This is a modified version of: https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-using-lets-encrypt-certificates-with-wordpress
After your Lightsail browser-based SSH session is connected, enter the following command to update the packages on your instance:
sudo apt-get update
Enter the following command to install the software properties package. Certbot’s developers use a Personal Package Archive (PPA) to distribute Certbot. The software properties package makes it more efficient to work with PPAs.
sudo apt-get install software-properties-common
Enter the following commands to install the GPG package, and add Certbot to the local apt repository:
Note
The next two commands (installing gpg and adding the PPA) apply only to instances that use the Ubuntu Linux distribution. Skip them if your instance uses the Debian Linux distribution.
sudo apt-get install gpg -y
sudo apt-add-repository ppa:certbot/certbot -y
Enter the following command to update apt to include the new repository:
sudo apt-get update -y
Enter the following command to install Certbot:
sudo apt-get install certbot -y
Certbot is now installed on your Lightsail instance.
Keep the browser-based SSH terminal window open—you return to it later in this tutorial. Continue to the next section of this tutorial.
Request a Let’s Encrypt SSL wildcard certificate
DO THIS ON THE HOST, NOT INSIDE THE CONTAINER
Begin the process of requesting a certificate from Let's Encrypt. Using Certbot, request a wildcard certificate, which lets you use a single certificate for a domain and its subdomains. For example, a single certificate covering example.com and *.example.com works for the example.com apex domain and for the blog.example.com and stuff.example.com subdomains. Note that a wildcard matches exactly one label: *.example.com does not cover example.com itself (which is why the apex is requested separately below) and does not cover deeper names such as a.blog.example.com.
- In the same browser-based SSH terminal window you used to install Certbot, enter the following commands to set environment variables for your domain, so that the later commands can be copied and pasted as-is. Replace domain with the name of your registered domain. The quotes keep the shell from treating the asterisk as a filename glob:

DOMAIN=domain
WILDCARD="*.$DOMAIN"

Example:

DOMAIN=example.com
WILDCARD="*.$DOMAIN"
- Enter the following command to confirm the variables return the correct values:

echo "$DOMAIN" && echo "$WILDCARD"

You should see the domain and then the wildcard name on separate lines, for example example.com followed by *.example.com.

- Enter the following command to start Certbot in interactive mode. This command tells Certbot to use the manual authorization method with DNS challenges to prove that you control the domain; DNS-01 is the only challenge type Let's Encrypt accepts for wildcard names. It requests a single certificate covering your apex domain and its first-level subdomains:

sudo certbot -d "$DOMAIN" -d "$WILDCARD" --manual --preferred-challenges dns certonly
- Enter your email address when prompted, because it’s used for renewal and security notices.
- Read the Let’s Encrypt terms of service. When done, press A if you agree. If you disagree, you cannot obtain a Let’s Encrypt certificate.
- Respond accordingly to the prompt to share your email address and to the warning about your IP address being logged.
- Let's Encrypt now prompts you to prove that you control the domain you specified. You do this by adding TXT records to the DNS records for your domain; Certbot displays the record name and the value(s) to publish.

Note
Let's Encrypt may require one or several TXT records for verification. In this example, two were provided: one for the apex domain and one for the wildcard name. Both records have the same name, _acme-challenge.domain, and both must exist at the same time, so add the second as an additional record rather than editing the first.
- Keep the Lightsail browser-based SSH session open—you return to it later in this tutorial. Continue to the next section of this tutorial.
Add TXT records to your domain’s DNS zone in Lightsail
Adding the TXT records to your domain's DNS zone proves to Let's Encrypt that you control the domain's DNS. For demonstration purposes, we use the Lightsail DNS zone; the steps are similar for DNS zones hosted elsewhere, typically at your domain registrar.
Note
To learn more about how to create a Lightsail DNS zone for your domain, see Creating a DNS zone to manage your domain’s DNS records in Amazon Lightsail.
- On the Lightsail home page, choose the Networking tab.
- Under the DNS zones section of the page, choose the DNS Zone for the domain that you specified in the Certbot certificate request.
- In the DNS zone editor, choose Add record.
- In the record type drop-down menu, choose TXT record.
- Enter the values specified by the Let's Encrypt certificate request into the Subdomain and Responds with fields: the subdomain is _acme-challenge (the zone editor appends your domain to it) and the response is the value string that Certbot displayed.
- Choose the Save icon.
- Repeat the Add record steps for the second TXT value specified by the Let's Encrypt certificate request, using the same _acme-challenge subdomain so that both records exist side by side.
- Keep the Lightsail console browser window open—you return to it later in this tutorial. Continue to the next section of this tutorial.
Confirm that the TXT records have propagated
Use the MxToolbox utility to confirm that the TXT records have propagated to the internet’s DNS. DNS record propagation might take a while depending on your DNS hosting provider, and the configured time to live (TTL) for your DNS records. It is important that you complete this step, and confirm that your TXT records have propagated, before continuing your Certbot certificate request. Otherwise, your certificate request fails.
Open a new browser window and go to https://mxtoolbox.com/TXTLookup.aspx.
Enter the following text into the text box. Be sure to replace domain with your domain:

_acme-challenge.domain

Example:

_acme-challenge.example.com
Choose TXT Lookup to run the check.
One of the following responses occurs:
If your TXT records have propagated to the internet's DNS, the lookup lists the TXT values you entered. Close the browser window and continue to the next section of this tutorial.
If your TXT records have not propagated to the internet's DNS, you see a DNS Record is not found response. Confirm that you added the correct DNS records to your domain's DNS zone. If you added the correct records, wait a while longer to let your domain's DNS records propagate, and run the TXT lookup again.
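As an added check that is not part of the original tutorial, the following script queries the domain's authoritative nameservers directly with dig (run it in the same SSH session; install dig with sudo apt-get install dnsutils if it is missing) instead of relying on a third-party web lookup. Let's Encrypt resolves the challenge name itself, starting from the authoritative servers, so a public resolver that has cached an empty answer can still say "not found" while validation would succeed, and a lagging secondary nameserver can fail validation while a single web lookup says everything is fine. The function names are mine, the _acme-challenge.domain name is the one the tutorial uses, and the expected values are the strings Certbot printed.

```shell
#!/bin/sh
# Added example (not from the Lightsail tutorial): confirm that every
# _acme-challenge TXT value Certbot asked for is served by *every*
# authoritative nameserver of the domain before pressing Enter in the
# Certbot session.
set -u

# lookup_txt NAME SERVER: print the TXT values for NAME as served by SERVER,
# one per line, with dig's surrounding double quotes removed and long
# records ("part1" "part2") joined. Redefined with a stub when testing.
lookup_txt() {
    dig +short +time=3 +tries=1 TXT "$1" "@$2" \
        | sed -e 's/^"//' -e 's/"$//' -e 's/" "//g'
}

# authoritative_ns ZONE: print the zone's NS hostnames, one per line,
# without the trailing dot. Redefined with a stub when testing.
authoritative_ns() {
    dig +short NS "$1" | sed 's/\.$//'
}

# acme_txt_present DOMAIN EXPECTED_VALUE...
# Returns 0 only if every expected value is present on every authoritative
# nameserver for DOMAIN; otherwise reports each gap on stderr and returns 1.
acme_txt_present() {
    domain="$1"; shift
    name="_acme-challenge.${domain}"
    missing=0
    servers="$(authoritative_ns "$domain")"
    if [ -z "$servers" ]; then
        echo "no NS records found for ${domain}" >&2
        return 1
    fi
    for ns in $servers; do
        seen="$(lookup_txt "$name" "$ns")"
        for value in "$@"; do
            # -F: fixed string, -x: whole line must match, -q: quiet
            if ! printf '%s\n' "$seen" | grep -Fxq -- "$value"; then
                echo "MISSING on ${ns}: ${name} TXT ${value}" >&2
                missing=1
            fi
        done
    done
    return "$missing"
}

# Usage, with DOMAIN set as earlier in the tutorial and the two values copied
# from the Certbot prompt (placeholders here):
#   acme_txt_present "$DOMAIN" 'first-value-from-certbot' 'second-value-from-certbot' \
#       && echo "all challenge records are live on every nameserver"
```

If the function reports a value missing on only one nameserver, the zone has not finished replicating to that server; wait and re-run rather than pressing Enter, because Let's Encrypt may query exactly that server and a failed validation counts against its retry limits.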
Complete the Let’s Encrypt SSL certificate request
Go back to the Lightsail browser-based SSH session for your WordPress instance and complete the Let's Encrypt certificate request. Certbot saves your certificate, chain, and key files to a specific directory on your WordPress instance.
In the Lightsail browser-based SSH session for your WordPress instance, press Enter to continue your Let's Encrypt SSL certificate request. If it succeeds, Certbot prints a message confirming that your certificate, chain, and key files are stored in /etc/letsencrypt/live/domain/, where domain is your domain, for example /etc/letsencrypt/live/example.com/. If validation fails, Certbot reports which TXT record it could not find; fix the record and confirm it has propagated before running the certbot command again, because Let's Encrypt rate-limits failed validations.
Make note of the expiration date specified in the message. Let's Encrypt certificates are valid for 90 days, and because this one was obtained with --manual it is not renewed by Certbot's scheduled renew job (non-interactive renewal of a manual certificate requires --manual-auth-hook or a DNS plugin for your provider). Repeat this procedure before that date.
Now that you have the Let's Encrypt SSL certificate, continue to the next section of this tutorial.
Create links to the Let’s Encrypt certificate files in the Apache server directory
Stop the container from running
Enter the following commands individually to create links to your Let's Encrypt certificate files in the Apache configuration volume. The commands are the same for newer instances that use the Debian Linux distribution and older instances that use the Ubuntu Linux distribution. DOMAIN must still be set in this shell (re-run the DOMAIN= line if you opened a new session; otherwise the link target silently becomes /etc/letsencrypt/live//privkey.pem). ln -s will not overwrite an existing server.key or server.crt, so move any existing files aside first:

sudo ln -s /etc/letsencrypt/live/$DOMAIN/privkey.pem /var/lib/docker/volumes/apacheconfigs-files/_data/conf/server.key
sudo ln -s /etc/letsencrypt/live/$DOMAIN/fullchain.pem /var/lib/docker/volumes/apacheconfigs-files/_data/conf/server.crt

A symlink stored in the volume is resolved against the container's own filesystem, so these links only work if the host's /etc/letsencrypt is also mounted into the container at the same path. If it is not, copy the files into the volume instead of linking them.
Once done, restart your container and everything should be ready to roll!
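The script below is an added example, not part of the original tutorial, for the case where /etc/letsencrypt is not mounted into the container: it copies the Certbot files into the volume (following the live/ to archive/ symlinks), backs up whatever was there, keeps the mode and owner the old files had so the container's Apache user can still read them, and checks with openssl that the installed key actually belongs to the installed certificate before the container is started again. The volume path is the one from the tutorial; the function names and the container name wordpress are assumptions. Run it as root on the host with the container stopped.

```shell
#!/bin/sh
# Added example (not from the Lightsail tutorial): install the Let's Encrypt
# files into the Apache config volume by copying instead of symlinking.
set -u

# copy_one SRC DEST STAMP
#   Move any existing DEST to DEST.STAMP.old, copy SRC (dereferencing
#   symlinks) to DEST, and, if the old DEST was a regular file, give the new
#   file the same mode and owner so the container's Apache user keeps access.
copy_one() {
    src="$1"; dest="$2"; stamp="$3"
    if [ -e "$dest" ] || [ -L "$dest" ]; then
        mv "$dest" "$dest.$stamp.old" || return 1
        cp -L "$src" "$dest" || return 1
        if [ ! -L "$dest.$stamp.old" ]; then
            chmod --reference="$dest.$stamp.old" "$dest" || return 1
            chown --reference="$dest.$stamp.old" "$dest" || return 1
        fi
    else
        cp -L "$src" "$dest" || return 1
    fi
}

# install_cert LIVE_DIR CONF_DIR
#   LIVE_DIR is /etc/letsencrypt/live/<domain>; CONF_DIR is the conf/
#   directory inside the apacheconfigs-files volume. Returns 1 if the Certbot
#   files are not readable or any copy fails.
install_cert() {
    live="$1"; conf="$2"
    stamp="$(date +%Y%m%d%H%M%S)"
    if [ ! -r "$live/privkey.pem" ] || [ ! -r "$live/fullchain.pem" ]; then
        echo "certbot files not found under $live" >&2
        return 1
    fi
    copy_one "$live/privkey.pem"   "$conf/server.key" "$stamp" || return 1
    copy_one "$live/fullchain.pem" "$conf/server.crt" "$stamp" || return 1
}

# cert_matches_key KEY CERT
#   Returns 0 if the certificate carries the public key derived from KEY,
#   i.e. the two files installed above belong together. Compares SHA-256 of
#   the DER-encoded public keys; an empty hash (unreadable input) never
#   matches.
cert_matches_key() {
    command -v openssl >/dev/null || { echo "openssl not installed" >&2; return 2; }
    kfp="$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | sha256sum | cut -d' ' -f1)"
    cfp="$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null \
           | openssl pkey -pubin -outform DER 2>/dev/null | sha256sum | cut -d' ' -f1)"
    empty="$(printf '' | sha256sum | cut -d' ' -f1)"
    [ "$kfp" != "$empty" ] && [ "$kfp" = "$cfp" ]
}

# Usage on the host (DOMAIN set as earlier in the tutorial; "wordpress" is an
# assumed container name):
#   CONF=/var/lib/docker/volumes/apacheconfigs-files/_data/conf
#   docker stop wordpress
#   install_cert "/etc/letsencrypt/live/$DOMAIN" "$CONF" \
#       && cert_matches_key "$CONF/server.key" "$CONF/server.crt" \
#       && docker start wordpress
```

Because the files are copies, repeat install_cert after every renewal; the backup files it leaves behind let you roll back if the container refuses to start.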