Install SSL on a WordPress Lightsail Instance

1 – Get a WordPress instance running on Lightsail.

2 – Forward the domain to the instance’s public IP. For example, for the domain this usually means an A DNS record for and a CNAME DNS record for to

3 – Verify that the website is accessible via HTTP and HTTPS. You’ll get a warning about the HTTPS certificate.

4 – SSH into the instance.

5 – Create a temporary directory:

mkdir tmp
cd tmp

6 – Install certbot:

chmod a+x certbot-auto

7 – Create a .well-known directory in the WordPress htdocs directory:

sudo mkdir /opt/bitnami/apps/wordpress/htdocs/.well-known

8 – Make the .well-known folder writable:

sudo chown -R bitnami:daemon /opt/bitnami/apps/wordpress/htdocs/.well-known

9 – Create a .htaccess file in that directory:

touch /opt/bitnami/apps/wordpress/htdocs/.well-known/.htaccess

10 – Add the following contents to the .htaccess file, to make the .well-known directory accessible:

# Override overly protective .htaccess in webroot
RewriteEngine On
Satisfy Any

11 – You can edit the file through FTP (recommended) or by using nano or vi, e.g.:

nano /opt/bitnami/apps/wordpress/htdocs/.well-known/.htaccess

12 – Run certbot. Make sure you configure everything as expected and input a real email address when required:

./certbot-auto certonly --webroot -w /opt/bitnami/apps/wordpress/htdocs/ -d -d

13 – Of course, change to the name of your domain.

14 – If all executes as expected, you’ll see a message congratulating you for successfully acquiring the certificates you required.

15 – Next, edit the Apache configuration file:

sudo vi /opt/bitnami/apache2/conf/bitnami/bitnami.conf

16 – Comment out (by adding a # at the beginning of the line) the following lines:

#SSLCertificateFile "/opt/bitnami/apache2/conf/server.crt"
#SSLCertificateKeyFile "/opt/bitnami/apache2/conf/server.key"

17 – Add the following lines below:

# Let's Encrypt
SSLCertificateFile "/etc/letsencrypt/live/"
SSLCertificateKeyFile "/etc/letsencrypt/live/"
SSLCACertificateFile "/etc/letsencrypt/live/"

18 – Of course, change to the name of the domain.

19 – Restart Apache:

sudo /opt/bitnami/ restart apache

You should see the following output:

Unmonitored apache
Syntax OK
/opt/bitnami/apache2/scripts/ : httpd stopped
Syntax OK
/opt/bitnami/apache2/scripts/ : httpd started at port 80
Monitored apache

You can check to see whether the correct certificate appears when you access the website at

Note that Let’s Encrypt certificates expire after 90 days. We can manually renew the certificates every 90 days by running these lines:

cd tmp
./certbot-auto renew

Or by setting up a cron job that will auto-renew the certificate for us.
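
Before restarting Apache in step 19, and when deciding whether a renewal is due, it helps to confirm that the certificate and key files named in the SSL directives actually belong together and how close the certificate is to expiry. The script below is an added example, not part of the original guide; the function names are hypothetical, and the certificate and key paths are passed as arguments because they depend on your domain.

```shell
#!/bin/sh
# Added example (not from the original guide): sanity checks for the
# certificate and key that the Apache SSL directives point at.
# Function names are hypothetical; paths are supplied by the caller.

# Succeeds when the private key in $2 belongs to the certificate in $1.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds when the certificate in $1 expires within the next $2 days.
cert_expires_within() {
    # -checkend exits 0 only if the cert is still valid after N seconds.
    if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# check_tls_files CERT KEY [DAYS]
# Returns 0 = fine, 1 = renew soon, 2 = unreadable cert or key mismatch.
check_tls_files() {
    cert=$1 key=$2 days=${3:-30}
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo "ERROR: cannot parse certificate $cert" >&2
        return 2
    fi
    if ! key_matches_cert "$cert" "$key"; then
        echo "ERROR: private key $key does not match $cert" >&2
        return 2
    fi
    if cert_expires_within "$cert" "$days"; then
        echo "WARN: $cert expires within $days days ($(openssl x509 -in "$cert" -noout -enddate))"
        return 1
    fi
    echo "OK: key matches and $cert is valid for more than $days days"
    return 0
}

# Run the check only when paths are given on the command line.
if [ "$#" -ge 2 ]; then
    check_tls_files "$@"
    exit $?
fi
```

Call it with the certificate and key paths from your Apache configuration; exit status 1 is the signal to run the renewal, and status 2 means the files should be fixed before Apache is restarted.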

Lehi Vidigal