How do I install a standard Let's Encrypt SSL certificate in a Lightsail instance that doesn't use a Bitnami stack?


I want to install a standard SSL certificate for my website hosted in an Amazon Lightsail instance that doesn't use a Bitnami stack.

Resolution

Note: Before you install the standard Let's Encrypt SSL certificate in your Lightsail instance that doesn't use a Bitnami stack, install the Certbot package.

The domain must point to the Lightsail instance, either directly, through a load balancer, or through a distribution. For the certificate verification to complete, the website URL must not return errors from the load balancer or distribution in the web browser.

To install the standard Let's Encrypt SSL certificate, complete the following steps:

  1. Run the command for your Linux distribution to stop the web service that runs in your instance:
    Apache, such as Amazon Linux 2 or CentOS

    sudo service httpd stop

    Apache, such as Ubuntu or Debian

    sudo service apache2 stop

    NGINX

    sudo service nginx stop
  2. Run the following command to install the SSL certificate:

    sudo certbot certonly --standalone -d example.com -d www.example.com

    Note: Replace example.com and www.example.com with your domain names.
    After Certbot generates the SSL certificate, you receive the message Successfully received certificate. The certificate and key file locations are also provided. Copy these file locations to a text file to use in step 5.

  3. Run the command for your Linux distribution to start the web service:
    Apache, such as Amazon Linux 2 or CentOS

    sudo service httpd start

    Apache, such as Ubuntu or Debian

    sudo service apache2 start

    NGINX

    sudo service nginx start
  4. Set up automatic certificate renewal.
    If you used snapd to install the Certbot package, then renewal is automatically configured in systemd timers or cron jobs. However, the web service must be stopped before the Certbot command runs and started again afterward, so you must automate the stop and start process. To set up the automation, run the following commands:

    sudo sh -c 'printf "#!/bin/sh\n service apache2 stop \n" > /etc/letsencrypt/renewal-hooks/pre/webservice.sh'
    sudo sh -c 'printf "#!/bin/sh\n service apache2 start \n" > /etc/letsencrypt/renewal-hooks/post/webservice.sh'
    sudo chmod 755 /etc/letsencrypt/renewal-hooks/*/webservice.sh

    Note: Replace service apache2 with your web service and the start and stop commands that are specific to your web service.
    If the Linux distribution is Amazon Linux 2 or FreeBSD, then you can't use snapd to install the Certbot package. To manually configure the renewal, run the following command:

    echo "30 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew --pre-hook 'service apache2 stop' --post-hook 'service apache2 start'" | sudo tee -a /etc/crontab > /dev/null

    Note: Replace service apache2 with your web service and the stop and start commands that are specific to your web service.

  5. Configure your web server to use the standard Let's Encrypt SSL certificate, and set up HTTPS redirection.
    Note: The configuration depends on the web server setup that you have in your instance. To configure your web server, refer to the official documentation for your web service.
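The renewal hooks from step 4 fail quietly when one of the pair is missing or not executable, which leaves port 80 busy at renewal time or the web service stopped afterward. The following check is an added example, not part of the original article or of Certbot; `check_hook` and `audit_hooks` are hypothetical helper names, and the demo at the end runs on a constructed temporary directory rather than on `/etc/letsencrypt`.

```shell
#!/bin/sh
# Added example: audit the Certbot renewal hooks created in step 4.
# The default directory and the webservice.sh file name come from the article;
# check_hook and audit_hooks are hypothetical helper names.

check_hook() {   # $1 = hook path; prints a finding and returns 1 on a problem
    f=$1
    [ -f "$f" ] || { echo "MISSING: $f"; return 1; }
    # Certbot only runs executable files found in the hook directories
    [ -x "$f" ] || { echo "NOT EXECUTABLE: $f"; return 1; }
    first=
    IFS= read -r first < "$f" || true
    case $first in
        '#!'*) ;;
        *) echo "NO SHEBANG LINE: $f"; return 1 ;;
    esac
    # Hooks run with Certbot's privileges (root here), so group and other
    # must not have write access to them
    if [ -n "$(find -L "$f" \( -perm -020 -o -perm -002 \))" ]; then
        echo "WRITABLE BY GROUP OR OTHER: $f"; return 1
    fi
    return 0
}

audit_hooks() {  # $1 = renewal-hooks directory (optional)
    dir=${1:-/etc/letsencrypt/renewal-hooks}
    rc=0
    check_hook "$dir/pre/webservice.sh"  || rc=1
    check_hook "$dir/post/webservice.sh" || rc=1
    if [ "$rc" -eq 0 ]; then
        # Heuristic text match: the pre hook must stop, the post hook must start
        grep -q stop  "$dir/pre/webservice.sh"  || { echo "pre hook has no stop command"; rc=1; }
        grep -q start "$dir/post/webservice.sh" || { echo "post hook has no start command"; rc=1; }
    fi
    return "$rc"
}

# Constructed demo: rebuild the article's two hooks in a temp directory and audit them.
demo=$(mktemp -d)
mkdir -p "$demo/pre" "$demo/post"
printf '#!/bin/sh\nservice apache2 stop\n'  > "$demo/pre/webservice.sh"
printf '#!/bin/sh\nservice apache2 start\n' > "$demo/post/webservice.sh"
chmod 755 "$demo"/*/webservice.sh
audit_hooks "$demo" && echo "hooks OK"
rm -rf "$demo"
```

On the instance, call `audit_hooks` with no argument to check `/etc/letsencrypt/renewal-hooks`, then run `sudo certbot renew --dry-run` to exercise a full renewal with the hooks in place.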

Related information

How do I install a Let's Encrypt SSL certificate in a Bitnami stack that's hosted on Lightsail?

How do I install a wildcard Let's Encrypt SSL certificate in a Bitnami stack that's hosted on Lightsail?

How do I install a wildcard Let's Encrypt SSL certificate in Amazon Lightsail?

AWS OFFICIAL
Updated a day ago