Today, I set up a WordPress instance on Amazon Lightsail. It’s a nifty little service that allows you to very easily launch and manage a virtual private server with AWS. You can find more information about Lightsail here. Helpfully, this same article also guides you in launching a WordPress instance.

Lightsail’s WordPress instance comes with automatically-generated dummy (self-signed) SSL/TLS certificates. That means that when I try to access my website using HTTPS, I get a certificate warning. Not great.

Luckily, there’s a great complementary service called Let’s Encrypt which can help solve this issue. Let’s Encrypt is a free, automated and open certificate authority. We’ll use it to generate valid certificates for our new WordPress instance.

Follow these instructions:

1. Get your WordPress instance running on Lightsail.

2. Forward your domain to the instance’s public IP. For example, for the domain example.com this usually means an A DNS record for example.com and a CNAME DNS record for www.example.com to example.com.

3. Verify that your website is accessible via HTTP and HTTPS. You’ll get a warning about the HTTPS certificate.

4. SSH into your instance.

5. Create a temporary directory:

       mkdir tmp
       cd tmp

6. Install certbot as explained here:

       wget https://dl.eff.org/certbot-auto
       chmod a+x certbot-auto

7. Create a .well-known directory in the WordPress htdocs directory:

       mkdir /home/bitnami/apps/wordpress/htdocs/.well-known

8. Create a .htaccess file in that directory:

       touch /home/bitnami/apps/wordpress/htdocs/.well-known/.htaccess

9. Add the following contents to the .htaccess file, to make the .well-known directory accessible:

       #
       # Override overly protective .htaccess in webroot
       #
       RewriteEngine On
       Satisfy Any

   You can edit the file using nano or vi, e.g.:

       vi /home/bitnami/apps/wordpress/htdocs/.well-known/.htaccess

10. Run certbot. Make sure you configure everything as expected and input a real email address when required:

        ./certbot-auto certonly --webroot -w /home/bitnami/apps/wordpress/htdocs/ -d example.com -d www.example.com

    Of course, change example.com to the name of your domain. If all executes as expected, you’ll see a message congratulating you for successfully acquiring the certificates you required.

11. Next, edit the Apache configuration file, as explained here:

        sudo vi /opt/bitnami/apache2/conf/bitnami/bitnami.conf

12. Comment out (by adding a # at the beginning of the line) the following lines:

        #SSLCertificateFile "/opt/bitnami/apache2/conf/server.crt"
        #SSLCertificateKeyFile "/opt/bitnami/apache2/conf/server.key"

    Add the following lines below:

        # Let's Encrypt
        SSLCertificateFile "/etc/letsencrypt/live/example.com/fullchain.pem"
        SSLCertificateKeyFile "/etc/letsencrypt/live/example.com/privkey.pem"
        SSLCACertificateFile "/etc/letsencrypt/live/example.com/fullchain.pem"

    Of course, change example.com to the name of your domain.

13. Finally, restart Apache:

        sudo /opt/bitnami/ctlscript.sh restart apache

    You should see the following output:

        Unmonitored apache
        Syntax OK
        /opt/bitnami/apache2/scripts/ctl.sh : httpd stopped
        Syntax OK
        /opt/bitnami/apache2/scripts/ctl.sh : httpd started at port 80
        Monitored apache

Done! You can check to see whether the correct certificate appears when you access your website at http://www.example.com

Note that Let’s Encrypt certificates expire after 90 days. As explained here, you can either manually renew the certificates every 90 or so days (simply by executing steps 10 and 13), or add a cron job that automatically does this for you.
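
One way to write the cron job mentioned above, as an added example that is not part of the original post or of the Bitnami or certbot documentation: it runs `certbot-auto renew` and restarts Apache only when the certificate file has actually changed. The certbot-auto location, the script name and the crontab schedule are assumptions; the Apache and Let’s Encrypt paths are the ones used in the steps above.

```shell
#!/bin/sh
# Added example: renewal job combining step 10 (certbot) and step 13 (restart).
# Assumptions: certbot-auto is in /home/bitnami/tmp (the directory from step 5),
# the script is saved as /home/bitnami/renew-cert.sh (hypothetical name) and is
# run from root's crontab, e.g. weekly:
#   17 3 * * 1 /home/bitnami/renew-cert.sh --run
CERTBOT="${CERTBOT:-/home/bitnami/tmp/certbot-auto}"
CTLSCRIPT="${CTLSCRIPT:-/opt/bitnami/ctlscript.sh}"
DOMAIN="${DOMAIN:-example.com}"   # change to the name of your domain
CERT="${CERT:-/etc/letsencrypt/live/$DOMAIN/fullchain.pem}"

# Print a checksum of the certificate Apache serves (nothing if unreadable).
cert_sum() {
    if [ -r "$CERT" ]; then cksum < "$CERT"; fi
}

# Renew, then restart Apache only if the certificate file actually changed.
# Returns 0 on success (renewed or not yet due), 1 if certbot failed,
# 2 if the certificate was renewed but Apache did not restart.
renew_and_reload() {
    before=$(cert_sum)
    if ! "$CERTBOT" renew --quiet; then
        echo "certbot renew failed; Apache left untouched" >&2
        return 1
    fi
    after=$(cert_sum)
    if [ "$before" = "$after" ]; then
        return 0    # certificate not yet due for renewal
    fi
    if ! "$CTLSCRIPT" restart apache; then
        echo "certificate renewed but Apache restart failed" >&2
        return 2
    fi
    echo "certificate renewed, Apache restarted"
}

# Only act when called with --run, so the functions can be sourced and tested.
if [ "${1:-}" = "--run" ]; then
    renew_and_reload
fi
```

Because `certbot renew` only replaces certificates that are close to expiry, running the job far more often than every 90 days is safe, and the non-zero exit codes let cron's mail or your monitoring flag a failed renewal before the certificate lapses.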