How to install & renew Let’s Encrypt SSL certificate on AWS


So, you have opted to host your WordPress blog/website on Amazon Web Services (AWS)! Great! Now, the next thing that you should do is install an SSL certificate on your EC2 instance to make your website secure. Here, I discuss how to install a Let’s Encrypt SSL certificate on an AWS EC2 instance, which is free to install and renew.

SSL certificates from Let’s Encrypt are valid only for 90 days. But, they can be easily renewed for no fee at all.

Before I begin, please note the following critical information –

  • This tutorial is only valid for those who have installed WordPress Certified by Bitnami and Automattic on AWS EC2.
  • All the commands that you will see here on this page are for this kind of EC2 instance only.
  • Server type – LAMP | Apache Web Server.

Note – You shouldn’t try this tutorial directly on your main website, as a single command or one wrong step could pull your entire website down! Try this tutorial first on some demo website.


Prerequisites

  1. You have successfully installed WordPress Certified by Bitnami and Automattic on AWS through 1-click Amazon Machine Image (AMI) as shown in this tutorial – How to install WordPress on AWS.
  2. You have assigned an Elastic IP to your instance as shown in the above linked tutorial.
  3. You have all the necessary credentials to log in to your AWS EC2 Bitnami instance.
  4. You own a domain name, which you have connected to your new WordPress install.
  5. You know how to log in to your EC2 instance through SSH (PuTTy) and SFTP (FileZilla). If not, then you can head back to the above linked tutorial and learn about it there.

Note: You can’t install a Let’s Encrypt SSL certificate on an IP address. A domain name is necessary to do it. Make sure that you have modified the DNS records for your domain name correctly and that it points to your WordPress install.

How to install Let’s Encrypt SSL Certificate on AWS?

Here we’ll be using the Lego client to simplify the process of generating Let’s Encrypt SSL certificate for us.

Note – Please be sure to replace the capital-letter placeholders with the values that apply to you.

STEP 1: Install the Lego client

Open PuTTy and log in to your server via SSH.

Run these commands one by one –

cd /tmp
curl -s https://api.github.com/repos/xenolf/lego/releases/latest | grep browser_download_url | grep linux_amd64 | cut -d '"' -f 4 | wget -i -

You might be asked for a confirmation with Y for Yes and N for No. Type Y and hit enter (if asked).

After these commands are executed, look at the end of the output for the version of the Lego client, which will look similar to this – v2.1.0_linux_amd64.

Now, you will need to modify the next command by replacing the X.Y.Z placeholder with the version of the Lego client that you have downloaded to your EC2 instance.

tar xf lego_vX.Y.Z_linux_amd64.tar.gz

Do not put any spaces and modify only the version part of this command and nothing else.

Next, run this command to move the lego binary into /usr/local/bin, so that it can be run from anywhere.

sudo mv lego /usr/local/bin/lego

Now, the Lego client is installed and all set to be used to generate and install a Let’s Encrypt SSL certificate on AWS.

STEP 2: Generate a Let’s Encrypt SSL Certificate

First, we need to turn off all the Bitnami services, because Lego’s --tls challenge has to listen on port 443 itself, which Apache otherwise occupies:

sudo /opt/bitnami/ctlscript.sh stop

Now, we need to request a new certificate for our domain name.

Remember to replace the ‘EMAIL-ADDRESS’ placeholder with your actual email address (you will also need it to renew the Let’s Encrypt SSL certificate later, so save it or keep it in mind). Also, replace the ‘DOMAIN’ placeholders with your actual domain name (without http). In the first domain placeholder, put the one that you use, like example.com (if your primary website address is non-www), and in the second, put the other variation, which you have redirected to your primary website address.

sudo lego --tls --email="EMAIL-ADDRESS" --domains="DOMAIN" --domains="www.DOMAIN" --path="/etc/lego" run

Keep a copy of this command safe with you after you modify it for your domain name, as you will need this information to renew the Let’s Encrypt SSL certificate.

You will be asked to agree to the terms of service. Accept it to proceed.

Now, the certificate for your domain name has been generated and installed successfully and the certificate files are currently in the /etc/lego/certificates directory. Next, we need to make the server read it.

STEP 3: Configure the server to use the Let’s Encrypt SSL Certificate

We need to link the newly generated Let’s Encrypt SSL certificate correctly, so that our web server can read it. First, move the existing certificate files out of the way by running these 3 commands one by one –

sudo mv /opt/bitnami/apache2/conf/server.crt /opt/bitnami/apache2/conf/server.crt.old
sudo mv /opt/bitnami/apache2/conf/server.key /opt/bitnami/apache2/conf/server.key.old
sudo mv /opt/bitnami/apache2/conf/server.csr /opt/bitnami/apache2/conf/server.csr.old

Again, you will have to modify the next commands. Replace the DOMAIN placeholder with your actual domain name like example.com or www.example.com (use only the one that you put in the ‘first’ domain placeholder while generating the certificate). Do not use HTTP or any spaces while modifying these commands, otherwise you will get an error. Also, do not remove .key or .crt. After modification, the commands will look something like this – sudo ln -s /etc/lego/certificates/example.com.key /opt/bitnami/apache2/conf/server.key.

sudo ln -s /etc/lego/certificates/DOMAIN.key /opt/bitnami/apache2/conf/server.key
sudo ln -s /etc/lego/certificates/DOMAIN.crt /opt/bitnami/apache2/conf/server.crt

Next, we need to change the permissions to make the certificate files readable by the root user only. No need to modify anything in these 2 commands –

sudo chown root:root /opt/bitnami/apache2/conf/server*
sudo chmod 600 /opt/bitnami/apache2/conf/server*

After this, we now need to start all the Bitnami services that we had turned off in the beginning –

sudo /opt/bitnami/ctlscript.sh start

Congratulations! The Let’s Encrypt SSL certificate is now installed on your server. Open your browser and enter your domain with HTTPS like https://EXAMPLE.com. You will be able to see a Green Lock icon, and as you click on it, you will see a message like the one shown in the image below.

Let's Encrypt SSL Certificate on AWS EC2 Bitnami WordPress
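A check that can be run after the symlink and permission commands of this step, as an added example that is not part of the original tutorial: it catches a dangling server.key/server.crt link (for instance from a typo in DOMAIN) and a key or certificate whose real file is not mode 600 and owned by root. The function name check_tls_files and the --run switch are assumptions of this example; run it as root so the /etc/lego directory can be read.

```bash
#!/usr/bin/env bash
# Added example (not from the original tutorial).
# Verifies that server.key and server.crt in the Apache conf directory resolve
# to real files that are mode 600 and owned by the expected uid (0 = root).

check_tls_files() {
  local conf_dir="${1:-/opt/bitnami/apache2/conf}"
  local want_uid="${2:-0}"
  local status=0 f link target mode uid

  for f in server.key server.crt; do
    link="$conf_dir/$f"
    # -e follows symlinks, so a link that points at a missing file fails here.
    if [ ! -e "$link" ]; then
      echo "FAIL $link: missing or dangling symlink"
      status=1
      continue
    fi
    # chmod/chown act on the link target, so inspect the resolved file.
    target=$(readlink -f "$link")
    mode=$(stat -c '%a' "$target")
    uid=$(stat -c '%u' "$target")
    if [ "$mode" != "600" ] || [ "$uid" != "$want_uid" ]; then
      echo "FAIL $target: mode $mode, uid $uid (want 600, uid $want_uid)"
      status=1
    else
      echo "OK   $link -> $target"
    fi
  done
  return "$status"
}

# Run only when asked to, e.g.: sudo bash check-tls-files.sh --run
if [ "${1:-}" = "--run" ]; then
  check_tls_files
fi
```

A non-zero exit status means at least one file failed, which is worth fixing before the Bitnami services are started again.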

STEP 4: Force HTTPS redirection on Apache

Next, we need to redirect all HTTP requests to HTTPS. This can be done by adding the following lines inside the default VirtualHost directive of the bitnami.conf file.

Note – Please save a copy of this bitnami.conf file somewhere safe first, so that you can restore it if anything goes wrong.

To do this, you will have to log in to your server through an SFTP client like FileZilla and then go to this directory –

/opt/bitnami/apache2/conf/bitnami/

Find the bitnami.conf file and open it to edit. Now, you will have to paste the below provided lines inside the VirtualHost directive –

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]

It should look like this –

Force HTTPS redirection on Apache

Save the file after you are done modifying it.

We need to restart our Apache web server to apply the changes –

sudo /opt/bitnami/ctlscript.sh restart

Now, all the HTTP requests will be redirected to HTTPS.

STEP 5: Edit wp-config.php to tell WordPress about new Website address (HTTPS)

The final step of installing the Let’s Encrypt SSL certificate is to edit the wp-config.php file and update the website address.

Log in again to your server using SFTP and go to the home directory –

/opt/bitnami/apps/wordpress/htdocs/

Find wp-config.php file and open it to edit.

Find lines similar to these –

define('WP_SITEURL', 'http://DOMAIN/');
define('WP_HOME', 'http://DOMAIN/');

First of all, save a copy of this file as well.

Now, all you need to do is paste your website address (with HTTPS) in place of ‘http://DOMAIN/’ and nothing else. Do it in both the lines and then save the file. Be sure that you paste the website address between the single inverted commas.

Again, we need to restart the Apache server to apply the changes –

sudo /opt/bitnami/ctlscript.sh restart

All Done! Now, your website will be loaded over HTTPS.

Go ahead and give it a check. Try to visit your website in the private window of your browser and put only the domain, for example – example.com (without HTTPS). This way, you will be able to check whether the HTTP requests now redirect to HTTPS or not.

Renew Let’s Encrypt SSL Certificate

As we all know, SSL certificates issued by Let’s Encrypt are valid only for 90 days, and we need to renew them before this period ends. If you don’t renew the certificate, then your website visitors will get a warning message.

Again, before I begin to discuss the renewal procedure, I would like to make it clear that this procedure is only valid for WordPress Certified by Bitnami and Automattic on an AWS EC2 instance.

The first step of the renewal procedure is to log in to your server via SSH and then stop all the Bitnami services –

sudo /opt/bitnami/ctlscript.sh stop

Now, you will be required to modify the next command by replacing the email and domain placeholder with the actual info –

sudo lego --tls --email="EMAIL-ADDRESS" --domains="DOMAIN" --domains="www.DOMAIN" --path="/etc/lego" renew

Put the email address that you had used while generating the Let’s Encrypt SSL certificate. In the first domain placeholder, you are required to put the primary website address (in exactly the same fashion as you did while generating the certificate) like example.com or www.example.com (without http or https). Do not remove the double inverted commas, and there is no need to modify anything else.

After this, we need to start all the Bitnami services again that we had turned off in the beginning of the renewal procedure –

sudo /opt/bitnami/ctlscript.sh start

The last thing is to check whether the renewal was successful or not. For this, you need to reload your website and click on the ‘Lock’ button. Next, you need to click on the certificate. You will then be able to see the date on which the certificate was issued and the date of its expiry. The issued date would be exactly when you had generated or renewed the certificate. You will also be able to see the expiry date written right after the date of issuance. It will look something like this (on Google Chrome) –

Let’s Encrypt SSL Certificate Issuance and Expiry date of ReportingAll.com
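The renewal procedure above as one script, as an added example that is not part of the original tutorial: it skips the downtime when the certificate is not yet close to expiry, and it starts the Bitnami services again even when the lego renew command fails. EMAIL-ADDRESS and DOMAIN are the tutorial's placeholders; the 30-day window, the function names and the --run switch are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example (not from the original tutorial).
# Replace the EMAIL-ADDRESS and DOMAIN placeholders exactly as in the tutorial.

CTL=/opt/bitnami/ctlscript.sh
LEGO_PATH=/etc/lego
EMAIL="EMAIL-ADDRESS"
DOMAIN="DOMAIN"
RENEW_WINDOW_DAYS=30   # assumption: renew when fewer than 30 days remain

# Returns 0 when the certificate expires within $2 days or cannot be read.
cert_expires_within() {
  local crt="$1" days="$2"
  ! sudo openssl x509 -checkend "$(( days * 86400 ))" -noout -in "$crt" >/dev/null 2>&1
}

# Stop the services, renew, then start the services whether or not lego succeeded.
renew_cert() {
  local rc=0
  sudo "$CTL" stop || return 1
  sudo lego --tls --email="$EMAIL" --domains="$DOMAIN" --domains="www.$DOMAIN" \
       --path="$LEGO_PATH" renew || rc=$?
  sudo "$CTL" start || rc=$?
  return "$rc"
}

# Only take the site down when a renewal is actually due.
renew_if_due() {
  local crt="$LEGO_PATH/certificates/$DOMAIN.crt"
  if cert_expires_within "$crt" "$RENEW_WINDOW_DAYS"; then
    renew_cert
  else
    echo "certificate is valid for more than $RENEW_WINDOW_DAYS days; nothing to do"
  fi
}

# Run only when asked to, e.g.: bash renew-cert.sh --run
if [ "${1:-}" = "--run" ]; then
  renew_if_due
fi
```

A non-zero exit status means the renewal or the service restart failed and needs attention before the current certificate expires.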

I hope that you have found this tutorial informative and helpful in installing and renewing a Let’s Encrypt SSL certificate on AWS. If you need any help in doing the same, then feel free to use the comment form below, or you can also contact me through the contact page. I will try to get in touch with you as soon as possible.

Also, if you think that all this is too much for you to do and you might do something wrong while doing it then you can also hire me to do it for you! You can hire me on Fiverr or directly by contacting me via the contact page.

Do let us know if we need to make any corrections in this tutorial; we will be very thankful to you. Keep visiting ReportingAll.com for more such tutorials on WordPress and others. Be sure to connect with us on social media so that you don’t miss any updates from us.
