Last week I posted a short tutorial on how to bootstrap a new blog using Amazon Lightsail. This week I will show how you can easily configure a free Let’s Encrypt certificate for your WordPress blog.
Why do I need an SSL certificate?
An SSL certificate encrypts the connection between your reader’s browser and your server. The user’s browser is also able to verify that a trusted certificate authority signed your SSL certificate.
Technically you don’t need an SSL certificate for your blog if your users will only be reading posts and won’t be transmitting any sensitive data, like passwords, over the connection.
If you don’t have an SSL certificate, though, most browsers will warn your users that your website is “Not Secure”. This warning might make your visitors uncomfortable or scare them off completely. It also comes across as unprofessional and crude.
Why Let’s Encrypt?
Let’s Encrypt is a nonprofit Certificate Authority provided by the Internet Security Research Group. They aim to give people access to free digital certificates in order to secure as much of the web as possible.
Amazon does provide free SSL certificates via the Amazon Certificate Manager, but you can only use those certificates through supported Amazon services like Elastic Load Balancers, CloudFront and API Gateway. If your blog is still small and your traffic volumes are low, then you probably don’t want to fork out $16 or more per month for a load balancer.
Create your SSL certificate using Certbot
Certbot is a free tool that enables you to easily install and configure a Let’s Encrypt SSL certificate on manually-administered websites.
To use Certbot, you have to SSH to your server. If you followed my previous post and your server is an Amazon Lightsail WordPress instance, then you can use the browser-based SSH from the Lightsail console and follow the steps below. If you’re running a website using other software on a different system, then head over to the Certbot instructions instead, which give detailed information on how to configure your server.
Once you have SSH’d over to your Lightsail WordPress instance, run the following commands to install Certbot:
sudo apt-get update
sudo apt-get install software-properties-common
sudo apt-get update -y
sudo apt-get install certbot -y
Once Certbot has been installed, create an environment variable with your specific domain (replace example.com in the command below):
export DOMAIN=example.com
Next, run the following command to create your certificate:
sudo certbot -d $DOMAIN -d *.$DOMAIN --manual --preferred-challenges dns certonly
Certbot will prompt you to enter your email address, accept the terms and conditions, and acknowledge that your IP address will be logged. You have to accept these terms to create a certificate. Next, Certbot will ask you to prove that you own the domain you specified by adding TXT records to your DNS zone.
Navigate to the Networking tab on the Lightsail console and click on your DNS zone. Click on Add record, choose TXT record from the dropdown and fill in the details provided by Certbot. In my case, the subdomain was _acme-challenge, and the response was a long alphanumeric string. Click the green tick button, wait a couple of seconds and then head over to mxtoolbox to verify that the TXT record has propagated. Enter the full domain (e.g. _acme-challenge.example.com) into the textbox and hit TXT Lookup.
If you see your TXT record in the response, then return to the Certbot terminal and hit Enter. You might be prompted to add one or two more TXT records until Certbot is satisfied. Do not remove the previous TXT records, even though the subdomains will be the same.
Certbot will now create your certificates on the server, under /etc/letsencrypt/live/$DOMAIN/ (the privkey.pem and fullchain.pem files used in the next section).
Note the expiry date and renewal instructions. Let’s Encrypt certificates are valid for 90 days, and you should renew them before they expire.
Create symlinks in your Apache server directory
In the same SSH session, run the following command to stop your web server:
sudo /opt/bitnami/ctlscript.sh stop
Ensure your DOMAIN environment variable is still set by running `echo $DOMAIN`, otherwise, set it again using the export command shown earlier.
Run the following commands one after the other, which will back up any existing certificates and create symlinks for the new certificates:
sudo mv /opt/bitnami/apache2/conf/server.crt /opt/bitnami/apache2/conf/server.crt.old
sudo mv /opt/bitnami/apache2/conf/server.key /opt/bitnami/apache2/conf/server.key.old
sudo mv /opt/bitnami/apache2/conf/server.csr /opt/bitnami/apache2/conf/server.csr.old
sudo ln -s /etc/letsencrypt/live/$DOMAIN/privkey.pem /opt/bitnami/apache2/conf/server.key
sudo ln -s /etc/letsencrypt/live/$DOMAIN/fullchain.pem /opt/bitnami/apache2/conf/server.crt
Start your web server again, using the following command:
sudo /opt/bitnami/ctlscript.sh start
While you’re still in the SSH shell, run the following commands to make two files writeable so they can be updated by the WordPress plugin used in the next step (wp-config.php holds your database credentials, so restore its original permissions once the plugin has finished writing to it):
sudo chmod 666 /opt/bitnami/apps/wordpress/htdocs/wp-config.php
sudo chmod 666 /opt/bitnami/apps/wordpress/conf/htaccess.conf
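Before moving on to the WordPress plugin, it is worth checking on the server that the certificate Apache now points at is the one you expect. The script below is an added example, not part of the original post or of Bitnami/Certbot: it assumes the Bitnami paths used above, that openssl is installed, and that it is run with sudo so it can read the private key.

```shell
#!/bin/sh
# Added sanity check for the symlinked Let's Encrypt certificate (not from the post).
# Assumes the Bitnami paths used above and that openssl is on the PATH.
# Run as root (sudo) because privkey.pem is only readable by root.

# 1. The public key inside the certificate must match the private key,
#    otherwise Apache will not start or keeps serving the old self-signed cert.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# 2. The certificate's Subject Alternative Names must cover the blog's hostname;
#    browsers ignore the CN, so a cert without the right SAN still shows "Not Secure".
cert_covers_domain() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -F -q "DNS:$2"
}

# 3. Let's Encrypt certificates last 90 days. -checkend returns non-zero when the
#    cert expires within the given number of seconds, so this can run from cron
#    as a renewal reminder before visitors see an expired-certificate error.
cert_not_expiring() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Runs all three checks; prints one line per result, returns non-zero on any failure.
check_installed_cert() {
    cert=$1; key=$2; domain=$3; warn_days=${4:-30}; rc=0
    if key_matches_cert "$cert" "$key"; then echo "ok: key matches certificate"
    else echo "FAIL: private key does not match certificate"; rc=1; fi
    if cert_covers_domain "$cert" "$domain"; then echo "ok: certificate covers $domain"
    else echo "FAIL: certificate does not list $domain"; rc=1; fi
    if cert_not_expiring "$cert" "$warn_days"; then echo "ok: more than $warn_days days left"
    else echo "FAIL: certificate expires within $warn_days days (renew now)"; rc=1; fi
    return $rc
}

# Usage on the Lightsail instance (DOMAIN as exported earlier):
#   sudo sh check_cert.sh /opt/bitnami/apache2/conf/server.crt \
#       /opt/bitnami/apache2/conf/server.key "$DOMAIN"
if [ "$#" -ge 3 ]; then
    check_installed_cert "$@"
fi
```

Because the symlinks point at the live certificate, the same script reports correctly after every renewal, so the expiry check is the one to keep in cron.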
Configure WordPress to serve your SSL certificate
The easiest way to configure an SSL certificate in WordPress is to use the Really Simple SSL plugin. Log into your WordPress admin console and navigate to Plugins.
Click on Add new and search for Really Simple SSL. Click on Install Now and once it is installed, click on Activate. If prompted, click on Go ahead, activate SSL.
You are now encrypted
If everything went according to plan, once you refresh your browser, you should see the “Not Secure” warning replaced by a lock icon. If you click on the lock icon, you can view the certificate details, the expiry date and the root Certificate Authority.
Congrats, you are now encrypted!