When and how to set up SSL during development

I am not having specific problems installing an SSL cert. But I am an SSL newbie with process and best practice questions. I am redesigning a website that is hosted today on Wix and I plan to move it to AWS. Questions:

  1. Is it true that the SSL certificate can not be set up on AWS until the domain is pointing to the new site/server on AWS? i.e. I can’t set up an SSL cert on the raw IP and expect it to be in place when the new site is live.

  2. If that’s true, does that mean I can only install an SSL certificate after the new website is live? And if so, is that dangerous? To leave a site unencrypted for some amount of time until the cert is installed?

  3. I think things like WooCommerce require https to do testing. How do I test a site in development without https?

I feel like this topic must have been addressed in the past so please refer me to the thread if there is one. Many thanks for any help you can offer. -Sasha


Hi squasha!

Welcome to the community!

You can use the DNS challenge type to obtain a certificate even when the domain is not yet pointed to your new host.

This challenge type works by adding a temporary DNS record to show that you control the domain.

With this method your website’s DNS A record doesn’t need to be pointed at your new site.

You can read more about the challenge types here:

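As an added illustration of the DNS challenge described above (example code, not from the thread or from Let's Encrypt's own tooling), the following Python derives the record the CA looks up: the name is `_acme-challenge.` prepended to the domain being validated (which is why the TXT record lives under the domain's own DNS zone, not on any server), and the value is the base64url SHA-256 of the key authorization per RFC 8555 section 8.4. It also covers wildcard names, which validate at the same `_acme-challenge` name without the `*.` prefix. The account key and token below are constructed placeholders, not real values.

```python
import base64
import hashlib
import json

# Constructed sample ACME account key (JWK) and challenge token; not a real key pair.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "c29tZS14LWNvb3Jk", "y": "c29tZS15LWNvb3Jk"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def account_thumbprint(jwk: dict) -> str:
    """RFC 7638 JWK thumbprint: SHA-256 over the required members, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_record(domain: str, token: str, jwk: dict) -> tuple[str, str]:
    """Return (record name, TXT value) that must be published for a dns-01 challenge.

    A wildcard identifier '*.example.com' is validated at '_acme-challenge.example.com'.
    """
    base = domain.rstrip(".")
    if base.startswith("*."):
        base = base[2:]
    key_authorization = f"{token}.{account_thumbprint(jwk)}"
    value = b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())
    return f"_acme-challenge.{base}", value


def txt_record_satisfies(answers: list[str], expected: str) -> bool:
    """Mimic the CA's check on a TXT lookup: any answer string equal to the expected value.

    'answers' is whatever your resolver returned (dig wraps each string in quotes).
    """
    return any(a.strip('"') == expected for a in answers)


if __name__ == "__main__":
    name, value = dns01_record("example.com", SAMPLE_TOKEN, SAMPLE_JWK)
    print(f"publish TXT at {name} with value {value}")
```

Once the record is visible from the public resolvers, the CA validates and the record can be removed; each renewal gets a fresh token and therefore a fresh value, which is the reason the later replies push for automating this step.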

Thanks so much for the info. I think I am on the right track, but wheels are coming off. I was following this tutorial to install an SSL cert on my Lightsail instance and I came to Step 4 where I need to install two TXT records on my AWS server. I was instructed to confirm the TXT records are in place at https://mxtoolbox.com/TXTLookup.aspx but when I tried, it would only check a domain, not an IP address.

The other thing that is throwing me off is that the TXT record looks like this:

The TXT records look like they are being created in a subdomain of the live server, not the IP address of the new AWS server. That doesn’t make sense to me and I wonder if I made a mistake at Step 2 when it asks for
DOMAIN=example.com

I used the .com domain that will eventually point to this new server but I wonder if I should have put the IP address there?

I decided to go ahead and see what happens by proceeding with those TXT records and got Cleaning up challenges > Failed authorization procedure.

Not surprised because I didn’t create the TXT records on the live server - they are installed on the new AWS server. Help?

You need to create the TXT records wherever the domain’s DNS is currently hosted. That might be your domain registrar, your old web hosting company, your old server, Amazon, your new server, or a third party DNS host.

Amazon’s tutorial assumes you’re using the Amazon Lightsail DNS service. If that’s not the case, you can follow some TXT record or Let’s Encrypt documentation for your current DNS service (or just guess how it works).

In the long term, using manual DNS validation is a bad idea. You should switch to an automated validation method, whether it’s DNS validation (using a DNS service’s API) or one of the other validation methods. But it is a convenient way to get up and running while you’re working on things.

Got it! Site is currently hosted on Wix.com so it sounds like I need to create the TXT records on there. Can do…

But if that is the case, should I create the same TXT records on the new AWS server as well, since that is where the site will live eventually? Is that how this works? If I don’t put the same TXT records on the new AWS server, will SSL not work once the site is moved over from Wix to AWS?

Can you clarify what you mean by creating TXT records "on" a server?

What's your domain?

What DNS service are you using? Are you running DNS software on your servers?

No. The TXT records only need to exist for a few moments, while Let's Encrypt is validating that you control the name, before the certificate is issued. You can delete them afterwards.

(To renew the certificate, you'll have to set new TXT records. That's why it's important to automate everything.)

Apologies - I am a web designer playing in the unfamiliar world of DNS so I’m sure I have the terminology wrong. And I think I was just typing fast. I was just asking whether I need to create a duplicate TXT record with the old host and new (and you answered that - thanks).

Domain is brittanylynnefitness.com. Just moved the domain from GoDaddy to Google domains in the last 24 hours. I have access to the Wix account so I can make the TXT records there to create the new SSL cert on AWS account.

As for DNS software, AWS Lightsail comes with all the means to edit DNS zones and records. Is that what you mean?

And finally, I will automate cert renewal. I found another tutorial for that. :)

Well, I did manage to get an SSL cert on my new AWS server. At least, according to Really Simple SSL:

However, front end won’t go to https. Debug shows this:

htaccess rules test failed with error: cURL error 51: SSL: certificate subject name 'brittanylynnefitness.com' does not match target host name '35.169.129.86'
checking if .htaccess can or should be edited...
.htaccess does not contain default Really Simple SSL redirect
.htaccess not writable.
converting siteurl and homeurl to https

I dug into this " .htaccess not writable." thing and found that Bitnami Lightsail instance doesn’t use an .htaccess file, but rather wordpress > conf > htaccess.conf.

Do you know what this is about? I found more here but I am not sure how to proceed.
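The cURL error 51 in the debug output above is TLS hostname verification working as intended: the certificate names brittanylynnefitness.com, but the plugin's self-test connected to the bare IP 35.169.129.86, and an IP literal is only satisfied by an iPAddress entry in the certificate, never by a DNS name. The following Python is an added example (not from the thread or from Really Simple SSL) of the RFC 6125 matching rule a client applies, simplified to exact and single-label wildcard matches; the SAN list is constructed to mirror the certificate described in the thread.

```python
import ipaddress
from typing import Iterable


def _dns_name_matches(presented: str, host: str) -> bool:
    """Compare one dNSName SAN with the requested host: case-insensitive,
    wildcard allowed only as the entire leftmost label (RFC 6125 section 6.4.3)."""
    presented, host = presented.lower().rstrip("."), host.lower().rstrip(".")
    if presented == host:
        return True
    if presented.startswith("*.") and "*" not in presented[2:]:
        # '*.example.com' matches 'www.example.com' but not 'example.com' or 'a.b.example.com'
        return host.count(".") == presented.count(".") and host.endswith(presented[1:])
    return False


def cert_matches_target(target: str, san_dns: Iterable[str], san_ip: Iterable[str] = ()) -> bool:
    """Decide whether the certificate's subjectAltName entries cover what the client dialed."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        addr = None
    if addr is not None:
        # An IP literal only matches an iPAddress SAN; dNSName entries are never consulted.
        return any(ipaddress.ip_address(ip) == addr for ip in san_ip)
    return any(_dns_name_matches(name, target) for name in san_dns)


# Constructed SAN list modelled on the thread's certificate, which carries no iPAddress entry.
SITE_SANS = ["brittanylynnefitness.com", "www.brittanylynnefitness.com"]

if __name__ == "__main__":
    for target in ("brittanylynnefitness.com", "35.169.129.86"):
        print(target, "->", "match" if cert_matches_target(target, SITE_SANS) else "mismatch")
```

The fix on the server side is therefore not a different certificate but pointing the plugin's test (and the site URL) at the hostname rather than the IP, so that the name the client checks is one the certificate actually carries.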
