How do I install a wildcard Let's Encrypt SSL certificate in a Bitnami stack that's hosted on Lightsail?

8 minute read

I want to install a wildcard SSL certificate for my website in an Amazon Lightsail instance with a Bitnami stack.

Short description

For information about how to install a different instance blueprint or a standard certificate, see the following AWS Knowledge Center articles:

How do I install a standard Let's Encrypt SSL certificate in a Lightsail instance? This solution includes instances such as, Amazon Linux 2 and Ubuntu.
How do I install a Let's Encrypt SSL certificate in a Bitnami stack that's hosted on Amazon Lightsail? This solution includes instances such as, WordPress, LAMP, and Magento.
How do I install a wildcard Let's Encrypt SSL certificate in Amazon Lightsail? This solution includes instances such as, Amazon Linux 2 and Ubuntu.

Resolution

The steps to install a wildcard Let's Encrypt SSL certificate on a Bitnami-hosted Lightsail instance depend on the DNS provider that your domain uses. Check if your DNS provider is listed in DNS providers on the Lego website. Then, select the appropriate method to use:

If your domain uses one of the listed DNS providers, then use the Lego tool that Bitnami provides.
If your domain doesn't use one of the listed DNS providers, then use the Certbot package.

Note: File paths can change depending on whether your Bitnami stack uses native Linux system packages (Approach A) or a self-contained installation (Approach B). The latest Bitnami WordPress blueprints are available only for Approach A.

To identify your Bitnami installation type, run the following command:

test ! -f "/opt/bitnami/common/bin/openssl" && echo "Approach A: Using system packages." || echo "Approach B: Self-contained installation."

Lego tool

Bitnami provides the bncert-tool and the Lego tool. The Lego tool supports the creation of wildcard SSL certificates. The bncert-tool doesn't support the creation of wildcard SSL certificates.

Note: In the following example, the DNS providers is Amazon Route 53 and Amazon Lightsail.

To use the Lego tool to install a wildcard Let's Encrypt SSL certificate, complete the following steps:

Create an AWS Identity and Access Management (IAM) user with programmatic access. To determine the required IAM user permissions for Lego to complete the DNS challenge, see IAM policy examples on the Lego website.

To open the file /root/.aws/credentials file in the nano editor, run the following command:

sudo mkdir /root/.aws
sudo nano /root/.aws/credentials

Enter the following lines on the credentials file:

[default]
aws_access_key_id = AKIA************E
aws_secret_access_key = 1yop**************************l
region = us-east-1

Note: Replace aws_access_key_id and aws_secret_access_key with your values. Replace us-east-1 with the AWS Region of your Lightsail instance.

To save the file, press Ctrl + X, then y, and then Enter.

If your Bitnami instance doesn't include the /opt/bitnami/letsencrypt/ directory, then run the following command to manually install the Lego client:

cd /tmp
curl -Ls https://api.github.com/repos/xenolf/lego/releases/latest | grep browser_download_url | grep linux_amd64 | cut -d '"' -f 4 | wget -i - -O lego.tar.gz
tar xzf lego.tar.gz
sudo mkdir -p /opt/bitnami/letsencrypt
sudo mv lego /opt/bitnami/letsencrypt/lego

To create a wildcard Let's Encrypt certificate in the server, run the following command based on your server type:
Route 53 name servers:

sudo /opt/bitnami/letsencrypt/lego --email="EMAIL-ADDRESS" --domains="DOMAIN" --domains="*.DOMAIN" --dns route53 --path="/opt/bitnami/letsencrypt" run

Lightsail name servers:

sudo DNS_ZONE=DOMAIN /opt/bitnami/letsencrypt/lego --email="EMAIL-ADDRESS" --domains="DOMAIN" --domains="*.DOMAIN" --dns lightsail --path="/opt/bitnami/letsencrypt" run

Note: Replace EMAIL-ADDRESS with the email address that you want to receive certificate updates to. Replace DOMAIN with your domain name.
The SSL certificate and private key are generated in the following locations: /opt/bitnami/letsencrypt/certificates/DOMAIN.crt or /opt/bitnami/letsencrypt/certificates/DOMAIN.key.

To stop the Bitnami stack services, run the following command:

sudo /opt/bitnami/ctlscript.sh stop

Link the SSL certificate and certificate key file to the locations that your web server currently reads, based on your server and approach:
Apache, Approach A

sudo mv /opt/bitnami/apache2/conf/bitnami/certs/server.crt /opt/bitnami/apache2/conf/bitnami/certs/server.crt.old
sudo mv /opt/bitnami/apache2/conf/bitnami/certs/server.key /opt/bitnami/apache2/conf/bitnami/certs/server.key.old
sudo ln -sf /opt/bitnami/letsencrypt/certificates/DOMAIN.key /opt/bitnami/apache2/conf/bitnami/certs/server.key
sudo ln -sf /opt/bitnami/letsencrypt/certificates/DOMAIN.crt /opt/bitnami/apache2/conf/bitnami/certs/server.crt

