How do I install a wildcard Let's Encrypt SSL certificate in a Bitnami stack that's hosted on Lightsail?

8 minute read
0

I want to install a wildcard SSL certificate for my website in an Amazon Lightsail instance with a Bitnami stack.

Short description

For information about how to install a different instance blueprint or a standard certificate, see the following AWS Knowledge Center articles:

Resolution

The steps to install a wildcard Let's Encrypt SSL certificate on a Bitnami-hosted Lightsail instance depend on the DNS provider that your domain uses. Check if your DNS provider is listed in DNS providers on the Lego website. Then, select the appropriate method to use:

  • If your domain uses one of the listed DNS providers, then use the Lego tool that Bitnami provides.
  • If your domain doesn't use one of the listed DNS providers, then use the Certbot package.

Note: File paths can change depending on whether your Bitnami stack uses native Linux system packages (Approach A) or a self-contained installation (Approach B). The latest Bitnami WordPress blueprints are available only for Approach A.

To identify your Bitnami installation type, run the following command:

test ! -f "/opt/bitnami/common/bin/openssl" && echo "Approach A: Using system packages." || echo "Approach B: Self-contained installation."

Lego tool

Bitnami provides the bncert-tool and the Lego tool. The Lego tool supports the creation of wildcard SSL certificates. The bncert-tool doesn't support the creation of wildcard SSL certificates.

Note: In the following example, the DNS providers is Amazon Route 53 and Amazon Lightsail.

To use the Lego tool to install a wildcard Let's Encrypt SSL certificate, complete the following steps:

  1. Create an AWS Identity and Access Management (IAM) user with programmatic access. To determine the required IAM user permissions for Lego to complete the DNS challenge, see IAM policy examples on the Lego website.

  2. To open the file /root/.aws/credentials file in the nano editor, run the following command:

    sudo mkdir /root/.aws
    sudo nano /root/.aws/credentials
  3. Enter the following lines on the credentials file:

    [default]
    aws_access_key_id = AKIA************E
    aws_secret_access_key = 1yop**************************l
    region = us-east-1

    Note: Replace aws_access_key_id and aws_secret_access_key with your values. Replace us-east-1 with the AWS Region of your Lightsail instance.

  4. To save the file, press Ctrl + X, then y, and then Enter.

  5. If your Bitnami instance doesn't include the /opt/bitnami/letsencrypt/ directory, then run the following command to manually install the Lego client:

    cd /tmp
    curl -Ls https://api.github.com/repos/xenolf/lego/releases/latest | grep browser_download_url | grep linux_amd64 | cut -d '"' -f 4 | wget -i - -O lego.tar.gz
    tar xzf lego.tar.gz
    sudo mkdir -p /opt/bitnami/letsencrypt
    sudo mv lego /opt/bitnami/letsencrypt/lego
  6. To create a wildcard Let's Encrypt certificate in the server, run the following command based on your server type:
    Route 53 name servers:

    sudo /opt/bitnami/letsencrypt/lego --email="EMAIL-ADDRESS" --domains="DOMAIN" --domains="*.DOMAIN" --dns route53 --path="/opt/bitnami/letsencrypt" run

    Lightsail name servers:

    sudo DNS_ZONE=DOMAIN /opt/bitnami/letsencrypt/lego --email="EMAIL-ADDRESS" --domains="DOMAIN" --domains="*.DOMAIN" --dns lightsail --path="/opt/bitnami/letsencrypt" run

    Note: Replace EMAIL-ADDRESS with the email address that you want to receive certificate updates to. Replace DOMAIN with your domain name.
    The SSL certificate and private key are generated in the following locations: /opt/bitnami/letsencrypt/certificates/DOMAIN.crt or /opt/bitnami/letsencrypt/certificates/DOMAIN.key.

  7. To stop the Bitnami stack services, run the following command:

    sudo /opt/bitnami/ctlscript.sh stop
  8. Link the SSL certificate and certificate key file to the locations that your web server currently reads, based on your server and approach:
    Apache, Approach A

    sudo mv /opt/bitnami/apache2/conf/bitnami/certs/server.crt /opt/bitnami/apache2/conf/bitnami/certs/server.crt.old
    sudo mv /opt/bitnami/apache2/conf/bitnami/certs/server.key /opt/bitnami/apache2/conf/bitnami/certs/server.key.old
    sudo ln -sf /opt/bitnami/letsencrypt/certificates/DOMAIN.key /opt/bitnami/apache2/conf/bitnami/certs/server.key
    sudo ln -sf /opt/bitnami/letsencrypt/certificates/DOMAIN.crt /opt/bitnami/apache2/conf/bitnami/certs/server.crt

    Apache, Approach B

    sudo mv /opt/bitnami/apache2/conf/server.crt /opt/bitnami/apache2/conf/server.crt.old
    sudo mv /opt/bitnami/apache2/conf/server.key /opt/bitnami/apache2/conf/server.key.old
    sudo mv /opt/bitnami/apache2/conf/server.csr /opt/bitnami/apache2/conf/server.csr.old
    sudo ln -sf /opt/bitnami/letsencrypt/certificates/DOMAIN.key /opt/bitnami/apache2/conf/server.key
    sudo ln -sf /opt/bitnami/letsencrypt/certificates/DOMAIN.crt /opt/bitnami/apache2/conf/server.crt

