This guide explains how to enable HTTPS on an AWS Lightsail WordPress instance using Let’s Encrypt SSL certificates. The Bitnami bncert-tool is used to simplify the process.
Step 1: Connect to Your Lightsail Instance
First, log in to your AWS Lightsail instance via SSH.
Using the AWS Console
- Open AWS Lightsail.
- Select your WordPress instance.
- Click “Connect using SSH” (browser-based terminal).
Using Local Terminal (Mac/Linux)
If using an SSH key, connect with:
ssh -i ~/.ssh/lightsail-key.pem bitnami@your-instance-ip
Step 2: Install Let’s Encrypt SSL with bncert-tool
Bitnami provides a built-in tool to automatically configure SSL certificates.
Run the SSL Configuration Tool
sudo /opt/bitnami/bncert-tool
Follow the prompts:
- Enter your domain(s): yourdomain.com www.yourdomain.com
- Redirect HTTP to HTTPS: Select Y
- Enable automatic certificate renewal: Select Y
Once completed, SSL certificates will be installed and HTTPS enabled.
Step 3: Verify SSL Configuration
After setup, confirm that SSL is working properly.
Restart Apache to Apply Changes
sudo /opt/bitnami/ctlscript.sh restart apache
Check Certificate Installation
curl -I https://yourdomain.com
Expected output should contain:
HTTP/2 200
...
server: Apache
...
If HTTPS is working, your website should now load securely.
Step 4: Verify Auto-Renewal for SSL Certificates
Let’s Encrypt certificates expire after 90 days. The bncert-tool automatically configures renewal.
Check Cron Jobs for Auto-Renewal
sudo crontab -l -u bitnami
Expected output should contain a renewal command like:
0 0 * * * /opt/bitnami/letsencrypt/lego --path="/opt/bitnami/letsencrypt" --email="you@example.com" --domains="yourdomain.com" --domains="www.yourdomain.com" renew --accept-tos && /opt/bitnami/ctlscript.sh restart apache
If this is present, no further configuration is required.
Manually Test Certificate Renewal
To test renewal before expiration, run:
sudo /opt/bitnami/letsencrypt/lego --path="/opt/bitnami/letsencrypt" --email="you@example.com" --domains="yourdomain.com" --domains="www.yourdomain.com" renew --accept-tos
If no errors occur, renewal is working correctly.
Step 5: Manually Add Renewal Cron Job (If Missing)
If the cron job is missing, add it manually.
Edit Cron Jobs
sudo crontab -e -u bitnami
Add the Following Line
0 3 * * * /opt/bitnami/letsencrypt/lego --path="/opt/bitnami/letsencrypt" --email="you@example.com" --domains="yourdomain.com" --domains="www.yourdomain.com" renew --accept-tos && /opt/bitnami/ctlscript.sh restart apache
- This runs the renewal command daily at 3 AM; lego only replaces the certificate once it is close to expiry.
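As a check for Steps 4 and 5, the shell function below reads crontab text and confirms that an active lego renew entry exists, covers every expected domain, and restarts Apache afterwards. It is an added example, not part of the original guide or of Bitnami's tooling; the function name, return codes and the constructed sample entry are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the renewal cron entry described in Steps 4 and 5.
# Reads crontab text on stdin; arguments are the domains the certificate must cover.
# Return codes (chosen for this example):
#   0 = active renew entry covers all domains and restarts Apache
#   1 = no active lego renew entry (missing or commented out)
#   2 = a domain is not listed in --domains
#   3 = Apache is not restarted after renewal
audit_renewal_cron() {
    # Drop comment lines, then keep only lines that call lego with the renew subcommand.
    entries=$(grep -v '^[[:space:]]*#' \
        | grep -E '/lego[[:space:]].*[[:space:]]renew([[:space:]]|$)') || true
    if [ -z "$entries" ]; then
        echo "FAIL: no active lego renew entry in crontab" >&2
        return 1
    fi
    for domain in "$@"; do
        # Fixed-string match on the whole option, so yourdomain.com does not
        # match --domains="www.yourdomain.com". Quoted and unquoted forms accepted.
        if ! printf '%s\n' "$entries" \
            | grep -qF -e "--domains=\"$domain\"" -e "--domains=$domain "; then
            echo "FAIL: $domain is not in the renewal entry" >&2
            return 2
        fi
    done
    # Without the restart, Apache keeps serving the old certificate after renewal.
    if ! printf '%s\n' "$entries" | grep -qF 'ctlscript.sh restart apache'; then
        echo "FAIL: renewal entry does not restart Apache" >&2
        return 3
    fi
    echo "OK: renewal entry covers: $*"
    return 0
}

# Constructed sample input, modelled on the cron line shown in Step 4.
SAMPLE_CRONTAB='0 0 * * * /opt/bitnami/letsencrypt/lego --path="/opt/bitnami/letsencrypt" --email="you@example.com" --domains="yourdomain.com" --domains="www.yourdomain.com" renew --accept-tos && /opt/bitnami/ctlscript.sh restart apache'
```

On the instance, pipe the output of sudo crontab -l -u bitnami into audit_renewal_cron with your domains as arguments.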
Summary
Step | Command/Action |
---|---|
Connect via SSH | ssh -i ~/.ssh/lightsail-key.pem bitnami@your-instance-ip |
Run Let’s Encrypt Setup | sudo /opt/bitnami/bncert-tool |
Restart Apache | sudo /opt/bitnami/ctlscript.sh restart apache |
Check HTTPS Status | curl -I https://yourdomain.com |
Check Auto-Renewal | sudo crontab -l -u bitnami |
Manually Renew SSL | sudo /opt/bitnami/letsencrypt/lego renew (with the --path, --email and --domains options shown in Step 4) |
Add Cron Job (if needed) | sudo crontab -e -u bitnami |