
server.crt: which you downloaded from the certificate authority zip file and renamed as is.
server-ca.crt: which you also downloaded from the certificate authority zip file and renamed it.
Execute this command to allow them to be readable by the root user:
sudo chown root:root /opt/bitnami/apache2/conf/server*
sudo chmod 600 /opt/bitnami/apache2/conf/server*
Ensure that the DOMAIN and WILDCARD are still set: echo $DOMAIN && echo $WILDCARD
If not, set them again by following the steps at the beginning of STEP 3 section.
Ensure that Port 443 is opened from the Lightsail console > Networking (HTTPS TCP 443)
Restart the apache server from the lightsail console.
After the instance has restarted, SSH into it using the browser.
Execute this command just in case the services didn't boot back up (won't hurt to just issue the command anyway): sudo /opt/bitnami/ctlscript.sh start
If for any reason you get "httpd could not be started". It means that the CSR/key and SSL certification don't match: AH02565: Certificate and private key localhost:443:0 from /opt/bitnami/apache2/conf/server.crt and /opt/bitnami/apache2/conf/server.key do not match
You can see that error above in your apache error_log file under /.../apache2/logs/ directory.
Going to www.example.com will not open the page. Your server is busted due to the SSL certificate causing issues.
You might have used the wrong server.key/cert.csr to generate the files on ssls.com (the certificate authority).
Repeat STEP 1 & 2 in the above sections.
🏁 Verify that your site loads file without warnings by going to "https://www.example.com/". For now just type the "https" with and without the "www" and that the lock is shown. You might need to wait a few mins for SSL propagation to occur.
STEP 4: Integrate the SSL Certificate into WordPress
In the earlier steps we issued the SSL certificate, uploaded it to our site which is all great. But WordPress doesn't know that you have an SSL, so it needs to update the permalinks to server everything with https.
To do that, you will need to install a plugin called "Really Simple SSL".
Before activating it, allow it to write to the wp-config.php file: sudo chmod 666 /opt/bitnami/apps/wordpress/htdocs/wp-config.php
Refresh the WordPress dashboard and navigate to plugins, find Really Simple SSL.
Activate it and make sure it shows the checkmarks:
Try navigating to your wp-config.php file to see if Really Simple SSL was able to inject its bits at the end of the file:
vi /opt/bitnami/apps/wordpress/htdocs/wp-config.php
Scroll to the bottom of the file. If you don't see the Really Simple SSL part, then add it manually and save your changes :wq:
//Begin Really Simple SSL session cookie settings
@ini_set('session.cookie_httponly', true);
@ini_set('session.cookie_secure', true);
@ini_set('session.use_only_cookies', true);
//END Really Simple SSL cookie settingsYou might need to add the Really Simple SSL part manually in the .htaccess of your site:
Enter: vi /home/bitnami/apps/wordpress/htdocs/.htaccess
This is the content of my .htaccess:
# BEGIN WordPress
# The directives (lines) between `BEGIN WordPress` and `END WordPress` are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
# BEGIN rlrssslReallySimpleSSL rsssl_version[3.3.4]
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTPS} !=on [NC]
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
</IfModule>
# END rlrssslReallySimpleSSLI also tried a couple of redirects to make the site automatically redirect from www to non-www but I couldn't get it to work.
🏁 Now verify that going to http://www.example.com automatically redirects to https://www.example.com. The same goes with http://example.com should auto redirect to https://example.com
Renewing the SSL Certificate Upon Expiration
Repeat STEP 2 & 3 only!
Here are some references I used for this post:
https://docs.bitnami.com/aws/apps/wordpress/administration/create-ssl-certificate-apache/
https://docs.bitnami.com/aws/apps/wordpress/administration/enable-https-ssl-apache/
Only used the last parts (Step 7, Step 8), not in between to get the certificate as I use an authority and not Let's Encrypt.
I hope this tutorial was extensive and helped you out, please share it with others and subscribe for more content, I would really appreciate it! 🍻
