Let’s Encrypt and Certbot with Bitnami WordPress. How To

[Image: output of ls -ln on /opt/bitnami/apache2/conf after a successful certbot install, showing the resulting file permissions.]

Preface

"aww, fuck this" -Me, earlier today.

I had a hard time configuring Let’s Encrypt using Certbot on an instance of Bitnami WordPress in AWS Lightsail. Bitnami wants you to use the LEGO client, but I was not a fan. In fact, the Bitnami document with the correct instructions is currently showing a 404 error. So, I tried this from memory and promptly mauled my server. Somehow Certbot spun up another instance of Apache, which began my descent into madness. I eventually read over the Certbot docs and came up with this as an easy way to set up Let’s Encrypt in Lightsail using Bitnami’s image. I am posting this because my wife pointed out that I would forget it. I was working on the https://fucktrump2020.org server; you will need to replace fucktrump2020.org with your own FQDN. By the end you should be able to use Let’s Encrypt and Certbot with Bitnami WordPress.

Requisites

  • A working Bitnami WordPress instance.
  • Apache
  • SSH access.
  • superuser access (for every command).
  • Ubuntu 16.04 (but it should also work on 18.04 Bionic)

Process

Install CERTBOT

Install the Certbot repository and application as outlined at https://certbot.eff.org/docs/install.html. Do not run the commands for the automated installer. In fact, make sure the text `--apache` never appears in anything you type into the terminal.

Download your Certs

If you aren’t careful you can mess up Bitnami’s custom Apache install. Instead of doing that, run the command below. It uses the webroot (HTTP-01) method to verify your site without taking it down or running its own Apache server alongside Bitnami’s.

certbot certonly --webroot -w /opt/bitnami/apps/wordpress/htdocs --email adminaccount@youremail.com -d fucktrump2020.org

Your certs will now be saved in:

server.crt == /etc/letsencrypt/live/fucktrump2020.org/cert.pem
server.key == /etc/letsencrypt/live/fucktrump2020.org/privkey.pem

Stop web server

We are going to stop the server for the next step. Run the command below:

/opt/bitnami/ctlscript.sh stop

Swap certs

After backing up the old certs, we are going to symbolically link to Let’s Encrypt’s own symbolic links. Let’s Encrypt keeps the live (current) certs in “/etc/letsencrypt/live/”; those certs are symbolic links to files in another folder, usually “/etc/letsencrypt/archive”. Beware the dangle.

Backup old certs

mv /opt/bitnami/apache2/conf/server.key /opt/bitnami/apache2/conf/server.key.old
mv /opt/bitnami/apache2/conf/server.crt /opt/bitnami/apache2/conf/server.crt.old

Create symbolic links to the live certs

ln -s /etc/letsencrypt/live/fucktrump2020.org/privkey.pem /opt/bitnami/apache2/conf/server.key
ln -s /etc/letsencrypt/live/fucktrump2020.org/cert.pem /opt/bitnami/apache2/conf/server.crt

Ensure your private key isn’t available to all

Run these commands so that only root can read the certificate and, more importantly, the private key:

chown root:root /opt/bitnami/apache2/conf/server*
chmod 600 /opt/bitnami/apache2/conf/server*

Restart services

Run the command below to start Bitnami’s services back up:

/opt/bitnami/ctlscript.sh start

Test renewal

Run the following command to ensure that you can renew the certs:

certbot renew --dry-run
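To confirm the swap actually worked, here is a small check script, an added example rather than part of the original post: it verifies that neither link dangles, that the files they resolve to are root-owned and mode 600, and that server.key really belongs to server.crt. It assumes the Bitnami paths used above (the CONF variable is my own) and needs openssl for the key/cert comparison.

```shell
#!/bin/sh
# Sanity checks for the cert swap above (added example, not from the original post).
# Assumes the Bitnami paths used in the post; CONF can be overridden for other layouts.
CONF="${CONF:-/opt/bitnami/apache2/conf}"

# check_link LINK: succeed only if LINK is a symlink that resolves to a real file.
# certbot's live/ entries are themselves symlinks into archive/, so a removed or
# renamed lineage leaves server.key/server.crt dangling ("beware the dangle").
check_link() {
    [ -L "$1" ] || { echo "FAIL: $1 is not a symlink"; return 1; }
    [ -f "$1" ] || { echo "FAIL: $1 is a dangling symlink"; return 1; }
    echo "ok: $1 -> $(readlink -f "$1")"
}

# check_perms FILE [UID]: succeed only if the file FILE resolves to is mode 600 and
# owned by UID (default 0, root). chmod/chown follow symlinks, so the post's
# chown/chmod step changed the archive files, and that is what we inspect here.
check_perms() {
    want="${2:-0}"
    got=$(stat -L -c '%a:%u' "$1") || return 1
    [ "$got" = "600:$want" ] || { echo "FAIL: $1 is $got, want 600:$want"; return 1; }
    echo "ok: $1 is mode 600, owned by uid $want"
}

# check_pair KEY CERT: succeed only if the private key's public half equals the
# public key in the certificate, i.e. both links point into the same lineage.
check_pair() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ] || { echo "FAIL: $1 does not match $2"; return 1; }
    echo "ok: server.key matches server.crt"
}

# check_all: run every check against $CONF; status 0 only if all of them pass.
check_all() {
    rc=0
    for f in "$CONF/server.key" "$CONF/server.crt"; do
        check_link "$f" || rc=1
        check_perms "$f" || rc=1
    done
    check_pair "$CONF/server.key" "$CONF/server.crt" || rc=1
    return $rc
}

# Run the checks when the Bitnami conf directory is present on this host.
if [ -d "$CONF" ]; then
    check_all
fi
```

Two things the post does not cover: certbot also writes fullchain.pem (leaf plus intermediate) beside cert.pem, so if a client complains about an incomplete chain, link that file as server.crt instead; and Apache only reads these files at start-up, so each renewal needs an Apache restart, which certbot can run for you through its --deploy-hook option.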

Return to your Saturday night at the kratom bar.

It’s finally over

Troubleshooting

You probably weren’t using superuser access. Run `sudo -i` and start over.
