
WordPress On AWS Lightsail Made Easy: Part 2 – Networking, DNS and SSL

Last updated on 29/07/2020

Let's Get Configuring

In part 1 of this series, I showed you how to deploy an instance using AWS Lightsail. Now that the instance is deployed, we can configure it to our requirements. There are three things we will look at today.

First, we will assign a static IP address to the instance. Currently, the public IP address of our instance changes whenever it is stopped and started. If the instance sat behind a load balancer this would not matter, because the load balancer would own the stable address. However, because we have deployed only a single instance, we need to attach the static address directly to it and then point our DNS at it.

Following on nicely from configuring the IP address, we will then update our DNS to point to our WordPress instance. This will be done via Route 53.

Finally, we will configure HTTPS using a Let's Encrypt certificate and the Really Simple SSL plugin for WordPress.

Configuring A Static IP

Back in the Lightsail console, we can see that I have one WordPress instance running. Currently, the IP address is set dynamically to 3.9.176.78. However, when I stop and restart this instance the IP address changes to 3.9.146.251. If we did not assign a static address to this instance, each time we stop and start it we would also need to update the DNS record in Route 53 (or your preferred DNS provider).

IP address of instance before instance restarted
Instance IP address after instance has been restarted

To solve this problem, we can assign a static IP address to our WordPress instance. There is no charge for up to five static IP addresses while they are attached to an instance. However, if a static IP is left detached for more than an hour, you are charged $0.005 per hour until it is attached again or released.

Setting a static address is a straightforward process. From the main menu in the Lightsail console, click on the ‘Networking’ tab.

AWS Lightsail networking tab

In the networking tab, we can see the options for creating a static IP, creating a DNS zone and creating a load balancer. As we want to create a static address, click the ‘Create static IP’ button. This takes us to the ‘Create a static IP address’ screen.

Create a static IP address screen within Lightsail

Static addresses can only be attached to instances in the same region. Therefore, you must select the same region your instance is deployed in. For me, this is the London region (eu-west-2). From the dropdown menu under ‘Attach to an instance’ I will select the only instance that I have running in this account, which is my wordpress_example_blog instance. Lastly, I will give my static IP a unique name for easy reference. I will call this static address ‘wordpress_example_blog_static_address’.

Creating static IP address with configuration in lightsail console.

With all the configuration completed, scroll down to the bottom of the page and click the ‘Create’ button. Once completed, you will see a summary of the new address and to which instance this is attached.

Static address summary in aws lightsail

Now on the main page of the Lightsail console, we can see that our instance has the static address of 3.11.138.76 (as per the summary) and there is now a little pin next to this address indicating that it is a static address as opposed to a dynamic one.

WordPress instance with a static IP

Route53 DNS

Now that we have our static IP address, we are ready to create the DNS record for our site. If we go to the IP address 3.11.138.76 we can see that the blog is up and running:

Default install of a WordPress blog

But to make our site easier to find we will create a DNS record for the IP address under our hosted zone ‘demo.systemsmystery.tech’. In the AWS console, locate the Route53 service.

AWS Route53 Service

On the dashboard of the Route53 service, click on ‘Hosted zones’ either under the ‘DNS management’ heading or from the left-hand side menu.

Hosted zones on route53

After clicking into the hosted zones section, you should see a list of all the hosted zones within that account. For me, there is only a single hosted zone. If you do not have a hosted zone already set up, you can create one by clicking on the ‘Create Hosted Zone’ button at the top of the page. For more information on this process, see the AWS Route53 documentation.

After selecting the appropriate hosted zone, a list of all the record sets within the hosted zone will be displayed. As we want to create a new record, click the ‘Create Record Set’ button. The create record set box will appear from the right-hand side of the screen. As I want my blog to be available from blog.demo.systemsmystery.tech, I will give this record a name of ‘blog’ and select ‘A – IPv4 address’ as my record type. I will then enter the value as the IP address that is statically defined and attached to my Lightsail WordPress instance and click ‘Create’.

Route53 Create record set dialog
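The same two steps (allocate and attach a static IP, then publish the A record) can be scripted with the AWS CLI, which is handy if you ever rebuild the instance. This is an added example and not part of the original post; it assumes the AWS CLI v2 is configured with Lightsail and Route 53 permissions in the instance's region and that dig is installed. The instance, static IP, zone and host names are the ones used above.

```shell
#!/bin/sh
# Added example (not from the original post): the console steps for the
# static IP and the Route 53 A record, done with the AWS CLI v2.
# Assumptions: the CLI is configured with Lightsail and Route 53 permissions
# in the instance's region; dig is installed. Names are the post's own.
set -eu

# Cheap sanity check on what Lightsail hands back before it goes into DNS.
is_ipv4() {
  ip=$1; n=0
  while :; do
    o=${ip%%.*}
    case $o in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
    n=$((n + 1))
    [ "$ip" = "$o" ] && break      # last octet consumed
    ip=${ip#*.}
  done
  [ "$n" -eq 4 ]
}

# UPSERT so the script is safe to re-run after the instance is replaced.
a_record_change_batch() {      # $1 = FQDN, $2 = IPv4, $3 = TTL (default 300)
  cat <<EOF
{"Comment":"WordPress on Lightsail","Changes":[{"Action":"UPSERT",
 "ResourceRecordSet":{"Name":"$1.","Type":"A","TTL":${3:-300},
 "ResourceRecords":[{"Value":"$2"}]}}]}
EOF
}

# Allocate the static IP only if it does not exist yet, attach it, and print
# the address. Detached static IPs are billed, so attach in the same run.
attach_static_ip() {           # $1 = instance name, $2 = static IP name
  if ! aws lightsail get-static-ip --static-ip-name "$2" >/dev/null 2>&1; then
    aws lightsail allocate-static-ip --static-ip-name "$2" >/dev/null
  fi
  aws lightsail attach-static-ip --static-ip-name "$2" --instance-name "$1" >/dev/null
  aws lightsail get-static-ip --static-ip-name "$2" \
    --query 'staticIp.ipAddress' --output text
}

# list-hosted-zones-by-name returns the next zone alphabetically when the
# requested one does not exist, so check the name that comes back.
hosted_zone_id() {             # $1 = zone name, e.g. demo.systemsmystery.tech
  id=$(aws route53 list-hosted-zones-by-name --dns-name "$1" --max-items 1 \
         --query "HostedZones[?Name=='$1.'].Id | [0]" --output text)
  [ "$id" != "None" ] || { echo "no hosted zone named $1" >&2; return 1; }
  printf '%s\n' "${id#/hostedzone/}"
}

publish_a_record() {           # $1 = zone, $2 = FQDN, $3 = IPv4
  zone_id=$(hosted_zone_id "$1")
  change_id=$(aws route53 change-resource-record-sets --hosted-zone-id "$zone_id" \
                --change-batch "$(a_record_change_batch "$2" "$3")" \
                --query 'ChangeInfo.Id' --output text)
  # Blocks until every Route 53 name server for the zone serves the record.
  aws route53 wait resource-record-sets-changed --id "$change_id"
  # Ask one of the zone's own name servers so a stale cache cannot fool us.
  ns=$(aws route53 get-hosted-zone --id "$zone_id" \
         --query 'DelegationSet.NameServers[0]' --output text)
  dig +short A "$2" "@$ns"
}

main() {                       # args: instance static-ip-name zone host
  ip=$(attach_static_ip "$1" "$2")
  is_ipv4 "$ip" || { echo "unexpected address from Lightsail: $ip" >&2; exit 1; }
  echo "static IP $ip attached to $1"
  publish_a_record "$3" "$4.$3" "$ip"
}

# Only acts when told to, e.g.:
#   sh lightsail-dns.sh run wordpress_example_blog \
#       wordpress_example_blog_static_address demo.systemsmystery.tech blog
if [ "${1:-}" = "run" ]; then shift; main "$@"; fi
```

The final dig is deliberately aimed at one of the zone's delegated name servers: a recursive resolver may keep serving the old answer for the record's TTL, which is the same reason a low TTL (300 seconds here) is worth using on a record you expect to change.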

We now have our DNS record in place. However, the SSL certificate that ships with the Bitnami image is a self-signed certificate issued for www.example.com, so browsers will warn about it. Next we need to set up a proper certificate for our site.

Firefox SSL security risk.

Setting Up SSL Using Let’s Encrypt

The AWS Lightsail documentation already has a tutorial for creating and using an SSL certificate issued by Let's Encrypt. I used this when I first set up my blog, so I will follow the same tutorial here as well.

The first thing we need to do is to connect to the Lightsail instance using SSH. This can be done in one of three ways. Firstly, on the Lightsail dashboard, you can click on the little terminal icon next to the instance you wish to connect to:

Lightsail instance console button

The second method is located within the instance summary page. This can be found by clicking on the name of the instance on the dashboard. Within the summary page, under the ‘Connect’ tab there is a large orange button ‘Connect using SSH’. Both of these methods will open up a new window with a SSH connection to the instance.

Lightsail web SSH connection

I, however, prefer to use a native SSH client on my machine. Connecting to the instance requires the SSH keypair that we created when deploying the instance. To connect to the instance, find the keypair created earlier and run:

ssh -i [KEYPAIR] bitnami@[INSTANCE STATIC IP]

If this is the first time you have used the keypair, you may get this error:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0664 for 'wordpress_blog_example.pem' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "wordpress_blog_example.pem": bad permissions
bitnami@3.11.138.76: Permission denied (publickey).

This is fixed by changing the permissions on the key file. To change the permissions run:

chmod 600 [KEY FILE NAME]

Now that we are connected to our instance, we need to refresh the OS package lists, add the PPA (the third-party repository that carries the certbot packages), refresh the package lists again and then install certbot. Run the following commands. If you get an error about not being able to acquire the apt or dpkg lock, another apt process (usually the unattended-upgrades job that runs shortly after first boot) is still running; wait a few minutes and try again.

sudo apt-get update
sudo apt-get install software-properties-common
sudo apt-add-repository ppa:certbot/certbot -y
sudo apt-get update -y
sudo apt-get install certbot -y

Now that we have certbot installed, we can request our certificate. First we set two environment variables, DOMAIN and WILDCARD, which we will pass to certbot to request a certificate covering both the domain itself and a wildcard for it. A wildcard matches exactly one label, so *.example.com is valid for blog.example.com but not for example.com itself (which is why we request both names) nor for a.b.example.com. In my case my DOMAIN value will be demo.systemsmystery.tech.

DOMAIN=demo.systemsmystery.tech
WILDCARD=*.$DOMAIN

I can confirm that this has worked by echoing the two variables:

bitnami@ip-172-26-10-29:~$ echo $DOMAIN && echo $WILDCARD
demo.systemsmystery.tech
*.demo.systemsmystery.tech

To request the certificate we use the certbot command that we installed earlier:

sudo certbot -d $DOMAIN -d $WILDCARD --manual --preferred-challenges dns certonly

This asks certbot for a certificate covering both our domain and the wildcard. The --manual flag means we will complete the challenge by hand, --preferred-challenges dns selects DNS validation (the only challenge type Let's Encrypt accepts for wildcard names), and certonly tells certbot to obtain the certificate without trying to install it into Apache itself. When running the command you are asked several questions: an email address for renewal and security notices, acceptance of the terms of service, whether you want to share your email with the EFF (Electronic Frontier Foundation), and confirmation that you are happy for the requesting IP to be logged. You will then be asked to deploy a TXT record under _acme-challenge.<your domain>.

bitnami@ip-172-26-10-29:~$ sudo certbot -d $DOMAIN -d $WILDCARD --manual --preferred-challenges dns certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): example@systemsmystery.tech
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: a

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: n
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for demo.systemsmystery.tech
dns-01 challenge for demo.systemsmystery.tech

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.demo.systemsmystery.tech with the following value:

SgD6mwguvy_jv9Vum_mBjgJ3_arqGr4LSKnwhhc6ZvY

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Deploying the TXT record is similar to deploying the A record above, except that this time we select the TXT record type. Certbot displays the record name it is looking for, in this instance ‘_acme-challenge.demo.systemsmystery.tech’, so the record name within the hosted zone is ‘_acme-challenge’ and the value is ‘SgD6mwguvy_jv9Vum_mBjgJ3_arqGr4LSKnwhhc6ZvY’ (Route 53 requires TXT values to be wrapped in double quotes, one value per line). Because the apex and the wildcard both validate under the same name, certbot will prompt a second time with a second value for the same record; add it to the existing record set rather than replacing the first value. Wait until the record actually resolves before pressing Enter: Let's Encrypt queries your zone's authoritative name servers and fails the challenge if the value is not there yet.

Example record for certificate TXT verification.

It took me a few attempts to get certbot to work correctly. The issue I mostly had was with the two TXT records that it asks you to create: as I could only create one TXT record with multiple entries, sometimes I did not leave it long enough between adding the record and continuing.

Once completed you should see a notice telling you that your certificate and chain have been saved, and when they expire (Let's Encrypt certificates are valid for 90 days). Note that although the message suggests ‘certbot renew’, a certificate obtained with --manual cannot be renewed unattended unless you also give certbot --manual-auth-hook and --manual-cleanup-hook scripts that publish and remove the TXT records for you; without them you will need to repeat this interactive process before each expiry.

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/demo.systemsmystery.tech/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/demo.systemsmystery.tech/privkey.pem
   Your cert will expire on 2020-10-19. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
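Certbot can do the TXT record work for you if you give it hook scripts, which is also what makes ‘certbot renew’ work unattended for a --manual certificate and removes the timing problem described above. The following is an added example, not code from the post or from certbot: a single script that acts as both --manual-auth-hook and --manual-cleanup-hook against Route 53. It relies on the CERTBOT_DOMAIN and CERTBOT_VALIDATION variables certbot exports to hooks; ZONE, STATE_DIR and the install path /usr/local/bin/route53-hook.sh are assumptions, and it needs the AWS CLI and dig on the instance.

```shell
#!/bin/sh
# Added example (not from the original post or from certbot): one script that
# serves as certbot's --manual-auth-hook and --manual-cleanup-hook, creating
# and removing the _acme-challenge TXT records in Route 53. certbot exports
# CERTBOT_DOMAIN and CERTBOT_VALIDATION to the hooks. Assumptions: AWS CLI
# v2 and dig on the instance; ZONE is the hosted zone holding the domain;
# STATE_DIR is a root-only directory (certbot runs as root) used to remember
# values between the two hook invocations.
set -eu

ZONE=${ZONE:-demo.systemsmystery.tech}
STATE_DIR=${STATE_DIR:-/etc/letsencrypt/route53-hook}

# The apex and the wildcard both validate under _acme-challenge.<domain>;
# certbot passes the wildcard with the "*." already removed, but strip it
# defensively so the name is the same either way.
record_name() { printf '_acme-challenge.%s\n' "${1#\*.}"; }

# Route 53 keeps all values of one TXT name in a single record set, so the
# second challenge must UPSERT the union of values rather than overwrite.
# Each TXT value has to be wrapped in double quotes inside the JSON string.
txt_change_batch() {           # $1 = UPSERT|DELETE, $2 = record name, $3.. = values
  action=$1; name=$2; shift 2
  records=""
  for v in "$@"; do
    records="${records:+$records,}{\"Value\":\"\\\"$v\\\"\"}"
  done
  printf '{"Changes":[{"Action":"%s","ResourceRecordSet":{"Name":"%s.","Type":"TXT","TTL":60,"ResourceRecords":[%s]}}]}\n' \
    "$action" "$name" "$records"
}

zone_id() {
  aws route53 list-hosted-zones-by-name --dns-name "$ZONE" --max-items 1 \
    --query 'HostedZones[0].Id' --output text | sed 's#^/hostedzone/##'
}

apply_change() {               # $1 = change batch JSON; returns once INSYNC
  id=$(aws route53 change-resource-record-sets --hosted-zone-id "$(zone_id)" \
         --change-batch "$1" --query 'ChangeInfo.Id' --output text)
  aws route53 wait resource-record-sets-changed --id "$id"
}

# Pressing Enter before the record is visible is the failure described in the
# post; here we poll one of the zone's authoritative servers instead.
wait_for_txt() {               # $1 = record name, $2 = expected value
  ns=$(dig +short NS "$ZONE" | head -n 1)
  for _ in $(seq 1 30); do
    dig +short TXT "$1" "@$ns" | grep -qF "\"$2\"" && return 0
    sleep 5
  done
  echo "TXT $1 did not appear on $ns" >&2
  return 1
}

auth_hook() {
  name=$(record_name "$CERTBOT_DOMAIN")
  mkdir -p "$STATE_DIR" && chmod 700 "$STATE_DIR"
  echo "$CERTBOT_VALIDATION" >> "$STATE_DIR/$name"
  # Values are base64url tokens (no whitespace), so unquoted expansion is safe.
  apply_change "$(txt_change_batch UPSERT "$name" $(cat "$STATE_DIR/$name"))"
  wait_for_txt "$name" "$CERTBOT_VALIDATION"
}

cleanup_hook() {
  name=$(record_name "$CERTBOT_DOMAIN")
  if [ -f "$STATE_DIR/$name" ]; then
    # DELETE must describe the record set exactly, hence all stored values.
    apply_change "$(txt_change_batch DELETE "$name" $(cat "$STATE_DIR/$name"))"
    rm -f "$STATE_DIR/$name"   # the second cleanup call then finds nothing to do
  fi
}

# Install as /usr/local/bin/route53-hook.sh (mode 700) and request with:
#   sudo certbot certonly --manual --preferred-challenges dns \
#     -d demo.systemsmystery.tech -d '*.demo.systemsmystery.tech' \
#     --manual-auth-hook '/usr/local/bin/route53-hook.sh auth' \
#     --manual-cleanup-hook '/usr/local/bin/route53-hook.sh cleanup' \
#     --deploy-hook '/opt/bitnami/ctlscript.sh restart apache'
# The hooks are saved in the renewal config, so "certbot renew" then works
# unattended and the deploy hook makes Apache load the renewed certificate.
case ${1:-} in
  auth)    auth_hook ;;
  cleanup) cleanup_hook ;;
esac
```

The instance needs an IAM identity whose policy allows only route53:ChangeResourceRecordSets, route53:ListHostedZonesByName and route53:GetChange on this zone; giving the web server broad Route 53 rights would let anyone who compromises WordPress redirect the whole domain.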

Now that we have created our certificates, we need to configure our blog to use them. First we stop the services that serve our blog:

sudo /opt/bitnami/ctlscript.sh stop

Once all services have stopped, make sure the DOMAIN variable is still set:

bitnami@ip-172-26-10-29:~$ echo $DOMAIN
demo.systemsmystery.tech

We will use the DOMAIN variable to locate the certificates. First move the old self-signed certificate, key and CSR out of the way:

sudo mv /opt/bitnami/apache2/conf/server.crt /opt/bitnami/apache2/conf/server.crt.old
sudo mv /opt/bitnami/apache2/conf/server.key /opt/bitnami/apache2/conf/server.key.old
sudo mv /opt/bitnami/apache2/conf/server.csr /opt/bitnami/apache2/conf/server.csr.old

And replace them with symlinks to the ones we just created. Linking rather than copying means that when certbot renews the certificate, the files under /etc/letsencrypt/live/ are updated in place and Apache picks up the new certificate at its next restart:

sudo ln -s /etc/letsencrypt/live/$DOMAIN/privkey.pem /opt/bitnami/apache2/conf/server.key
sudo ln -s /etc/letsencrypt/live/$DOMAIN/fullchain.pem /opt/bitnami/apache2/conf/server.crt

Then start the services that we previously stopped:

sudo /opt/bitnami/ctlscript.sh start

You should see all three services start.

The last thing we need to do is to install the Really Simple SSL WordPress plugin. This plugin detects your configuration and configures your site to run on HTTPS.

If this is the first time you have logged into the admin console of the blog, you will first need to locate the application username and password for your instance. Detailed instructions on how to find these are in the Bitnami documentation. To log in to WordPress, go to the wp-admin page, which can be found at https://[YOUR WEBSITE]/wp-admin.

Wordpress admin login

Once logged in, hover over ‘Plugins’ on the left hand menu and click ‘Add New’.

WordPress Add New Plugin

In the search bar at the top of the ‘Add Plugins’ screen, search for ‘Really Simple SSL’. The first plugin on the list should be the one that you want.

Really Simple SSL Plugin

Click on ‘Install Now’. Once installed, click ‘Activate’. Once activated you should now see ‘SSL’ under ‘Settings’.

SSL under Settings in WordPress

Before we can activate SSL, we need to make sure that the wp-config.php file is writable by the web server, because the plugin edits it. If it isn’t, you should see an error under the heading ‘System detection encountered issues’.

WordPress WP-Config.php not writable

To fix this, we will go back to our terminal connected to our instance and run:

chmod 660 /opt/bitnami/apps/wordpress/htdocs/wp-config.php

Now that we have made the file writable, go back to the blog and refresh the SSL page; the error will have gone. To enable SSL, click ‘Go ahead, activate SSL!’ at the top of the page. Once the plugin has written its changes, set the mode of wp-config.php back to 640: it holds your database credentials and should not stay writable by the web server any longer than necessary.

Activate SSL in WordPress

The last thing I want to do now is enable 301 redirects to HTTPS. Really Simple SSL makes this easy. Go to the ‘Settings’ tab, toggle ‘Enable 301 .htaccess redirect’ on and click save. If your htaccess.conf file is not writable by the plugin, it shows you the entries that are required for this to work.

.htaccess redirect required lines.

Copy these lines and go back to your terminal. To edit the file run:

nano /opt/bitnami/apps/wordpress/conf/htaccess.conf

Paste the copied lines at the end of the file and save. Because htaccess.conf is included from the Apache virtual host configuration rather than read on every request like a real .htaccess file, restart Apache with ctlscript.sh (as we did above) so the new rules take effect.
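Before calling the site done, it is worth checking from the outside that the certificate Apache now presents actually covers the blog's host name and that plain HTTP is redirected with a 301. The checks below are an added example, not from the post or the plugin: the name matching and header parsing are plain shell so they can be exercised offline, and the live check assumes openssl (1.1.1 or later, for -ext) and curl are available and that blog.demo.systemsmystery.tech is the host from the post.

```shell
#!/bin/sh
# Added example (not from the original post or the plugin): verify from the
# outside that Apache serves a certificate covering the blog's name and that
# http:// is redirected to https:// with a 301. Matching and parsing are pure
# shell; the live check assumes openssl 1.1.1+ (for -ext) and curl.
set -eu

# RFC 6125 style matching as browsers do it: a wildcard stands for exactly one
# label, so *.demo.systemsmystery.tech matches blog.demo.systemsmystery.tech
# but neither demo.systemsmystery.tech itself nor a.b.demo.systemsmystery.tech.
name_matches() {               # $1 = host name, $2 = one SAN dNSName entry
  case $2 in
    \*.*) case $1 in *.*) [ "${1#*.}" = "${2#\*.}" ] ;; *) return 1 ;; esac ;;
    *)    [ "$1" = "$2" ] ;;
  esac
}

cert_covers() {                # $1 = host, $2.. = SAN entries; true if any matches
  host=$1; shift
  for san in "$@"; do
    name_matches "$host" "$san" && return 0
  done
  return 1
}

# Turn `openssl x509 -noout -ext subjectAltName` output into one name per line.
parse_sans() {
  tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p'
}

# Read response headers from stdin; succeed only for a 301 whose Location is
# the https:// form of the site (so no redirect loops or http:// Locations).
redirect_ok() {                # $1 = host
  status=""; location=""
  while IFS= read -r line; do
    line=$(printf '%s' "$line" | tr -d '\r')
    case $line in
      HTTP/*)        status=$(printf '%s' "$line" | cut -d' ' -f2) ;;
      [Ll]ocation:*) location=$(printf '%s' "${line#*:}" | sed 's/^ *//') ;;
    esac
  done
  [ "$status" = "301" ] && [ "$location" = "https://$1/" ]
}

check_site() {                 # $1 = host, e.g. blog.demo.systemsmystery.tech
  # -servername sends SNI, so we see the certificate a browser would be given.
  sans=$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
           openssl x509 -noout -ext subjectAltName | parse_sans)
  # $sans is intentionally unquoted: one SAN per word.
  if cert_covers "$1" $sans; then
    echo "certificate covers $1"
  else
    echo "certificate does NOT cover $1 (SANs: $(echo $sans))" >&2; return 1
  fi
  if curl -sI "http://$1/" | redirect_ok "$1"; then
    echo "http://$1/ -> 301 -> https://$1/"
  else
    echo "http://$1/ is not cleanly redirected to HTTPS" >&2; return 1
  fi
}

# Usage: sh check-site.sh blog.demo.systemsmystery.tech
if [ -n "${1:-}" ]; then check_site "$1"; fi
```

Run it once against the blog's name and once against the bare domain: the wildcard covers the first, the explicit second SAN covers the second, and a name two labels deep would fail, which is the practical consequence of the one-label wildcard rule mentioned when we requested the certificate.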

And that’s it! We have configured our networking, DNS and SSL. There is still more to do, however. Next we will look at how to set up a backup to S3 and set up the AWS plugin for WordPress. Till next time, happy coding!