Apache, Approach B

sudo mv /opt/bitnami/apache2/conf/server.crt /opt/bitnami/apache2/conf/server.crt.old
sudo mv /opt/bitnami/apache2/conf/server.key /opt/bitnami/apache2/conf/server.key.old
sudo mv /opt/bitnami/apache2/conf/server.csr /opt/bitnami/apache2/conf/server.csr.old
sudo ln -sf /opt/bitnami/letsencrypt/certificates/DOMAIN.key /opt/bitnami/apache2/conf/server.key
sudo ln -sf /opt/bitnami/letsencrypt/certificates/DOMAIN.crt /opt/bitnami/apache2/conf/server.crt

NGINX, Approach A

sudo mv /opt/bitnami/nginx/conf/bitnami/certs/server.crt /opt/bitnami/nginx/conf/bitnami/certs/server.crt.old
sudo mv /opt/bitnami/nginx/conf/bitnami/certs/server.key /opt/bitnami/nginx/conf/bitnami/certs/server.key.old
sudo ln -sf /opt/bitnami/letsencrypt/certificates/DOMAIN.key /opt/bitnami/nginx/conf/bitnami/certs/server.key
sudo ln -sf /opt/bitnami/letsencrypt/certificates/DOMAIN.crt /opt/bitnami/nginx/conf/bitnami/certs/server.crt

NGINX, Approach B

sudo mv /opt/bitnami/nginx/conf/server.crt /opt/bitnami/nginx/conf/server.crt.old
sudo mv /opt/bitnami/nginx/conf/server.key /opt/bitnami/nginx/conf/server.key.old
sudo mv /opt/bitnami/nginx/conf/server.csr /opt/bitnami/nginx/conf/server.csr.old
sudo ln -sf /opt/bitnami/letsencrypt/certificates/DOMAIN.key /opt/bitnami/nginx/conf/server.key
sudo ln -sf /opt/bitnami/letsencrypt/certificates/DOMAIN.crt /opt/bitnami/nginx/conf/server.crt

Note: For the preceding commands, replace DOMAIN with your domain name.

To start the Bitnami stack services, run the following command:

sudo /opt/bitnami/ctlscript.sh start

To automate certificate renewal, run the following command to open the crontab editor:
```
sudo crontab -e -u bitnami
```
Note: Let's Encrypt certificates are valid for 90 days.

Enter the following line on the crontab file, and then save the file:
Apache

0 0 * * * sudo /opt/bitnami/letsencrypt/lego --path /opt/bitnami/letsencrypt --email="EMAIL-ADDRESS" --domains="DOMAIN"  --domains="*.DOMAIN" --dns DNS renew >> /var/log/letsencrypt.log 2>&1 && sudo /opt/bitnami/apache/bin/httpd -f /opt/bitnami/apache/conf/httpd.conf -k graceful

Nginx

0 0 * * * sudo /opt/bitnami/letsencrypt/lego --path /opt/bitnami/letsencrypt --email="EMAIL-ADDRESS" --domains="DOMAIN"  --domains="*.DOMAIN" --dns DNS renew >> /var/log/letsencrypt.log 2>&1 && sudo /opt/bitnami/nginx/sbin/nginx -c /opt/bitnami/nginx/conf/nginx.conf -s reload

Note: Replace EMAIL-ADDRESS, DOMAIN, and DNS with your values.

Set up HTTPS redirection. For more information, see Force HTTPS redirection with Apache and Force HTTPS redirection with NGINX on the Bitnami website.

Certbot package

Prerequisites:

Install Certbot.
Determine your Linux distribution. For Bitnami-hosted instances, the Linux distribution is either Debian or Ubuntu. Run the following command to confirm your Linux distribution:
```
cat /etc/os-release | grep -i ^id
```
Note: This method doesn't support automatic certificate renewal.

To use the Certbot package to install a wildcard Let's Encrypt SSL certificate, complete the following steps:

Start a Linux GNU Screen session. Because it takes time to add TXT records in the domain's DNS provider, the session can time out. It's a best practice to run the commands in Linux GNU Screen so that the session doesn't time out. To start a screen session, run the following command:
```
screen -S letsencrypt
```
To start Certbot interactive mode, run the following command:
```
sudo certbot certonly --manual --preferred-challenges dns -d example.com -d *.example.com
```
Note: Replace example.com with your value.
If you receive an error response, such as "bash: certbot: command not found", then you might need to add /bin/snap to your PATH environment variable. First, enter "exit" and press Enter. Or, press Ctrl + D to exit from the screen session. Then, edit /etc/environment, and add /snap/bin in the list. Restart your system. To confirm that there's no longer an error, run the following command:
```
$ certbot -h
```
Copy the TXT records that Let’s Encrypt provides. Let's Encrypt provides either a single or multiple TXT records that you must use for verification.
Add the provided record in your domain's DNS.
Important: Don't press Enter until you confirm that the TXT record is propagated to the internet DNS. Also, don't press Ctrl + D because this action terminates the screen session.
To confirm that the record was propagated, look up the TXT record at DNS text lookup on the MxToolbox website:
```
_acme-challenge.example.com
```
Note: Replace example.com with your value.
If your TXT records are propagated, then you see the TXT record value on the page. Return to the previous screen, and press Enter.
If you're removed from the shell, then run the following command to return to the shell:
```
Screen -r SESSIONID
```
Note: Run the screen -ls command to get the session ID.
(Optional) If you're prompted, repeat the preceding steps to add another TXT record.
Note: If you use Route 53 for your DNS provider, then enter one TXT value per row. Edit the TXT record, and then in a new row, add the TXT value that certbot provides.
Save the file locations of the SSL certificate and key file. After the SSL certificate is generated, you receive the message "Successfully received certificate".

