Securing AWS Lightsail Node.js Instance with Certbot

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

Hello everyone, I have been trying to secure my domain recently with certbot, but have been facing issues as I do not have access to the DNS records to create TXT records for this authentication method. Is there any way to certify a website with the default HTTP challenge and have the SSL auto-renew?

My domain is: vts.wtswpsandbox.com

I ran this command: sudo certbot -d $DOMAIN -d $WILDCARD --manual --preferred-challenges dns certonly

It produced this output:

My web server is (include version): Python 3.9.2

The operating system my web server runs on is (include version): Debian GNU/Linux 11 (bullseye)

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): I don't know

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): AWS CLI 1.19.1

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Certbot 2.9.0

Hello @BTsoum, welcome to the Let's Encrypt community. :slightly_smiling_face:

Yes.

See Getting Started - Let's Encrypt
And HTTP-01 challenge of the Challenge Types - Let's Encrypt
Certbot Instructions | Certbot
User Guide — Certbot 2.9.0 documentation

2 Likes

Hey Bruce, thanks for the quick reply. I am familiar with most of these websites but am unsure how to translate them into steps I can take to secure my subdomain. My previous attempts on the AWS CLI seem to default to the DNS challenge, and the instructions on Certbot have seemed to direct me to bncert, which is undesirable. Could you please provide insight on how I would go about this process?

2 Likes

Kindly wait for more knowledgeable Let's Encrypt community volunteers to assist.

2 Likes

Do you need a wildcard cert? If not you would not be limited to a DNS Challenge and could use HTTP Challenge instead. Probably easier especially as I don't see an existing plugin to automate with your DNS provider by either Certbot or acme.sh

Why is bncert undesirable? Are you running bitnami?

4 Likes

I don't believe I need a wildcard cert, and yes, the default instance does come with a Bitnami stack, leading me to believe bncert would be easier. However, I had read that bncert doesn't work with IPv6, which I heard can cause issues, and the person I am working on this project for stated a preference for using Certbot. If you would recommend bncert, are there any drawbacks I should be aware of? I believe the HTTP challenge would be most desirable in this case. However, I am unsure how to complete it, as all the steps I've found online default to the DNS challenge and I can't find steps for the HTTP challenge. Could you please advise me on how I would go about this?

You showed Certbot using a manual DNS challenge, which should work but cannot be automated, so it must be repeated every 60 days or so. This is not advised. There are ways to automate DNS challenges, but they are often harder than HTTP challenges.

Generally, bncert works well with bitnami. Often people come here using bitnami/Lightsail and it works well for them.

You say you have a "python" server but right now an Apache server is responding to HTTP requests to your domain.

If Apache will be running you could use Certbot with --webroot method or even --apache to get the cert. Both methods are easily automated for renewals. I just have never used it on bitnami.

The Bitnami bncert tool is specifically designed for HTTP challenges on Bitnami. I didn't recall the IPv6 limitation, which seems very strange, but maybe so. Is that an issue for you? Right now I see you only have IPv4 anyway.

3 Likes

Thanks for the quick reply, I'll try out the --webroot and --apache methods you've mentioned. Also, to clarify my earlier claim, this post on the Bitnami docs seems to claim it is incompatible with IPv6: Learn about the Bitnami HTTPS Configuration Tool. I am unsure if I would be allowed to continue with bncert given this limitation could affect things in the future, but perhaps I can ask the person I am building for.

2 Likes

Sorry for the late response. To elaborate further, I've tried both the --webroot and --apache methods, although perhaps I'm using them wrong, but I've gotten varying errors that hopefully someone here can illuminate me on. I have determined my project's webroot to be the following:


Then when I attempt the --webroot method, I get a 404 error:

However, when I try the --apache method I get an error I had before, stating basically that port 80 could not be bound to:

I hope some of this makes sense to someone out there!

Would you be willing to try bncert and see if it works for you?

The last I remember is that there is something distinctive about Bitnami installations (maybe the name of some configuration files or scripts?) that is unusual relative to the default Apache installation and made certbot --apache not work properly.

Maybe sometime I should look into this further and propose a patch either to make Certbot work better with Bitnami Apache or to make it detect it and give an error message recommending the use of bncert. :slight_smile:

2 Likes

Thanks for your insight! I'll reach out to my team and see if they're okay proceeding with bncert at least for now, unless I'm instructed otherwise!

bncert should be fine, but Certbot --webroot should work too. webroot just places a challenge token file in a folder and does not directly reload the web server like the --apache plugin does.

Your try may have worked had you entered the options differently. Try

sudo certbot certonly --dry-run --webroot -w /var/www/html -d vts.wtswpsandbox.com

If that works, the production command is similar, swapping out --dry-run for a deploy hook to reload Apache to pick up the new certs.

sudo certbot certonly --webroot -w /var/www/html -d vts.wtswpsandbox.com --deploy-hook "insert your apache graceful reload command here"

You may need to set up a cronjob or timer to run certbot renew. I don't know if the certbot install for Bitnami would do that. See
https://eff-certbot.readthedocs.io/en/latest/using.html#automated-renewals

3 Likes

Hey MikeMcQ, thanks for following up on the issue. I tried the --dry-run line and got the following error still:


I'm not sure if this error sheds any light or if Certbot is just incompatible with Bitnami apache at this point, so I may have to settle on bncert in the worst case scenario.

2 Likes

Does your Bitnami need port 80?

If not, I say we stick a "fork" in it!
One that can send ACME challenge requests to the ACME client [on a unique port] and also send the rest of the HTTP requests to Bitnami [on some other unique port].

3 Likes

I'm not sure either. On other distros a 404 just means the -w folder on the Certbot command did not match the DocumentRoot for the VirtualHost in Apache.

I suggested that value because you showed a grep of your VirtualHosts and that was the only value shown. Maybe that was a bad assumption. You could check your DocumentRoot manually and, if it is different from what we tried, retry with the DocumentRoot folder.

But, yeah, bncert was designed for bitnami with the known restriction of no wildcard cert and the IPv6 thing (which seems odd but okay).

4 Likes
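As an added example that is not part of the thread, the following POSIX shell script does the two checks that MikeMcQ's --webroot advice and the 404 explanation above call for: it pulls the DocumentRoot out of the Apache VirtualHost that actually serves the domain (the folder -w must point at), then drops a token file under .well-known/acme-challenge/ in that folder and fetches it over plain HTTP on port 80, the same request Let's Encrypt's validator makes. The embedded VirtualHost config is constructed sample input, and the config path /opt/bitnami/apache/conf/vhosts/wordpress-vhost.conf and the reload command /opt/bitnami/ctlscript.sh restart apache are assumptions about the Bitnami layout, not values taken from the original poster's instance.

```shell
#!/bin/sh
# Added example: pre-flight for "certbot certonly --webroot" on a Bitnami/Apache host.
# Not from the thread; the sample vhost, config path and reload command are assumptions.
set -eu

# Constructed sample of an Apache vhost file (stand-in for the real Bitnami config).
sample_vhost_conf() {
  cat <<'EOF'
<VirtualHost _default_:80>
  ServerName other.example.com
  DocumentRoot "/opt/bitnami/apache/htdocs"
</VirtualHost>
<VirtualHost _default_:80>
  ServerName vts.wtswpsandbox.com
  ServerAlias www.vts.wtswpsandbox.com
  DocumentRoot "/opt/bitnami/wordpress"
</VirtualHost>
EOF
}

# docroot_for_host CONFIG HOST
# Print the DocumentRoot of the <VirtualHost> whose ServerName or ServerAlias
# matches HOST; print nothing if no block matches.  This is the value for -w.
docroot_for_host() {
  awk -v host="$2" '
    /^[[:space:]]*<VirtualHost/                  { root = ""; hit = 0 }
    /^[[:space:]]*DocumentRoot[[:space:]]/       { root = $2; gsub(/"/, "", root) }
    /^[[:space:]]*Server(Name|Alias)[[:space:]]/ {
      for (i = 2; i <= NF; i++) if ($i == host) hit = 1
    }
    /^[[:space:]]*<\/VirtualHost>/               { if (hit && root != "") { print root; exit } }
  ' "$1"
}

# probe_webroot WEBROOT DOMAIN
# Write a random token into WEBROOT/.well-known/acme-challenge/ and fetch it
# over plain HTTP (port 80, no TLS), the path the CA's validator requests.
# A 404 here is the same 404 certbot reported: -w does not match DocumentRoot.
probe_webroot() {
  webroot=$1; domain=$2
  token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
  dir="$webroot/.well-known/acme-challenge"
  mkdir -p "$dir"
  printf '%s\n' "$token" > "$dir/$token"
  got=$(curl -fsS --max-time 10 "http://$domain/.well-known/acme-challenge/$token" || true)
  rm -f "$dir/$token"               # never leave probe files in the webroot
  [ "$got" = "$token" ]
}

# Usage: sudo ./webroot-preflight.sh run DOMAIN [VHOST_CONFIG]
if [ "${1:-}" = "run" ]; then
  domain=$2
  conf=${3:-/opt/bitnami/apache/conf/vhosts/wordpress-vhost.conf}   # assumed path
  root=$(docroot_for_host "$conf" "$domain")
  [ -n "$root" ] || { echo "no <VirtualHost> for $domain in $conf" >&2; exit 1; }
  echo "DocumentRoot for $domain: $root"
  probe_webroot "$root" "$domain" || { echo "challenge path not reachable over HTTP" >&2; exit 1; }
  echo "OK: $root serves /.well-known/acme-challenge/. Now run:"
  echo "  sudo certbot certonly --dry-run --webroot -w $root -d $domain"
  echo "  sudo certbot certonly --webroot -w $root -d $domain \\"
  echo "    --deploy-hook 'sudo /opt/bitnami/ctlscript.sh restart apache'   # assumed Bitnami reload"
fi
```

The probe has to run on the instance itself with enough privilege to write into the webroot (hence sudo), and the Lightsail firewall must already allow inbound port 80, otherwise the curl fails for a reason unrelated to the -w folder. If the parsed DocumentRoot differs from /var/www/html, that difference alone explains the 404 seen earlier.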

Thanks for the response, to be honest I'm quite new to this all so I'm not sure if I would need port 80 down the line. What are the drawbacks to this method and how would I go about sticking a "fork" in it?

2 Likes

None that I can see.

Step #1: Find the Bitnami bindings and move HTTP from 80 to some other unused port [81, 88, 8000, 8080, etc.]

Step #2: Install a web server [to be used solely as an HTTP proxy] - I'd recommend using nginx.
Something like "sudo apt install nginx" should do the trick

Step #3: Configure nginx to:

[that part requires knowing which specific unique ports will be used for each - recall nginx would now be the only one using port 80]

Step #4: Test, Test, Test, and ReTest

Step #5: Have a :beer:

2 Likes
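An added example of Step #3, not from the thread and not Bitnami's or nginx's own documentation: a shell function that renders the nginx server block for the "fork" rg305 describes, a small port sanity check, and the matching certbot --standalone command. The ports 8080 (Bitnami Apache, moved off 80 in Step #1) and 8888 (certbot's standalone listener) and the output path /etc/nginx/conf.d/acme-fork.conf are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: render the nginx "fork" that owns port 80 and splits traffic
# between certbot (ACME challenges only) and Bitnami Apache (everything else).
# Not from the thread; ports and paths are assumptions.
set -eu

# validate_ports APACHE_PORT ACME_PORT
# nginx must be the only listener on 80, and the two backends must differ.
validate_ports() {
  for p in "$1" "$2"; do
    case $p in ''|*[!0-9]*) return 1 ;; esac          # not a number
    [ "$p" -ge 1 ] && [ "$p" -le 65535 ] && [ "$p" -ne 80 ] || return 1
  done
  [ "$1" -ne "$2" ]
}

# render_fork_conf APACHE_PORT ACME_PORT DOMAIN
# Print an nginx server block.  Only /.well-known/acme-challenge/ reaches the
# ACME client, and both backends are addressed on loopback, so neither has to
# be exposed through the Lightsail firewall.
render_fork_conf() {
  validate_ports "$1" "$2" || { echo "bad ports: $1 $2" >&2; return 1; }
  cat <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name $3;

    # HTTP-01 challenge requests go to "certbot --standalone --http-01-port $2"
    location ^~ /.well-known/acme-challenge/ {
        proxy_pass http://127.0.0.1:$2;
    }

    # Everything else goes to Bitnami Apache, now listening on $1 (Step #1)
    location / {
        proxy_pass http://127.0.0.1:$1;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
}
EOF
}

# Usage: ./acme-fork.sh install DOMAIN [APACHE_PORT] [ACME_PORT]
if [ "${1:-}" = "install" ]; then
  domain=$2; apache_port=${3:-8080}; acme_port=${4:-8888}
  render_fork_conf "$apache_port" "$acme_port" "$domain" \
    | sudo tee /etc/nginx/conf.d/acme-fork.conf >/dev/null       # assumed path
  sudo nginx -t && sudo systemctl reload nginx
  echo "Now issue the certificate without touching Apache's config:"
  echo "  sudo certbot certonly --standalone --http-01-port $acme_port -d $domain"
fi
```

certbot's standalone listener on the ACME port only exists while an issuance or renewal is running, so at other times that location returns a 502, which is harmless. Apache keeps port 443 and still needs the issued certificate installed and reloaded on renewal (a --deploy-hook, as in MikeMcQ's command above), and the X-Forwarded-* headers are what lets the application behind the proxy see the real client address and scheme.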

Thank you I'll give this a try, appreciate the help!

1 Like

For Step #1, I found this online:
https://docs.bitnami.com/aws/apps/wordpress/administration/configure-port/

I don't use Bitnami, so that's just my Google-foo at work.

2 Likes

Thank you so much, sorry for all the questions haha!

1 Like