Configuring Let's Encrypt on an AWS Lightsail instance with a subdomain pointed by an A record

Namaste,

We have a domain, say http://example.com, hosted on server x for the last 3 years. There we configured Let's Encrypt and it is working fine.

Recently we moved to the AWS cloud and created one Lightsail instance, and a couple of subdomains, say http://sd1.example.com and http://sd2.example.com, are pointed to the AWS static IP using DNS A records on server x. After that we added a Let's Encrypt certificate as per this tutorial https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-using-lets-encrypt-certificates-with-wordpress The certificate installation went correctly and we got the congratulations message with the expiry date in the CLI, as mentioned in the tutorial.

The TXT records were added to the DNS zone of server x, and we also tried creating a DNS zone within Lightsail. We tried rebooting Apache and the whole instance as well.

But still the browser is not able to validate the SSL certificate and shows an invalid certificate notice.

What are we missing?

Step 7 addresses the installation part after you get the certificate, and Step 8 involves configuring WordPress with some kind of plugin. I assume you did that too? Because in your text, you're skipping from "Congratulations" to "Rebooting Apache".

Namaste,

Yes, we have followed all the steps and copied the new certificate files to the Apache folder as mentioned in the steps; we also configured WordPress using the .htaccess file before the reboot.

Well then there must have been a substep within all those steps that was missed or just did not complete properly.
OR
The new names on the obtained cert (sd1 and sd2) resolve to more than just one IP or solely to other IPs (not that of server x). [Which would mean the cert is now in one server "X" while the name points to another server "Y".]

Naturally, it is difficult to be certain of anything without actual names to check.
But that is my best guess from the information given.

Say,

We have our main domain https://www.saraghsoft.com, which is hosted on server x with cPanel enabled. There we can easily set SSL options through cPanel and it works smoothly.

Now, we created a new subdomain test.saraghsoft.com, pointed it to the AWS instance, added the Let's Encrypt certificate as per the tutorial above, and added the TXT records of the ACME challenge in the DNS zone of server x.

For instance, we added the following code in the .htaccess file of the WordPress installation

RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

to redirect to https automatically instead of using a plugin (this method is used on a couple of other servers and redirects without issues).

OK, so far, so good.
The www has IP 103.21.58.201
The test has IP 3.7.15.11
[those are clearly two separate servers]

Now what remains unanswered...
Is test unable to get a cert?
I see no cert issued for that name: https://crt.sh/?q=test.saraghsoft.com
For ease of use and renewals, that should be done right from the test server itself.
Otherwise, the www server will have the new test cert and then will need to somehow pass it to the test server so it can use it.

I do see a recently issued wildcard cert: https://crt.sh/?id=3480971986
[which would cover the test name]
But I don't see that cert in use at the test server: https://www.ssllabs.com/ssltest/analyze.html?d=test.saraghsoft.com&ignoreMismatch=on

The remaining problem is that test.saraghsoft.com does not have valid SSL.

As per the tutorial and our understanding, will the wildcard (*) cover all the subdomains to validate the certificate? Or do we need to add a separate certificate for the subdomain? If so, where shall we put the TXT records, on server x or on the test server?

That is correct.

TXT records go in DNS.
But you have already passed that step - you should have the cert on the test server.
Now you simply need to get the web server software to use it.
You can always check the status of the certs issued by using certbot with:
certbot certificates

Yes, today we just created a fresh new certificate for the explanation here.

Show the output of this on the test server:
certbot certificates

The TXT records are already added in DNS of server x

Do we need to add it in test server?

BTW, certbot certificates is giving the following output:

Found the following certs:
  Certificate Name: saraghsoft.com
    Domains: saraghsoft.com *.saraghsoft.com
    Expiry Date: 2021-01-06 05:21:51+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/saraghsoft.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/saraghsoft.com/privkey.pem

You no longer need to do anything with TXT records.
That was just to get the cert - which you already have, as shown by the output of certbot certificates.

Now you need to continue through the steps after the step to get the cert.

Yes, we have done that also.
That is, we moved the generated certificate to the Apache folder as mentioned and edited .htaccess to redirect to https (we hope that even though we are not redirecting to https, the certificate should work if we manually enter https with the domain name).

This may be unrelated OR may be what you are trying to address.
I see that your main site shows as "insecure" even though it has a valid cert and lock.
The reason of that is "mixed content".
That is when a secure site contains links that use HTTP.
That makes the complete page NOT 100% HTTPS, so it gets flagged as insecure.
Please review this check: https://www.whynopadlock.com/results/64dcca63-3f54-4b17-a73a-44aed59d9403
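The check linked above is an online scanner. As an added example (not part of the original thread or the whynopadlock tool), the following shell function does the same scan offline on a saved copy of a page: it lists every sub-resource loaded over plain http://, which is exactly what triggers the "insecure" flag on an otherwise valid HTTPS site. Only resources the browser actually fetches count (img, script, link, iframe, source, video, audio); an ordinary <a href="http://..."> hyperlink is not mixed content. The sample page is constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original thread: scan a saved HTML page for
# sub-resources loaded over plain http://, the cause of "mixed content".
# Only resources the browser fetches (img/script/link/iframe/source/video/
# audio src= or href=) count; a plain <a href="http://..."> link does not.

# Print every http:// URL found in a src= or href= attribute of a resource
# tag, one per line. Argument: path to an HTML file. Returns 1 if none found.
find_mixed_content() {
    # First grep isolates resource tags whose src/href starts with http://,
    # second grep pulls the URL out of the matched fragment.
    grep -oiE '<(img|script|link|iframe|source|video|audio)[^>]*(src|href)="http://[^"]*"' "$1" \
        | grep -oiE 'http://[^"]*'
}

# Exit status 0 if the page has no mixed content, 1 otherwise.
page_is_clean() {
    if [ -z "$(find_mixed_content "$1")" ]; then
        return 0
    fi
    return 1
}

# Demo on a constructed page: one https stylesheet (fine), one http script
# and one http image (both mixed content), one http hyperlink (not counted).
demo_mixed_content() {
    tmp="$(mktemp)"
    cat > "$tmp" <<'EOF'
<html><head>
<link rel="stylesheet" href="https://cdn.example/site.css">
<script src="http://cdn.example/old.js"></script>
</head><body>
<img src="http://example.com/wp-content/uploads/logo.png">
<a href="http://example.com/">plain link, not mixed content</a>
</body></html>
EOF
    find_mixed_content "$tmp"
    rm -f "$tmp"
}
```

Run it against a page fetched with `curl -s https://www.saraghsoft.com/ > page.html; find_mixed_content page.html`; for a WordPress site the usual culprits are image URLs stored with http:// in the database, which a search-and-replace of the site URL fixes.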

The test site is serving a cert for "example.com".
See: https://www.ssllabs.com/ssltest/analyze.html?d=test.saraghsoft.com&ignoreMismatch=on
That will never show as secure for any other name - and actually not even for that name; as the cert is self-signed.

Exactly, we are stuck here.

We completed all the steps in the tutorial and we imagined the link https://test.saraghsoft.com/ should open with valid SSL; but it shows not secure.

The mixed content in the main domain is due to the images uploaded, and there are no such files in the test subdomain. A clean single page was created for demo purposes.

OK they are separate issues.

Although you say you completed all the steps in test.
A step must have been missed or failed to complete correctly.
I would redo all the steps (after getting the cert).
And try to understand them and find ways to test each of them (if possible) to see if each was successful or not before proceeding to the next step.

Here are the steps we followed so far as per tutorial.

  1. Steps 1 & 2 are omitted as certbot is already installed.
  2. Followed exactly the same as steps 3, 4, 5, and the TXT records are confirmed here https://mxtoolbox.com/SuperTool.aspx?action=txt%3A_acme-challenge.saraghsoft.com&run=toolpage
  3. After continuing we got the congratulations message with the expiry date from certbot, as in step 6 of the tutorial.
  4. Then followed step 7 and successfully moved the certificate files under /etc/letsencrypt/live/$DOMAIN/; the output of certbot certificates is already shared above.
  5. Finally, as per step 8, we changed the .htaccess file instead of using a plugin to always redirect to https (we hope this step is not required to check https, as it should validate if we manually type the domain with https; mentioning this since the link is not redirecting further).

But here the browser shows not secure.

Note: we tried installing the plugin and it also gives the same insecure message, saying the certificate does not match the domain name.

Is there anything further we missed, or do we need to update something in the vhosts files?
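The symptom reported earlier in the thread (SSL Labs shows a self-signed certificate for "example.com" on test.saraghsoft.com) together with the closing question about vhosts points at the same gap: the certificate exists on disk, but no Apache virtual host for that ServerName references it, so the default vhost answers with its placeholder certificate. As an added example that is not from the thread or from the Lightsail tutorial, the script below writes a minimal TLS vhost that points at the certbot-managed files listed in the `certbot certificates` output above, checks the config statically, and shows which certificate the server actually presents for the SNI name. It assumes a stock Apache 2.4 with mod_ssl; the config directory and document root on the Lightsail image may differ, and the `live` path and hostname are taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or the Lightsail tutorial): point an
# Apache 2.4 TLS vhost at the certbot "live" files for the wildcard cert
# (/etc/letsencrypt/live/saraghsoft.com/ per the certbot output in the thread),
# then verify the config and the certificate the server really hands out.
# Assumptions: mod_ssl enabled; paths/hostnames adjusted to your instance.

# Write a minimal TLS vhost. Referencing the live/ paths directly (instead of
# copying the files) means certbot's renewals take effect on the next reload.
# Usage: write_ssl_vhost <conf-file> <hostname> <docroot> <letsencrypt-live-dir>
write_ssl_vhost() {
    conf="$1"; host="$2"; docroot="$3"; live="$4"
    cat > "$conf" <<EOF
<VirtualHost *:443>
    ServerName $host
    DocumentRoot $docroot
    SSLEngine on
    # fullchain.pem = leaf + intermediate chain; privkey.pem = matching key.
    SSLCertificateFile $live/fullchain.pem
    SSLCertificateKeyFile $live/privkey.pem
    <Directory $docroot>
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
EOF
}

# Static checks: the vhost carries the ServerName we expect (otherwise the
# default vhost still wins for that SNI name) and every certificate file it
# references is readable. Prints a reason and returns 1 on the first failure.
check_ssl_vhost() {
    conf="$1"; host="$2"
    grep -q "^[[:space:]]*ServerName[[:space:]]*$host\$" "$conf" \
        || { echo "ServerName $host not found in $conf"; return 1; }
    for directive in SSLCertificateFile SSLCertificateKeyFile; do
        path="$(sed -n "s/^[[:space:]]*$directive[[:space:]]*//p" "$conf")"
        [ -n "$path" ] || { echo "$directive missing in $conf"; return 1; }
        [ -r "$path" ] || { echo "$directive -> $path is not readable"; return 1; }
    done
    return 0
}

# Runtime check (needs network and openssl): print subject, issuer and SANs of
# the certificate served for this SNI name. A subject of "example.com" or an
# issuer equal to the subject means the default self-signed vhost answered.
show_served_cert() {
    host="$1"
    printf '' | openssl s_client -connect "$host:443" -servername "$host" 2>/dev/null \
        | openssl x509 -noout -subject -issuer -ext subjectAltName
}

# Typical sequence on the test server (paths are assumptions for the example):
#   write_ssl_vhost /etc/apache2/sites-available/test.conf test.saraghsoft.com \
#       /var/www/test /etc/letsencrypt/live/saraghsoft.com
#   check_ssl_vhost /etc/apache2/sites-available/test.conf test.saraghsoft.com \
#       && a2ensite test && apachectl configtest && systemctl reload apache2
#   show_served_cert test.saraghsoft.com
```

After the reload, `show_served_cert` should print a subject of `CN = saraghsoft.com` with `*.saraghsoft.com` in the SANs and a Let's Encrypt issuer; if it still shows `example.com`, the new vhost is not the one Apache picked for that SNI name (typically because the site was not enabled or the ServerName does not match), and `apachectl -S` lists which vhost owns each name.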