For information about how to install a different instance blueprint or a standard certificate, see the following AWS Knowledge Center articles:
The steps to install a wildcard Let's Encrypt SSL certificate on a Bitnami-hosted Lightsail instance depend on the DNS provider that your domain uses. Check whether your DNS provider is listed in DNS providers on the Lego website. If it is, use the Lego method: Lego completes the DNS challenge automatically through the provider's API. If it isn't, use the Certbot method, which requires you to add the DNS TXT records manually. Then, follow the steps for the method that you chose:
Bitnami provides the bncert-tool and the Lego tool. The Lego tool supports the creation of wildcard SSL certificates. The bncert-tool doesn't. Let's Encrypt issues wildcard certificates only through the DNS challenge, which is why both methods on this page prove control of the domain with a DNS TXT record.
To use the Lego tool to install a wildcard Let's Encrypt SSL certificate, complete the following steps:
-
Create an AWS Identity and Access Management (IAM) user with programmatic access. Lego uses these credentials to create and delete the _acme-challenge TXT records for the DNS challenge. Anyone who obtains the credentials can change your DNS records, so grant only the permissions that Lego needs. To determine the required IAM user permissions, see IAM policy examples on the Lego website.
-
To create the /root/.aws directory and open the file /root/.aws/credentials in the nano editor, run the following commands:
sudo mkdir /root/.aws
sudo nano /root/.aws/credentials
-
Enter the following lines on the credentials file:
[default]
aws_access_key_id = AKIA************E
aws_secret_access_key = 1yop**************************l
region = us-east-1
Note: Replace aws_access_key_id and aws_secret_access_key with your values. Replace us-east-1 with the AWS Region of your Lightsail instance. The file holds a long-term secret that can change your DNS records. It's protected by the /root directory, which only root can enter; restrict the file itself to owner-only permissions as well, and don't copy it to a location that other users can read, such as the bitnami user's home directory.
-
To save the file, press Ctrl + X, then y, and then Enter.
-
If your Bitnami instance doesn't include the /opt/bitnami/letsencrypt/ directory, then run the following commands to manually install the Lego client. The xenolf/lego repository on GitHub is now go-acme/lego; the old name redirects there. Because the binary runs as root with access to your DNS credentials, verify the downloaded archive against the checksum file that is published with the same release before you move the binary into place:
cd /tmp
curl -Ls https://api.github.com/repos/xenolf/lego/releases/latest | grep browser_download_url | grep linux_amd64 | cut -d '"' -f 4 | wget -i - -O lego.tar.gz
tar xzf lego.tar.gz
sudo mkdir -p /opt/bitnami/letsencrypt
sudo mv lego /opt/bitnami/letsencrypt/lego
-
To create a wildcard Let's Encrypt certificate on the server, run the following command based on the name servers that your domain uses:
Route 53 name servers:
sudo /opt/bitnami/letsencrypt/lego --email="EMAIL-ADDRESS" --domains="DOMAIN" --domains="*.DOMAIN" --dns route53 --path="/opt/bitnami/letsencrypt" run
Lightsail name servers:
sudo DNS_ZONE=DOMAIN /opt/bitnami/letsencrypt/lego --email="EMAIL-ADDRESS" --domains="DOMAIN" --domains="*.DOMAIN" --dns lightsail --path="/opt/bitnami/letsencrypt" run
Note: Replace EMAIL-ADDRESS with the email address that should receive expiry notices from Let's Encrypt. Replace DOMAIN with your domain name. On the first run, Lego prompts you to accept the Let's Encrypt terms of service and stores the account key under the --path directory. Keep DOMAIN as the first --domains value: Lego names the output files after the first domain, and a wildcard as the first domain would produce _.DOMAIN.crt instead.
The SSL certificate and private key are generated in the following locations: /opt/bitnami/letsencrypt/certificates/DOMAIN.crt and /opt/bitnami/letsencrypt/certificates/DOMAIN.key. The .crt file contains the server certificate followed by the issuer chain, so it can be used directly as the server certificate.
-
To stop the Bitnami stack services, run the following command:
sudo /opt/bitnami/ctlscript.sh stop
-
Link the SSL certificate and key file to the locations that your web server currently reads. Approach A applies when the configuration reads the certificate from the conf/bitnami/certs/ directory; Approach B applies to older stacks that read it from the conf/ directory. Check which path your configuration references (SSLCertificateFile for Apache, ssl_certificate for NGINX) before you run the commands for your server and approach:
Apache, Approach A
sudo mv /opt/bitnami/apache2/conf/bitnami/certs/server.crt /opt/bitnami/apache2/conf/bitnami/certs/server.crt.old
sudo mv /opt/bitnami/apache2/conf/bitnami/certs/server.key /opt/bitnami/apache2/conf/bitnami/certs/server.key.old
sudo ln -sf /opt/bitnami/letsencrypt/certificates/DOMAIN.key /opt/bitnami/apache2/conf/bitnami/certs/server.key
sudo ln -sf /opt/bitnami/letsencrypt/certificates/DOMAIN.crt /opt/bitnami/apache2/conf/bitnami/certs/server.crt
Apache, Approach B
sudo mv /opt/bitnami/apache2/conf/server.crt /opt/bitnami/apache2/conf/server.crt.old
sudo mv /opt/bitnami/apache2/conf/server.key /opt/bitnami/apache2/conf/server.key.old
sudo mv /opt/bitnami/apache2/conf/server.csr /opt/bitnami/apache2/conf/server.csr.old
sudo ln -sf /opt/bitnami/letsencrypt/certificates/DOMAIN.key /opt/bitnami/apache2/conf/server.key
sudo ln -sf /opt/bitnami/letsencrypt/certificates/DOMAIN.crt /opt/bitnami/apache2/conf/server.crt
NGINX, Approach A
sudo mv /opt/bitnami/nginx/conf/bitnami/certs/server.crt /opt/bitnami/nginx/conf/bitnami/certs/server.crt.old
sudo mv /opt/bitnami/nginx/conf/bitnami/certs/server.key /opt/bitnami/nginx/conf/bitnami/certs/server.key.old
sudo ln -sf /opt/bitnami/letsencrypt/certificates/DOMAIN.key /opt/bitnami/nginx/conf/bitnami/certs/server.key
sudo ln -sf /opt/bitnami/letsencrypt/certificates/DOMAIN.crt /opt/bitnami/nginx/conf/bitnami/certs/server.crt
NGINX, Approach B
sudo mv /opt/bitnami/nginx/conf/server.crt /opt/bitnami/nginx/conf/server.crt.old
sudo mv /opt/bitnami/nginx/conf/server.key /opt/bitnami/nginx/conf/server.key.old
sudo mv /opt/bitnami/nginx/conf/server.csr /opt/bitnami/nginx/conf/server.csr.old
sudo ln -sf /opt/bitnami/letsencrypt/certificates/DOMAIN.key /opt/bitnami/nginx/conf/server.key
sudo ln -sf /opt/bitnami/letsencrypt/certificates/DOMAIN.crt /opt/bitnami/nginx/conf/server.crt
Note: For the preceding commands, replace DOMAIN with your domain name.
-
To start the Bitnami stack services, run the following command:
sudo /opt/bitnami/ctlscript.sh start
-
To automate certificate renewal, run the following command to open the crontab editor for the bitnami user:
sudo crontab -e -u bitnami
Note: Let's Encrypt certificates are valid for 90 days. The cron entries below run daily; lego renew renews the certificate only when fewer than 30 days remain (the default for its --days option) and otherwise exits without renewing, so the daily schedule is safe. The web server is reloaded only when lego exits successfully; check /var/log/letsencrypt.log if the certificate doesn't renew.
-
Enter the following line on the crontab file, and then save the file:
Apache
0 0 * * * sudo /opt/bitnami/letsencrypt/lego --path /opt/bitnami/letsencrypt --email="EMAIL-ADDRESS" --domains="DOMAIN" --domains="*.DOMAIN" --dns DNS renew >> /var/log/letsencrypt.log 2>&1 && sudo /opt/bitnami/apache/bin/httpd -f /opt/bitnami/apache/conf/httpd.conf -k graceful
Nginx
0 0 * * * sudo /opt/bitnami/letsencrypt/lego --path /opt/bitnami/letsencrypt --email="EMAIL-ADDRESS" --domains="DOMAIN" --domains="*.DOMAIN" --dns DNS renew >> /var/log/letsencrypt.log 2>&1 && sudo /opt/bitnami/nginx/sbin/nginx -c /opt/bitnami/nginx/conf/nginx.conf -s reload
Note: Replace EMAIL-ADDRESS, DOMAIN, and DNS (route53 or lightsail, matching the provider that you used in the run command) with your values. For Lightsail name servers, also add DNS_ZONE=DOMAIN before the lego command, as in the run step. The renew command must use the same --path, domains, and provider as the original run so that Lego finds the existing account and certificate. The reload commands refer to /opt/bitnami/apache, whereas the symlink steps use /opt/bitnami/apache2; on current Bitnami images one is a symbolic link to the other. If your instance has only one of these directories, use that path consistently.
-
Set up HTTPS redirection. For more information, see Force HTTPS redirection with Apache and Force HTTPS redirection with NGINX on the Bitnami website.
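The following script, added here as an example and not code from the AWS article or from the Lego project, verifies the result of the steps above: that the credentials file and private key aren't readable by other users, that the certificate matches the key and covers both DOMAIN and *.DOMAIN, that more than 30 days of validity remain, and that the path your web server configuration actually reads is a symbolic link to the Lego certificate (which also tells Approach A from Approach B). It assumes OpenSSL 1.1.1 or later and readlink on PATH and the Bitnami directory layout used above; the *.conf globs it searches for the SSLCertificateFile or ssl_certificate directive are an assumption. The same checks apply to the Certbot output files (fullchain.pem and privkey.pem) later on this page.

```shell
#!/bin/sh
# Added example, not part of the AWS article or of Lego: post-issuance checks
# for a wildcard certificate on a Bitnami stack. Assumes OpenSSL 1.1.1+ and
# readlink. Default paths are the article's; the *.conf globs are an assumption.

# Return 0 if the certificate's public key matches the private key.
check_cert_matches_key() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if NAME (for example '*.example.com') is listed in the SAN extension.
# The SAN line is split on commas so that a bare 'example.com' does not match
# 'www.example.com' or 'example.com.evil' by substring.
check_cert_covers() {
    openssl x509 -noout -text -in "$1" 2>/dev/null \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qxF -- "DNS:$2"
}

# Return 0 if the certificate is still valid DAYS days from now. lego renew
# only acts when fewer than 30 days remain, so 30 is the useful threshold.
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1
}

# Return 0 if FILE exists and is not readable by group or others (0600 or
# stricter). Use it on the private key and on /root/.aws/credentials.
check_private_perms() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Return 0 if LINK is a symbolic link whose target is exactly TARGET.
check_link_target() {
    [ -L "$1" ] && [ "$(readlink "$1")" = "$2" ]
}

# Print the certificate path the web server configuration reads (Apache
# SSLCertificateFile or NGINX ssl_certificate), first match only. Commented
# lines don't match; ssl_certificate_key and SSLCertificateKeyFile are skipped.
configured_cert_path() {
    grep -hE '^[[:space:]]*(SSLCertificateFile|ssl_certificate)[[:space:]]' "$@" 2>/dev/null \
        | sed -E 's/^[[:space:]]*(SSLCertificateFile|ssl_certificate)[[:space:]]+"?([^";]*)"?;?.*$/\2/' \
        | head -n 1
}

# Run every check for DOMAIN. Usage: sudo sh lego-check.sh example.com [/opt/bitnami/letsencrypt]
verify_lego_setup() {
    domain=$1; dir=${2:-/opt/bitnami/letsencrypt}
    cert="$dir/certificates/$domain.crt"; key="$dir/certificates/$domain.key"; rc=0
    check_private_perms /root/.aws/credentials || { echo "FAIL: /root/.aws/credentials is missing or readable by others"; rc=1; }
    check_private_perms "$key" || { echo "FAIL: $key is missing or readable by others"; rc=1; }
    check_cert_matches_key "$cert" "$key" || { echo "FAIL: $cert does not match $key"; rc=1; }
    for name in "$domain" "*.$domain"; do
        check_cert_covers "$cert" "$name" || { echo "FAIL: $cert does not cover $name"; rc=1; }
    done
    cert_valid_for_days "$cert" 30 || { echo "FAIL: $cert expires within 30 days; run lego renew"; rc=1; }
    # Assumed search locations for the SSL directive on Bitnami Apache and NGINX stacks.
    configured=$(configured_cert_path /opt/bitnami/apache2/conf/bitnami/*.conf /opt/bitnami/nginx/conf/bitnami/*.conf)
    if [ -n "$configured" ]; then
        check_link_target "$configured" "$cert" \
            || { echo "FAIL: $configured (the path your web server reads) is not a link to $cert"; rc=1; }
    else
        echo "WARN: no SSLCertificateFile/ssl_certificate directive found; confirm Approach A vs B by hand"
    fi
    [ "$rc" -eq 0 ] && echo "OK: $domain"
    return "$rc"
}

[ $# -eq 0 ] || verify_lego_setup "$@"
```

Run it as root after the start step, for example sudo sh lego-check.sh example.com. A non-zero exit status means at least one check failed and names the offending file.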
To use the Certbot package to install a wildcard Let's Encrypt SSL certificate, complete the following steps:
-
Start a GNU Screen session. Adding TXT records at the domain's DNS provider takes time, and an SSH session can time out while you wait. Running the commands in Screen keeps the Certbot session alive. To start a Screen session, run the following command:
screen -S letsencrypt
-
To start Certbot interactive mode, run the following command:
sudo certbot certonly --manual --preferred-challenges dns -d example.com -d '*.example.com'
Note: Replace example.com with your value. Keep the quotes around the wildcard so that the shell doesn't expand it as a file name pattern.
If you receive an error response, such as "bash: certbot: command not found", then you might need to add /snap/bin to your PATH environment variable. First, enter "exit" and press Enter, or press Ctrl + D, to exit from the screen session. Then, edit /etc/environment, and add /snap/bin to the PATH list. Log out and log back in, or restart the instance, so that the change takes effect. To confirm that there's no longer an error, run the following command:
certbot -h
-
Copy the TXT records that Let’s Encrypt provides. Let's Encrypt provides either a single or multiple TXT records that you must use for verification.
-
Add the provided record in your domain's DNS.
Important: Don't press Enter until you confirm that the TXT record is propagated to the internet DNS. Also, don't press Ctrl + D because this action terminates the screen session.
-
To confirm that the record was propagated, look up the TXT record at DNS text lookup on the MxToolbox website:
_acme-challenge.example.com
Note: Replace example.com with your value.
If your TXT records are propagated, then you see the TXT record value on the page. Return to the previous screen, and press Enter.
-
If you're removed from the shell, then run the following command to return to the shell:
screen -r SESSIONID
Note: Run the screen -ls command to get the session ID.
-
(Optional) If you're prompted, repeat the preceding steps to add another TXT record.
Note: Both example.com and *.example.com are validated at the same name, _acme-challenge.example.com, so the second value belongs to the same TXT record as the first. If you use Route 53 as your DNS provider, don't create a second record with the same name. Instead, edit the existing TXT record, and add the new value that Certbot provides on a new row, one value per row.
-
Note the file locations of the SSL certificate and key file that Certbot prints after the message "Successfully received certificate" (under /etc/letsencrypt/live/DOMAIN/ by default, as used in the next step). Because the certificate was issued with the --manual plugin and no authentication hook, certbot renew can't renew it unattended: repeat these steps before the certificate expires. Let's Encrypt certificates are valid for 90 days.
-
To configure your web server to use the certificate, run the following commands based on your server and approach:
Apache, Approach A
sudo /opt/bitnami/ctlscript.sh stop
sudo mv /opt/bitnami/apache2/conf/bitnami/certs/server.crt /opt/bitnami/apache2/conf/bitnami/certs/server.crt.old
sudo mv /opt/bitnami/apache2/conf/bitnami/certs/server.key /opt/bitnami/apache2/conf/bitnami/certs/server.key.old
sudo ln -sf /etc/letsencrypt/live/DOMAIN/privkey.pem /opt/bitnami/apache2/conf/bitnami/certs/server.key
sudo ln -sf /etc/letsencrypt/live/DOMAIN/fullchain.pem /opt/bitnami/apache2/conf/bitnami/certs/server.crt
sudo /opt/bitnami/ctlscript.sh start
Apache, Approach B
sudo /opt/bitnami/ctlscript.sh stop
sudo mv /opt/bitnami/apache2/conf/server.crt /opt/bitnami/apache2/conf/server.crt.old
sudo mv /opt/bitnami/apache2/conf/server.key /opt/bitnami/apache2/conf/server.key.old
sudo ln -sf /etc/letsencrypt/live/DOMAIN/privkey.pem /opt/bitnami/apache2/conf/server.key
sudo ln -sf /etc/letsencrypt/live/DOMAIN/fullchain.pem /opt/bitnami/apache2/conf/server.crt
sudo /opt/bitnami/ctlscript.sh start
NGINX, Approach A
sudo /opt/bitnami/ctlscript.sh stop
sudo mv /opt/bitnami/nginx/conf/bitnami/certs/server.crt /opt/bitnami/nginx/conf/bitnami/certs/server.crt.old
sudo mv /opt/bitnami/nginx/conf/bitnami/certs/server.key /opt/bitnami/nginx/conf/bitnami/certs/server.key.old
sudo ln -sf /etc/letsencrypt/live/DOMAIN/privkey.pem /opt/bitnami/nginx/conf/bitnami/certs/server.key
sudo ln -sf /etc/letsencrypt/live/DOMAIN/fullchain.pem /opt/bitnami/nginx/conf/bitnami/certs/server.crt
sudo /opt/bitnami/ctlscript.sh start
NGINX, Approach B
sudo /opt/bitnami/ctlscript.sh stop
sudo mv /opt/bitnami/nginx/conf/server.crt /opt/bitnami/nginx/conf/server.crt.old
sudo mv /opt/bitnami/nginx/conf/server.key /opt/bitnami/nginx/conf/server.key.old
sudo ln -sf /etc/letsencrypt/live/DOMAIN/privkey.pem /opt/bitnami/nginx/conf/server.key
sudo ln -sf /etc/letsencrypt/live/DOMAIN/fullchain.pem /opt/bitnami/nginx/conf/server.crt
sudo /opt/bitnami/ctlscript.sh start
Note: For the preceding commands, replace DOMAIN with your domain name.
-
Set up HTTPS redirection. For more information, see Force HTTPS redirection with Apache and Force HTTPS redirection with NGINX on the Bitnami website.
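A small poller, added here as an example and not part of the AWS article or of Certbot, for the wait between adding the TXT record and pressing Enter in the Certbot steps above. It queries a resolver outside your own DNS cache until the exact token that Certbot displayed is visible at _acme-challenge.DOMAIN, and it handles the Route 53 case from the earlier note, where one record name carries several values. It assumes dig is installed; the default resolver address 1.1.1.1 is an assumption, and you can pass another as the fifth argument.

```shell
#!/bin/sh
# Added example, not part of the AWS article or of Certbot: wait until the
# _acme-challenge TXT value is visible from a public resolver before you press
# Enter. Assumes dig is installed. The resolver 1.1.1.1 is an assumption.

# Read `dig +short TXT` output on stdin and print one value per line with the
# quotes removed. A record name with several values yields several lines; a
# long value that dig splits into quoted chunks ("a" "b") is joined back.
txt_values() {
    sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# Return 0 if VALUE is exactly one of the TXT values read on stdin.
# Exact match: a prefix of the token is not good enough for Let's Encrypt.
txt_contains() {
    txt_values | grep -qxF -- "$1"
}

# Poll NAME every INTERVAL seconds, at most TRIES times, until VALUE appears.
# Usage: wait_for_txt _acme-challenge.example.com 'TOKEN' [tries] [interval] [resolver]
wait_for_txt() {
    name=$1; value=$2; tries=${3:-30}; interval=${4:-20}; resolver=${5:-1.1.1.1}
    n=0
    while [ "$n" -lt "$tries" ]; do
        if dig "@$resolver" +short TXT "$name" | txt_contains "$value"; then
            echo "$name: value is visible via $resolver; safe to press Enter in Certbot"
            return 0
        fi
        n=$((n + 1))
        sleep "$interval"
    done
    echo "$name: value not seen after $tries checks" >&2
    return 1
}

[ $# -lt 2 ] || wait_for_txt "$@"
```

Run it in a second terminal (not in the Screen session that is running Certbot) with the record name and the token Certbot displayed; when it exits 0, return to Screen and press Enter.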