    NGINX, Approach A

    sudo mv /opt/bitnami/nginx/conf/bitnami/certs/server.crt /opt/bitnami/nginx/conf/bitnami/certs/server.crt.old
    sudo mv /opt/bitnami/nginx/conf/bitnami/certs/server.key /opt/bitnami/nginx/conf/bitnami/certs/server.key.old
    sudo ln -sf /opt/bitnami/letsencrypt/certificates/DOMAIN.key /opt/bitnami/nginx/conf/bitnami/certs/server.key
    sudo ln -sf /opt/bitnami/letsencrypt/certificates/DOMAIN.crt /opt/bitnami/nginx/conf/bitnami/certs/server.crt

    NGINX, Approach B

    sudo mv /opt/bitnami/nginx/conf/server.crt /opt/bitnami/nginx/conf/server.crt.old
    sudo mv /opt/bitnami/nginx/conf/server.key /opt/bitnami/nginx/conf/server.key.old
    sudo mv /opt/bitnami/nginx/conf/server.csr /opt/bitnami/nginx/conf/server.csr.old
    sudo ln -sf /opt/bitnami/letsencrypt/certificates/DOMAIN.key /opt/bitnami/nginx/conf/server.key
    sudo ln -sf /opt/bitnami/letsencrypt/certificates/DOMAIN.crt /opt/bitnami/nginx/conf/server.crt

    Note: For the preceding commands, replace DOMAIN with your domain name.

  9. To start the Bitnami stack services, run the following command:

    sudo /opt/bitnami/ctlscript.sh start
  10. To automate certificate renewal, run the following command to open the crontab editor:

    sudo crontab -e -u bitnami

    Note: Let's Encrypt certificates are valid for 90 days.

  11. Enter the following line on the crontab file, and then save the file:
    Apache

    0 0 * * * sudo /opt/bitnami/letsencrypt/lego --path /opt/bitnami/letsencrypt --email="EMAIL-ADDRESS" --domains="DOMAIN"  --domains="*.DOMAIN" --dns DNS renew >> /var/log/letsencrypt.log 2>&1 && sudo /opt/bitnami/apache/bin/httpd -f /opt/bitnami/apache/conf/httpd.conf -k graceful

    Nginx

    0 0 * * * sudo /opt/bitnami/letsencrypt/lego --path /opt/bitnami/letsencrypt --email="EMAIL-ADDRESS" --domains="DOMAIN"  --domains="*.DOMAIN" --dns DNS renew >> /var/log/letsencrypt.log 2>&1 && sudo /opt/bitnami/nginx/sbin/nginx -c /opt/bitnami/nginx/conf/nginx.conf -s reload

    Note: Replace EMAIL-ADDRESS, DOMAIN, and DNS with your values.

  12. Set up HTTPS redirection. For more information, see Force HTTPS redirection with Apache and Force HTTPS redirection with NGINX on the Bitnami website.

Certbot package

Prerequisites:

  • Install Certbot.
  • Determine your Linux distribution. For Bitnami-hosted instances, the Linux distribution is either Debian or Ubuntu. Run the following command to confirm your Linux distribution:
    cat /etc/os-release | grep -i ^id
    Note: This method doesn't support automatic certificate renewal.

To use the Certbot package to install a wildcard Let's Encrypt SSL certificate, complete the following steps:

  1. Start a Linux GNU Screen session. Because it takes time to add TXT records in the domain's DNS provider, the session can time out. It's a best practice to run the commands in Linux GNU Screen so that the session doesn't time out. To start a screen session, run the following command:

    screen -S letsencrypt
  2. To start Certbot interactive mode, run the following command:

    sudo certbot certonly --manual --preferred-challenges dns -d example.com -d *.example.com

    Note: Replace example.com with your value.
    If you receive an error response, such as "bash: certbot: command not found", then you might need to add /bin/snap to your PATH environment variable. First, enter "exit" and press Enter. Or, press Ctrl + D to exit from the screen session. Then, edit /etc/environment, and add /snap/bin in the list. Restart your system. To confirm that there's no longer an error, run the following command:

    $ certbot -h
  3. Copy the TXT records that Let’s Encrypt provides. Let's Encrypt provides either a single or multiple TXT records that you must use for verification.

  4. Add the provided record in your domain's DNS.
    Important: Don't press Enter until you confirm that the TXT record is propagated to the internet DNS. Also, don't press Ctrl + D because this action terminates the screen session.

  5. To confirm that the record was propagated, look up the TXT record at DNS text lookup on the MxToolbox website:

    _acme-challenge.example.com

    Note: Replace example.com with your value.
    If your TXT records are propagated, then you see the TXT record value on the page. Return to the previous screen, and press Enter.

  6. If you're removed from the shell, then run the following command to return to the shell:

    Screen -r SESSIONID

    Note: Run the screen -ls command to get the session ID.

