So you have an awesome, affordable new VPS instance — maybe even a WordPress or Drupal installation — hosted on Amazon’s Lightsail. Setting up a Lightsail instance might be quick and easy, but moving it from HTTP to HTTPS isn’t as intuitive as you might expect. This is one of those instances where AWS stops holding your hand and expects you to do some real work of your own. But don’t worry, setting up HTTPS isn’t too tough and, thanks to Let’s Encrypt, it’s free.
SSL is pretty much a must-have feature at this point. A site is either secure or it isn’t, and even if you aren’t accepting credit card information or personal data, people still expect to see that little green lock when they are on your site. Furthermore, Google and other search engines want to see it as well, so it behooves all of us to adhere, even if it might not seem necessary for your site. If nothing else, it’s definitely in keeping with accepted best practices, so it’s a good use of 20-ish minutes.
This is a much more involved process than moving an S3 static site to HTTPS, so you’ll want a basic understanding of working in a console (CLI) and the normal Bash/Linux stuff that helps with tasks like this. These things aren’t a dealbreaker, but they’ll help. The good news is that there is great community support for things like this and the procedure is standard enough that there shouldn’t be any surprises.
Note: We’ll be doing this task with Certbot (the Let’s Encrypt client), not the Amazon AWS Certificate Manager. There are lots of ways to move to SSL, but this is the easiest, and it’s free.
For this article we’ll assume you’re using a Lightsail installation with Apache (probably, but not necessarily, running WordPress). This doesn’t have to be the case, but let’s just establish that for now and then you can bend the instructions to your specific needs. After all, this will be the most popular usage case.
First of all, log in to AWS Lightsail and navigate to your instance. Now just hit the big orange button to “Connect using SSH.” This will open a pop-up window (a terminal) with an SSH client right in your browser. This method is a bit cumbersome, but it’s easier than using PuTTY or the Windows 10 SSH client.
In case you are new to the terminal, every $ is a new command! Don’t copy and paste the whole paragraph and don’t copy and paste the
First of all, let’s make sure your VPS’s packages are up-to-date so you have a good foundation to build upon.
$ sudo apt-get update
$ sudo apt-get autoclean
Certbot is simply the Let’s Encrypt client. There have been other ways to install free Let’s Encrypt SSL certificates, even from within a WordPress installation, but those aren’t well supported or active any longer. To install Certbot, you need a place to put it. That’s step one:
$ sudo mkdir /opt/bitnami/letsencrypt
$ cd /opt/bitnami/letsencrypt
Now download certbot and make it executable:
$ sudo wget https://dl.eff.org/certbot-auto
$ sudo chmod a+x ./certbot-auto
Now, let’s run certbot:
$ sudo ./certbot-auto
The script will run for a few seconds. It might kick an error or two, but unless those actually break the installation process you don’t need to worry about them. You shouldn’t see anything if you are running a clean Lightsail VPS.
Now it’s time to actually generate your cert. The command looks like this but you will need to customize it!
$ sudo ./certbot-auto certonly --webroot -w /nas/content/live/cloudconfusing/ -d MySite.com -d www.MySite.com
What you are doing here is generating a certificate for your site and for your site with the “www” subdomain. If you leave out the www subdomain, the certificate will cover only the bare domain; it is not a wildcard (as in *.MySite.com). Certbot / Let’s Encrypt only started supporting wildcard domains in March 2018, so it’s technically doable, but it’s an unnecessary complication for this guide.
At this point you have certificates generated and living on your VPS. You’ll have one for each site you passed with a -d flag in the command above.
Having SSL certificates is nice, but if Apache (your web server) doesn’t know about them they are pretty useless. Apache expects to see your certificate files in /opt/bitnami/apache2/conf/, as server.crt and server.key.
That’s fine, but that’s not where Certbot puts them. That means we can either move them from /etc/letsencrypt/live/MySite.com, or link them to that location. Linking is the right thing to do here because in 90 days you will need to renew your certificates, and if you move them today, you’ll have to move the next ones then. If you establish a symbolic link (aka a symlink or soft link) then you’ll only have to do it once.
Now you have to make two links, one for the .crt file and one for the .key file.
$ sudo ln -s /etc/letsencrypt/live/MySite.com/fullchain.pem /opt/bitnami/apache2/conf/server.crt
$ sudo ln -s /etc/letsencrypt/live/MySite.com/privkey.pem /opt/bitnami/apache2/conf/server.key
ln -s creates a symbolic link (where ln would create a hard link). The soft link simply creates a pointer from one file to another, so your instance will look for, say, server.crt in the apache2/conf/ directory and it can actually live in the letsencrypt/live/MySite.com/ directory.
Note: New versions of Bitnami may already have a server.crt and server.key file in place in this directory! If that’s the case you can simply rename those ones if you want to use your newly created certificate. Just navigate to that directory and:
$ mv server.crt serverBAK.crt
Now you just need to restart Apache and test that your HTTPS is valid — both with and without the www. To restart Apache you just need to:
$ sudo /opt/bitnami/ctlscript.sh restart apache
The restart should take just a few seconds. Then you can visit your site at the https:// URL and see if it works. SSL certificates take just a minute or two to propagate, so by the time you retrieve the URL everything should be established. If it doesn’t work, make sure you check your browser cache and confirm nothing wrong is saved there. You can always try another browser or private mode just to make sure you aren’t hitting an old SSL error or an already-fetched invalidation.
If you want to troubleshoot your SSL certificate or just confirm that it’s working properly, two excellent resources are crt.sh and SSL Labs.
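Before you lean on an external checker, it is worth confirming locally that the two symlinks point at a matching certificate/key pair, that the certificate actually names both the bare domain and www, and that it is not close to its 90-day expiry. The functions below are an added example and not part of the original post; they assume openssl is installed (it is on a Bitnami image), and the self-test builds a throwaway certificate rather than touching the files under /etc/letsencrypt.

```shell
#!/bin/sh
# Added example, not from the original post. Checks to run on the Lightsail box
# after the symlinks are in place. Requires the openssl command-line tool.

# Exit 0 if the public key embedded in the certificate matches the private key.
# A mismatch here is the classic cause of Apache refusing to start after the symlink step.
cert_matches_key() {
  crt="$1"; key="$2"
  c=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null | openssl sha256)
  k=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Exit 0 if every hostname given after the certificate path appears in its
# Subject Alternative Name list (this is where the -d names from certbot end up).
cert_covers() {
  crt="$1"; shift
  sans=$(openssl x509 -in "$crt" -noout -text | grep -o 'DNS:[^,]*' | sed 's/DNS://')
  for h in "$@"; do
    echo "$sans" | grep -qx "$h" || return 1
  done
}

# Exit 0 if the certificate is still valid for at least $2 more days.
# Let's Encrypt certificates last 90 days, so anything under 30 means renew now.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Builds a constructed, self-signed test certificate in directory $1 with the same
# SAN layout certbot would produce for the two -d names. Only for self-testing.
make_test_cert() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
    -keyout "$dir/privkey.pem" -out "$dir/fullchain.pem" \
    -subj "/CN=MySite.com" \
    -addext "subjectAltName=DNS:MySite.com,DNS:www.MySite.com" >/dev/null 2>&1
}

# Real usage on the instance (paths taken from the symlink step above, domain is a placeholder):
#   CRT=/opt/bitnami/apache2/conf/server.crt; KEY=/opt/bitnami/apache2/conf/server.key
#   cert_matches_key "$CRT" "$KEY"          && echo "cert/key pair OK"
#   cert_covers "$CRT" MySite.com www.MySite.com && echo "both names covered"
#   cert_valid_for_days "$CRT" 30           || echo "renew soon"
```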
In a gift-that-keeps-giving sort of way, you’ll need to renew your SSL certificate every 90 days. To do this you just need to navigate to the Bitnami directory:
$ cd /opt/bitnami/letsencrypt
and then run the renew command:
$ sudo ./certbot-auto renew
It’s a good idea to run
$ sudo ./certbot-auto renew --dry-run
to test out the procedure first, but it’s not necessary. Many people opt to set up a cron job to attempt to renew their SSL certificate twice a day (at a random minute!), which Let’s Encrypt encourages but is not necessary. Make sure to restart Apache after an update!
That command might look something like this:
# root's crontab: sleep up to an hour, renew with the certbot-auto we installed above,
# and restart Apache only when a certificate was actually renewed
0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && /opt/bitnami/letsencrypt/certbot-auto renew --deploy-hook "/opt/bitnami/ctlscript.sh restart apache"
And with that you’re done! Your VPS is fully set up with HTTPS, much to the liking of Google and your users.
Sal May 13th, 2018
Posted In: AWS
Tags: Apache, Certbot, HTTPS, Lightsail, Security