I have been putting off setting up SSL (Secure Sockets Layer) for this website for a long time. One of the reasons was that I am absolutely fearful I will screw it up (probably) and the other was a lack of official documentation for setting up SSL in Amazon Lightsail.
Actually, nowadays if you purchase a hosting package, it will almost always come with SSL included. But not Amazon Lightsail. You can get it set up easily with a Lightsail load balancer but I am not going to need that and do not want to spend money on a load balancer.
Reasons for Setting up SSL for WordPress in Amazon Lightsail
(1) I was planning a new web site and needed to have SSL for that web site. Because of the need for SSL, I was looking around for a non-WordPress solution (Wix, Weebly, Squarespace and horror of horrors, WordPress.com) as they all came with SSL pre-installed. However, they all also came with so many inherent shortcomings and other problems (editor, themes, cost etc) as compared to WordPress.org hosting.
(2) SEO (Search Engine Optimization): Enough said about Google’s (and Chrome’s) love for SSL
(3) Finally, the most important. Amazon issued a tutorial on how to do this. I found it last week and decided to try it out. The tutorial is at https://lightsail.aws.amazon.com/ls/docs/en/articles/amazon-lightsail-using-lets-encrypt-certificates-with-wordpress
The SSL installation
Okay. First I am going to be the usual shameless patnotebook :). I am just following the instructions in the tutorial. Step by step. Command by Command. So this “guide” (if you even call it one) is just a “story” of how I followed blindly the tutorial to set up SSL on my WordPress web site.
Backup Backup Backup
Patnotebook is a “gut-less” guy. When you are alone and not much help from friends in this area (and your only help is the wonderful internet), you are paranoid about changes. So backup before you start. I backed up the site using Updraft-Plus and then I also did a whole backup of the Amazon Lightsail Instance using the Snapshot in Amazon Lightsail.
I did something else. I downloaded the “Really Simple SSL” plugin at https://wordpress.org/plugins/really-simple-ssl/. I did not install it yet but oh…. I am so ready…
There.. the typical Singaporean 🙂
Install Certbot on your Lightsail instance
This step is easy.. I just follow all the instructions.
The tutorial said this:
sudo apt-get update
I did this:
sudo apt-get update && sudo apt-get upgrade -y
Smart huh :).
Then it is this command:
sudo apt-get install software-properties-common
And this command:
sudo apt-add-repository ppa:certbot/certbot -y
And then this command…
sudo apt-get update -y
And finally this command. This one took the longest.. I had to hold my breath in fear.. as lines and lines of response in the terminal came back and I don’t know what in the world it is talking about…. till I saw the command prompt back and I know I have not screwed up yet..
sudo apt-get install certbot -y
According to Amazon, “Certbot is now installed on your Lightsail instance”. What do I know.. it looks Greek to me.
Request a “Let’s Encrypt” SSL wildcard certificate
Now.. the next steps are:
DOMAIN=patnotebook.com   # my domain, not yours!
WILDCARD=*.$DOMAIN
echo $DOMAIN && echo $WILDCARD
I got this back.. Basically telling me I have done correctly as I can see my dearest domain name… so far, so good….
The next command is a long one but as I have been using Amazon Lightsail’s terminal copy and paste box, which makes it easy not to screw up… you should spend time to play with that. It helps a lot.
sudo certbot -d $DOMAIN -d $WILDCARD --manual --preferred-challenges dns certonly
Then I got this back.. which requires me to give my email address, my consent for 1,000 things and my IP address… mmmm… Honestly, bro, I don’t have a choice…
Add TXT records to your domain’s DNS zone in Lightsail
And next is to verify my ownership of this domain. Obviously I cannot go around creating SSL certificates for Microsoft.com or Facebook.com or Google.com or I-am-So-Hunky.com etc. Need to prove I am the owner… easy.. I AM !! Believe me, Amazon !!
“You do this by adding TXT records to the DNS records for your domain. Two sets of TXT record values are provided”. (says the Amazon tutorial)
Yes. Two sets of DNS records. What they did not say is that you need to do one first. Confirm that it is correct. Press Continue. Then do the second one. Press Continue. For me, as I am using the Amazon Lightsail DNS networking, it was easily done:
As I said, you do it twice so finally this was what happened:
You can use a MX tool to check that the wonderful DNS records are working around the globe….
And now you are ready to move on.. LA LA LA.. so far so good..
Complete the Let’s Encrypt SSL certificate request
Moving on… to complete the Let’s Encrypt SSL certificate request. I press “ENTER” key in the terminal (yes, go back to the black terminal) and I get this long story:
The last part “Donate to ISRG and EFF” etc tells me that I have got the SSL certificate. Obviously, since they are now asking for a donation (which is right, by the way, you should if you have the funds. I already did that). The expiration date for the certificate is shown. Oh dear, what do I do when it expires.. I got to GOOGLE for help again 🙂
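Checking how close the certificate is to its expiry date, as an added example that is not part of the original post or the Amazon tutorial. Because the certificate was requested with --manual and a DNS challenge, certbot cannot answer the challenge again by itself (unless an authentication hook is configured), so renewal means repeating the request and the TXT-record steps. The function names and the 30-day default are assumptions.

```shell
#!/bin/sh
# Added example (not from the post or the Amazon tutorial).
# Usage: sudo sh cert-expiry.sh /etc/letsencrypt/live/$DOMAIN/fullchain.pem 30
# Assumes the openssl command-line tool is installed.

# Print the certificate's "not after" date.
cert_not_after() {
  openssl x509 -enddate -noout -in "$1" | sed 's/^notAfter=//'
}

# renewal_status <pem-file> [days]
#   exit 0: still valid <days> from now
#   exit 1: expires within <days> (or has already expired)
#   exit 2: file missing or not a readable certificate
renewal_status() {
  pem=$1
  days=${2:-30}

  # Separate "cannot parse" from "about to expire": -checkend alone
  # returns a non-zero status for both.
  if ! openssl x509 -noout -in "$pem" >/dev/null 2>&1; then
    echo "ERROR: cannot read a certificate from $pem"
    return 2
  fi

  # -checkend S exits 0 when the certificate is still valid S seconds from now.
  if openssl x509 -checkend "$((days * 86400))" -noout -in "$pem" >/dev/null; then
    echo "OK: valid for more than $days days (expires $(cert_not_after "$pem"))"
    return 0
  fi

  echo "RENEW: expires within $days days ($(cert_not_after "$pem"))"
  echo "       repeat the certbot request and the TXT-record steps"
  return 1
}

# Run only when a certificate path is given, so the file can also be sourced.
[ "$#" -eq 0 ] || renewal_status "$@"
```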
Move the Let’s Encrypt certificate files to the Apache directory
Moving on.. it is to backup some files and move some files.. whatever just follow the commands…
sudo /opt/bitnami/ctlscript.sh stop
Then these commands:
I get this. I am a good boy. The product of following instructions to the letter “T” from my wonderful Singapore education.
Now the next 6 commands. Trust me. I don’t know what I am doing here at all. Just copy and paste. Copy and Paste. Copy and PRAY !!
sudo mv /opt/bitnami/apache2/conf/server.crt /opt/bitnami/apache2/conf/server.crt.old
sudo mv /opt/bitnami/apache2/conf/server.key /opt/bitnami/apache2/conf/server.key.old
sudo mv /opt/bitnami/apache2/conf/server.csr /opt/bitnami/apache2/conf/server.csr.old
sudo ln -s /etc/letsencrypt/live/$DOMAIN/privkey.pem /opt/bitnami/apache2/conf/server.key
sudo ln -s /etc/letsencrypt/live/$DOMAIN/fullchain.pem /opt/bitnami/apache2/conf/server.crt
sudo /opt/bitnami/ctlscript.sh start
In one of the steps, I saw my first failure. It does not seem too scary or too critical so I just ignored it. (Okay… nothing to backup there.. so that’s why it failed… see, I am thinking !!)
And one final step. To make your wp-config editable.
sudo chmod 666 /opt/bitnami/apps/wordpress/htdocs/wp-config.php
Install and activate the Really Simple SSL plugin in your WordPress
Finally at this stage, there is no more need for terminal. I am so done with the black screen. It looks scary, unfriendly and definitely not good for Chinese New Year.
I get to go back to my WordPress Administration page. White. Nice Nice. So I uploaded my plugin and then I installed it… which leads me to this screen…..
And after I activated the plugin, I saw this error message. I knew it. Why would it be so easy (so far!). Something must go wrong !!
And okay.. calm down, boy….. Just click on the button “Reload over https”. This time, I see this page:
And looks like it is ready .. so I took a deep breath and then press the BLUE “Go Ahead and Activate SSL” button. And got this “SSL Activated” micro small message:
This means your blog is now SSL enabled…. wow.. OKAY !!!
So now I go to my blog using my trusty Safari browser and check the top of the address bar…. Ta ta ta. https://www.patnotebook.com 🙂
And clicking on the Certificate icon, I can see my certificate. There is a sudden strong feeling of ownership. My own SSL certificate !! YA RIGHT 🙂
And indeed, when I used Chrome to check, it was working great too.
So that’s it.. I managed to make this site SSL ! 🙂 Mission Accomplished. Give myself a pat on the back. Thank you for the instructions 🙂
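A post-install check for the steps above, as an added example that is not part of the original post or the Amazon tutorial. It confirms that server.crt and server.key in the Apache conf directory are the symlinks into /etc/letsencrypt/live/$DOMAIN, and flags wp-config.php (which holds the database credentials) if the earlier chmod 666 is still in effect. The function name and output wording are assumptions.

```shell
#!/bin/sh
# Added example (not from the post or the Amazon tutorial).
# Usage: sudo sh audit.sh <apache-conf-dir> <letsencrypt-live-dir> <wp-config.php>
# With this page's paths:
#   /opt/bitnami/apache2/conf  /etc/letsencrypt/live/$DOMAIN
#   /opt/bitnami/apps/wordpress/htdocs/wp-config.php
# Assumes GNU stat and readlink, as on the Ubuntu-based instance used here.

audit_ssl_setup() (
  conf_dir=$1; live_dir=$2; wp_config=$3; rc=0

  # 1. server.crt and server.key must be the symlinks created with "ln -s",
  #    so Apache picks up a renewed certificate instead of a stale copy.
  for pair in server.crt:fullchain.pem server.key:privkey.pem; do
    link="$conf_dir/${pair%%:*}"
    want="$live_dir/${pair##*:}"
    if [ ! -L "$link" ] || [ "$(readlink "$link")" != "$want" ]; then
      echo "FAIL: $link is not a symlink to $want"; rc=1
    elif [ ! -e "$link" ]; then
      echo "FAIL: $link points to a file that does not exist"; rc=1
    fi
  done

  # 2. wp-config.php holds the database credentials; "chmod 666" was set so
  #    the plugin could edit it. Flag it if "other" can still write to it.
  mode=$(stat -c %a "$wp_config")
  case $mode in
    *[2367]) echo "FAIL: $wp_config is world-writable (mode $mode)"; rc=1 ;;
  esac

  [ "$rc" -eq 0 ] && echo "OK: symlinks in place, wp-config.php not world-writable"
  exit "$rc"
)

# Run only when the three paths are given, so the file can also be sourced.
[ "$#" -ne 3 ] || audit_ssl_setup "$@"
```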
Sidenote. But then I was doing more work after this and saw this help document from Bitnami (which provides the WordPress stuff in Amazon Lightsail)… damn.. it is even easier than I thought if I had found this link. You got to see the link. It makes it so easy (just one damn command line). HA HA.
Sidenote. There was one change I needed to make in the httpd-vhosts.conf file for this to work. Need to match the RED part to the above from Amazon. In other words my httpd-vhosts.conf file configuration needs to point to the exact directory where Amazon has taught me to “deposit” the SSL certificate to.. Okay.. I do use my brain a little 🙂