How do I install an SSL certificate on a Bitnami stack hosted on Amazon Lightsail?

Last updated: 2020-04-03

How do I install an SSL certificate on a Bitnami stack hosted on Amazon Lightsail?

Short Description

You can generate a free Let's Encrypt SSL certificate using the Lego client. For more information on Let's Encrypt and the Lego client, see the Let's Encrypt client and ACME library on the GitHub website.


Create a Lightsail instance

1.    Open the Lightsail console, and then select Create instance.

2.    Choose Linux for the platform, choose WordPress for the blueprint, and then choose Create instance.

3.    Create a static IP address and attach it to the instance. In the following example, is the static IP address.

4.    Create an Address (A) record and point it from the domain to the IP.

5.    Run a DNS lookup with the host command to confirm that the domain is mapped to the static IP:

$ host has address

6.    Enter your domain in a web browser and verify that it's accessible only through HTTP and not HTTPS.

Run the Bitnami HTTPS Configuration Tool

The Bitnami HTTPS Configuration Tool is included in the /opt/bitnami/letsencrypt/directory on Bitnami Stacks released after May 10th, 2019. The tool automatically performs the following procedures:

Configures HTTPS certificates on Bitnami stacks
Creates automatic certificate renewals
Sets up HTTP to HTTPS redirections

Run the following command to launch the Bitnami HTTPS Configuration Tool:

sudo /opt/bitnami/bncert-tool

For more information on using this tool or to download the tool, see Learn About The Bitnami HTTPS Configuration Tool on the Bitnami documentation website.

(Optional) Manually generate and configure Let's Encrypt certificates

If you don't have the Bitnami HTTPS Configuration tool installed or are missing the /opt/bitnami/letsencrypt/directory, you can manually generate and configure Let's Encrypt certificates.

For instructions on manually creating and configuring Let's Encrypt certificates, see Generate and Install a Let's Encrypt SSL Certificate for a Bitnami Application - Alternative Approach on the Bitnami Documentation website.

Note: Let's Encrypt SSL certificates are generated by the Lego client. Older Bitnami versions might not have the client installed. Verify if the Lego client is installed by searching the /opt/bitnami/letsencrypt/ directory:

ls -l /opt/bitnami/letsencrypt/
total 29244
-rwxr-xr-x 1 root root 29940480 Apr 18 18:42 lego
drwxr-xr-x 2 root root   4096 Apr 30 10:44 scripts

(Optional) Manually Configure HTTP to HTTPS redirection

To force HTTP to HTTPS redirection, edit the virtual host portion of the Apache configuration file. For Bitnami WordPress images, this file is located at /opt/bitnami/apache2/conf/bitnami/bitnami.conf.

1.    Edit the Apache configuration to include the following lines:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]

The following is an example of the edited Apache configuration:

$ sudo vi /opt/bitnami/apache2/conf/bitnami/bitnami.conf
  DocumentRoot "/opt/bitnami/apache2/htdocs"
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]

2.    Restart the Bitnami services for the changes to take effect:

$ sudo /opt/bitnami/ restart
Syntax OK
/opt/bitnami/apache2/scripts/ : httpd stopped
/opt/bitnami/php/scripts/ : php-fpm stopped
/opt/bitnami/mysql/scripts/ : mysql stopped
/opt/bitnami/mysql/scripts/ : mysql  started at port 3306
/opt/bitnami/php/scripts/ : php-fpm started
Syntax OK
/opt/bitnami/apache2/scripts/ : httpd started at port 80

From the command line you can confirm that HTTP to HTTPS redirection is working by using the following command:

$ curl -Ilkv
* Rebuilt URL to:
*   Trying
* Connected to ( port 80 (#0)
> HEAD / HTTP/1.1
> Host:
> User-Agent: curl/7.53.1
> Accept: */*
< HTTP/1.1 302 Found
HTTP/1.1 302 Found
< Date: Thu, 20 Jun 2019 14:53:04 GMT
Date: Thu, 20 Jun 2019 14:53:04 GMT
< Server: Apache
Server: Apache
< X-Frame-Options: SAMEORIGIN
X-Frame-Options: SAMEORIGIN
< Location:
< Content-Type: text/html; charset=iso-8859-1
Content-Type: text/html; charset=iso-8859-1
* Connection #0 to host left intact

Did this article help you?

Anything we could improve?

Need more help?