1 – Get a WordPress instance running on Lightsail.
2 – Forward the domain to the instance’s public IP. For example, for the domain example.com this usually means an A DNS record for example.com and a CNAME DNS record pointing www.example.com to example.com.
3 – Verify that the website is accessible via HTTP and HTTPS. You’ll get a warning about the HTTPS certificate.
4 – SSH into the instance.
5 – Create a temporary directory:
mkdir tmp
cd tmp
6 – Install certbot:
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
7 – Create a .well-known directory in the WordPress htdocs directory:
sudo mkdir /opt/bitnami/apps/wordpress/htdocs/.well-known
8 – Make the .well-known folder writable:
sudo chown -R bitnami:daemon /opt/bitnami/apps/wordpress/htdocs/.well-known
9 – Create a .htaccess file in that directory:
touch /opt/bitnami/apps/wordpress/htdocs/.well-known/.htaccess
10 – Add the following contents to the .htaccess file, to make the .well-known directory accessible:
#
# Override overly protective .htaccess in webroot
#
RewriteEngine On
Satisfy Any
11 – You can edit the file through FTP (recommended) or by using nano or vi, e.g.:
nano /opt/bitnami/apps/wordpress/htdocs/.well-known/.htaccess
12 – Run certbot. Make sure you configure everything as expected and input a real email address when required:
./certbot-auto certonly --webroot -w /opt/bitnami/apps/wordpress/htdocs/ -d example.com -d www.example.com
13 – Of course, change example.com to the name of your domain.
14 – If all executes as expected, you’ll see a message congratulating you for successfully acquiring the certificates you required.
15 – Next, edit the Apache configuration file:
sudo vi /opt/bitnami/apache2/conf/bitnami/bitnami.conf
16 – Comment out (by adding a # in the beginning of the line) the following lines:
#SSLCertificateFile "/opt/bitnami/apache2/conf/server.crt"
#SSLCertificateKeyFile "/opt/bitnami/apache2/conf/server.key"
17 – Add the following lines below:
# Let's Encrypt
SSLCertificateFile "/etc/letsencrypt/live/example.com/fullchain.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/example.com/privkey.pem"
SSLCACertificateFile "/etc/letsencrypt/live/example.com/fullchain.pem"
18 – Of course, change example.com to the name of the domain.
19 – Restart Apache:
sudo /opt/bitnami/ctlscript.sh restart apache
You should see the following output:
Unmonitored apache
Syntax OK
/opt/bitnami/apache2/scripts/ctl.sh : httpd stopped
Syntax OK
/opt/bitnami/apache2/scripts/ctl.sh : httpd started at port 80
Monitored apache
You can check to see whether the correct certificate appears when you access the website at https://www.example.com
Note that Let’s Encrypt certificates expire after 90 days. We can manually renew the certificates every 90 days by running these lines:
cd tmp
./certbot-auto renew
Or by setting up a cronjob that will auto renew the certificate for us.
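One way to set up the cron job mentioned above, as an added example that is not part of the original guide: a script that renews only when the live certificate is within 30 days of expiry and then restarts Apache. The script name renew-cert.sh, its location, the log path and the /home/bitnami/tmp location of certbot-auto are assumptions; adjust them and the domain to your instance.

```shell
#!/bin/sh
# Added example (not from the original guide): renew only when the live
# certificate is close to expiry, then restart Apache so it loads the new files.
# Assumptions: certbot-auto sits in /home/bitnami/tmp (steps 5-6) and the
# domain is example.com; change both to match your instance.
CERT="${CERT:-/etc/letsencrypt/live/example.com/fullchain.pem}"
CERTBOT="${CERTBOT:-/home/bitnami/tmp/certbot-auto}"
THRESHOLD_DAYS="${THRESHOLD_DAYS:-30}"

# needs_renewal CERT DAYS: succeeds (exit 0) when the certificate is missing,
# unreadable, or expires within DAYS days.
needs_renewal() {
    cert=$1
    days=$2
    if [ ! -r "$cert" ]; then
        return 0
    fi
    # -checkend N exits 0 only if the certificate is still valid N seconds from now.
    if openssl x509 -checkend "$((days * 86400))" -noout -in "$cert" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

renew_if_due() {
    if ! needs_renewal "$CERT" "$THRESHOLD_DAYS"; then
        echo "certificate valid for more than $THRESHOLD_DAYS days, nothing to do"
        return 0
    fi
    "$CERTBOT" renew --quiet || { echo "renewal failed" >&2; return 1; }
    # Apache only reads the certificate files at start-up.
    /opt/bitnami/ctlscript.sh restart apache
}

# Runs only when called as: renew-cert.sh run
# Root crontab entry (sudo crontab -e), daily at 03:17:
#   17 3 * * * /home/bitnami/renew-cert.sh run >> /var/log/renew-cert.log 2>&1
if [ "${1:-}" = "run" ]; then
    renew_if_due
fi
```

Running the check daily rather than every 90 days leaves room for a failed renewal to be retried before the certificate expires.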