GoDaddy SSL to Amazon Lightsail Bitnami

How to install GoDaddy's HTTPS SSL certificate on an Amazon Lightsail website.

Generate the HTTPS certificates

When you generate certificates on GoDaddy, it asks for a CSR (Certificate Signing Request). To generate one, log into your Lightsail container and go to the /opt/bitnami/apache2/conf folder. There might already be some dummy keys there, so back them up just in case:

  sudo mv /opt/bitnami/apache2/conf/server.crt /opt/bitnami/apache2/conf/server.crt.old
  sudo mv /opt/bitnami/apache2/conf/server.key /opt/bitnami/apache2/conf/server.key.old
  sudo mv /opt/bitnami/apache2/conf/server.csr /opt/bitnami/apache2/conf/server.csr.old

Run the following command:

openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

You will be asked a series of questions; enter all the required information. The command generates two files: server.key and server.csr. Copy the contents of server.csr to GoDaddy and generate the certificates. Only the CSR goes to GoDaddy; server.key is the private key and stays on the server. GoDaddy needs some time to verify everything and emails you when the certificates are ready. You will need to download two files. One is named with a random hash-like string, for example f68dc40404848.crt, and the other is named gd_bundle-g2-g1.crt. Copy both to an arbitrary location in your container, such as /home/bitnami/keys.

Configure Apache to use the certificates

From inside your container run the following commands:

  sudo ln -s /home/bitnami/keys/f68dc40404848.crt /opt/bitnami/apache2/conf/server.crt
  sudo ln -s /home/bitnami/keys/gd_bundle-g2-g1.crt /opt/bitnami/apache2/conf/server-ca.crt
  sudo ln -s /home/bitnami/server.key /opt/bitnami/apache2/conf/server.key
  sudo chown root:root /opt/bitnami/apache2/conf/server.key
  sudo chmod 600 /opt/bitnami/apache2/conf/server.key

If the symbolic links for the two certificate files don't work, you can instead rename the files to server.crt and server-ca.crt and put them in /opt/bitnami/apache2/conf/.

After this, you will have prepared the three files you need: server.key, server.crt, and server-ca.crt. Don't forget to set the correct permissions for the files. For some silly reason the first time I did this I skipped those two lines and, of course, nothing worked.
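A sanity check for the three files prepared above, written as an added example that is not part of the original post: it confirms that the issued certificate belongs to the private key, that it chains to the CA bundle, and that the key is closed to group and others. It assumes the openssl CLI and GNU stat on the instance; the function names and the directory argument are made up for this example.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. File names follow the post;
# the directory argument is an assumption so copies can be checked first.

# Print a SHA-256 of the public key held in a key, CSR or certificate.
pubkey_hash() (  # $1 = key|csr|crt   $2 = file
  case "$1" in
    key) pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
    csr) pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) ;;
    crt) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
  esac
  [ -n "$pem" ] || return 1        # unreadable file or wrong file type
  printf '%s\n' "$pem" | openssl sha256
)

check_tls_files() (  # $1 = directory with server.key, server.crt, server-ca.crt
  dir=${1:-/opt/bitnami/apache2/conf}
  rc=0
  key_h=$(pubkey_hash key "$dir/server.key") || { echo "FAIL: cannot parse server.key"; return 1; }
  crt_h=$(pubkey_hash crt "$dir/server.crt") || { echo "FAIL: cannot parse server.crt"; return 1; }

  # 1. The issued certificate must carry the public key of our private key.
  [ "$key_h" = "$crt_h" ] || { echo "FAIL: server.crt does not match server.key"; rc=1; }

  # 2. If the CSR is still around, it should come from the same key.
  if [ -f "$dir/server.csr" ]; then
    csr_h=$(pubkey_hash csr "$dir/server.csr") || csr_h=unreadable
    [ "$csr_h" = "$key_h" ] || { echo "FAIL: server.csr does not match server.key"; rc=1; }
  fi

  # 3. The certificate must chain to the CA bundle (also catches expiry).
  openssl verify -CAfile "$dir/server-ca.crt" "$dir/server.crt" >/dev/null 2>&1 ||
    { echo "FAIL: server.crt does not verify against server-ca.crt"; rc=1; }

  # 4. The key (symlink target included) must be closed to group and others.
  mode=$(stat -L -c %a "$dir/server.key")
  case "$mode" in
    ?00) ;;
    *) echo "FAIL: server.key mode is $mode, expected 600"; rc=1 ;;
  esac

  [ "$rc" -eq 0 ] && echo "OK: key, certificate, chain and permissions agree"
  return "$rc"
)

# Run the checks when a directory is given on the command line.
if [ "$#" -gt 0 ]; then check_tls_files "$1"; fi
```

Run it with sudo against /opt/bitnami/apache2/conf, since the key is readable by root only once the chmod step has been applied.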

In /opt/bitnami/apache2/conf/bitnami/bitnami.conf you should be able to find the following two lines:

  SSLCertificateFile "/opt/bitnami/apache2/conf/server.crt"
  SSLCertificateKeyFile "/opt/bitnami/apache2/conf/server.key"

Add the line for the SSLCACertificateFile as well:

  SSLCACertificateFile "/opt/bitnami/apache2/conf/server-ca.crt"

Force HTTPS

After I did all the previous steps the certificates were set up but the site was still using HTTP. In order to force Apache to use HTTPS you will have to make a couple of changes. Open /opt/bitnami/apps/APPNAME/conf/httpd-prefix.conf in an editor, substituting APPNAME with the name of the app you are using. In my case, that was ‘wordpress’. Add the following lines at the top of the file:

  RewriteEngine On
  RewriteCond %{HTTPS} !=on
  RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]

Unless you have some specific Apache configuration, it should be enough to add the following lines in the default Apache virtual host configuration file at /opt/bitnami/apache2/conf/bitnami/bitnami.conf, inside the default VirtualHost directive:

  <VirtualHost _default_:80>
    DocumentRoot "/opt/bitnami/apache2/htdocs"
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]
  </VirtualHost>

Restart all the services

Before starting everything up, make sure that port 443 is open in your Lightsail console.

You can find the Firewall settings in the Networking tab of your container control panel.

To start all the services again, run:

sudo /opt/bitnami/ctlscript.sh start

 

Reference: https://igorski.co/environment/install-https-certificates-amazon-lightsail/