To configure your web server to use the certificate, run the following commands based on your server and approach:
Apache, Approach A

sudo /opt/bitnami/ctlscript.sh stop
sudo mv /opt/bitnami/apache2/conf/bitnami/certs/server.crt /opt/bitnami/apache2/conf/bitnami/certs/server.crt.old
sudo mv /opt/bitnami/apache2/conf/bitnami/certs/server.key /opt/bitnami/apache2/conf/bitnami/certs/server.key.old
sudo ln -sf /etc/letsencrypt/live/DOMAIN/privkey.pem /opt/bitnami/apache2/conf/bitnami/certs/server.key
sudo ln -sf /etc/letsencrypt/live/DOMAIN/fullchain.pem /opt/bitnami/apache2/conf/bitnami/certs/server.crt
sudo /opt/bitnami/ctlscript.sh start

Apache, Approach B

sudo /opt/bitnami/ctlscript.sh stop
sudo mv /opt/bitnami/apache2/conf/server.crt /opt/bitnami/apache2/conf/server.crt.old
sudo mv /opt/bitnami/apache2/conf/server.key /opt/bitnami/apache2/conf/server.key.old
sudo ln -sf /etc/letsencrypt/live/DOMAIN/privkey.pem /opt/bitnami/apache2/conf/server.key
sudo ln -sf /etc/letsencrypt/live/DOMAIN/fullchain.pem /opt/bitnami/apache2/conf/server.crt
sudo /opt/bitnami/ctlscript.sh start

NGINX, Approach A

sudo /opt/bitnami/ctlscript.sh stop
sudo mv /opt/bitnami/nginx/conf/bitnami/certs/server.crt /opt/bitnami/nginx/conf/bitnami/certs/server.crt.old
sudo mv /opt/bitnami/nginx/conf/bitnami/certs/server.key /opt/bitnami/nginx/conf/bitnami/certs/server.key.old
sudo ln -sf /etc/letsencrypt/live/DOMAIN/privkey.pem /opt/bitnami/nginx/conf/bitnami/certs/server.key
sudo ln -sf /etc/letsencrypt/live/DOMAIN/fullchain.pem /opt/bitnami/nginx/conf/bitnami/certs/server.crt
sudo /opt/bitnami/ctlscript.sh start

NGINX, Approach B

sudo /opt/bitnami/ctlscript.sh stop
sudo mv /opt/bitnami/nginx/conf/server.crt /opt/bitnami/nginx/conf/server.crt.old
sudo mv /opt/bitnami/nginx/conf/server.key /opt/bitnami/nginx/conf/server.key.old
sudo ln -sf /etc/letsencrypt/live/DOMAIN/privkey.pem /opt/bitnami/nginx/conf/server.key
sudo ln -sf /etc/letsencrypt/live/DOMAIN/fullchain.pem /opt/bitnami/nginx/conf/server.crt
sudo /opt/bitnami/ctlscript.sh start

Note: For the preceding commands, replace DOMAIN with your domain name.

Set up HTTPS redirection. For more information, see Force HTTPS redirection with Apache and Force HTTPS redirection with NGINX on the Bitnami website.

Topics

Compute

Relevant content

If SSL Certificate is installed via Let's Encrypt with Bitnami, are other SSL Plugin (like Really Simple SSL) necessary?
AWS-User-1467383
asked 3 years ago
I am unable to install an SSL certificate on my lightsail WordPress instance
Brand44
asked 2 years ago
Still Seeing "Your Connection is Not Private" Despite Let’s Encrypt Certificate on Bitnami WordPress (Lightsail)
Marcos
asked a month ago
AWS Lightsail Drupal Certified by Bitnami with multisites and SSL by Let's Encrypt
dcm0229
asked 2 years ago
Renew Let's Encrypt SSL Lightsail Subdomain
Waniel
asked a year ago
How do I install a Let's Encrypt SSL certificate in a Bitnami stack that's hosted on Lightsail?
AWS OFFICIALUpdated a year ago
How do I install a standard Let's Encrypt SSL certificate in a Lightsail instance that doesn't use a Bitnami stack?
AWS OFFICIALUpdated a year ago
How do I install a wildcard Let's Encrypt SSL certificate in Amazon Lightsail?
AWS OFFICIALUpdated a year ago
How do I renew a Let's Encrypt SSL certificate in a Bitnami stack hosted on a Lightsail instance?
AWS OFFICIALUpdated a year ago
How To Install TextGen WebUI on AWS
EXPERT
rsindreu
published 2 years ago