Install SSL on a WordPress Lightsail Instance

By January 29, 2020 February 1st, 2020 articles

1-Get a WordPress instance running on Lightsail.

2-Forward the domain to the instance’s public IP. For example, for the domain example.com this usually means an A DNS record for example.com and a CNAME DNS record pointing www.example.com to example.com.

3-Verify that the website is accessible via HTTP and HTTPS. You’ll get a warning about the HTTPS certificate.

4-SSH into the instance.

5-Create a temporary directory:

mkdir tmp
cd tmp

6-Install certbot:

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

7-Create a .well-known directory in the WordPress htdocs directory:

sudo mkdir /opt/bitnami/apps/wordpress/htdocs/.well-known

8-Make the .well-known folder writable:

sudo chown -R bitnami:daemon /opt/bitnami/apps/wordpress/htdocs/.well-known

9-Create a .htaccess file in that directory:

touch /opt/bitnami/apps/wordpress/htdocs/.well-known/.htaccess

10-Add the following contents to the .htaccess file, to make the .well-known directory accessible:

#
# Override overly protective .htaccess in webroot
#
RewriteEngine On
Satisfy Any

11-You can edit the file through FTP (recommended) or by using nano or vi, e.g.: 

nano /opt/bitnami/apps/wordpress/htdocs/.well-known/.htaccess

12-Run certbot. Make sure you configure everything as expected and input a real email address when required:

./certbot-auto certonly --webroot -w /opt/bitnami/apps/wordpress/htdocs/ -d example.com -d www.example.com

13-Of course, change example.com to the name of your domain.

14-If all executes as expected, you’ll see a message congratulating you for successfully acquiring the certificates you required.

15-Next, edit the Apache configuration file:

sudo vi /opt/bitnami/apache2/conf/bitnami/bitnami.conf

16-Comment out (by adding a # at the beginning of the line) the following lines:

#SSLCertificateFile "/opt/bitnami/apache2/conf/server.crt"
#SSLCertificateKeyFile "/opt/bitnami/apache2/conf/server.key"

17-Add the following lines below:

# Let's Encrypt
SSLCertificateFile "/etc/letsencrypt/live/example.com/fullchain.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/example.com/privkey.pem"
SSLCACertificateFile "/etc/letsencrypt/live/example.com/fullchain.pem"

18-Of course, change example.com to the name of the domain.

19-Restart Apache:

sudo /opt/bitnami/ctlscript.sh restart apache

You should see the following output:

Unmonitored apache
Syntax OK
/opt/bitnami/apache2/scripts/ctl.sh : httpd stopped
Syntax OK
/opt/bitnami/apache2/scripts/ctl.sh : httpd started at port 80
Monitored apache

You can check to see whether the correct certificate appears when you access the website at https://www.example.com

Note that Let’s Encrypt certificates expire after 90 days. We can manually renew the certificates every 90 days by running these lines:

cd tmp
./certbot-auto renew

Or by setting up a cronjob that will auto renew the certificate for us.
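
A wrapper the cron job mentioned above could call, as an added example that is not from the original article. Apache only reads the certificate files when it starts, so the script restarts Apache after a renewal that actually replaced the certificate. The script name, the variable names and the /home/bitnami/tmp location of certbot-auto are assumptions.

```shell
#!/bin/sh
# Added example, not from the article: a wrapper for the renewal cron job.
# Apache reads the certificate at startup, so a renewed file is not served
# until Apache restarts; this restarts only when the file actually changed.
#
# Assumptions: step 5's tmp directory is /home/bitnami/tmp, and this script is
# saved as /home/bitnami/renew-cert.sh (hypothetical name). Root crontab entry:
#   0 3 * * 1 /home/bitnami/renew-cert.sh run >> /var/log/renew-cert.log 2>&1

CERT="${CERT:-/etc/letsencrypt/live/example.com/fullchain.pem}"
RENEW_CMD="${RENEW_CMD:-/home/bitnami/tmp/certbot-auto renew}"
RESTART_CMD="${RESTART_CMD:-/opt/bitnami/ctlscript.sh restart apache}"

# Checksum of the served certificate; cksum follows the live/ symlink.
# Prints nothing if the file does not exist yet.
fingerprint() {
    cksum "$1" 2>/dev/null || true
}

# Prints "restarted" or "unchanged"; returns 1 if renewal fails and
# 2 if the restart fails, so the log shows which step broke.
renew_and_reload() {
    before=$(fingerprint "$CERT")
    # Unquoted on purpose: the variable holds a command plus its arguments.
    $RENEW_CMD || { echo "renewal command failed" >&2; return 1; }
    after=$(fingerprint "$CERT")
    if [ "$before" = "$after" ]; then
        echo "unchanged"
        return 0
    fi
    $RESTART_CMD || { echo "apache restart failed" >&2; return 2; }
    echo "restarted"
}

# Run only when called with "run", so the file can be sourced for testing.
if [ "${1:-}" = "run" ]; then
    renew_and_reload
fi
```

The renew command only replaces certificates that are close to expiry, so most scheduled runs print "unchanged" and leave Apache alone.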