"aww, fuck this" -Me, earlier today.
I had a hard time configuring Let’s Encrypt using Certbot on an instance of Bitnami WordPress in AWS Lightsail. Bitnami wants you to use the LEGO client, but I was not a fan. In fact, the Bitnami document with the correct instructions is currently showing a 404 error. So, I tried this from memory and promptly mauled my server. Somehow Certbot spun up another instance of Apache, which began my descent into madness. I eventually read over the Certbot docs and came up with this as an easy way to set up Let’s Encrypt in Lightsail using Bitnami’s image. I am posting this because my wife pointed out that I would forget this. I was working on the https://fucktrump2020.org server; you will need to replace fucktrump2020.org with your FQDN. By the end you should be able to use Let’s Encrypt and Certbot with Bitnami WordPress.
- A working Bitnami WordPress instance.
- SSH access.
- Superuser access (for every command).
- Ubuntu 16.04 (but it should work on bionic).
Install the Certbot repository and application as outlined here https://certbot.eff.org/docs/install.html. Do not run the commands for the automated installer. In fact, make sure the text `--apache` never appears in anything you type into the terminal.
Download your Certs
If you aren’t careful you can mess up Bitnami’s custom Apache install. Instead of doing that, run the command below. It uses the webroot (HTTP-01) method to verify your site by serving a challenge file from your existing document root, so it neither takes your site down nor starts its own Apache server alongside Bitnami’s.
certbot certonly --webroot -w /opt/bitnami/apps/wordpress/htdocs --email email@example.com -d fucktrump2020.org
Your certs will now be saved in:
server.crt == /etc/letsencrypt/live/fucktrump2020.org/cert.pem
server.key == /etc/letsencrypt/live/fucktrump2020.org/privkey.pem
Stop web server
We are going to stop the server for the next step. Run the command below:
After backing up the old certs we are going to symbolically link to Let’s Encrypt’s own symbolic links. Let’s Encrypt keeps the living (current) certs in “/etc/letsencrypt/live/”; those files are themselves symbolic links to files in some other folder, usually “/etc/letsencrypt/archive”, and certbot repoints them at every renewal, which is why we link to live/ and not to archive/. Beware the dangle.
Backup old certs
mv /opt/bitnami/apache2/conf/server.key /opt/bitnami/apache2/conf/server.key.old
mv /opt/bitnami/apache2/conf/server.crt /opt/bitnami/apache2/conf/server.crt.old
Create symbolic links to the live certs
ln -s /etc/letsencrypt/live/fucktrump2020.org/privkey.pem /opt/bitnami/apache2/conf/server.key
ln -s /etc/letsencrypt/live/fucktrump2020.org/cert.pem /opt/bitnami/apache2/conf/server.crt
Ensure your private key isn’t available to all
Run these commands to make sure only root can read the key and certificate. chown and chmod follow the symlinks, so the change lands on the real files under /etc/letsencrypt.
chown root:root /opt/bitnami/apache2/conf/server*
chmod 600 /opt/bitnami/apache2/conf/server*
Run the command below to start Bitnami’s services back up:
Run the following command to ensure that you can renew the certs:
certbot renew --dry-run
Return to your Saturday night at the kratom bar.
It’s finally over
You probably weren’t using super user access. Run `sudo -i` and start over.