If you are using AWS LightSail to host your WordPress blog, check how you can enable HTTPS mode with the help of Let’s Encrypt SSL certificate.
AWS LightSail is a great platform to host your blogs as it comes with a good infrastructure and a reasonable price. Nowadays, it has become one of my preferred solutions to install WordPress and start a blog.
AWS LightSail is a virtual private server which means that you do not have cPanel available on the server. You either have to buy a license of cPanel and install it manually or manage the LightSail server by yourself.
I prefer to manage it myself, but it can be an overwhelming task for someone who is not from a technical background. So be prepared to run some commands and look at log files.
The first thing you should do after bringing up your WordPress LightSail server is to install an SSL certificate on it. This will make sure your blog is served correctly over the HTTPS protocol.
Let’s take a look at a step by step guide on how you can install SSL certificate on AWS LightSail WordPress Server.
What is HTTPS Protocol
When you type any blog URL you usually start the URL with “HTTP://” like – http://Metablogue.com.
HTTP means HyperText Transfer Protocol, which allows your browser and website server to communicate and transfer data. HTTP is by default non-encrypted communication and can be vulnerable to man-in-the-middle and eavesdropping attacks.
If you are just transferring information which is already publicly available, like your blog posts and images, you may decide to serve it over HTTP.
Even if the communication is intercepted and someone snoops on it, they will only find information which is already available to everyone.
But what if someone is trying to contact you using your contact page? If someone snoops on the connection, they will be able to get the user's email address and other contact information.
It becomes more critical if you are doing a financial transaction on your blog.
HTTPS For Encrypted Communications
HTTPS allows you to overcome this problem. It works in a similar manner to HTTP but adds an encryption layer on top.
For HTTPS to work correctly, the server and browser need to perform a handshake and establish a secure channel for communication. They agree on the encryption algorithm and the SSL certificate to use, among other things.
This added communication takes some time and affects the page loading speed but it should benefit in terms of security and reliability of your user data.
According to Wikipedia, as of November 2017, 27.7% of the Alexa top 1,000,000 websites use HTTPS by default, and more are being added every day.
How to know if the communication is secured
Current browsers display the lock icon on the address bar to showcase secured communication over HTTPS protocol.
You can click the lock icon to get more details about the server.
If the server certificate and domain name do not match, you will see an error in your browser.
Why SSL Certificate
The Google Webmasters Blog has talked about the SSL certificate being one of the ranking factors. So it not only helps your users interact with your blog securely but also helps you rank higher in SERPs.
Nowadays, HTTPS is one of the basic requirements for any blog. The good thing is that AWS LightSail comes preconfigured for HTTPS.
You can access your blog over HTTPS. The only problem is that the SSL certificate is a dummy certificate using the domain name “example.com”, so you will see a warning in Chrome and other browsers.
To make sure you are able to correctly serve the blog over HTTPS protocol on AWS, you just need to install a proper SSL certificate.
Here are step-by-step instructions on how you can enable a Let’s Encrypt SSL certificate on AWS LightSail.
Generate Let’s Encrypt SSL Certificate
The SSL certificate is a key component of the HTTPS protocol. It contains information like the domain name, owner name, public key (which will be used to encrypt the data), validity dates etc.
There are companies that offer paid SSL certificates, like Symantec, GoDaddy, RapidSSL etc. Paid certificates are good if you are doing financial transactions on your blog.
If you are not accepting payments and have only a few forms where you are accepting user information, you can use a free Let’s Encrypt SSL certificate.
There are two ways you can generate the Let’s Encrypt SSL certificate with LightSail:
– WordPress Plugin
– Certbot Client
Both methods are explained below. You can use either of them to generate your SSL certificate.
Using WordPress Plugin
WordPress plugin is an easy way to generate SSL certificate as most of the work can be done through the admin panel.
You can just install the plugin and click a few buttons to generate the SSL certificate.
Create Folders For SSL Certificate
You need to create a folder to store your Let’s Encrypt SSL certificate before installing the WordPress plugin.
You also need to make sure that the WordPress has enough access to the folders so that it can read and write certificate files in it.
Use the commands mentioned below to create the folders and give WordPress access to them.
This will make sure that you have a folder created as /opt/bitnami/apps/wordpress/letsencrypt/live, if you want to store your SSL certificate somewhere else just change the folder location in the commands.
Once you have created a directory and set the ownership, you need to set the file and directory access for all of the files inside that directory.
You can use the below two commands to do that.
With these two commands, you will set the directory permission as 0775 and all of the executable file permissions to 0664.
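The folder setup described above, as an added example that is not part of the original article: `prepare_cert_dir` and `world_readable_keys` are hypothetical helper names, and the optional OWNER:GROUP argument is an assumption that must match the account your WordPress PHP process runs as.

```sh
#!/bin/sh
# Added example: create the certificate folder and apply the modes the
# article describes (directories 0775, files 0664).
# Usage: prepare_cert_dir DIR [OWNER:GROUP]
prepare_cert_dir() {
    dir=$1
    owner=${2:-}
    mkdir -p "$dir" || return 1
    # Ownership change is optional; OWNER:GROUP is an assumption and must be
    # the account that WordPress runs as on your server.
    if [ -n "$owner" ]; then
        chown -R "$owner" "$dir" || return 1
    fi
    find "$dir" -type d -exec chmod 0775 {} + || return 1
    find "$dir" -type f -exec chmod 0664 {} + || return 1
}

# Print every file under DIR that contains a PEM private key and is readable
# by "other" users. Matching is by file content, not by file name.
world_readable_keys() {
    find "$1" -type f -perm -004 \
        -exec grep -l -e '-----BEGIN .*PRIVATE KEY-----' {} + 2>/dev/null
    return 0
}

# When run directly with arguments, prepare the given folder.
if [ "$#" -gt 0 ]; then
    prepare_cert_dir "$@"
fi
```

Mode 0664 leaves any private key stored in this tree readable by every local account. Run `world_readable_keys` on the folder after the certificate has been generated and tighten the listed files if other users share the server.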
WP Encrypt is a WordPress plugin which allows you to generate the Let’s Encrypt certificate from your admin dashboard.
It will also keep a track of certification expiration and can automatically renew the certificate.
By default the plugin uses the location /opt/bitnami/apps/wordpress/letsencrypt/live for storing the SSL certificate. So if you have changed the location while creating the folder, you need to add below line at the end of your wp-config.php
Once you add this line, the plugin will know which directory to use for storing the SSL certificates.
The plugin is available free of cost from WordPress repository. So go ahead and install the plugin.
Once the plugin is installed and activated, you can go to Settings -> WP Encrypt to access the settings.
In the account settings, enter the Organisation name, Country Name and Country Code. If you are not sure about your two digit country code, you can take a look here.
Go ahead and click on register account to create a new account on Let’s Encrypt. Once the account is created, you can click on Generate Certificate to generate the SSL certificate.
If you have used this method to generate the Let’s Encrypt certificate, you can skip the next section and directly jump to link it with Apache.
Using Certbot Client with Apache
Another method is to use the Certbot client to generate the SSL certificate. If you are not inclined to install multiple plugins on your WordPress installation, you can use this method to do everything through the Linux shell.
The Certbot client is available on Git and can be installed with a single command. AWS LightSail does not come with Git installed, so you need to install Git before installing Certbot.
You can connect to your LightSail instance with any SSH client. I use PuTTY for Windows and Terminal on Mac.
The first thing you need to do is make sure all the packages are updated on your server. You can do that with the command below.
Now, use the command below to install Git on your AWS LightSail.
Once Git is installed, it's time to install Certbot with a git clone command.
First, create a directory where you want to install a Certbot client and move into that directory.
Now go ahead and install the Certbot client from Github.
Now go into the Certbot directory and run certbot-auto script to complete the installation.
The script might show some errors but you can ignore them. It will run and download all the dependencies it needs.
Once the Certbot client is installed, you can go ahead and generate the certificate for your domain.
Change the domain name to your domain name.
If you need certificates for multiple domains, you can add additional domains with -d option. Check more about the Certbot client at their official page.
It will store the generated certificate in /etc/letsencrypt/live/DOMAIN directory.
Link Let’s Encrypt SSL Certificate to Apache
You can use either of the methods above to generate the SSL certificate. Once you have the certificate, you have to let Apache know where to pick it up.
By default, Apache stores the certificate at the locations mentioned below.
You can just copy your SSL certificate to these locations and restart Apache to pick up the new files. But with this approach, you will have to copy the files again when you renew your certificate.
So the better approach is to create a symbolic link to your certificate files. Whenever you renew your certificate, it can take effect without this extra step.
You can use the commands below to create the symbolic links.
Make sure that the certificate file names and paths are correct. If you receive an error that the file already exists, use the command below to rename the files.
Once your symbolic links are in place, you can restart the Apache server to put them into effect. Use the command below to restart the Apache server.
After Apache restart, you can try to access your blog over HTTPS and make sure there are no errors.
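The linking step above, including the "file already exists" case, as an added example that is not part of the original article: `link_cert` is a hypothetical helper, fullchain.pem and privkey.pem are the file names Certbot writes in its live directory, and the Apache destination paths are placeholders you supply.

```sh
#!/bin/sh
# Added example: point an Apache certificate path at a file in the
# Let's Encrypt live directory, keeping a backup of whatever was there.
# Usage (run as root; DOMAIN and the two Apache paths are placeholders):
#   link_cert /etc/letsencrypt/live/DOMAIN/fullchain.pem APACHE_CERT_PATH
#   link_cert /etc/letsencrypt/live/DOMAIN/privkey.pem   APACHE_KEY_PATH
link_cert() {
    src=$1
    dest=$2
    # Refuse to touch DEST unless SOURCE exists and is non-empty, so Apache
    # is never left pointing at a dangling link after a restart.
    if [ ! -s "$src" ]; then
        echo "link_cert: $src is missing or empty" >&2
        return 1
    fi
    # Already linked to the right file: nothing to do (safe to re-run).
    if [ -L "$dest" ] && [ "$(readlink "$dest")" = "$src" ]; then
        return 0
    fi
    # A regular file (for example the dummy certificate) is renamed,
    # not deleted, so it can be restored if Apache fails to start.
    if [ -e "$dest" ] && [ ! -L "$dest" ]; then
        mv "$dest" "$dest.old" || return 1
    fi
    # Create the link, replacing any stale symlink at DEST.
    ln -sfn "$src" "$dest"
}

# When run directly with two arguments, link SOURCE to DEST.
if [ "$#" -eq 2 ]; then
    link_cert "$1" "$2"
fi
```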
Redirect Your Blog to HTTPS
Once you have installed the Let’s Encrypt SSL certificate and linked it with Apache, you need to redirect your blog to HTTPS rather than HTTP.
This is a two-step process. First, you need to change the home URL for your blog. That can be done by editing the wp-config.php file. Edit wp-config.php and change the two lines mentioned below so they point to HTTPS rather than HTTP.
For the second step, you need to update Apache to redirect the traffic to HTTPS. You can edit the https-prefix.conf file to force the redirection on Apache. The file is present at /opt/bitnami/apps/wordpress/conf/.
Add the below section at the top of the file to force the redirection.
Now all of your traffic will redirect to HTTPS version.
Change all internal links to HTTPS
The final step is to make sure all the internal links are using HTTPS.
WordPress uses the site address to create links, but all the existing links inside posts, including image links, will still be using HTTP.
If you only have a few posts, you can manually edit the posts to change the links. But if you have many posts, you can use a WordPress plugin to make this change.
Better Search-Replace is a WordPress plugin which allows you to search and replace the domain name in the WordPress database.
Just install the plugin, select all the tables and do a dry run to see how many changes will be needed.
If you are ok with the changes, you can run it and make those changes in WordPress database.
If you are not planning to make regular changes to the WordPress database, you can uninstall the plugin.
So this is how you can enable HTTPS on the AWS LightSail with the help of Let’s Encrypt SSL certificate.