If you are using AWS LightSail to host your WordPress blog, check how you can enable HTTPS with the help of a Let’s Encrypt SSL certificate.
Pro Tip: I have had many instances where readers came back for additional information or went looking for this page after 3 months to renew their SSL certificates. I would strongly suggest bookmarking this page, so you won’t lose it when you need it later on.
AWS LightSail is a great platform to host your blogs as it comes with a good infrastructure and a reasonable price. Nowadays, it has become one of my preferred solutions to install WordPress and start a blog.
AWS LightSail is a virtual private server which means that you do not have cPanel available on the server. You either have to buy a license of cPanel and install it manually or manage the LightSail server by yourself. It offers Bitnami based WordPress Install or Plesk Server install to manage your site.
I prefer to manage it myself, but it can be an overwhelming task for someone who is not from a technical background. So be prepared to run some commands and look at log files.
The first thing you should do after bringing up your WordPress LightSail server is to install an SSL certificate on it. This will make sure your blog is served correctly over the HTTPS protocol.
Let’s look at a step-by-step guide on how you can install SSL certificate on AWS LightSail WordPress Server.
What is HTTPS Protocol?
When you type a blog URL, you usually start it with HTTP, for example http://Metablogue.com.
HTTP means Hypertext Transfer Protocol, which allows your browser and website server to communicate and transfer data. HTTP is by default non-encrypted communication and can be vulnerable to man-in-the-middle and eavesdropping attacks.
If you are just transferring the information which is already available publicly like your blog posts and images, you may decide to serve it over HTTP.
Even if the communication is interrupted and someone snooped over it, they will only find information which is already available to everyone.
But what if someone is trying to contact you using your contact page? If someone snooped on the connection, they would be able to get the user’s email ID and other contact information.
It becomes more critical if you are doing a financial transaction on your blog.
HTTPS For Encrypted Communications
HTTPS allows you to overcome this problem. It works the same way as HTTP but adds an encryption layer on top of it.
For HTTPS to work correctly, the server and browser need to perform a handshake and establish a secure channel for communication. They agree on the encryption algorithm and the SSL certificate to use, among other things.
This added communication takes some time and affects the page loading speed, but it should benefit in terms of security and reliability of your user data.
According to Wikipedia, as of April 2018, 31% of Alexa top 1,000,000 websites use HTTPS as default and more are getting added every day.
How to know if the communication is secured?
Current browsers display the lock icon on the address bar to highlight secured communication over HTTPS protocol.
You can click the lock icon to get more details about the server.
If the server certificate and the domain name do not match, you will see an error in your browser.
Why SSL Certificate?
The Google Webmasters Blog has talked about the SSL certificate being one of the ranking factors. So, it not only helps your users interact with your blog securely but also helps you rank higher in SERPs.
Nowadays, HTTPS is one of the basic requirements for any blog. The good thing is that AWS LightSail comes preconfigured for HTTPS.
You can access your blog over HTTPS. The only problem is that the SSL certificate is a dummy certificate using the domain name “example.com”, so you will see a warning in Chrome and other browsers.
To make sure you are able to correctly serve the blog over HTTPS protocol on AWS, you just need to install a proper SSL certificate.
Here are step-by-step instructions on how you can enable Let’s Encrypt SSL certificate on AWS LightSail.
Generate Let’s Encrypt SSL Certificate
The SSL certificate is a key component of the HTTPS protocol. It contains information such as the domain name, owner name, public key (which will be used to encrypt the data), validity dates etc.
There are companies that offer paid SSL certificates, like Symantec, Godaddy, RapidSSL etc. Paid certificates are good if you are doing financial transactions on your blog.
If you are not accepting payments and have only a few forms where you are accepting user information, you can use a free Let’s Encrypt SSL certificate.
Using Certbot Client with Apache
The Certbot client allows you to generate the SSL certificate. If you are not inclined to install multiple plugins on your WordPress installation, you can use this method to do everything through the Linux shell.
The first thing you need to do is make sure all the packages are updated on your server. You can do that with the below command.
The AWS LightSail WordPress Bitnami distribution comes with an SSL script, but many people have complained about the renewal of the certificate. Our preferred method still remains Certbot.
Before we install the Certbot client, we need to install Snap on the Bitnami instance. You can use the below commands to install Snap on the LightSail instance.
Now go ahead and install the Certbot client from the official Certbot distribution. We also need to link Certbot to the user library so we can execute it with a direct command.
Once the Certbot client is installed, you can go ahead and generate the certificate for your domain.
Change the domain name to your own domain name.
If you need certificates for multiple domains, you can add additional domains with the -d option. Check more about the Certbot client at their official page.
It will store the generated certificate in the /etc/letsencrypt/live/DOMAIN directory, where DOMAIN will be the first domain name used in the above command.
You should always include a www and non-www domain in the certificate. This needs to be done because some browsers will not do the automatic redirect and users will receive a security error. So it’s useful to include both versions of the domain in the certificate.
If you have already generated the SSL certificate, please issue the above command again. It will ask if you want to expand the existing certificate by including additional domains. Type ‘E’ for expand and it will regenerate the certificate.
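The steps above, as an added example that is not part of the original post: a small wrapper that always requests the www and non-www names together and rejects anything that is not a plain hostname. It assumes Certbot's `certonly --webroot` mode; `WEBROOT` is a placeholder for your WordPress document root, and the function names are illustrative.

```shell
#!/bin/sh
# Added example, not from the original post.
# WEBROOT is a placeholder: set it to your WordPress document root.
WEBROOT="${WEBROOT:-/path/to/wordpress/htdocs}"

# domain_args NAME... -> "-d name -d www.name ..." for every name given.
# Lower-cases input, strips a leading "www.", de-duplicates, and rejects
# anything that is not a plain hostname before it reaches the command line.
domain_args() (
  seen=" "; out=""
  for d in "$@"; do
    d=$(printf '%s' "$d" | tr 'A-Z' 'a-z'); d=${d#www.}
    case "$d" in
      ""|*[!a-z0-9.-]*|.*|*.|-*|*-|*..*|*.-*|*-.*)
        echo "invalid domain: $d" >&2; exit 1 ;;
      *.*) ;;
      *) echo "not a fully qualified name: $d" >&2; exit 1 ;;
    esac
    for name in "$d" "www.$d"; do
      case "$seen" in *" $name "*) continue ;; esac
      seen="$seen$name "
      out="${out:+$out }-d $name"
    done
  done
  printf '%s\n' "$out"
)

# issue_cert NAME... : request one certificate covering all names.
# "certonly" only obtains the files; Apache is pointed at them separately.
issue_cert() {
  args=$(domain_args "$@") || return 1
  # Word splitting of $args is intended; every word was validated above.
  sudo certbot certonly --webroot -w "$WEBROOT" $args
}

# Runs only when domains are passed, e.g.: sh issue.sh example.com
if [ "$#" -gt 0 ]; then issue_cert "$@"; fi
```
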
Link Let’s Encrypt SSL Certificate to Apache
You can use any of the above-mentioned methods to generate the SSL certificate. Once you have the certificates, you have to let Apache know where it can pick them up.
By default, Apache stores the certificate at the below-mentioned locations.
You can just copy your SSL certificate on these locations and restart Apache to enable the new file. But with this approach, you will have to copy the files again when you renew your certificate.
So the better approach is to create a symbolic link to your certificate files. Whenever you renew your certificate, it can take effect without this extra step.
First, we need to rename the existing certificate files so that we can create the symbolic links easily.
You can use the below commands to create the symbolic links. Make sure that the certificate file name and path are correct. [DOMAIN] needs to be replaced with the first domain used in the certificate issue command.
Once your symbolic links are in place, you can restart the Apache server to put them into effect. Use the below command to restart the Apache server.
After Apache restart, you can try to access your blog over HTTPS and make sure there are no errors.
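The rename-and-link procedure above, as an added example that is not part of the original post. The Apache certificate and key paths are passed as arguments because the page does not list them; `fullchain.pem` and `privkey.pem` are the file names Certbot writes in its live directory, and the function names are illustrative.

```shell
#!/bin/sh
# Added example, not from the original post. The Apache certificate and key
# paths are passed in as arguments because they differ between images.

# swap_link TARGET SOURCE: make TARGET a symlink to SOURCE. A regular file
# at TARGET is kept once as TARGET.old; an existing backup is never replaced.
swap_link() {
  if [ -e "$1" ] && [ ! -L "$1" ]; then
    if [ -e "$1.old" ]; then
      echo "refusing to overwrite backup $1.old" >&2; return 1
    fi
    mv "$1" "$1.old"
  fi
  ln -sfn "$2" "$1"
}

# link_cert LIVE_DIR APACHE_CERT APACHE_KEY
# Certbot keeps fullchain.pem and privkey.pem in the live directory as
# symlinks to the newest issued files, so links made here follow renewals.
link_cert() {
  if [ ! -r "$1/fullchain.pem" ] || [ ! -r "$1/privkey.pem" ]; then
    echo "no readable certificate and key in $1" >&2; return 1
  fi
  swap_link "$2" "$1/fullchain.pem" && swap_link "$3" "$1/privkey.pem"
}

# links_ok LIVE_DIR APACHE_CERT APACHE_KEY: succeed only if both links
# point into LIVE_DIR and resolve to readable files.
links_ok() {
  [ "$(readlink "$2")" = "$1/fullchain.pem" ] && [ -r "$2" ] &&
  [ "$(readlink "$3")" = "$1/privkey.pem" ] && [ -r "$3" ]
}

# Example call (placeholder paths, run as root):
#   link_cert /etc/letsencrypt/live/DOMAIN /path/to/server.crt /path/to/server.key
if [ "$#" -eq 3 ]; then link_cert "$@" && links_ok "$@"; fi
```

Running `links_ok` before the Apache restart catches a mistyped [DOMAIN] or a dangling link while the old files are still available as `.old`.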
Redirect Your Blog to HTTPS
Once you have installed the Let’s Encrypt SSL certificate and linked it with Apache, you need to redirect your blog to HTTPS rather than HTTP.
This is a two-step process. First, you need to change the home URL for your blog. That can be done by editing the wp-config.php file.
Edit wp-config.php and replace the two lines mentioned below so that they point to HTTPS rather than HTTP.
For the second step, you need to update Apache to redirect the traffic to HTTPS. To do that, you have to edit three different files on your instance. You can either edit them directly on the server with an editor like vi or download the files using SFTP.
Here are the three files which need to be edited for redirecting the HTTP traffic to HTTPS.
Download all the three files and add the below section at the end of the file to force the redirection.
Now all of your traffic will redirect to the HTTPS version.
Change all internal links to HTTPS
The last step is to make sure all the internal links are using HTTPS.
WordPress uses the site address to create links, but all the existing links inside the posts and the image links will still be using HTTP.
If you only have a few posts, you can manually edit the posts to change the links. But if you have many posts, you can use a WordPress plugin to make this change.
Better Search-Replace is a WordPress plugin which allows you to search and replace the domain name in the WordPress database.
Just install the plugin, select all the tables, and do a dry run to see how many changes will be needed.
If you are ok with the changes, you can run it and make those changes in the WordPress database.
If you are not planning to make regular changes to the WordPress database, you can uninstall the plugin.
How to Renew The SSL Certificate
Once you have set up the Let’s Encrypt SSL certificate, you need to renew it every 90 days. Let’s Encrypt will send an email to remind you of the certificate expiration.
To renew the certificate, connect to your instance through SSH. First, update all the packages on your server.
It’s not a necessary step but a good habit to make sure most of the maintenance is up to date before making any changes.
Now run the below command to renew the SSL certificate.
This will renew the certificate and place the updated certificate in the /etc/letsencrypt/live/DOMAIN directory.
If you have used our older method with the certbot-auto script and want to renew those certificates, you can use the below commands rather than the above renew commands.
$ cd /opt/bitnami/letsencrypt
$ sudo ./certbot-auto renew
Now restart Apache to make sure the new certificates are in effect.
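An added example (not from the original post) for confirming that a renewal actually happened instead of waiting for the reminder email: it reads the certificate's expiry date with `openssl x509 -enddate` and classifies it. It assumes GNU `date`; the 30-day threshold follows Certbot's default renewal window, and the function names are illustrative.

```shell
#!/bin/sh
# Added example, not from the original post.

# cert_status "notAfter=<date>" [NOW_EPOCH] -> "<state> <whole days left>"
# <state> is ok, renew (under 30 days left) or expired.
# NOW_EPOCH defaults to the current time; passing it makes results repeatable.
cert_status() (
  end=$(date -u -d "${1#notAfter=}" +%s 2>/dev/null) || exit 2
  now=${2:-$(date -u +%s)}
  left=$(( end - now ))
  if [ "$left" -le 0 ]; then
    echo "expired 0"
  elif [ "$left" -lt $(( 30 * 86400 )) ]; then
    echo "renew $(( left / 86400 ))"
  else
    echo "ok $(( left / 86400 ))"
  fi
)

# check_cert FILE: report on a certificate file on disk, for example
# /etc/letsencrypt/live/DOMAIN/cert.pem (DOMAIN is a placeholder).
check_cert() {
  line=$(openssl x509 -noout -enddate -in "$1") || return 2
  cert_status "$line"
}

# Runs only when a certificate path is passed on the command line.
if [ "$#" -eq 1 ]; then check_cert "$1"; fi
```

A freshly renewed certificate should report `ok` with close to 90 days left; `renew` or `expired` after running the renew command means the renewal did not replace the file Apache is serving.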
So this is how you can enable HTTPS on AWS LightSail with the help of a Let’s Encrypt SSL certificate. Let us know if you are facing any issues installing the SSL certificate on your AWS LightSail WordPress install.