How do I install a wildcard Let's Encrypt SSL certificate in Amazon Lightsail?

Last updated: 2021-10-20

How do I install a wildcard SSL certificate for my website in an Amazon Lightsail instance?

Short description

The following resolution covers installing a wildcard Let's Encrypt SSL certificate for websites hosted in a Lightsail instance that doesn't use a Bitnami stack. Examples of these instance blueprints include Amazon Linux 2, Ubuntu, and so on. If you have a different instance blueprint or want to install a standard certificate, see one of the following:

Standard Let's Encrypt certificates

For information on installing a standard Let's Encrypt SSL certificate (not a wildcard) in a Lightsail instance that doesn't use a Bitnami stack, such as Amazon Linux 2, Ubuntu, and so on, see How do I install a standard Let's Encrypt SSL certificate in a Lightsail instance?

For information on installing a standard Let's Encrypt SSL certificate (not a wildcard) in a Lightsail instance with a Bitnami stack, such as WordPress, LAMP, Magento, and so on, see How do I install a standard Let's Encrypt SSL certificate in a Bitnami stack hosted on Amazon Lightsail?

Wildcard Let's Encrypt certificates (for example, *.example.com)

For information on installing a wildcard Let's Encrypt certificate in a Lightsail instance with a Bitnami stack, such as WordPress, Lamp, Magento, MEAN, and so on, see How do I install a wildcard Let's Encrypt SSL certificate in a Bitnami stack hosted on Amazon Lightsail?

Resolution

The steps used to install a wildcard Let's Encrypt SSL certificate on your Lightsail instance depend on which DNS provider your domain uses. To determine which method to use, verify if your DNS provider is listed in the Cerbot DNS list in DNS Plugins. Then, select the appropriate method to use:

Method 1: Use this method if your domain uses one of the listed DNS providers.

Method 2: Use this method if your domain is not using any of the listed DNS providers.

Method 1

Prerequisites and limitations

  • The following steps cover installing the certificate in the server. You must manually complete additional steps, such as configuring the webserver to use the certificate and setting up HTTPS redirection.
  • The domain must be using one of the DNS providers listed in the Certbot DNS List.

Note: This method requires the installation of the Certbot tool before beginning. For installation instructions, see How do I install the Certbot package in my Lightsail instance for Let's Encrypt installation?

In the following example, the DNS provider is Amazon Route 53. For instructions for other supported DNS providers, see DNS Plugins.

1.    Create an AWS Identify and Access Management (IAM) user with programmatic access. For the minimum permissions required to be attached to the IAM user for Certbot to complete the DNS challenge, see certbot-dns-route-53.

2.    Run the following commands in the instance to open the /root/.aws/credentials file in nano editor.

sudo mkdir /root/.aws
sudo nano /root/.aws/credentials

3.    Copy the following lines to the file. Then save the file by pressing ctrl+x, then y, and then ENTER.

In the following command, replace aws_access_key_id with the access key ID created in step 1. Replace aws_secret_access_key with the secret access key created in step 1.

[default]
aws_access_key_id = AKIA************E
aws_secret_access_key = 1yop**************************l

4.    Create a Let's Encrypt certificate in the server. Replace example.com with your domain name.

If your domains uses Amazon Route 53 as the DNS provider, run the following command:

sudo certbot certonly --dns-route53 -d example.com -d *.example.com

After the SSL certificate generates successfully, you receive the message "Successfully received certificate". The certificate and key file locations are also provided. Save these file locations to a notepad for use in step 6.

5.    Setup automatic certificate renewal.

If the Certbot package installed using snapd, then the renewal is configured automatically in systemd timers or cronjobs.

If the OS distribution is Amazon Linux 2 or FreeBSD, then the Certbot package isn't installed using snapd. In this case, you must configure the renewal manually by running the following command:

echo "30 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew" | sudo tee -a /etc/crontab > /dev/null

6.    Only the certificate installation and renewal setup is completed. You still must configure your web server to use this certificate and setup HTTPS redirection. This configuration varies and depends on the web server setup you have in your instance. Refer to the your web service documentation for instructions on completing these steps.

Method 2

Prerequisites and limitations

  • The following steps cover installing the certificate in the server. You must manually complete additional steps, such as configuring the webserver to use the certificate and setting up HTTPS redirection.
  • Automatic certificate renewal isn't supported in this method.

Note: This method requires the installation of the Certbot tool before beginning. For installation instructions, see How do I install the Certbot package in my Lightsail instance for Let's Encrypt installation?

1.    This method requires adding TXT records in the domain's DNS provider. This process might take some time, so it's a best practice to run the commands in Linux GNU Screen to prevent the session from timing out. To start a Screen session, enter the following command:

screen -S letsencrypt

2.    Enter the following command to start Certbot in interactive mode. This command tells Certbot to use a manual authorization method with DNS challenges to verify domain ownership. Replace example.com with your domain name.

sudo certbot certonly --manual --preferred-challenges dns -d example.com -d *.example.com

3.    You receive a prompt to verify that you own the specified domain by adding TXT records to the DNS records for your domain. Let's Encrypt provides either a single or multiple TXT records that you must use for verification.

4.    When you see a TXT record in the screen, first add the provided record in your domain's DNS. DO NOT PRESS ENTER until you confirm that the TXT record is propagated to internet DNS. Also, DO NOT PRESS CTRL+D as it will terminate the current screen session.

5.    To confirm the TXT record has been propagated to internet DNS, look it up at DNS Text Lookup. Enter the following text into the text box and choose TXT Lookup to run the check. Be sure to replace example.com with your domain.

_acme-challenge.example.com

6.    If your TXT records have propagated to the internet’s DNS, you see the TXT record value in the page. You can now go back to the screen and press ENTER.

Note: If you're removed from the shell, use the command screen -r SESSIONID to get back in. Get the Session ID by running the screen -ls command.

7.    If the Certbot prompt asks you to add another TXT record, complete steps 4 -7 again.

8.    After the SSL certificate generates successfully, you receive the message "Successfully received certificate". The certificate and key file locations are also provided. Save these file locations to a notepad for use in the next step.

9.    Only the certificate installation and renewal setup is completed. You still must configure your web server to use this certificate and setup HTTPS redirection. This configuration varies and depends on the web server setup you have in your instance. Refer to your web service documentation for instructions on completing these steps.


Did this article help?


Do you need billing or technical support?