  7. (Optional) If you're prompted, repeat the preceding steps to add another TXT record.
    Note: If you use Route 53 for your DNS provider, then enter one TXT value per row. Edit the TXT record, and then in a new row, add the TXT value that certbot provides.

  8. Save the file locations of the SSL certificate and key file. After the SSL certificate is generated, you receive the message "Successfully received certificate".

  9. To configure your web server to use the certificate, run the following commands based on your server and approach:
    Apache, Approach A

    sudo /opt/bitnami/ctlscript.sh stop
    sudo mv /opt/bitnami/apache2/conf/bitnami/certs/server.crt /opt/bitnami/apache2/conf/bitnami/certs/server.crt.old
    sudo mv /opt/bitnami/apache2/conf/bitnami/certs/server.key /opt/bitnami/apache2/conf/bitnami/certs/server.key.old
    sudo ln -sf /etc/letsencrypt/live/DOMAIN/privkey.pem /opt/bitnami/apache2/conf/bitnami/certs/server.key
    sudo ln -sf /etc/letsencrypt/live/DOMAIN/fullchain.pem /opt/bitnami/apache2/conf/bitnami/certs/server.crt
    sudo /opt/bitnami/ctlscript.sh start

    Apache, Approach B

    sudo /opt/bitnami/ctlscript.sh stop
    sudo mv /opt/bitnami/apache2/conf/server.crt /opt/bitnami/apache2/conf/server.crt.old
    sudo mv /opt/bitnami/apache2/conf/server.key /opt/bitnami/apache2/conf/server.key.old
    sudo ln -sf /etc/letsencrypt/live/DOMAIN/privkey.pem /opt/bitnami/apache2/conf/server.key
    sudo ln -sf /etc/letsencrypt/live/DOMAIN/fullchain.pem /opt/bitnami/apache2/conf/server.crt
    sudo /opt/bitnami/ctlscript.sh start

    NGINX, Approach A

    sudo /opt/bitnami/ctlscript.sh stop
    sudo mv /opt/bitnami/nginx/conf/bitnami/certs/server.crt /opt/bitnami/nginx/conf/bitnami/certs/server.crt.old
    sudo mv /opt/bitnami/nginx/conf/bitnami/certs/server.key /opt/bitnami/nginx/conf/bitnami/certs/server.key.old
    sudo ln -sf /etc/letsencrypt/live/DOMAIN/privkey.pem /opt/bitnami/nginx/conf/bitnami/certs/server.key
    sudo ln -sf /etc/letsencrypt/live/DOMAIN/fullchain.pem /opt/bitnami/nginx/conf/bitnami/certs/server.crt
    sudo /opt/bitnami/ctlscript.sh start

    NGINX, Approach B

    sudo /opt/bitnami/ctlscript.sh stop
    sudo mv /opt/bitnami/nginx/conf/server.crt /opt/bitnami/nginx/conf/server.crt.old
    sudo mv /opt/bitnami/nginx/conf/server.key /opt/bitnami/nginx/conf/server.key.old
    sudo ln -sf /etc/letsencrypt/live/DOMAIN/privkey.pem /opt/bitnami/nginx/conf/server.key
    sudo ln -sf /etc/letsencrypt/live/DOMAIN/fullchain.pem /opt/bitnami/nginx/conf/server.crt
    sudo /opt/bitnami/ctlscript.sh start

    Note: For the preceding commands, replace DOMAIN with your domain name.

  10. Set up HTTPS redirection. For more information, see Force HTTPS redirection with Apache and Force HTTPS redirection with NGINX on the Bitnami website.

AWS OFFICIAL
AWS OFFICIALUpdated 4 months ago
4 Comments

Just a note - I needed to use the -xzf flag, instead of -xf as shown in the docs above, on my Lightsail WordPress Multisite Bitnami instance - otherwise the folder 'lego' was not created

Ref:

4.    If your Bitnami instance doesn't include the directory /opt/bitnami/letsencrypt/, then manually install the Lego client using the following commands:

cd /tmp
curl -Ls https://api.github.com/repos/xenolf/lego/releases/latest | grep browser_download_url | grep linux_amd64 | cut -d '"' -f 4 | wget -i - -O lego.tar.gz

! this line !
tar xf lego.tar.gz


sudo mkdir -p /opt/bitnami/letsencrypt
sudo mv lego /opt/bitnami/letsencrypt/lego
replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
MODERATOR
replied a year ago

Hi! I don't know if the lego lightsail integration changed but now you need to specify the domain name of the DNS zone. You can find more info in the aws docs and the lego docs and code: https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_CreateDomainEntry.html#Lightsail-CreateDomainEntry-request-domainName https://go-acme.github.io/lego/dns/lightsail/ https://github.com/go-acme/lego/blob/master/providers/dns/lightsail/lightsail.go

If you don't provide the DNS_ZONE env var, it will fail with "Missing parameter domainName", so you can call the lego client like this:

sudo DNS_ZONE=domain.com /opt/bitnami/letsencrypt/lego  ...
replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
MODERATOR
replied a year ago