By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Setup Workflow: Cannot create SSL certificate for lightsail-wp instance

0

I've spun up a new lightsail-wp instance, and am trying to go through the setup workflow.

  • It's been assigned a static IP
  • The domain registrar is Namesilo
  • DNS is managed by Cloudflare I've tried getting SSL certificate emission to work several different ways:
  1. Using the workflow, which produces an IP resolution error (due to Cloudflare proxying).
  2. Generating a certificate using DNS-01 challenge using python3-certbot-dns-cloudflare. This worked, but installed an additional Apache service that conflicts with the Wordpress installation.
  3. Using a Cloudflare Origin CA certificate. I managed to get it to work by installing the certificate myself and redirecting the config files to it, but it broke my website in all sorts of different and inconsistent ways. Sometimes it crashed the apache, php and database, sometimes the website didn't serve CSS, broken images on the admin panel, etc.
  4. Back to step one, which should be the most painless option. I've paused cloudflare for now, and confirmed with a DNS checker tool that the domain is resolving to the instance static IP. However, I'm still getting the following error: 2 DNS records do not match instance IPs. Did not find IPv6 match for 2 domain(s). Verify the values for your DNS records are correct. After you change DNS record values, you must wait for the DNS cache to expire before you can try again..

I also created an SSL certificate in the AWS Account > Certificates through adding a CNAME record to my DNS, but I'm not sure how to import it to my lightsail instance, or if it's even compatible.

My DNS records contain the following:

  1. Two A records for my domain example.com. One is pointing to the instance IP (confirmed through DNS checker), and the other one to a Cloudflare IP.
  2. Two www records for my domain example.com. One is pointing to the instance IP (confirmed through DNS checker), and the other one to a Cloudflare IP.
  3. Two AAAA records for my domain example.com. One is pointing to the instance IPv6 address (confirmed through DNS checker), and the other one to a Cloudflare IPv6 address.
  4. Two AAAA records for my domain example.com. One is pointing to the instance IPv6 address (confirmed through DNS checker), and the other one to a Cloudflare IPv6 address.
  5. One CNAME record, used for verifying the AWS SSL certificate described above.
  6. Three CNAME records for Amazon SES validation.
  7. MX records for email forwarding (non-AWS).
  8. One _dmarc record for Amazon SES validation.
  9. One TXT record for my domain example.com for email forwarding (non-AWS)

Is there a bncert-tool equivalent that does DNS-01 challenges through an API instead of IP resolution validation? I have waited overnight after pausing Cloudflare on the domain, which should (and has) propagated very quickly. Is this a DNS cache issue on AWS end or am I doing something wrong?

  • tcq
    a year ago

    The workflow never worked. I guess it's something to accept as a price to pay for Cloudflare's proxying services. What ended up working was generating it using Lego, as follows:

    export CLOUDFLARE_EMAIL='your_email@provider.com' export CLOUDFLARE_API_KEY='xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'

    cd /opt/bitnami/letsencrypt ./lego --email your_email@provider.com --dns cloudflare --domains="example.com" --domains="www.example.com" renew cd /opt/bitnami/apache/conf/bitnami/certs sudo cp /opt/bitnami/letsencrypt/.lego/certificates/example.com.crt server.crt sudo cp /opt/bitnami/letsencrypt/.lego/certificates/example.com.key server.key sudo /opt/bitnami/ctlscript.sh restart apache

    Site is now working flawlessly, no caching errors or slowdown with Cloudflare enabled. Wrapped it up with the Really Simple SSL Wordpress plugin.

Topics
ComputeNetworking & Content DeliverySecurity, Identity, & ComplianceEnd User Computing
Tags
Amazon LightsailNetworking & Content DeliveryAWS Certificate ManagerAWS Support Automation Workflows
Language
English
tcq
asked a year ago982 views
2 Answers
2
Accepted Answer

Using the workflow, which produces an IP resolution error (due to Cloudflare proxying).

Lightsail's secure WordPress workflow is designed to work with Let's Encrypt certificates installed directly on the instance. This won't work with Cloudflare.

Perhaps the Use Let’s Encrypt SSL certificates with your Lightsail WordPress instance can provide hints that apply to your situation (specifically ensuring you have SSL configured correctly in WordPress so all your images are served securely as well).

When using a CDN like Cloudflare, make sure you're configuring the cache settings correctly. With Lightsail distributions there is a preset for WordPress instances that caches nothing except wp-includes/ and wp-content – you likely need a similar configuration with Cloudflare.

Typically you would only have one DNS record per sub-domain/apex. Having one record pointing to Lightsail and another to Cloudflare could be one source of issues. If you plan you use Cloudflare as your DNS provider, point your registrar to Cloudflare and your Cloudflare admin to a Lightsail instance with a static IP address attached (IPv6 addresses remain with the instance between start/stop as long as you keep IPv6 enabled).

AWS
MODERATOR
Gabriel - AWS
answered a year ago
profile picture
EXPERT
Oleksii Bebych
reviewed a year ago
  • tcq
    a year ago

    Shouldn't the workflow work, at least for debugging purposes, when Cloudflare has been paused for a given site? Perhaps it hasn't due to the extra records that came by default with the Cloudflare service that I never removed. I'll clean up my DNS records.

    I appreciate the heads up regarding the preset for WP caching. I had been managing it manually, with mixed results (disabled it entirely in Cloudflare for the admin panel using their cache rules, behavior was still iffy, most likely due to a wonky SSL installation).

    I will take a deeper look at that guide, thanks! I had seen a very similar one that relied exclusively on comparing the DNS record IP with the instance's public IP, so I most likely opened it and dismissed it at some point.

0

I have been having a similar issue and from what I have found out you have to attach the certificate to a load balancer and then attach that load balancer to an instance. Stand alone instances do not seem to support HTTPS. As for how to attach an existing certificate, I have no idea. Ive been trying to figure that out all day and haven't had much luck with creating a new one through lightsail either.

Vince
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content