I recently set up this site using WordPress with the pre-built Lightsail blueprint from Bitnami. Overall it was super straightforward and I was up and running quickly. Once I got the domain ported over I realised my admin site wasn't secured, so obviously I had to get a cert installed.

I've been using Let's Encrypt for a while now (at least 2 years, maybe 3?) and it's great! I figured there'd be a WordPress plugin, I could hit a button and be ready to rock.. but alas! (if there is one, leave it in the comments!)

The assumption in this article is that you've already set up your instance with WordPress and are ready to secure it. If not, go do that first : )

Here’s our checklist:

  1. Install Let’s Encrypt (LE)
  2. Create certificate
  3. Replace example/default certs with our domain certs
  4. Https always!
  5. Setup certificate renewal
  6. Wrap up + disable Bitnami banner

1. Install Let’s Encrypt

This step is straight from LE’s instructions:

  1. Open up the console from your Lightsail control panel
  2. Ensure your machine is up to date and can install certbot from source:
    sudo apt-get update
    sudo apt-get install software-properties-common
    sudo add-apt-repository ppa:certbot/certbot
    sudo apt-get update
    
  3. Now install certbot:
    sudo apt-get install python-certbot-apache
    

2. Create certificates

I ran into a snag following those instructions where certbot couldn't find apache2ctl (I guess it's been deprecated for a while). Thankfully there's an obvious and easy workaround: symlink it!

  1. If you try running sudo certbot --apache you’ll most likely get an error saying apache2ctl wasn’t found in your PATH
  2. OK, so easy fix: run the following to symlink to your existing apachectl:
    sudo ln -s /opt/bitnami/apache2/bin/apachectl /opt/bitnami/apache2/bin/apache2ctl
    
  3. Run the following again and follow the instructions and you should be good:
    sudo certbot --apache

    Some handy tips:

    • LE certs do not support wildcard certs at the time of this writing, so when asking for a domain I used the www (so www.workwith.io, for example)
    • This will then be the DOMAIN referred to in the rest of this tutorial
    • You may get an option asking if you want to redirect all HTTP traffic to HTTPS. I highly recommend you say YES unless you have a good reason not to.

3. Replace example/default certs with our domain certs

I always confuse which files I'm supposed to use since it's not something I do all the time anymore. certbot generates four different .pem files and you only need two… so after some trial and error and some DuckDuckGo-ing I determined the two I needed: fullchain.pem (the certificate plus its intermediate chain) and privkey.pem (the private key).

The steps to replace:

  1. Backup the default certs:
    sudo mv /opt/bitnami/apache2/conf/server.crt /opt/bitnami/apache2/conf/server.crt.old
    sudo mv /opt/bitnami/apache2/conf/server.key /opt/bitnami/apache2/conf/server.key.old
    sudo mv /opt/bitnami/apache2/conf/server.csr /opt/bitnami/apache2/conf/server.csr.old
    
  2. Symlink your LE certs into place:
    sudo ln -s /etc/letsencrypt/live/YOUR-DOMAIN/fullchain.pem /opt/bitnami/apache2/conf/server.crt
    sudo ln -s /etc/letsencrypt/live/YOUR-DOMAIN/privkey.pem /opt/bitnami/apache2/conf/server.key
    
  3. Once in place, restart apache:
    sudo /opt/bitnami/ctlscript.sh restart apache
    
  4. You’re done! Visit https://YOUR-DOMAIN and you should get a successful https request! (if not, try shift-refreshing once or twice in case the browser cached the cert)
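As an added example (not code from this post, nor from Bitnami or Let's Encrypt), here is a small shell script that does the backup and symlink steps above, but first checks that privkey.pem actually matches fullchain.pem and that the certificate has not already expired, so you never restart Apache against a broken pair. It assumes openssl is installed; the two directory paths are parameters (normally /opt/bitnami/apache2/conf and /etc/letsencrypt/live/YOUR-DOMAIN) so you can try the functions on a scratch directory first, and the function names are my own.

```shell
# Added example, not from the original post: verify a Let's Encrypt cert/key
# pair, then back up the Bitnami defaults and symlink the LE files in place.
# Assumes openssl is installed. CONF_DIR / LIVE_DIR are parameters so the
# functions can be exercised against a scratch directory.

# Return 0 only if privkey.pem matches fullchain.pem and the cert is not
# expired. Comparing the derived public keys works for RSA and EC keys alike.
le_pair_ok() {
  live="$1"
  cert="$live/fullchain.pem"
  key="$live/privkey.pem"
  if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
    echo "missing fullchain.pem or privkey.pem in $live" >&2
    return 1
  fi
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "private key does not match certificate" >&2
    return 1
  fi
  # -checkend 0 exits non-zero when the certificate has already expired
  if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
    echo "certificate has expired" >&2
    return 1
  fi
}

# Back up the Bitnami defaults (first backup only, never overwritten) and
# link the LE files into place. Restart Apache afterwards as in step 3.
install_le_cert() {
  conf="$1"
  live="$2"
  le_pair_ok "$live" || return 1
  for f in server.crt server.key server.csr; do
    # a regular file here is still a Bitnami default; a symlink means we already ran
    if [ -f "$conf/$f" ] && [ ! -L "$conf/$f" ] && [ ! -e "$conf/$f.old" ]; then
      mv "$conf/$f" "$conf/$f.old"
    fi
  done
  ln -sfn "$live/fullchain.pem" "$conf/server.crt"
  ln -sfn "$live/privkey.pem" "$conf/server.key"
}

# Usage on the instance (as root), assuming this file is saved as le_swap.sh:
#   . ./le_swap.sh && install_le_cert /opt/bitnami/apache2/conf /etc/letsencrypt/live/YOUR-DOMAIN \
#     && /opt/bitnami/ctlscript.sh restart apache
```

Because server.crt and server.key are symlinks into the live/ directory, a later renewal that rewrites the files behind live/ is picked up on the next Apache restart without repeating this step.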

4. Https always!

To really wrap this up, you’ll want to make sure every visit to the site uses an https request. ALWAYS USE HTTPS!

  1. First, open the wp-config.php file:
    sudo vim /home/bitnami/apps/wordpress/htdocs/wp-config.php
    
  2. Now modify the following two lines so that http:// becomes https://.
    (Hint: in VIM, type /WP_SITEURL to search.)

    define('WP_SITEURL', 'https://' . $_SERVER['HTTP_HOST'] . '/');
    define('WP_HOME', 'https://' . $_SERVER['HTTP_HOST'] . '/');
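If you would rather script this edit than do it in vim, here is an added example (my own code, not from the post or from Bitnami) that rewrites only the two defines, keeps a .bak copy, and then verifies both lines really use https. The file path is a parameter so you can try it on a copy; the optional second argument and the function names are my own additions.

```shell
# Added example, not from the original post: switch the WP_SITEURL and
# WP_HOME defines in wp-config.php from http:// to https:// without touching
# anything else in the file, then verify the result. Uses GNU sed -i.

# Rewrite only the two define lines. Idempotent: running it twice is harmless.
# With an optional HOST argument the defines are pinned to that literal name
# instead of being built from the request's Host header (HOST must not contain
# '#' or '&', which are special to sed here).
force_https_defines() {
  f="$1"
  host="$2"
  [ -w "$f" ] || { echo "cannot write $f" >&2; return 1; }
  cp -p "$f" "$f.bak"   # keep a copy to roll back
  if [ -n "$host" ]; then
    sed -i -e "s#^define( *'WP_SITEURL',.*#define('WP_SITEURL', 'https://$host/');#" \
           -e "s#^define( *'WP_HOME',.*#define('WP_HOME', 'https://$host/');#" "$f"
  else
    sed -i -e "/^define( *'WP_SITEURL'/s#'http://'#'https://'#" \
           -e "/^define( *'WP_HOME'/s#'http://'#'https://'#" "$f"
  fi
}

# Return 0 only if both defines use https.
wp_config_https_ok() {
  f="$1"
  grep -q "^define( *'WP_SITEURL', *'https://" "$f" &&
  grep -q "^define( *'WP_HOME', *'https://" "$f"
}

# Usage on the instance, assuming this file is saved as wp_https.sh:
#   . ./wp_https.sh
#   sudo_file=/home/bitnami/apps/wordpress/htdocs/wp-config.php
#   force_https_defines "$sudo_file" && wp_config_https_ok "$sudo_file" && echo "ok"
```

Pinning the hostname (second argument) means the site URL no longer depends on whatever Host header the request carried, which is the more conservative choice once you know the one name the site answers on.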
    

5. Setup certificate renewal

LE certs expire after 3 months and it's easy to forget. The best way not to forget is to not allow yourself to forget!

Some installations are supposed to come with a systemd timer already set up. Mine didn't, so here's what I did.

First: make a certbot.timer file.

cd /etc/systemd/system/
sudo vim certbot.timer

Hit i for insert mode and paste in the following:

[Unit]
Description=Run certbot twice daily

[Timer]
OnCalendar=*-*-* 00,12:00:00
RandomizedDelaySec=3600
Persistent=true

[Install]
WantedBy=timers.target

Hit ESC and type :wq to save and exit. Next, make a certbot.service file

sudo vim certbot.service

Hit i and paste in the following:

[Unit]
Description=Certbot
Documentation=https://letsencrypt.readthedocs.io/en/latest/

[Service]
Type=oneshot
# The service already runs as root (no sudo needed) and systemd wants an absolute path here.
# The deploy hook restarts Bitnami's Apache only when a cert was actually renewed, so the new cert is served.
ExecStart=/usr/bin/certbot renew --preferred-challenges http --deploy-hook "/opt/bitnami/ctlscript.sh restart apache"
PrivateTmp=true

From here we'll have to reload systemd, start the timer, and then enable it so it comes back after a reboot.

sudo systemctl daemon-reload
sudo systemctl start certbot.timer 
sudo systemctl enable certbot.timer 
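As an added example (my own script, not from the post), here is a shell function that writes the two unit files above and a second one that lints the service for the problems that leave a timer firing every 12 hours while nothing actually renews or gets served: a non-absolute ExecStart, a stray sudo, and no hook to restart Apache after a renewal. The unit directory is a parameter (normally /etc/systemd/system) so the functions can be tried in a scratch directory; /usr/bin/certbot is the path the Ubuntu package installs to and is an assumption here, as is the ctlscript path.

```shell
# Added example, not from the original post: write the certbot timer/service
# units and lint the service for common mistakes. UNIT_DIR is a parameter so
# this can run against a scratch directory. CERTBOT and CTLSCRIPT are assumed
# paths; adjust them if your install differs.
CERTBOT=/usr/bin/certbot
CTLSCRIPT=/opt/bitnami/ctlscript.sh

write_certbot_units() {
  dir="$1"
  cat > "$dir/certbot.timer" <<'EOF'
[Unit]
Description=Run certbot twice daily

[Timer]
OnCalendar=*-*-* 00,12:00:00
RandomizedDelaySec=3600
Persistent=true

[Install]
WantedBy=timers.target
EOF
  # unquoted heredoc so $CERTBOT / $CTLSCRIPT expand; the inner quotes stay literal
  cat > "$dir/certbot.service" <<EOF
[Unit]
Description=Certbot
Documentation=https://letsencrypt.readthedocs.io/en/latest/

[Service]
Type=oneshot
# runs as root already, so no sudo; --deploy-hook only fires when a cert was renewed
ExecStart=$CERTBOT renew --preferred-challenges http --deploy-hook "$CTLSCRIPT restart apache"
PrivateTmp=true
EOF
}

# Return 0 only if the service unit has an absolute ExecStart, no sudo, and a deploy hook.
check_certbot_service() {
  unit="$1/certbot.service"
  exec_line=$(grep '^ExecStart=' "$unit") || { echo "no ExecStart in $unit" >&2; return 1; }
  case "$exec_line" in
    ExecStart=/*) ;;
    *) echo "ExecStart must use an absolute path" >&2; return 1 ;;
  esac
  case "$exec_line" in
    *sudo*) echo "sudo is unnecessary in a root service and breaks the absolute-path rule" >&2; return 1 ;;
  esac
  case "$exec_line" in
    *--deploy-hook*) ;;
    *) echo "no deploy hook: Apache would keep serving the old certificate" >&2; return 1 ;;
  esac
}

# Usage on the instance (as root), assuming this file is saved as certbot_units.sh:
#   . ./certbot_units.sh && write_certbot_units /etc/systemd/system \
#     && check_certbot_service /etc/systemd/system \
#     && systemctl daemon-reload && systemctl enable --now certbot.timer
```

After enabling the timer, `sudo certbot renew --dry-run` exercises the whole renewal path against Let's Encrypt's staging environment without touching your real certificate, and `systemctl list-timers certbot.timer` shows when the next run is due.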

Wrap up!

Great! Welcome to the world of always-on, free HTTPS!

One last note: If you haven’t disabled the Bitnami banner in the bottom right, you should do so now:

sudo touch /opt/bitnami/apps/bitnami/banner/disable-banner
sudo /opt/bitnami/ctlscript.sh restart apache

I found that the Bitnami docs didn't work the way they described, but manually adding that file is just as effective.

References:

The following links were helpful in putting together this post. While none of them were complete on their own, putting together pieces from each of them + some trial and error got me to this spo


August 9, 2018
