Short description
The following resolution covers installing a wildcard Let's Encrypt SSL certificate for websites hosted in a Lightsail instance with a Bitnami stack. Examples of these instance blueprints include WordPress, LAMP, Magento, MEAN, and so on. If you have a different instance blueprint or want to install a standard certificate, see one of the following:
Standard Let's Encrypt certificates
To install a standard Let's Encrypt SSL certificate in a Lightsail instance without a Bitnami stack, see How do I install a standard Let's Encrypt SSL certificate in a Lightsail instance? This includes instances such as Amazon Linux 2 and Ubuntu.
To install a standard Let's Encrypt SSL certificate in a Lightsail instance with a Bitnami stack, see How do I install a Let's Encrypt SSL certificate in a Bitnami stack hosted on Amazon Lightsail? This includes instances such as WordPress, LAMP, and Magento.
Wildcard Let's Encrypt certificates (for example, *.example.com)
To install a wildcard Let's Encrypt certificate in a Lightsail instance without a Bitnami stack, see How do I install a wildcard Let's Encrypt SSL certificate in Amazon Lightsail? This includes instances such as Amazon Linux 2 and Ubuntu.
Resolution
The steps used to install a wildcard Let's Encrypt SSL certificate on a Bitnami-hosted Lightsail instance depend on which DNS provider your domain uses. To determine which method to use, check whether your DNS provider is listed in DNS Providers in the Lego documentation. Then, select the appropriate method:
Method 1: Use the Lego tool provided by Bitnami if your domain uses one of the listed DNS providers.
Method 2: Use the Certbot package if your domain doesn't use any of the listed DNS providers.
Note: The file paths mentioned in this article might change depending on whether your Bitnami stack uses native Linux system packages (Approach A) or is a self-contained installation (Approach B). To identify your Bitnami installation type, run the following command:
test ! -f "/opt/bitnami/common/bin/openssl" && echo "Approach A: Using system packages." || echo "Approach B: Self-contained installation."
Method 1
Along with bncert-tool, the Bitnami stack provides the Lego tool. This tool supports the creation of wildcard SSL certificates, while bncert-tool does not.
Prerequisites and limitations
- The following steps cover installing the certificate in the server. You must manually complete additional steps, such as configuring the webserver to use the certificate and setting up HTTPS redirection.
- The domain must be using one of the DNS providers listed in DNS Providers in the Lego documentation.
Note: In the following example, the DNS provider is Amazon Route 53 or Amazon Lightsail.
1. Create an AWS Identity and Access Management (IAM) user with programmatic access. For the minimum permissions required to be attached to the IAM user for Lego to complete the DNS challenge, see Policy in the Lego documentation.
2. Run the following commands in the instance to create the directory and open the file /root/.aws/credentials in the nano editor.
sudo mkdir /root/.aws
sudo nano /root/.aws/credentials
3. Copy the following lines to the file. Then save the file by pressing Ctrl+X, then Y, and then ENTER.
In the following lines, replace the aws_access_key_id value with the Access Key ID created in step 1, and the aws_secret_access_key value with the Secret Access Key created in step 1.
[default]
aws_access_key_id = AKIA************E
aws_secret_access_key = 1yop**************************l
4. If your Bitnami instance doesn't include the directory /opt/bitnami/letsencrypt/, then manually install the Lego client using the following commands:
cd /tmp
curl -Ls https://api.github.com/repos/xenolf/lego/releases/latest | grep browser_download_url | grep linux_amd64 | cut -d '"' -f 4 | wget -i - -O lego.tar.gz
tar xf lego.tar.gz
sudo mkdir -p /opt/bitnami/letsencrypt
sudo mv lego /opt/bitnami/letsencrypt/lego
5. Create a Let's Encrypt certificate in the server. Replace EMAIL-ADDRESS with the email address where you want to receive further updates about your certificate. Replace DOMAIN with your domain name.
Route 53 name servers
sudo /opt/bitnami/letsencrypt/lego --email="EMAIL-ADDRESS" --domains="DOMAIN" --domains="*.DOMAIN" --dns route53 --path="/opt/bitnami/letsencrypt" run
Lightsail name servers
sudo /opt/bitnami/letsencrypt/lego --email="EMAIL-ADDRESS" --domains="DOMAIN" --domains="*.DOMAIN" --dns lightsail --path="/opt/bitnami/letsencrypt" run
After the SSL certificate generates successfully, you receive the message "Server responded with a certificate". The SSL certificate and private key generate in the following locations:
/opt/bitnami/letsencrypt/certificates/DOMAIN.crt
/opt/bitnami/letsencrypt/certificates/DOMAIN.key
6. Link the SSL certificate and certificate key file to the locations that are currently being read by your web server:
Apache under Approach A
In the following example commands, replace the DOMAIN placeholder with your domain name.
sudo mv /opt/bitnami/apache2/conf/bitnami/certs/server.crt /opt/bitnami/apache2/conf/bitnami/certs/server.crt.old
sudo mv /opt/bitnami/apache2/conf/bitnami/certs/server.key /opt/bitnami/apache2/conf/bitnami/certs/server.key.old
sudo ln -sf /opt/bitnami/letsencrypt/certificates/DOMAIN.key /opt/bitnami/apache2/conf/bitnami/certs/server.key
sudo ln -sf /opt/bitnami/letsencrypt/certificates/DOMAIN.crt /opt/bitnami/apache2/conf/bitnami/certs/server.crt
sudo /opt/bitnami/ctlscript.sh restart apache
Apache under Approach B
In the following example commands, replace the DOMAIN placeholder with your domain name.
sudo mv /opt/bitnami/apache2/conf/server.crt /opt/bitnami/apache2/conf/server.crt.old
sudo mv /opt/bitnami/apache2/conf/server.key /opt/bitnami/apache2/conf/server.key.old
sudo mv /opt/bitnami/apache2/conf/server.csr /opt/bitnami/apache2/conf/server.csr.old
sudo ln -sf /opt/bitnami/letsencrypt/certificates/DOMAIN.key /opt/bitnami/apache2/conf/server.key
sudo ln -sf /opt/bitnami/letsencrypt/certificates/DOMAIN.crt /opt/bitnami/apache2/conf/server.crt
sudo /opt/bitnami/ctlscript.sh restart apache
NGINX under Approach A
In the following example commands, replace the DOMAIN placeholder with your domain name.
sudo mv /opt/bitnami/nginx/conf/bitnami/certs/server.crt /opt/bitnami/nginx/conf/bitnami/certs/server.crt.old
sudo mv /opt/bitnami/nginx/conf/bitnami/certs/server.key /opt/bitnami/nginx/conf/bitnami/certs/server.key.old
sudo ln -sf /opt/bitnami/letsencrypt/certificates/DOMAIN.key /opt/bitnami/nginx/conf/bitnami/certs/server.key
sudo ln -sf /opt/bitnami/letsencrypt/certificates/DOMAIN.crt /opt/bitnami/nginx/conf/bitnami/certs/server.crt
sudo /opt/bitnami/ctlscript.sh restart nginx
NGINX under Approach B
In the following example commands, replace the DOMAIN placeholder with your domain name.
sudo mv /opt/bitnami/nginx/conf/server.crt /opt/bitnami/nginx/conf/server.crt.old
sudo mv /opt/bitnami/nginx/conf/server.key /opt/bitnami/nginx/conf/server.key.old
sudo mv /opt/bitnami/nginx/conf/server.csr /opt/bitnami/nginx/conf/server.csr.old
sudo ln -sf /opt/bitnami/letsencrypt/certificates/DOMAIN.key /opt/bitnami/nginx/conf/server.key
sudo ln -sf /opt/bitnami/letsencrypt/certificates/DOMAIN.crt /opt/bitnami/nginx/conf/server.crt
sudo /opt/bitnami/ctlscript.sh restart nginx
7. Set up automatic certificate renewal.
The Let’s Encrypt certificates are valid for 90 days. To automate certificate renewal so that the certificate automatically renews before it expires, do the following:
Run the following command to open the crontab editor:
sudo crontab -e -u bitnami
Add the following line to the crontab file, and then save the file. Replace EMAIL-ADDRESS with your email address, DOMAIN with your domain name, and DNS with the Lego DNS provider name that you used in step 5 (route53 or lightsail).
0 0 * * * sudo /opt/bitnami/letsencrypt/lego --path /opt/bitnami/letsencrypt --email="EMAIL-ADDRESS" --domains="DOMAIN" --domains="*.DOMAIN" --dns DNS renew >> /var/log/letsencrypt.log 2>&1 && sudo /opt/bitnami/apache/bin/httpd -f /opt/bitnami/apache/conf/httpd.conf -k graceful
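The following Bash functions are an added example and are not part of this article, the Bitnami stack, or the Lego project. They apply to steps 3, 5, 6, and 7 of this method (the certificate and key checks also apply to the links in Method 2, step 10): writing the credentials file so that only its owner can read it, confirming that the issued certificate covers both DOMAIN and *.DOMAIN and belongs to the linked private key, and a renewal wrapper for the crontab that refuses to run with a readable credentials file and reloads Apache only after a successful renewal. The paths are the ones this article uses for Approach A with Apache; the function names, the RENEW_DAYS threshold, and the use of openssl and GNU date for the checks are assumptions of the example.

```shell
#!/usr/bin/env bash
# Added example (not from the AWS article, Bitnami, or Lego). Paths follow
# the article for Approach A with Apache; everything else is an assumption.

LEGO_BIN="${LEGO_BIN:-/opt/bitnami/letsencrypt/lego}"
LEGO_PATH="${LEGO_PATH:-/opt/bitnami/letsencrypt}"
AWS_CREDENTIALS="${AWS_CREDENTIALS:-/root/.aws/credentials}"
RENEW_DAYS="${RENEW_DAYS:-30}"   # renew when fewer days than this remain (assumed threshold)

# Step 3: write the credentials file readable by its owner only. The IAM
# user's secret key is a long-lived credential, so the directory gets 0700
# and the file 0600 (mkdir -m does not change an existing directory's mode).
write_aws_credentials() {          # usage: write_aws_credentials FILE KEY_ID SECRET
    local file="$1" key_id="$2" secret="$3"
    mkdir -p -m 0700 "$(dirname "$file")" || return 1
    ( umask 077 && printf '[default]\naws_access_key_id = %s\naws_secret_access_key = %s\n' \
        "$key_id" "$secret" > "$file" ) || return 1
    chmod 0600 "$file"
}

# Returns 0 when FILE has mode 0600 (GNU stat; macOS would need stat -f).
credentials_perms_ok() {
    [ "$(stat -c '%a' "$1" 2>/dev/null)" = "600" ]
}

# Step 5 check: print the DNS names in the certificate's subjectAltName,
# one per line; a wildcard certificate must list both DOMAIN and *.DOMAIN.
cert_sans() {                      # usage: cert_sans CERT_FILE
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# Step 6 check: returns 0 when the public key in CERT is the public key of
# KEY, so the server.crt and server.key links really belong together.
cert_key_match() {                 # usage: cert_key_match CERT_FILE KEY_FILE
    local c k
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl sha256) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Whole days until the certificate's notAfter date (negative once expired).
days_until_expiry() {              # usage: days_until_expiry CERT_FILE
    local end
    end=$(openssl x509 -in "$1" -noout -enddate 2>/dev/null | sed 's/^notAfter=//') || return 1
    [ -n "$end" ] || return 1
    echo $(( ( $(date -d "$end" +%s) - $(date +%s) ) / 86400 ))
}

# Step 7: crontab wrapper. Unlike the one-line crontab entry, it checks the
# credentials file mode first, skips the run while the certificate is still
# fresh, and reloads Apache only if lego actually renewed successfully.
renew_if_needed() {                # usage: renew_if_needed DOMAIN EMAIL DNS_PROVIDER
    local domain="$1" email="$2" dns="$3" days
    local cert="$LEGO_PATH/certificates/$domain.crt"
    credentials_perms_ok "$AWS_CREDENTIALS" \
        || { echo "$AWS_CREDENTIALS is not mode 0600; refusing to run" >&2; return 2; }
    days=$(days_until_expiry "$cert") || { echo "cannot read $cert" >&2; return 2; }
    if [ "$days" -ge "$RENEW_DAYS" ]; then
        echo "$domain: $days days left, no renewal needed"
        return 0
    fi
    "$LEGO_BIN" --path "$LEGO_PATH" --email="$email" --domains="$domain" \
        --domains="*.$domain" --dns "$dns" renew \
        && /opt/bitnami/apache/bin/httpd -f /opt/bitnami/apache/conf/httpd.conf -k graceful
}

# When saved as a script and given DOMAIN EMAIL DNS_PROVIDER, run the renewal.
if [ "$#" -eq 3 ]; then
    renew_if_needed "$@"
fi
```

To use the wrapper from the crontab in step 7, save the block as a script (any path of your choosing) and call it with DOMAIN, EMAIL-ADDRESS, and route53 or lightsail as arguments; it has to run as root because it reads /root/.aws/credentials and reloads Apache. Running cert_sans and cert_key_match against the server.crt and server.key links after step 6 confirms that the web server is serving the wildcard certificate with the right key.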
8. Set up HTTPS redirection. For more information, see the following information on the Bitnami website:
Method 2
Prerequisites and limitations
- The following steps cover installing the certificate in the server. You still must manually complete additional steps, such as configuring the webserver to use the certificate and setting up HTTPS redirection.
- Automatic certificate renewal isn't supported in this method.
Note: Before beginning the following steps, install Certbot. For installation instructions, see How do I install the Certbot package in my Lightsail instance for Let's Encrypt certificate installation?
For Bitnami-hosted instances, the Linux distribution is either Debian or Ubuntu. Run the following command to confirm which Linux distribution you have:
cat /etc/os-release | grep -i ^id
1. This method requires adding TXT records in the domain's DNS provider. This process might take some time, so it's a best practice to run the commands in Linux GNU Screen to prevent the session from timing out. To start a Screen session, enter the following command:
screen -S letsencrypt
2. Enter the following command to start Certbot in interactive mode. This command tells Certbot to use a manual authorization method with DNS challenges to verify domain ownership. Replace example.com with your domain name.
sudo certbot certonly --manual --preferred-challenges dns -d example.com -d '*.example.com'
3. You receive a prompt to verify that you own the specified domain by adding TXT records to the DNS records for your domain. Let's Encrypt provides either a single or multiple TXT records that you must use for verification.
4. When you see a TXT record in the screen, first add the provided record in your domain's DNS.
Important: Do not press ENTER until you confirm that the TXT record has propagated to internet DNS. Also, do not press Ctrl+D, because doing so terminates the Screen session.
5. To confirm that the TXT record was propagated to internet DNS, look it up at DNS Text Lookup on MxToolbox. Enter the following text into the text box, and then choose TXT Lookup to run the check. Be sure to replace example.com with your domain.
_acme-challenge.example.com
6. If your TXT records are propagated to the internet’s DNS, you see the TXT record value in the page. Then, go back to the screen and press ENTER.
7. If you're removed from the shell, go back in using the command screen -r SESSIONID. Get the Session ID by running the command screen -ls.
8. If the Certbot prompt asks you to add another TXT record, repeat steps 4 through 7.
9. After the SSL certificate generates successfully, you receive the message "Successfully received certificate". The certificate and key file locations are also provided. Save these file locations to a notepad for use in the next step.
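The following Bash functions are an added example and are not part of this article or of Certbot. They automate the propagation check from steps 4 through 7: instead of looking the record up by hand on MxToolbox, they query several public resolvers with dig and wait until every one of them returns the challenge value, so that you press ENTER in Certbot only after the record is visible. The resolver list, the polling interval, and the function names are this example's assumptions; dig (from the dnsutils package on Debian and Ubuntu) must be installed.

```shell
#!/usr/bin/env bash
# Added example (not from the AWS article or Certbot). Checks that the
# _acme-challenge TXT record from step 4 is visible on public resolvers.
# The resolvers below are this example's choice.

RESOLVERS="${RESOLVERS:-1.1.1.1 8.8.8.8 9.9.9.9}"

# Query one resolver for the TXT records of NAME and print one value per
# line with the surrounding quotes removed. ACME challenge values are short
# (43 characters), so a record never spans several quoted strings here.
# Kept separate so it can be swapped for another tool or stubbed in tests.
lookup_txt() {                     # usage: lookup_txt NAME RESOLVER
    dig +short +time=3 +tries=1 TXT "$1" "@$2" 2>/dev/null | sed 's/^"//; s/"$//'
}

# Returns 0 when EXPECTED is among the TXT values that every resolver
# returns. Certbot hands out two values for example.com and *.example.com
# at the same name, so all values are compared, not only the first.
txt_visible_everywhere() {         # usage: txt_visible_everywhere NAME EXPECTED
    local name="$1" expected="$2" r
    for r in $RESOLVERS; do
        lookup_txt "$name" "$r" | grep -qxF -- "$expected" || return 1
    done
    return 0
}

# Poll until the record has propagated or TIMEOUT seconds have elapsed.
wait_for_txt() {                   # usage: wait_for_txt DOMAIN EXPECTED [TIMEOUT] [INTERVAL]
    local name="_acme-challenge.$1" expected="$2"
    local timeout="${3:-600}" interval="${4:-20}" waited=0
    while ! txt_visible_everywhere "$name" "$expected"; do
        waited=$((waited + interval))
        if [ "$waited" -ge "$timeout" ]; then
            echo "timed out after ${timeout}s waiting for $name" >&2
            return 1
        fi
        sleep "$interval"
    done
    echo "$name carries the expected value on: $RESOLVERS"
}

# When saved as a script and given DOMAIN and the challenge value, wait for it.
if [ "$#" -ge 2 ]; then
    wait_for_txt "$@"
fi
```

Run it from a second SSH session or a second Screen window while Certbot is waiting at its prompt, for example wait_for_txt example.com VALUE with the value Certbot printed; when it reports success, switch back to the Certbot screen and press ENTER.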
10. Only the certificate installation is complete (this method doesn't set up automatic renewal; see Prerequisites and limitations). You still must configure your web server to use this certificate and set up HTTPS redirection. Use one of the following sets of commands to configure your web server to use the certificate.
Apache under Approach A
In the following example commands, replace the DOMAIN placeholder with your domain name.
sudo mv /opt/bitnami/apache2/conf/bitnami/certs/server.crt /opt/bitnami/apache2/conf/bitnami/certs/server.crt.old
sudo mv /opt/bitnami/apache2/conf/bitnami/certs/server.key /opt/bitnami/apache2/conf/bitnami/certs/server.key.old
sudo ln -sf /etc/letsencrypt/live/DOMAIN/privkey.pem /opt/bitnami/apache2/conf/bitnami/certs/server.key
sudo ln -sf /etc/letsencrypt/live/DOMAIN/fullchain.pem /opt/bitnami/apache2/conf/bitnami/certs/server.crt
sudo /opt/bitnami/ctlscript.sh restart apache
Apache under Approach B
In the following example commands, replace the DOMAIN placeholder with your domain name.
sudo mv /opt/bitnami/apache2/conf/server.crt /opt/bitnami/apache2/conf/server.crt.old
sudo mv /opt/bitnami/apache2/conf/server.key /opt/bitnami/apache2/conf/server.key.old
sudo ln -sf /etc/letsencrypt/live/DOMAIN/privkey.pem /opt/bitnami/apache2/conf/server.key
sudo ln -sf /etc/letsencrypt/live/DOMAIN/fullchain.pem /opt/bitnami/apache2/conf/server.crt
sudo /opt/bitnami/ctlscript.sh restart apache
NGINX under Approach A
In the following example commands, replace the DOMAIN placeholder with your domain name.
sudo mv /opt/bitnami/nginx/conf/bitnami/certs/server.crt /opt/bitnami/nginx/conf/bitnami/certs/server.crt.old
sudo mv /opt/bitnami/nginx/conf/bitnami/certs/server.key /opt/bitnami/nginx/conf/bitnami/certs/server.key.old
sudo ln -sf /etc/letsencrypt/live/DOMAIN/privkey.pem /opt/bitnami/nginx/conf/bitnami/certs/server.key
sudo ln -sf /etc/letsencrypt/live/DOMAIN/fullchain.pem /opt/bitnami/nginx/conf/bitnami/certs/server.crt
sudo /opt/bitnami/ctlscript.sh restart nginx
NGINX under Approach B
In the following example commands, replace the DOMAIN placeholder with your domain name.
sudo mv /opt/bitnami/nginx/conf/server.crt /opt/bitnami/nginx/conf/server.crt.old
sudo mv /opt/bitnami/nginx/conf/server.key /opt/bitnami/nginx/conf/server.key.old
sudo ln -sf /etc/letsencrypt/live/DOMAIN/privkey.pem /opt/bitnami/nginx/conf/server.key
sudo ln -sf /etc/letsencrypt/live/DOMAIN/fullchain.pem /opt/bitnami/nginx/conf/server.crt
sudo /opt/bitnami/ctlscript.sh restart nginx
11. Set up HTTPS redirection. For more information, see the following information on the Bitnami website: