If you are using AWS LightSail to host your WordPress blog, check how you can enable HTTPS mode with the help of Let’s Encrypt SSL certificate.
AWS LightSail is a great platform to host your blogs as it comes with a good infrastructure and a reasonable price. Nowadays, it has become one of my preferred solutions to install WordPress and start a blog.
AWS LightSail is a virtual private server which means that you do not have cPanel available on the server. You either have to buy a license of cPanel and install it manually or manage the LightSail server by yourself.
I prefer to manage it myself, but it can be an overwhelming task for someone who is not from a technical background. So be prepared to run some commands and look at log files.
The first thing you should do after bringing up your WordPress LightSail server is to install an SSL certificate on it. This makes sure your blog is served correctly over the HTTPS protocol.
Let’s look at a step-by-step guide on how you can install an SSL certificate on an AWS LightSail WordPress server.
What is HTTPS Protocol?
When you type any blog URL you usually start the URL with “HTTP://” like – http://Metablogue.com.
HTTP means Hypertext Transfer Protocol, which allows your browser and website server to communicate and transfer data. HTTP is by default non-encrypted communication and can be vulnerable to man-in-the-middle and eavesdropping attacks.
If you are only transferring information which is already publicly available, like your blog posts and images, you may decide to serve it over HTTP.
Even if the communication is intercepted and someone snoops on it, they will only find information which is already available to everyone.
But what if someone is trying to contact you using your contact page? If someone snoops on the connection, they will be able to get the user’s email id and other contact information.
It becomes more critical if you are doing a financial transaction on your blog.
HTTPS For Encrypted Communications
HTTPS allows you to overcome this problem. It works in the same manner as HTTP but adds an encryption layer on top of it.
For HTTPS to work correctly, the server and browser need to do some handshaking and establish a secure channel for communications. They will decide on the encryption algorithm and SSL certificate to use, among other things.
This added communication takes some time and affects the page loading speed, but it should benefit in terms of security and reliability of your user data.
According to Wikipedia, as of April 2018, 31% of Alexa top 1,000,000 websites use HTTPS as default and more are getting added every day.
How to know if the communication is secured?
Current browsers display the lock icon on the address bar to highlight secured communication over HTTPS protocol.
You can click the lock icon to get more details about the server.
If the server certificate and domain name do not match, you will see an error in your browser.
Why SSL Certificate?
Google Webmasters Blog has talked about the SSL certificate being one of the ranking factors. So, it not only helps your users interact with your blog securely but also helps you rank higher in SERPs.
Nowadays, HTTPS is one of the basic requirements for any blog. The good thing is that AWS LightSail comes preconfigured for HTTPS.
You can access your blog over HTTPS. The only problem is that the SSL certificate is a dummy certificate using the domain name “example.com”, so you will see a warning in Chrome and other browsers.
To make sure you are able to correctly serve the blog over HTTPS protocol on AWS, you just need to install a proper SSL certificate.
Here are step-by-step instructions on how you can enable Let’s Encrypt SSL certificate on AWS LightSail.
Generate Let’s Encrypt SSL Certificate
SSL Certificate is a key component of HTTPS protocol. It contains the information like domain name, owner name, public key (which will be used to encrypt the data), validity dates etc.
There are companies who offer the paid SSL certificate like Symantec, Godaddy, RapidSSL etc. Paid certificates are good if you are doing financial transactions on your blog.
If you are not accepting payments and have only a few forms where you are accepting user information, you can use Let’s Encrypt free SSL certificate.
Using Certbot Client with Apache
Certbot client allows you to generate the SSL certificate. If you are not inclined to install multiple plugins on your WordPress installation, you can use this method to do everything through Linux shell.
The first thing you need to do is make sure all the packages are updated on your server. You can do that with below command.
AWS LightSail WordPress comes with the LetsEncrypt directory and Lego client. I have seen a lot of issues while working with Lego clients from the users, so our preferred method remains a CertBot client.
It’s time to go and install Certbot with the help of the below commands.
First, move into the LetsEncrypt directory.
Now go ahead and install the Certbot client from official certbot distribution. You also need to make sure that the script has the execute privilege.
Let’s run the certbot-auto script to complete the installation.
The script might show some errors about not knowing how to configure your server, but you can ignore them. It will run and download all the dependencies it needs.
Once the Certbot client is installed, you can go ahead and generate the certificate for your domain.
$ sudo ./certbot-auto certonly --webroot -w /opt/bitnami/apps/wordpress/htdocs/ -d www.example.com -d example.com
Change the domain name to your domain name.
If you need certificates for multiple domains, you can add additional domains with -d option. Check more about the Certbot client at their official page.
It will store the generated certificate in /etc/letsencrypt/live/DOMAIN directory.
You should include a www and non-www domain in the certificate. This needs to be done because some browsers will not do the conversion automatically and users will receive a security error. So it’s useful to include both versions of the domain in the certificate.
If you have already generated the SSL certificate, please issue the above command again. It will ask if you want to expand the existing certificate by including additional domains. Type ‘E’ for expand and it will regenerate the certificate.
Link Let’s Encrypt SSL Certificate to Apache
You can use any of the above-mentioned methods to generate the SSL certificate. Once you have the certificates, you have to let Apache know where it can pick them up.
By default, Apache stores the certificate at the below-mentioned locations
You can just copy your SSL certificate on these locations and restart Apache to enable the new file. But with this approach, you will have to copy the files again when you renew your certificate.
So the better approach is to create a symbolic link to your certificate files. Whenever you renew your certificate, it can take effect without this extra step.
First, we need to rename the existing certificate files so that we can create the symbolic links easily.
$ mv /opt/bitnami/apache2/conf/server.key /opt/bitnami/apache2/conf/serverkey.old
$ mv /opt/bitnami/apache2/conf/server.crt /opt/bitnami/apache2/conf/servercrt.old
You can use the below commands to create the symbolic links. Make sure that the certificate file name and path are correct. [DOMAIN] needs to be replaced with the first domain used in the certificate issue command.
$ sudo ln -s /etc/letsencrypt/live/[DOMAIN]/fullchain.pem /opt/bitnami/apache2/conf/server.crt
$ sudo ln -s /etc/letsencrypt/live/[DOMAIN]/privkey.pem /opt/bitnami/apache2/conf/server.key
Once your symbolic links are in place, you can restart the Apache server for the change to take effect. Use the below command to restart the Apache server.
After Apache restart, you can try to access your blog over HTTPS and make sure there are no errors.
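`ln -s` succeeds even when its target does not exist, so a typo in the link commands above leaves a dangling link that only surfaces when Apache restarts. The following check is an added example, not part of the original guide; the function names are hypothetical and the paths in the usage comment are the ones used on this page.

```shell
#!/bin/sh
# Added example: verify the symlink layout described in this section.
# Relies on the -ef operator of test (available in bash and dash).

# check_cert_link LINK EXPECTED
#   0 = LINK is a symlink that resolves to the same file as EXPECTED
#   1 = LINK is missing or a regular file (a copy goes stale at renewal)
#   2 = LINK is a dangling symlink (typo in the ln -s arguments)
#   3 = LINK resolves, but to some other file
check_cert_link() {
    [ -L "$1" ] || return 1
    [ -e "$1" ] || return 2
    [ "$1" -ef "$2" ] || return 3
    return 0
}

# check_key_mode FILE: succeeds only if no group/other permission bit is set
check_key_mode() {
    perms=$(ls -lnL -- "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# verify_tls_links CONF_DIR LIVE_DIR: prints each problem, returns the count
verify_tls_links() {
    conf=$1; live=$2; bad=0
    for pair in server.crt:fullchain.pem server.key:privkey.pem; do
        link=$conf/${pair%%:*}; target=$live/${pair##*:}
        rc=0; check_cert_link "$link" "$target" || rc=$?
        case $rc in
            1) echo "$link: not a symlink" ;;
            2) echo "$link: dangling symlink" ;;
            3) echo "$link: does not point at $target" ;;
        esac
        [ "$rc" -eq 0 ] || bad=$((bad + 1))
    done
    check_key_mode "$live/privkey.pem" ||
        { echo "$live/privkey.pem: readable by group or others"; bad=$((bad + 1)); }
    return "$bad"
}

# Usage on the server (replace DOMAIN as in the commands above):
#   sudo sh -c '. ./check.sh; verify_tls_links /opt/bitnami/apache2/conf /etc/letsencrypt/live/DOMAIN'
```

A non-zero return before the restart means Apache would start with the old dummy certificate or fail to load the key.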
Redirect Your Blog to HTTPS
Once you have installed the Let’s Encrypt SSL certificate and linked it with Apache, you need to redirect your blog to HTTPS rather than HTTP.
This is a two-step process. First, you need to change the home URL for your blog. That can be done by editing the wp-config.php file.
Edit wp-config.php and replace the below-mentioned two lines to point to HTTPS rather than HTTP.
For the second step, you need to update Apache to redirect the traffic to HTTPS.
You can edit the httpd-prefix.conf file to force the redirection on Apache. The file is present at /opt/bitnami/apps/wordpress/conf/
Add the below section at the top of the file to force the redirection.
Now all of your traffic will redirect to the HTTPS version.
Change all internal links to HTTPS
The last step is to make sure all the internal links are using HTTPS.
WordPress uses the site address to create links, but all the existing links inside the posts and the image links will still be using HTTP.
If you only have a few posts, you can manually edit the posts to change the links. But if you have many posts, you can use a WordPress plugin to make this change.
Better Search-Replace is a WordPress plugin which allows you to search and replace the domain name in the WordPress database.
Just install the plugin, select all the tables, and do a dry run to see how many changes will be needed.
If you are ok with the changes, you can run it and make those changes in the WordPress database.
If you are not planning to make regular changes to the WordPress database, you can uninstall the plugin.
How to Renew The SSL Certificate
Once you have set up the Let’s Encrypt SSL certificate, you need to renew it every 90 days. Let’s Encrypt will send an email to remind you of the certificate expiration.
To renew the certificate, connect to your instance through SSH. First, update all the packages on your server.
It’s not a necessary step but a good habit to make sure most of the maintenance is up to date before making any changes.
Now go to your certbot directory with the below command (Change the directory location, if you have installed it at a different place)
Now run the below command to renew the SSL certificate.
This will renew the certificate and place the updated certificate in /etc/letsencrypt/live/DOMAIN directory.
Now restart Apache to make sure the new certificates are in effect.
So this is how you can enable HTTPS on AWS LightSail with the help of a Let’s Encrypt SSL certificate. Let us know if you are facing any issues installing the SSL certificate on your AWS LightSail WordPress install.