How to install a free Let’s Encrypt SSL certificate

In this tutorial, we generate, install and configure a Let’s Encrypt SSL/TLS certificate on an AWS Lightsail instance that serves a WordPress website. WordPress was installed from the Bitnami WordPress application stack, so all paths below are Bitnami paths.

Let’s Encrypt is a nonprofit Certificate Authority (CA) that issues free SSL/TLS certificates; at the time of writing it secured about 260 million websites worldwide. Validation and issuance happen automatically over the ACME protocol, which is why an ACME client such as Lego is needed.

Prerequisites

  • WordPress is deployed and reachable on a public (static) IP
  • You have SSH access to the server as a user with sudo privileges
  • You own the domain name and have access to its DNS manager
  • You have already created A records pointing the domain (and the www subdomain) to the public IP.

Step 1: Install the Lego client

  • Log in to the server as the bitnami user.
  • Install the Lego client. These commands download the latest Lego release archive for linux_amd64, unpack it, and move the binary into a newly created directory, /opt/bitnami/letsencrypt
cd /tmp
curl -Ls https://api.github.com/repos/xenolf/lego/releases/latest | grep browser_download_url | grep linux_amd64 | cut -d '"' -f 4 | wget -i -
tar xf lego_vX.Y.Z_linux_amd64.tar.gz
sudo mkdir -p /opt/bitnami/letsencrypt
sudo mv lego /opt/bitnami/letsencrypt/lego

Note: Replace X.Y.Z with the version number of the archive you downloaded. The Lego project has since moved to the go-acme/lego repository; the old xenolf/lego URL redirects there and curl -L follows the redirect. Because this binary will run as root and handle your private key, verify the downloaded archive against the checksum file published on the same GitHub release page before unpacking it.

Step 2: Generate the certificate

Make sure that the domain name (both DOMAIN and www.DOMAIN) already resolves to the public IP of the instance and that the Lightsail firewall allows inbound TCP 443, or domain validation will fail. The --tls option used below tells Lego to answer the TLS-ALPN-01 challenge itself on port 443, so that port must be reachable from the internet and free on the instance while Lego runs.
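The following pre-flight script is an added example, not part of this tutorial's original steps and not part of Lego or Bitnami. From the instance itself it checks that DOMAIN and www.DOMAIN resolve exactly to the public IP you pass in, and that nothing is still listening on TCP 443. The port check is expected to fail until the services are stopped in the next step; rerun it then, before starting Lego. It assumes a Linux host with getent and, for the port check, the ss utility from iproute2; the script name and arguments are this example's own.

```bash
#!/bin/bash
# Pre-flight checks before "lego --tls ... run" (added example for this tutorial).
# Usage: preflight.sh DOMAIN PUBLIC_IP
#   DOMAIN     bare domain; www. is added automatically
#   PUBLIC_IP  the Lightsail static IP that the A records should point to

# Print the IPv4 addresses NAME resolves to, one per line, deduplicated.
resolved_ips() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | sort -u
}

# Succeed only if NAME resolves to EXPECTED_IP and nothing else. Extra A records
# pointing elsewhere make ACME validation fail intermittently, so they count as
# a failure here rather than a warning.
dns_points_to() {
    local name="$1" expected="$2" ips
    ips="$(resolved_ips "$name")"
    if [ -z "$ips" ]; then
        echo "FAIL: $name does not resolve" >&2
        return 1
    fi
    if [ "$ips" != "$expected" ]; then
        echo "FAIL: $name resolves to [$(echo "$ips" | tr '\n' ' ')] not $expected" >&2
        return 1
    fi
    echo "OK: $name -> $expected"
}

# Succeed if no local TCP listener is bound to PORT. Lego's --tls mode must bind
# 443 itself for the TLS-ALPN-01 challenge, which is why Apache is stopped first.
port_free() {
    local port="$1"
    if ! command -v ss >/dev/null 2>&1; then
        echo "WARN: ss not found, skipping listener check for TCP $port" >&2
        return 0
    fi
    if ss -ltn 2>/dev/null | awk 'NR > 1 {print $4}' | grep -q ":${port}\$"; then
        echo "FAIL: something is still listening on TCP $port (stop Apache first)" >&2
        return 1
    fi
    echo "OK: TCP $port is free"
}

# Run every check and fail if any of them failed.
preflight() {
    local domain="$1" ip="$2" rc=0
    dns_points_to "$domain" "$ip"     || rc=1
    dns_points_to "www.$domain" "$ip" || rc=1
    port_free 443                     || rc=1
    return "$rc"
}

if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
fi
```

Run it as preflight.sh DOMAIN PUBLIC_IP. getent asks the instance's own resolver, which may answer from a cache; Let’s Encrypt resolves from the outside, so for a freshly changed record also query a public resolver (for example dig +short DOMAIN @1.1.1.1) before proceeding.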

  • Stop all Bitnami services (Apache, PHP and MySQL). Apache must be stopped because Lego needs to bind port 443 for the challenge; the site is briefly offline while the certificate is issued.
sudo /opt/bitnami/ctlscript.sh stop
  • Request a new certificate for your domain both with and without the www prefix.
sudo /opt/bitnami/letsencrypt/lego --tls --email="EMAIL-ADDRESS" --domains="DOMAIN" --domains="www.DOMAIN" --path="/opt/bitnami/letsencrypt" run

Replace EMAIL-ADDRESS with your email address (Let’s Encrypt uses it for expiry and security notices) and DOMAIN with your domain name.

Example:

sudo /opt/bitnami/letsencrypt/lego --tls --email="example@vikreed.com" --domains="vikreed.com" --domains="www.vikreed.com" --path="/opt/bitnami/letsencrypt" run

Note: Though we pass both the bare domain and the www subdomain, this produces a single certificate, not two: a SAN (Subject Alternative Name) certificate whose DNSNames extension lists both names. Historically the first name was also copied into the Subject CommonName, but browsers validate only against the SAN list; the order matters mainly for the file names Lego uses, which are derived from the first domain.

  • Agree to the terms of service and proceed.
  • Lego saves the result in the /opt/bitnami/letsencrypt/certificates directory: DOMAIN.crt (the server certificate followed by the issuing intermediate, i.e. the full chain), DOMAIN.key (the private key), DOMAIN.issuer.crt (the intermediate on its own) and a DOMAIN.json metadata file. Never share or commit the .key file; anyone holding it can impersonate your site for the lifetime of the certificate.
  • Lego then prints the certificate locations and the expiry date.

Step 3: Configure Apache server to use generated SSL certificate

  • Rename the default (self-signed) Bitnami server certificate and key
sudo mv /opt/bitnami/apache2/conf/bitnami/certs/server.crt /opt/bitnami/apache2/conf/bitnami/certs/server.crt.old
sudo mv /opt/bitnami/apache2/conf/bitnami/certs/server.key /opt/bitnami/apache2/conf/bitnami/certs/server.key.old
  • Symlink the newly generated certificate and key in place of the default ones. Because these are symlinks, a renewed certificate that Lego writes to the same file names is picked up the next time Apache is restarted.
sudo ln -sf /opt/bitnami/letsencrypt/certificates/DOMAIN.key /opt/bitnami/apache2/conf/bitnami/certs/server.key
sudo ln -sf /opt/bitnami/letsencrypt/certificates/DOMAIN.crt /opt/bitnami/apache2/conf/bitnami/certs/server.crt
  • Update the file permissions so the files are readable by root only. chown and chmod follow the symlinks, so this applies to the real files under /opt/bitnami/letsencrypt/certificates; Apache reads the key while it is still running as root, before dropping privileges, so 600 is sufficient.
sudo chown root:root /opt/bitnami/apache2/conf/bitnami/certs/server*
sudo chmod 600 /opt/bitnami/apache2/conf/bitnami/certs/server*
  • Start all Bitnami services again
sudo /opt/bitnami/ctlscript.sh start

Step 4: Testing

  • Open https://DOMAIN in a browser and check for the padlock icon in the address bar (modern browsers no longer colour it green).
  • Click the padlock to view the certificate details: the issuer should be Let’s Encrypt and the Subject Alternative Names should list both DOMAIN and www.DOMAIN.

Step 5: SSL renewal

Let’s Encrypt certificates are valid for 90 days only, so you must either renew them manually or schedule a cron job that renews them.

Manual renewal

  • Stop all Bitnami services
sudo /opt/bitnami/ctlscript.sh stop
  • Renew the certificate for the next 90 days. --days N tells Lego to renew only if the current certificate expires within N days; with --days 90 it always renews, which is what you want for a one-off manual run (Let’s Encrypt rate-limits duplicate certificates, so do not run it repeatedly).
sudo /opt/bitnami/letsencrypt/lego --tls --email="EMAIL-ADDRESS" --domains="DOMAIN" --path="/opt/bitnami/letsencrypt" renew --days 90

Note: Use the same email address and domain name as in the issuing command; Lego uses the domain to find the stored certificate and key under /opt/bitnami/letsencrypt/certificates. Passing the same --domains list as at issue time (including www.DOMAIN) is the safest way to make sure the renewed certificate keeps both names.

  • Start all service back
sudo /opt/bitnami/ctlscript.sh start
  • Check expiry date in browser

Automated renewal

  • Create a scripts directory and a script at /opt/bitnami/letsencrypt/scripts/renew-certificate.sh (or any name)
sudo mkdir -p /opt/bitnami/letsencrypt/scripts
sudo nano /opt/bitnami/letsencrypt/scripts/renew-certificate.sh
  • Add the following commands to renew-certificate.sh and save it. Only Apache needs to be stopped; MySQL and PHP do not use port 443.
#!/bin/bash
# stop Apache so Lego can bind port 443 for the TLS-ALPN-01 challenge
sudo /opt/bitnami/ctlscript.sh stop apache
# renew; --days 90 forces a renewal on every run
sudo /opt/bitnami/letsencrypt/lego --tls --email="EMAIL-ADDRESS" --domains="DOMAIN" --path="/opt/bitnami/letsencrypt" renew --days 90
# start Apache again so it loads the new certificate
sudo /opt/bitnami/ctlscript.sh start apache
  • Make the script executable
sudo chmod +x /opt/bitnami/letsencrypt/scripts/renew-certificate.sh
  • Schedule the cron job. This edits root’s crontab, so the sudo calls inside the script are redundant but harmless. The entry below runs at midnight on the first day of every month and appends the output to a log file; do not discard stderr with 2> /dev/null, or a failed renewal goes unnoticed until the certificate expires.
sudo crontab -e
0 0 1 * * /opt/bitnami/letsencrypt/scripts/renew-certificate.sh >> /opt/bitnami/letsencrypt/renew.log 2>&1
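A more robust version of the renewal script above, as an added example (not the tutorial's own script, and not part of Lego or Bitnami). It keeps the tutorial's paths as defaults, checks the stored certificate with openssl first so Apache is only stopped on the day a renewal is actually due, renews with --days 30 and the full domain list, always starts Apache again even when Lego fails, and writes a timestamped log instead of discarding errors. The log path, the renew argument, the openssl pre-check and the environment-variable overrides are this example's own choices.

```bash
#!/bin/bash
# Hardened renewal script for the Lego + Bitnami layout used in this tutorial.
# Added example: not the tutorial's own script and not part of Lego or Bitnami.
# Defaults are the tutorial's paths; every setting can be overridden through the
# environment (this is also how the functions are exercised without a real lego).
set -u

LEGO_BIN="${LEGO_BIN:-/opt/bitnami/letsencrypt/lego}"
CTLSCRIPT="${CTLSCRIPT:-/opt/bitnami/ctlscript.sh}"
LEGO_PATH="${LEGO_PATH:-/opt/bitnami/letsencrypt}"
LOG_FILE="${LOG_FILE:-/opt/bitnami/letsencrypt/renew.log}"   # example's own choice
EMAIL="${EMAIL:-EMAIL-ADDRESS}"   # replace with the address used when issuing
DOMAIN="${DOMAIN:-DOMAIN}"        # bare domain; www. is added below
RENEW_DAYS="${RENEW_DAYS:-30}"    # renew when fewer than this many days remain
CERT_FILE="${CERT_FILE:-$LEGO_PATH/certificates/$DOMAIN.crt}"

# Append a UTC-timestamped line to the log file.
log() {
    printf '%s %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$*" >> "$LOG_FILE"
}

# Cheap local check so Apache is not restarted on days when nothing is due:
# "openssl x509 -checkend N" exits 0 while the certificate stays valid for
# another N seconds. A missing certificate or missing openssl counts as due and
# is left for lego to sort out.
renewal_due() {
    [ -f "$CERT_FILE" ] || return 0
    command -v openssl >/dev/null 2>&1 || return 0
    if openssl x509 -noout -in "$CERT_FILE" -checkend "$((RENEW_DAYS * 86400))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Stop Apache (lego must own port 443 for the TLS-ALPN-01 challenge), renew with
# the same domain list as the original request, and ALWAYS start Apache again,
# even when lego fails. Returns lego's exit status so cron output and the log
# distinguish success from failure.
renew_certificate() {
    local rc=0
    if ! renewal_due; then
        log "certificate still valid for more than $RENEW_DAYS days, nothing to do"
        return 0
    fi
    log "renewal due, stopping apache"
    "$CTLSCRIPT" stop apache >> "$LOG_FILE" 2>&1 || log "warning: apache stop exited $?"
    "$LEGO_BIN" --tls --email="$EMAIL" \
        --domains="$DOMAIN" --domains="www.$DOMAIN" \
        --path="$LEGO_PATH" renew --days "$RENEW_DAYS" >> "$LOG_FILE" 2>&1 || rc=$?
    "$CTLSCRIPT" start apache >> "$LOG_FILE" 2>&1 || log "ERROR: apache start exited $?"
    if [ "$rc" -eq 0 ]; then
        log "renewal finished OK"
    else
        log "renewal FAILED (lego exit status $rc)"
    fi
    return "$rc"
}

# Run only when invoked as "renew-certificate.sh renew", so the file can be
# sourced for testing without touching the live server.
if [ "${1:-}" = "renew" ]; then
    renew_certificate
fi
```

Schedule it daily, for example 0 3 * * * /opt/bitnami/letsencrypt/scripts/renew-certificate.sh renew in root’s crontab, and keep an eye on the log. A daily check with a 30-day window gives roughly thirty attempts before the certificate expires instead of a single monthly one, and Apache is only restarted on the day a renewal actually happens.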
