SSL Cert for WordPress on LightSail


#1

Beginner here. Trying to get an SSL Certificate for my WordPress website on Amazon LightSail. I’m following this tutorial:
https://lightsail.aws.amazon.com/ls/docs/en/articles/amazon-lightsail-using-lets-encrypt-certificates-with-wordpress

Certbot provided me with 2 _acme-challange.morelandarts.com codes. I used the codes to set up 2 DNS Zone TXT records.

On Step #5 of the tutorial, on the MX toolbox site, when I do a DNS Text Lookup, I get “DNS Record not found”.
I have waited over 2 hours, but still not found.

I’ve done the tutorial up to step 5 twice to make sure I wasn’t doing something wrong with the same results. I don’t know where to go from here.

Thanks for your help!

I’m afraid I don’t even know enough to figure out how to answer some of these questions.

My domain is:
morelandarts.com

I ran this command:
sudo certbot -d $DOMAIN -d $WILDCARD --manual --preferred-challenges dns certonly

It produced this output:
It provided me with 2 _acme-challange.morelandarts.com codes. I used the codes to set up 2 DNS Zone TXT records

The operating system my web server runs on is (include version):
I’m hoping you will know.

My hosting provider, if applicable, is:
Amazon LightSail

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes, I think so

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
LightSail’s Control Panel

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
Latest Version I ran the update commands


#2

Have you deleted the two TXT records?

Can you post a screenshot of the whole DNS control panel?

Edit:

By the way, it’s recommended to manage Let’s Encrypt certificates in an automated fashion. As it is now, you’ll have to manually run Certbot and edit your DNS records every 2-3 months.

Amazon Route 53 has an API that supports automated DNS record changes, though I don’t know if Lightsail customers have complete access to it.

Depending on what OS you’ve installed, and how you installed Certbot, it may be easy to install Certbot’s Route 53 plugin to support fully automated certificate renewal.

Even if it’s not, you could use HTTP-01 validation, or a different ACME client, or even a different OS.


#3

Hopefully this is what you were asking to see.


#4

Pretty much. (I wish the console didn’t cut off the record names like “_acme-c...” but it’s not a problem.)

You did set up the records correctly in that hosted zone.

_acme-challenge.morelandarts.com. 60 IN TXT     "KL4WLywVCQTOVGQtqQo3WHmk4D-Az3v2bzhN4HVDqpQ"
_acme-challenge.morelandarts.com. 60 IN TXT     "rdIKfJxQ2KVtIjqjxRDo6Dj0i9MKkiH_FC5Vp0NjlvU"

However, the domain is actually using a different hosted zone on a different set of nameservers.

morelandarts.com.       167543  IN      NS      ns-523.awsdns-01.net.
morelandarts.com.       167543  IN      NS      ns-2021.awsdns-60.co.uk.
morelandarts.com.       167543  IN      NS      ns-1153.awsdns-16.org.
morelandarts.com.       167543  IN      NS      ns-390.awsdns-48.com.

You need to either find the other hosted zone in your AWS account(s) and copy your records over and start using it, or go to the domain registration part of the AWS console and change the nameserver settings to use this hosted zone’s nameservers.

(Changing the nameservers would take up to ~48 hours to fully take effect due to caching by DNS resolvers. Though the resolvers Let’s Encrypt uses for validation don’t cache, so they’d be okay as soon as the TLD is updated.)

(Once it’s no longer used, you can delete one of the hosted zones.)


#5

Hi Matt,

Thank you so much for your help. I’m finding the AWS documentation to be maddening. I cannot find where, in LightSail, I would modify the host zone. Realizing that this is not your problem… would you mind telling me how you retrieved the records you listed in your response?

Thanks again for all your help!


#6

Hi Matt,

And thanks again… I found the “Who Is” function which shows the names servers. I also found the place where you can modify the Name Servers on AWS-Route 53. Now the Who Is matches. WooHoo. Progress.

I also managed to find Route 53s Certificate Issuing site. I completed the steps and it said “Success”, but it still does not work as a HTTPS website.

I shall endeavor on. And thanks again…


#7

Certificates issued by ACM can only be installed on various AWS-managed services, such as ELBs or CloudFront. They don’t allow you to download the private key, and you can’t install the certificate directly in an EC2 instance.


#8

Hey Matt,

I re-ran the Certbot procedure and I now have a secure site! Whew!
You have been a great help. Thank you. But I have one more question.
It told me my cert will expire on 2019-06-20. Do I need to go through this process again before that time? It said something about running “certbot renew” instead? Is there a better / automated way to manage these certificates (for free)?

I guess that’s really 3 questions. Thanks again for all your help.


#9

Yes, if you used the manual mode as shown in that tutorial, you’ll have to run the command again and set new DNS records.

In an automated setup, “certbot renew” takes care of everything (and a systemd timer or cron job should be running it about twice a day). For manual certificates, you can’t use it.

I wrote before:

I’ve used AWS, but not Lightsail, and I don’t know much about its differences or limitations. :confused:

(HTTP-01 validation is usually very easy to set up, but doesn’t allow wildcards.)


closed #10

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.