Secure communication always has its advantages. HTTPS can also improve your website's search rankings.
That's why websites on AWS Lightsail also need SSL certificates. Unfortunately, SSL on Lightsail needs a manual install that involves a preset series of steps.
At Bobcares, we often get requests from our customers to install SSL on their AWS Lightsail websites as part of our Server Administration Services.
Today, we’ll see how our Support Engineers install Lightsail SSL in AWS instances without breaking the websites.
The need for Lightsail SSL
Firstly, let's get an idea of why we need SSL on an AWS Lightsail website. Over a plain http connection, the data transferred between the web server and your browser is not encrypted. This means an attacker on the network path can get hold of your sensitive data during the transfer. That's where SSL helps. It encrypts all communication with the web server.
Luckily, AWS Lightsail comes with https support. However, the default dummy certificate carries the domain name "example.com". So, when you access your website using the secure https:// link, the certificate name does not match your domain, and the browser shows warnings.
That explains why we need to install an SSL certificate for your domain in the Lightsail instance.
Steps to do Lightsail SSL install
Now, let’s check on the steps to install Lightsail SSL. Based on the type of SSL certificate, the install process varies.
1. Generate SSL
The primary step in the process is generating the SSL certificate. This depends on the type of SSL that we like to use on the website.
LetsEncrypt SSL
For example, let’s first check how our Support Engineers enable LetsEncrypt free SSL in Lightsail.
To make LetsEncrypt available, we first install certbot. For example, in an Ubuntu Lightsail instance, we use the following commands.
cd /home/bitnami
sudo apt-get install git
git clone https://github.com/letsencrypt/letsencrypt
This will set up Let's Encrypt on the server. Now, it's time to install the SSL certificate.
To install SSL for domain.com, our Dedicated Engineers execute the following commands.
cd letsencrypt
/home/bitnami/letsencrypt/letsencrypt-auto certonly -w /home/bitnami/apps/domain.com/wordpress -d domain.com -d www.domain.com -d abc.domain.com
Here, -w gives the path to your website files, and the -d adds one or more domain names to the certificate.
For this command to work, the domain should resolve to the Lightsail instance correctly. This requires DNS modifications of the domain.
Let’s Encrypt prompts for a method to verify the ownership of the domain specified. We do this by adding TXT records to the DNS records for the domain. Finally, the cert generation will succeed only after DNS propagation.
Normal paid SSL
Again, some customers would like to use paid SSL certificates on websites that handle credit card data and the like. In such cases, they get SSL from providers like RapidSSL, GoDaddy, etc. Here, the SSL installation steps differ slightly.
Generating CSR
As the first step, we need to generate a Certificate Signing Request (CSR) to purchase SSL from the provider. Before proceeding further, our Dedicated Engineers log into your Lightsail container and rename the default certificate and key files in the folder /opt/bitnami/apache2/conf
Then, to generate CSR, we use the command:
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
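We then send the server.csr file to the customer to get the SSL certificate. Only the CSR needs to be shared; the -nodes option writes server.key without a passphrase, so the key file should never leave the server.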
2. Changing Webserver configuration
After the SSL certificate is purchased or generated, we collect all the certificate files from the customer and configure the webserver to use them on the website. For instance, in the Apache web server, it involves the following changes.
Firstly, we copy the actual SSL certificate and key file to the folder /opt/bitnami/apache2/conf. Then, we check and confirm the following entries in the file /opt/bitnami/apache2/conf/bitnami/bitnami.conf :
SSLCertificateFile "/opt/bitnami/apache2/conf/server.crt"
SSLCertificateKeyFile "/opt/bitnami/apache2/conf/server.key"
SSLCACertificateFile "/opt/bitnami/apache2/conf/server-ca.crt"
We restart the web server to make the SSL available on the Lightsail instance.
3. Forcing Website to use SSL
Installing SSL on the Lightsail instance is not enough for secure website transactions. All your visitors must be redirected to the secure URL. Otherwise, users can still use the plain http link, even though the server has SSL.
To make this possible, our Dedicated Engineers add rewrite rules in the .htaccess file. For example, in a WordPress website, the rules will look like:
RewriteEngine On
RewriteCond %{HTTPS} !=on
# In .htaccess the path is matched without its leading slash, so the pattern must not start with "/"
RewriteRule ^(.*)$ https://%{SERVER_NAME}/$1 [R,L]
This forces the website in the Lightsail instance to always use the SSL link.
Common errors with Lightsail SSL install process
From our experience in managing servers, we often see customers finding it difficult to make SSL work in Lightsail based websites. Let's take a look at the common causes now.
1. Wrong Permissions
Usually, wrong permissions on the certificate files stop SSL from working on the website.
Recently, one of our customers came to us to fix the SSL error on his Lightsail website. On checking, our Support Engineers found that the certificate and the key files had wrong permissions.
Here, we check the user that runs the webserver processes and make adequate modifications to the file permissions to fix the issue. For example, if Apache is running as the website's user, we add file read privileges for the user.
2. Incomplete cert files
Again, incomplete certificate files also create problems with SSL. The cert file can get truncated when the user uploads it to the server. Or, bad characters can accidentally get into the file. All of these can cause SSL to fail.
Here, our Dedicated Engineers check the file in detail and fix the format. Or, we ask customers to upload the certificate and key files once again to fix the problems.
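The checks described under "Wrong Permissions" and "Incomplete cert files" above can be scripted and run before Apache is restarted. The following is an added example, not Bobcares' own tooling: it detects a missing END line, non-base64 characters and lost lines in a PEM file, and inspects the key file's mode. The function names and the sample input are assumptions made for illustration, and the group/other mode check goes slightly beyond the read-permission fix described above.

```python
import base64, os, re, stat

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def der_declared_length(der):
    """Total size (header + body) claimed by the outer DER element, else None."""
    if len(der) < 2:
        return None
    if der[1] < 0x80:                       # short form: length fits in one byte
        return 2 + der[1]
    n = der[1] & 0x7F                       # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_pem(text):
    """Return the problems found in PEM text; an empty list means it looks intact."""
    begins = text.count("-----BEGIN ")
    blocks = PEM_RE.findall(text)
    if begins == 0:
        return ["no PEM block found"]
    problems = []
    if begins != len(blocks):
        problems.append("BEGIN line without matching END line (truncated upload?)")
    for label, body in blocks:
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:                  # binascii.Error is a ValueError
            problems.append(f"{label}: body is not valid base64")
            continue
        if der_declared_length(der) != len(der):
            problems.append(f"{label}: DER length mismatch (lines missing or corrupt)")
    return problems

def key_permission_problems(path):
    """Run as the user that starts Apache: the key must be readable, but not by others."""
    problems = []
    if not os.access(path, os.R_OK):
        problems.append(f"{path}: not readable by the current user")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        problems.append(f"{path}: mode {mode:o} grants group/other access")
    return problems

def sample_pem():
    """Constructed sample: a dummy 260-byte DER SEQUENCE, not a real certificate."""
    der = b"\x30\x82\x01\x00" + bytes(256)
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"
```

Run check_pem on the contents of server.crt, server.key and server-ca.crt in /opt/bitnami/apache2/conf, and key_permission_problems on server.key, before restarting the web server.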
3. Firewall
Likewise, the Lightsail firewall can also make SSL fail. When the SSL port 443 is not open on the Lightsail instance, secure communication with websites does not work.
To fix this, we enable port 443 from the firewall settings in the Networking tab of the Lightsail container control panel.
Further, we restart all the services using:
/opt/bitnami/ctlscript.sh restart
Conclusion
In short, installing SSL in Lightsail involves a series of steps. Today, we saw how our Support Engineers enable SSL in Lightsail and fix common problems with the install process.