Add a free Let’s Encrypt SSL certificate to your WordPress blog

Last week I posted a short tutorial on how to bootstrap a new blog using Amazon Lightsail. This week I will show how you can easily configure a free Let’s Encrypt certificate for your WordPress blog.

Why do I need an SSL certificate?

An SSL certificate lets your server set up an encrypted connection with your reader’s browser. The browser is also able to verify that a trusted certificate authority signed your certificate.

Technically you don’t need an SSL certificate for your blog if your users will only be reading posts and won’t be transmitting any sensitive data, like passwords, over the connection.

If you don’t have an SSL certificate, though, most browsers will warn your users that your website is “Not Secure”. This warning might make your visitors uncomfortable or scare them off completely. It also comes across as unprofessional and crude.

Why Let’s Encrypt?

Let’s Encrypt is a nonprofit Certificate Authority provided by the Internet Security Research Group. They aim to give people access to free digital certificates in order to secure as much of the web as possible.

Amazon does provide free SSL certificates via the Amazon Certificate Manager, but you can only use those certificates through supported Amazon services like Elastic Load Balancers, CloudFront and API Gateway. If your blog is still small and your traffic volumes are low, then you probably don’t want to fork out $16 or more per month for a load balancer.

Create your SSL certificate using Certbot

Certbot is a free tool that enables you to easily install and configure a Let’s Encrypt SSL certificate on manually-administered websites.

To use Certbot, you have to SSH to your server. If you followed my previous post and your server is an Amazon Lightsail WordPress instance, then you can use the browser-based SSH from the Lightsail console and follow the steps below. If you’re running a website using other software on a different system, then head over to the Certbot instructions instead to find detailed information on how to configure your server.

Once you have SSH’d over to your Lightsail WordPress instance, run the following commands to install Certbot:

sudo apt-get update
sudo apt-get install software-properties-common
sudo apt-get update -y
sudo apt-get install certbot -y

Once Certbot has been installed, create an environment variable with your specific domain (replace example.com in the command below):

export DOMAIN=example.com

Next, run the following command to create your certificate:

sudo certbot -d "$DOMAIN" -d "*.$DOMAIN" --manual --preferred-challenges dns certonly

Certbot will prompt you to enter your email address, accept the terms and conditions and ask you to accept that your IP will be logged. You have to accept these terms to create a certificate. Next, Certbot will ask you to prove that you are the owner of the domain you specified by adding TXT records to your DNS zone.

Navigate to the Networking tab on the Lightsail console and click on your DNS zone. Click on Add record, choose TXT record from the dropdown and fill in the details provided by Certbot. In my case, the subdomain was _acme-challenge, and the response was a long alphanumeric string. Click the green tick button, wait a couple of seconds and then head over to mxtoolbox to verify that the TXT record has propagated. Enter the full domain (e.g. _acme-challenge.example.com) into the textbox and hit TXT Lookup.

If you see your TXT record in the response, then return to the Certbot terminal and hit Enter. You might be prompted to add one or two more TXT records until Certbot is satisfied. Do not remove the previous TXT records, even though the subdomains will be the same.

Certbot will now create your certificates on the server, under /etc/letsencrypt/live/$DOMAIN/.

Note the expiry date and renewal instructions. Let’s Encrypt certificates are valid for 90 days, and you should renew them before they expire.
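Because the certificate above was issued with a manual DNS challenge, `certbot renew` will not complete unattended without an authentication hook, so it pays to check the expiry date regularly. The script below is an added example, not part of the original post; it assumes the openssl command-line tool and GNU date are installed and that DOMAIN is exported as above.

```shell
#!/bin/sh
# Added example (not from the original post): report how many days remain on a
# certificate and exit non-zero when renewal is due, so it can run from cron and
# flag a --manual certificate that will not renew by itself.
# Assumes the openssl CLI and GNU date (for `date -d`).

# Print the number of whole days until the certificate at $1 expires.
cert_days_left() {
    cert="$1"
    [ -r "$cert" ] || { echo "cannot read $cert" >&2; return 2; }
    # openssl prints e.g. "notAfter=Jun 10 12:00:00 2024 GMT"
    end=$(openssl x509 -in "$cert" -noout -enddate | sed 's/^notAfter=//')
    end_epoch=$(date -d "$end" +%s) || return 2
    now_epoch=$(date +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Return 0 if at least $2 days remain (default 30, a third of the 90-day
# lifetime), 1 if renewal is due, 2 if the certificate could not be read.
check_cert_expiry() {
    cert="$1"
    threshold="${2:-30}"
    days=$(cert_days_left "$cert") || return 2
    if [ "$days" -lt "$threshold" ]; then
        echo "RENEW: $cert expires in $days day(s)" >&2
        return 1
    fi
    echo "OK: $cert expires in $days day(s)"
    return 0
}

# Invocation for the layout used in the post (DOMAIN must be exported):
# check_cert_expiry "/etc/letsencrypt/live/$DOMAIN/fullchain.pem" 30
```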

Create symlinks in your Apache server directory

In the same SSH session, run the following command to stop your web server:

sudo /opt/bitnami/ctlscript.sh stop

Ensure your DOMAIN environment variable is still set by running `echo $DOMAIN`; otherwise set it again using the export command shown earlier.

Run the following commands one after the other, which will back up any existing certificates and create symlinks for the new certificates:

sudo mv /opt/bitnami/apache2/conf/server.crt /opt/bitnami/apache2/conf/server.crt.old
sudo mv /opt/bitnami/apache2/conf/server.key /opt/bitnami/apache2/conf/server.key.old
sudo mv /opt/bitnami/apache2/conf/server.csr /opt/bitnami/apache2/conf/server.csr.old
sudo ln -s /etc/letsencrypt/live/$DOMAIN/privkey.pem /opt/bitnami/apache2/conf/server.key
sudo ln -s /etc/letsencrypt/live/$DOMAIN/fullchain.pem /opt/bitnami/apache2/conf/server.crt

Start your web server again, using the following command:

sudo /opt/bitnami/ctlscript.sh start

While you’re still in the SSH shell, run the following commands to make two files writable so they can be updated by the WordPress plugin used in the next step:

sudo chmod 666 /opt/bitnami/apps/wordpress/htdocs/wp-config.php
sudo chmod 666 /opt/bitnami/apps/wordpress/conf/htaccess.conf
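The certificate swap above as a re-runnable function with the checks a straight copy-paste skips (an unset DOMAIN, a missing server.csr, a second run after the symlinks already exist). This is an added example, not part of the original post; the directories are passed in as arguments, and for the Bitnami layout in the post they are /etc/letsencrypt/live/$DOMAIN and /opt/bitnami/apache2/conf.

```shell
#!/bin/sh
# Added example (not from the original post): install Let's Encrypt symlinks
# into the Apache conf directory safely. Usage: link_certs LIVE_DIR CONF_DIR

# Move $1 to $1.old only if it is a real file (server.csr is often absent, and
# on a re-run server.crt/server.key are already our symlinks).
backup_if_present() {
    if [ -e "$1" ] && [ ! -L "$1" ]; then
        mv "$1" "$1.old" || return 1
    fi
}

link_certs() {
    live="$1"; conf="$2"
    [ -n "$live" ] && [ -n "$conf" ] || {
        echo "usage: link_certs LIVE_DIR CONF_DIR" >&2; return 2; }
    # Refuse to proceed when Certbot's output is not where we expect it. With an
    # empty DOMAIN the path becomes /etc/letsencrypt/live//privkey.pem, which
    # would otherwise leave Apache pointing at dangling symlinks.
    for f in fullchain.pem privkey.pem; do
        [ -r "$live/$f" ] || { echo "missing $live/$f" >&2; return 1; }
    done
    for f in server.crt server.key server.csr; do
        backup_if_present "$conf/$f" || return 1
    done
    # -f replaces an existing link, -n keeps ln from descending into it.
    ln -sfn "$live/privkey.pem" "$conf/server.key" || return 1
    ln -sfn "$live/fullchain.pem" "$conf/server.crt" || return 1
    # The private key must never be readable by other users.
    chmod 600 "$live/privkey.pem"
}

# For the post's layout (run as root, after stopping Apache with ctlscript.sh):
# link_certs "/etc/letsencrypt/live/$DOMAIN" /opt/bitnami/apache2/conf
```

Once the plugin in the next step has saved its settings, the two WordPress files made world-writable above can be set back to 644 with the same chmod command.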

Configure WordPress to serve your SSL certificate

The easiest way to configure an SSL certificate in WordPress is to use the Really Simple SSL plugin. Log into your WordPress admin console and navigate to Plugins.

Click on Add new and search for Really Simple SSL. Click on Install Now and once it is installed, click on Activate. If prompted, click on Go ahead, activate SSL.

You are now encrypted

If everything went according to plan, once you refresh your browser, you should see the “Not Secure” warning replaced by a lock icon. If you click on the lock icon, you can view the certificate details, the expiry date and the root Certificate Authority.

Congrats, you are now encrypted!

Resources

How to quickly bootstrap a blog on Amazon Lightsail

I’ve wanted to play around with Amazon Lightsail for a while as it’s an AWS service that I haven’t used previously. I’ve also been tempted to try my hand at blogging, and this seemed like a great combination. I decided to test out Lightsail by spinning up a blog and writing my first post on the experience on said blog.

Lightsail is an all-in-one platform that makes it easy to build an application or website with fixed monthly costs. You can get started with Lightsail using an Amazon Free Tier account, which gives you the first 30 days (750 hours) for free. After that, the cheapest option will cost you $3.50 per month.

Launch an instance

If you navigate to the Lightsail console and click on Create instance, you’ll see a variety of pre-baked options that you can choose.

For this experiment, I chose to spin up an instance with WordPress pre-installed. Lightsail also lets you decide in which region you want your instance, so you can make sure it is as close as possible to your intended audience.

Scrolling down, you have the option to upload an SSH key for the instance or leave it at the default that Amazon generates for you. If you leave it at the default, make sure to download it by clicking on Change SSH key pair and selecting Download next to Default. You can also enable automatic snapshots, but note that these are not covered by the Amazon Free Tier and are charged at $0.05 per GB-Month of stored snapshot data.

Lastly, you get to choose your instance size and cost. $3.50 per month gets you 512 MB RAM, 1 vCPU, 20 GB SSD storage and 1 TB data bandwidth. Click Create instance and your instance should be ready within a couple of minutes.

Get your WordPress login details

Now that your instance is up, you need to gain access to the WordPress console somehow. The WordPress installation generates a password and stores it in a file on the file system. You need to SSH into the instance to retrieve it. You can do that directly from the Lightsail console in the browser or, if you prefer, you can use PuTTY or your terminal with the key pair you either uploaded or downloaded during setup.

Once logged into your instance, run the following command to get the WordPress password:

cat $HOME/bitnami_application_password

Set up a static IP for the instance

Currently, your instance’s IP is bound to change any time you reboot the instance. To make it a bit easier to work with it, you can create a static IP for free that won’t change even if you stop and start your instance. To do this, click on your instance in the Lightsail console and navigate to the Networking tab. Click on Create static IP, choose a location, give it a name and click Create.

You can now connect to your WordPress admin console by entering the following URL into your browser: http://static-ip/wp-login.php

Use the password you retrieved above with the username `user`.

Make sure to create yourself a new admin user with a strong password and remove the default user.

Point your domain to your blog

Your blog is now up and running, but you don’t want to point readers at an ugly IP. You want to have a friendly domain name for your blog that makes sense and is easy to remember. You can use any domain registrar, like GoDaddy, for this purpose.

Once you have your domain registered, you can create a Lightsail DNS zone to transfer management of your domain to Lightsail. Go to the Networking tab on the Lightsail console and choose Create DNS zone.

Enter your domain and click on Create DNS zone. Lightsail will now display a list of name server addresses. You have to copy these and go to your domain registrar and add them to your domain configuration. Doing this will transfer management of the domain to Lightsail.

You now have to create an A record in Lightsail that points to your homepage. Navigate to the DNS zone you created and click on Add record. In the Subdomain box, enter an @ symbol to create an apex record that points the root of your domain to your blog. Choose your static IP from the dropdown box and click on the green tick button. After about 60 seconds, you should be able to connect to your blog using your domain.

I would recommend also adding an A record to point the www subdomain to your static IP.

Next up

You now have a functional blog running on AWS! That wasn’t hard, was it? There are a couple of things left to do, and in the next post, I’ll cover how you can easily add a free SSL certificate to your blog, so it looks a bit more professional. I also plan on covering other AWS services, software architecture in general and many other interesting topics, so stay tuned.

Resources

  • https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-tutorial-launching-and-configuring-wordpress