AWS Lightsail Auto-Renew Certificate With Bncert

I am using certbot to manually renew my certificates every 90 days, and most of the time certbot makes the system unstable during the renewal process, so I contacted AWS support. They suggested using the bncert tool for auto-renewing the certificate, but they don't have any guide for bncert. Now I have 15 days left to renew my certificate and I don't have any idea how I can shift to bncert from certbot. Please help me migrate to bncert for auto-renewal, which hopefully won't cause any issues in future.

My system is Lightsail with Debian 11 (LAMP), not the WordPress one.

I am following this guide from AWS for every renewal/new installation:
https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-using-lets-encrypt-certificates-with-lamp#request-a-lets-encrypt-certificate-lamp

That should not happen. Can you describe what you mean by "unstable"?

The article you linked describes getting a wildcard cert. bncert does not support wildcards.

The bncert tool is the preferred way on Bitnami, so if you don't need a wildcard it is worth considering. There are several good guides, including the Bitnami docs for bncert.

The article you linked describes waiting for the TXT records to propagate in the DNS. You do have to wait, but only for them to propagate between your authoritative DNS servers, not the worldwide DNS. This is often very fast, like 1 minute. You can check this using unboundtest.com rather than MxToolbox.

4 Likes

The guide I followed has steps for renewing the certificate too, and most of the time when I try to use it for renewal many unwanted things happen, like:

  • Certificate renewed but not showing on the website
  • Unable to verify key on DNS
  • Creates duplicate certificates and leaves the original one untouched (not renewed)

So last time I talked to AWS support they helped me bring the server back, and they suggested that before expiry the best bet would be to move to bncert with auto-renew mode.

I have a single-page website and might add a subdomain soon, and I am also redirecting http -> https, http://example.com -> https://www.example.com. Can you please let me know whether bncert will work for me in auto-renewal mode? I need to migrate from certbot to bncert for auto-renewal.

All of those are problems of not following the instructions exactly. The last problem happens when you request a cert with a different set of domain names than last time. I would have pointed that out to you earlier if you had provided your domain name(s).

Still, those steps were for a manual method, which is not the best. Ideally you want a method that allows for auto-renew. Yes, bncert provides this capability. Did Amazon provide a link to a tutorial or the bncert docs? General bncert docs are below. There are various docs from AWS about using bncert and Lightsail.
https://docs.bitnami.com/aws/how-to/generate-install-lets-encrypt-ssl/

3 Likes

Thanks Mike for the quick reply. AWS doesn't have any doc for bncert, but they suggested using bncert-tool before expiry; I need to figure out how to migrate from certbot to bncert without messing up the server and certificate.

You might be right that the problems I had with the manual method were because of not following the instructions exactly, but for the domain part I always use the same, like *.example.com, and I still faced the issue.

The AWS support person told me to move my cert to bncert carefully, or else it will mess up my server as I did before with certbot.

1 Like

I am not a bncert expert, but you do not need to move any old cert to it. Just get a new cert using that and configure Lightsail / Apache to use the new certificate.

3 Likes

Thanks again Mike. Do you know any guide or link where I can override the existing cert and renew it with bncert for Lightsail (no WordPress)?

1 Like

I don't understand the question. You don't "override" the existing cert.

The cert is just a couple of files that are referenced by your Apache config in Lightsail.

Use bncert to get a new cert and update Apache to use those new files instead.

I provided a link already. You can try this as well:
https://docs.bitnami.com/aws/how-to/understand-bncert/

or this:
https://docs.bitnami.com/aws/faq/administration/generate-configure-certificate-letsencrypt/
That came from:
https://docs.bitnami.com/aws/infrastructure/lamp/administration/create-ssl-certificate-apache/

4 Likes

Thanks a lot Mike. I will try to make it work and will update you here for the people having the same issue.

1 Like

Thanks Mike for your support. Migrating from certbot to bncert is not that hard; it's much faster and only a few steps to migrate. As Mike said, I don't need to delete the existing certificate, so I used the following commands in my console to successfully install (migrate to) bncert.

sudo /opt/bitnami/bncert-tool

Domain list : example.com www.example.com

E-mail address : myemailaddress@abc.com

Do you agree to the Let's Encrypt Subscriber Agreement? [Y/n]: y

These are the only commands I used to move from certbot to bncert.

2 Likes
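Two points raised in this thread are worth checking before running bncert-tool: the domain list you give it must be the same set of names every time (otherwise you get a second, separate certificate while the first is left unrenewed), and the certificate is just a pair of files that the Apache config points at, so every hostname Apache serves or redirects to (here http://example.com -> https://www.example.com) must appear on the certificate. The following script is an added example, not code from the thread, from Bitnami or from bncert. It parses a constructed Apache vhost snippet (paths are placeholders), collects every ServerName, ServerAlias and HTTPS redirect target, reports which of them the bncert domain list would not cover, and shows the SSLCertificateFile/SSLCertificateKeyFile paths Apache is loading. The matching rule is the usual one for certificate names: a wildcard such as *.example.com covers one label only and does not cover the bare example.com, which is also why a wildcard request (not supported by bncert anyway) would not have covered the apex redirect source above.

```python
"""Check that a certificate's domain list covers every hostname an Apache
vhost config actually uses (ServerName, ServerAlias, HTTPS redirect targets).

Added example for this thread; not code from the poster, Bitnami or bncert.
The Apache snippet and file paths below are constructed placeholders; the
domain list mirrors the one entered into bncert-tool in the thread.
"""
import re
from urllib.parse import urlsplit

# Constructed vhost config modelled on the redirect described in the thread:
# http://example.com -> https://www.example.com. A blog.example.com alias is
# included to show what an uncovered hostname looks like.
APACHE_CONF = """
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    Redirect permanent / https://www.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    ServerAlias example.com blog.example.com
    SSLEngine on
    SSLCertificateFile /opt/bitnami/apache/conf/bitnami/certs/server.crt
    SSLCertificateKeyFile /opt/bitnami/apache/conf/bitnami/certs/server.key
    RewriteEngine on
    RewriteRule ^/old$ https://www.example.com/new [R=301,L]
</VirtualHost>
"""

# Domain list exactly as entered into bncert-tool in the thread.
BNCERT_DOMAINS = ["example.com", "www.example.com"]


def hostnames_in_config(conf):
    """Collect every hostname the config serves or redirects clients to."""
    hosts = set()
    for m in re.finditer(r"^\s*Server(?:Name|Alias)\s+(.+)$", conf, re.M):
        for name in m.group(1).split():
            hosts.add(name.split(":")[0].lower())  # drop an optional :port
    for m in re.finditer(r"^\s*(?:Redirect\w*|RewriteRule)\s+(.+)$", conf, re.M):
        for token in m.group(1).split():
            if token.startswith("https://"):
                hosts.add(urlsplit(token).hostname.lower())
    return hosts


def ssl_files_in_config(conf):
    """Return the cert and key paths Apache is told to load.

    These are the files a new certificate must replace (or be pointed at);
    nothing about the old certificate needs to be 'overridden'."""
    return dict(re.findall(r"^\s*(SSLCertificate(?:Key)?File)\s+(\S+)", conf, re.M))


def name_matches(hostname, cert_name):
    """Certificate name matching: an exact name matches itself; a wildcard
    covers exactly one leftmost label and never the bare apex."""
    hostname, cert_name = hostname.lower(), cert_name.lower()
    if not cert_name.startswith("*."):
        return hostname == cert_name
    suffix = cert_name[1:]  # "*.example.com" -> ".example.com"
    if not hostname.endswith(suffix):
        return False
    label = hostname[: -len(suffix)]
    return bool(label) and "." not in label


def uncovered_hostnames(conf, cert_domains):
    """Hostnames used by the config that no name on the certificate covers."""
    return sorted(
        h for h in hostnames_in_config(conf)
        if not any(name_matches(h, d) for d in cert_domains)
    )


if __name__ == "__main__":
    print("Apache loads:", ssl_files_in_config(APACHE_CONF))
    missing = uncovered_hostnames(APACHE_CONF, BNCERT_DOMAINS)
    print("Not covered by the bncert domain list:", missing or "nothing")
```

With the constructed config, blog.example.com is reported as uncovered by the two-name list, so it would have to be added to the bncert domain list before the first run; adding it later instead would be exactly the "different set of domain names than last time" situation Mike describes. Running the check against the real /opt/bitnami/apache/conf files before each bncert run keeps the domain list stable.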
