Post Image

1 – Get a WordPress instance running on Lightsail.

2 – Forward the domain to the instance’s public IP. For example, for the domain example.com this usually this means an A DNS record for example.com and CNAME DNS record for www.example.com to example.com.

3 – Verify that the website is accessible via HTTP and HTTPS. You’ll get a warning about the HTTPS certificate.

4 – SSH into the instance.

5 – Create a temporary directory:

mkdir tmp
cd tmp

6 – Install certbot:

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

7 – Create a .well-known directory in the WordPress htdocs directory:

sudo mkdir /opt/bitnami/apps/wordpress/htdocs/.well-known

8 – Make .well-known folder writable:

sudo chown -R bitnami:daemon /opt/bitnami/apps/wordpress/htdocs/.well-known

9 – Create a .htaccess file in that directory:

touch /opt/bitnami/apps/wordpress/htdocs/.well-known/.htaccess

10 – Add the following contents to the .htaccess file, to make the .well-known directory accessible:

#
# Override overly protective .htaccess in webroot
#
RewriteEngine On
Satisfy Any

11 – You can edit the file through FTP (recommended) or by using nano or vi, e.g.:

nano /opt/bitnami/apps/wordpress/htdocs/.well-known/.htaccess

12 – Run certbot. Make sure you configure everything as expected and input a real email address when required:

./certbot-auto certonly --webroot -w /opt/bitnami/apps/wordpress/htdocs/ -d example.com -d www.example.com

13 – Of course, change example.com to the name of your domain.

14 – If all executes as expected, you’ll see a message congratulating you for successfully acquiring the certificates you required.

15 – Next, edit the Apache configuration file

sudo vi /opt/bitnami/apache2/conf/bitnami/bitnami.conf

16 – Comment out (by adding a # in the beginning of the line) the following lines:

#SSLCertificateFile "/opt/bitnami/apache2/conf/server.crt"
#SSLCertificateKeyFile "/opt/bitnami/apache2/conf/server.key"

17 – Add the following lines below:

# Let's Encrypt
SSLCertificateFile "/etc/letsencrypt/live/example.com/fullchain.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/example.com/privkey.pem"
SSLCACertificateFile "/etc/letsencrypt/live/example.com/fullchain.pem"

18 – Of course, change example.com to the name of the domain.

19 – Restart Apache:

sudo /opt/bitnami/ctlscript.sh restart apache

You should see the following output:

Unmonitored apache
Syntax OK
/opt/bitnami/apache2/scripts/ctl.sh : httpd stopped
Syntax OK
/opt/bitnami/apache2/scripts/ctl.sh : httpd started at port 80
Monitored apache

You can check to see whether the correct certificate appears when you access the website at https://www.example.com

Note that Let’s Encrypt certificates expire after 90 days. We can manually renew the certificates every 90 by running these lines:

cd tmp ./certbot-auto renew

Or by setting up a cronjob that will auto renew the certificate for us.