How do I install a standard SSL certificate for my website hosted in an Amazon Lightsail instance that doesn't use a Bitnami stack?
Short description
The following resolution covers installing a standard Let's Encrypt SSL certificate for websites hosted in Lightsail instances that don't use a Bitnami stack. Examples of these instance blueprints include Amazon Linux 2, Ubuntu, and so on. If you have a different instance blueprint or want to install a standard certificate, see one of the following:
Standard Let's Encrypt certificates
For information on installing a standard Let's Encrypt SSL certificate (not a wildcard) in a Lightsail instance with a Bitnami stack, such as WordPress, LAMP, Magento, and so on, see How do I install a standard Let's Encrypt SSL certificate in a Bitnami stack hosted on Amazon Lightsail?
Wildcard Let's Encrypt certificates (for example, *.example.com)
For information on installing a wildcard Let's Encrypt certificate in a Lightsail instance with a Bitnami stack, such as WordPress, LAMP, Magento, MEAN, and so on, see How do I install a wildcard Let's Encrypt SSL certificate in a Bitnami stack hosted on Amazon Lightsail?
For information on installing a wildcard Let's Encrypt certificate in a Lightsail instance that doesn't use a Bitnami stack, such as Amazon Linux 2, Ubuntu, and so on, see How do I install a wildcard Let's Encrypt SSL certificate in Amazon Lightsail?
Resolution
Prerequisites and limitations
- The following steps cover installing the certificate in the server. You must manually complete additional steps, such as configuring the certificate and setting up HTTPS redirection.
- Make sure that the domain is pointing to the Lightsail instance, either directly or through a load balancer or distribution. For the certificate verification to complete, make sure that the website URL doesn't return errors from the load balancer or distribution in the web browser.
Note: This method requires the installation of the Certbot tool first. For installation instructions, see How do I install the Certbot package in my Lightsail instance for Let's Encrypt installation?
1. Stop the web service running in your instance. The following are example commands for different Linux distributions:
Apache web service in Linux distributions such as Amazon Linux 2, CentOS, and so on
sudo service httpd stop
Apache web service in Linux distributions such as Ubuntu, Debian, and so on
sudo service apache2 stop
NGINX web service
sudo service nginx stop
2. Run the following command to install the SSL certificate. Make sure to replace example.com with your domain name.
sudo certbot certonly --standalone -d example.com -d www.example.com
After the SSL certificate generates successfully, you receive the message "Successfully received certificate". The certificate and key file locations are also provided. Save these file locations to a notepad for use in step 5.
3. Start the web service. The following are example commands for different Linux distributions:
Apache web service in Linux distributions such as Amazon Linux 2, CentOS, and so on
sudo service httpd start
Apache web service in Linux distributions such as Ubuntu, Debian, and so on
sudo service apache2 start
NGINX web service
sudo service nginx start
4. Set up automatic certificate renewal.
If the Certbot package is installed using snapd, then the renewal is configured automatically in systemd timers or cron jobs. However, because the web service must be stopped before running the Certbot command, you must automate stopping and starting the web service. To set up this automation, run the following commands. The following example uses Apache2 as the web service. Replace the code and the stop and start commands according to your web service.
sudo sh -c 'printf "#!/bin/sh\n service apache2 stop \n" > /etc/letsencrypt/renewal-hooks/pre/webservice.sh'
sudo sh -c 'printf "#!/bin/sh\n service apache2 start \n" > /etc/letsencrypt/renewal-hooks/post/webservice.sh'
sudo chmod 755 /etc/letsencrypt/renewal-hooks/*/webservice.sh
If the Linux distribution is Amazon Linux 2 or FreeBSD, then the Certbot package isn't installed using snapd. In this case, you must configure the renewal manually by running the following command. The following example uses Apache2 as the web service. Replace the code and the stop and start commands according to your web service.
echo "30 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew --pre-hook 'service apache2 stop' --post-hook 'service apache2 start'" | sudo tee -a /etc/crontab > /dev/null
5. At this point, only the certificate installation and renewal setup are complete. You still must configure your web server to use this certificate and set up HTTPS redirection. This configuration varies and depends on the web server setup that you have in your instance. Refer to the official documentation for your web service for instructions on completing these steps.
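The following shell script is an added example, not part of the original article or of Certbot itself. It writes the same pre and post renewal hooks as step 4, but the pre-hook first records whether the web service was actually running, so the post-hook restarts it only in that case rather than starting a service you had deliberately stopped, and a check function confirms both hooks are in place before you rely on a renewal. The `HOOK_DIR` and `STATE_FILE` variables, the function names, and the assumption that `service <name> status` exits 0 only when the service is running are this example's own.

```shell
# Added example (not from the article): install Certbot renewal hooks that stop
# the web service only for the challenge and restart it only if it was running.
# HOOK_DIR defaults to Certbot's hook directory; override it to test elsewhere.
HOOK_DIR="${HOOK_DIR:-/etc/letsencrypt/renewal-hooks}"
STATE_FILE="/tmp/certbot-webservice-was-running"   # constructed marker path

# write_hook <pre|post> <service>: write the hook script for one phase.
write_hook() {
    phase="$1"; svc="$2"; target="$HOOK_DIR/$phase/webservice.sh"
    mkdir -p "$HOOK_DIR/$phase"
    if [ "$phase" = "pre" ]; then
        cat > "$target" <<EOF
#!/bin/sh
# Record whether $svc is running so the post-hook only restores that state.
rm -f "$STATE_FILE"
if service $svc status >/dev/null 2>&1; then
    touch "$STATE_FILE"
    service $svc stop
fi
EOF
    else
        cat > "$target" <<EOF
#!/bin/sh
# Start $svc again only if the pre-hook found it running.
if [ -f "$STATE_FILE" ]; then
    rm -f "$STATE_FILE"
    service $svc start
fi
EOF
    fi
    chmod 755 "$target"
}

# install_hooks <service>: write both hooks for the given service.
install_hooks() {
    write_hook pre "$1" && write_hook post "$1"
}

# check_hooks <service>: confirm both hooks exist, are executable and name the
# service; run this before trusting `certbot renew --dry-run`.
check_hooks() {
    for phase in pre post; do
        f="$HOOK_DIR/$phase/webservice.sh"
        [ -x "$f" ] || { echo "missing or not executable: $f" >&2; return 1; }
        grep -q "service $1 " "$f" || { echo "wrong service in $f" >&2; return 1; }
    done
}

if [ "$#" -gt 0 ]; then install_hooks "$1" && check_hooks "$1"; fi
```

Run it as `sudo sh hooks.sh apache2` (or `httpd`, `nginx`), then `sudo certbot renew --dry-run` to exercise the hooks without issuing a real certificate.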