How do I install a wildcard Let's Encrypt SSL certificate in Amazon Lightsail?

I want to install a wildcard SSL certificate for my website in an Amazon Lightsail instance.

Short description

The following resolution covers the installation of a wildcard Let's Encrypt SSL certificate for websites hosted in a Lightsail instance without a Bitnami stack. Examples of these instance blueprints include Amazon Linux 2 or Ubuntu. If you have a different instance blueprint or want to install a standard certificate, see one of the following:

Resolution

Note: Before you start, install the Certbot tool. For installation instructions, see How do I install the Certbot package in my Lightsail instance for Let's Encrypt certificate installation?

The method to install a wildcard Let's Encrypt SSL certificate on your Lightsail instance depends on your domain's DNS provider. To start, verify whether your DNS provider appears in DNS Plugins on the Certbot website. The following methods explain how to install the certificate in the server. You must manually complete additional steps. For example, you must configure the server to use the certificate, and you must set up HTTPS redirection.

If your domain uses one of the listed DNS providers

In the following example, the DNS provider is Amazon Route 53. For instructions for other supported DNS providers, see DNS Plugins on the Certbot website.

  1. Create an AWS Identity and Access Management (IAM) user with programmatic access (an access key). For the minimum IAM permissions that Certbot needs to complete the DNS challenge, see certbot-dns-route-53 on the Certbot website. Because this access key is stored on the instance, grant only those permissions, and scope route53:ChangeResourceRecordSets to the hosted zone that contains your domain rather than to every zone in the account.

  2. To open the /root/.aws/credentials file in nano editor, run the following commands:

    sudo mkdir /root/.aws
    sudo nano /root/.aws/credentials
  3. Copy the following lines to the file:

    [default]
    aws_access_key_id = AKIA************E
    aws_secret_access_key = 1yop**************************l

    Note: Replace the aws_access_key_id and aws_secret_access_key values with the access key ID and secret access key created in step 1. Keep the file readable only by root (mode 0600): anyone who can read it can change your DNS records.

  4. To save the file, press Ctrl + X, then Y, and finally press ENTER.

  5. Create a Let's Encrypt certificate in the server. If your domain uses Amazon Route 53 as the DNS provider, run the following command:

    sudo certbot certonly --dns-route53 -d example.com -d '*.example.com'

    Note: Replace example.com with your domain name. The wildcard is quoted so that the shell doesn't expand it as a file name pattern. Keep the -d example.com entry: a wildcard certificate for *.example.com doesn't cover the bare domain example.com.

  6. After Certbot generates the SSL certificate, you receive the message Successfully received certificate. The certificate and key file locations are also provided (by default, fullchain.pem and privkey.pem under /etc/letsencrypt/live/example.com/). Copy these file locations to a text file for use in step 8.

  7. Set up automatic certificate renewal.
    If the Certbot package is installed with snapd, then renewal is already configured through a systemd timer or cron job.
    If the OS distribution is Amazon Linux 2 or FreeBSD, then the Certbot package isn't installed with snapd. To configure the renewal manually, run the following command:

    echo "30 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew" | sudo tee -a /etc/crontab > /dev/null

    This job runs certbot renew twice a day after a random delay of up to an hour, which spreads load on the Let's Encrypt servers. Renewal reuses the dns-route53 plugin and the credentials file from step 2, so leave that file in place. The command appends to /etc/crontab, so running it twice adds a duplicate line. Certbot replaces the certificate files in place, but your web server keeps serving the old certificate until it reloads; use the --deploy-hook option of certbot renew to reload it after each renewal.
  8. You have now obtained the certificate and set up renewal. However, you still must configure your web server to use this certificate, and you must also set up HTTPS redirection. Configuration depends on your instance's web server setup. Refer to your web server documentation for configuration instructions.
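The following script is an added example for the Route 53 procedure above; it is not part of the original page. It carries out steps 2 to 4 and step 7 with the checks a practitioner would want: the credentials file is created root-only before the secret is written, the IAM policy to attach to the Certbot user (the hosted zone ID is a placeholder) is limited to one hosted zone and to TXT records, the wildcard in the certbot command is quoted, and the renewal cron line is added only once. The reload command passed to --deploy-hook is an assumption; use whatever reloads your web server.

```bash
#!/usr/bin/env bash
# Added example (not from the original page) for the Route 53 procedure.
# Assumptions: GNU coreutils (stat -c), certbot with the dns-route53 plugin
# installed, and a web-server reload command passed by the caller.
set -eu

# Write DIR/credentials (DIR is /root/.aws in the article) for the Certbot
# IAM user. umask 077 makes the directory 700 and the file 600 *before* the
# secret is written, so no other local user can ever read it.
write_aws_credentials() {
  local dir="$1" key_id="$2" secret="$3"
  (
    umask 077
    mkdir -p "$dir"
    printf '[default]\naws_access_key_id = %s\naws_secret_access_key = %s\n' \
      "$key_id" "$secret" > "$dir/credentials"
  )
  chmod 700 "$dir"              # also tighten a pre-existing directory/file
  chmod 600 "$dir/credentials"
}

# Octal permission bits of a path (GNU stat, as on Amazon Linux and Ubuntu).
file_mode() { stat -c '%a' "$1"; }

# Least-privilege policy for the certbot-dns-route53 plugin.
# ListHostedZones and GetChange are not zone-scoped and need Resource "*";
# ChangeResourceRecordSets is restricted to one hosted zone and, through the
# route53:ChangeResourceRecordSetsRecordTypes condition key, to TXT records.
iam_policy_json() {
  local zone_id="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["route53:ListHostedZones", "route53:GetChange"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "route53:ChangeResourceRecordSets",
      "Resource": "arn:aws:route53:::hostedzone/${zone_id}",
      "Condition": {
        "ForAllValues:StringEquals": {
          "route53:ChangeResourceRecordSetsRecordTypes": ["TXT"]
        }
      }
    }
  ]
}
EOF
}

# Request the certificate for the bare domain and its wildcard.
# "*.$domain" is quoted: unquoted, the shell would try to match it against
# file names in the current directory before certbot ever sees it.
request_wildcard_cert() {
  local domain="$1"
  certbot certonly --dns-route53 -d "$domain" -d "*.$domain"
}

# Add the twice-daily renewal job for distributions without snap (Amazon
# Linux 2). Idempotent: re-running this never duplicates the line.
# --deploy-hook makes the web server pick up the renewed certificate.
install_renewal_cron() {
  local crontab_file="$1" reload_cmd="$2"
  local line="30 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew -q --deploy-hook \"$reload_cmd\""
  if ! grep -qF 'certbot renew' "$crontab_file" 2>/dev/null; then
    echo "$line" >> "$crontab_file"
  fi
}
```

On the instance you would call write_aws_credentials /root/.aws AKIA... secret, attach the output of iam_policy_json to the IAM user from step 1 (replace the zone ID with your hosted zone's), run request_wildcard_cert example.com, and finish with install_renewal_cron /etc/crontab "systemctl reload nginx" (or the reload command for your web server).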

If your domain doesn't use one of the listed DNS providers

Note: This method doesn't support automatic certificate renewal. Because the TXT records are added by hand, certbot renew can't complete the DNS challenge on its own, so you must repeat the steps below before the certificate expires (Let's Encrypt certificates are valid for 90 days). Certbot can automate the manual method with --manual-auth-hook scripts that update your DNS provider, but that isn't covered here.

In the following steps, you add TXT records in the domain's DNS provider. This process might take some time. It's a best practice to run commands in Linux GNU Screen to prevent the session from timing out.

  1. To start a Screen session, enter the following command:

    screen -S letsencrypt
  2. To start Certbot in interactive mode, enter the following command. This command tells Certbot to use the manual authorization method with DNS challenges to verify domain ownership.

    sudo certbot certonly --manual --preferred-challenges dns -d example.com -d '*.example.com'

    Note: Replace example.com with your domain name. The wildcard is quoted so that the shell doesn't expand it as a file name pattern. Keep the -d example.com entry: a wildcard certificate for *.example.com doesn't cover the bare domain example.com.

  3. Certbot prompts you to add TXT records to the DNS records for your domain. This action verifies that you own the specified domain. Because example.com and *.example.com are both validated at the same name, _acme-challenge.example.com, Certbot asks for two TXT records with that name and different values. Both records must exist at the same time: add the second one without deleting the first.

  4. When you see a TXT record onscreen, add the provided record to your domain's DNS. Note: Do not press ENTER until you confirm that the TXT record is propagated to the internet DNS. Do not press Ctrl + D because that action terminates the current screen session.

  5. To confirm the TXT record was propagated to the internet DNS, look it up at DNS Text Lookup on the MX Toolbox website. To run the check, enter the following text into the text box, and then choose TXT Lookup:

    _acme-challenge.example.com

    Note: Replace example.com with your domain name.

  6. If your TXT records are propagated to the internet DNS, you see the TXT record value on the page. Go back to the screen and press ENTER.
    Note: If your SSH session is disconnected, reconnect and run screen -r SESSIONID to get back into the Certbot session. To find the Session ID, run the screen -ls command.

  7. If the Certbot prompt asks you to add another TXT record, then repeat steps 4–6.

  8. After Certbot generates the SSL certificate, you receive the message Successfully received certificate. The certificate and key file locations are also provided. Copy these file locations to a text file for use in step 9.

  9. You have now obtained the certificate. Renewal isn't automated with this method, so note the expiry date. You still must configure your web server to use this certificate, and you must also set up HTTPS redirection. Configuration depends on your instance's web server setup. Refer to your web server documentation for configuration instructions.
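The following script is an added example for steps 4 to 7 of the manual procedure above; it is not part of the original page. Instead of a web lookup tool, it asks every authoritative nameserver of the zone for the _acme-challenge TXT record with dig and reports which servers already serve the value Certbot displayed. Let's Encrypt validates with its own resolvers, so "propagated" means the authoritative servers answer with the value, not that your local cache does. It assumes dig is installed (package bind-utils on Amazon Linux, dnsutils on Ubuntu); the sample dig output used to exercise the parser is constructed, not a real lookup.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): check that the ACME TXT
# challenge record is served by all authoritative nameservers of a zone.
set -eu

# Turn `dig +short TXT` output into one unquoted value per line.
# dig prints each record as one or more quoted strings, e.g.
#   "abc" "def"   ->  abcdef
parse_txt_values() {
  sed -E 's/" "//g; s/^"//; s/"$//'
}

# Exit 0 if EXPECTED is exactly one of the TXT values on stdin.
# Exact, fixed-string matching: a partial match would be a false positive.
txt_contains() {
  local expected="$1"
  parse_txt_values | grep -qxF -- "$expected"
}

# Does nameserver NS already answer NAME TXT with EXPECTED?
acme_txt_served_by() {
  local ns="$1" name="$2" expected="$3"
  dig +short +time=3 +tries=1 "@$ns" TXT "$name" | txt_contains "$expected"
}

# Check every authoritative nameserver of ZONE. Succeeds only when all of
# them serve EXPECTED at _acme-challenge.ZONE; until then, don't press
# ENTER in the Certbot session.
acme_txt_propagated() {
  local zone="$1" expected="$2"
  local name="_acme-challenge.$zone" ok=0 fail=0 ns
  for ns in $(dig +short NS "$zone"); do
    if acme_txt_served_by "$ns" "$name" "$expected"; then
      echo "OK   $ns serves the record"
      ok=$((ok + 1))
    else
      echo "WAIT $ns does not serve the record yet"
      fail=$((fail + 1))
    fi
  done
  if [ "$ok" -gt 0 ] && [ "$fail" -eq 0 ]; then
    return 0
  fi
  return 1
}
```

In step 5, run acme_txt_propagated example.com '<value Certbot displayed>' until every nameserver reports OK, then press ENTER. When Certbot prompts for the second record (same name, new value), add it alongside the first and run the check again with the second value; both records stay in place until Certbot reports Successfully received certificate.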

AWS OFFICIAL. Updated 4 days ago.