Reference:
https://docs.bitnami.com/aws/how-to/generate-install-lets-encrypt-ssl/
Steps:
1)
Step 1: Install the Lego client
cd /tmp
curl -Ls https://api.github.com/repos/xenolf/lego/releases/latest | grep browser_download_url | grep linux_amd64 | cut -d '"' -f 4 | wget -i -
tar xf lego_v4.9.1_linux_amd64.tar.gz
sudo mkdir -p /opt/bitnami/letsencrypt
sudo mv lego /opt/bitnami/letsencrypt/lego
Step 2: Generate a Let’s Encrypt certificate for your domain
Turn off all Bitnami services:
sudo /opt/bitnami/ctlscript.sh stop
Request a new certificate for your domain as below, both with and without the www prefix.
sudo /opt/bitnami/letsencrypt/lego --tls --email="EMAIL-ADDRESS" --domains="DOMAIN" --domains="www.DOMAIN" --path="/opt/bitnami/letsencrypt" run
-
Agree to the terms of service.
sudo mv /opt/bitnami/apache2/conf/server.crt /opt/bitnami/apache2/conf/server.crt.old
sudo mv /opt/bitnami/apache2/conf/server.key /opt/bitnami/apache2/conf/server.key.old
sudo mv /opt/bitnami/apache2/conf/server.csr /opt/bitnami/apache2/conf/server.csr.old
sudo ln -sf /opt/bitnami/letsencrypt/certificates/DOMAIN.key /opt/bitnami/apache2/conf/server.key
sudo ln -sf /opt/bitnami/letsencrypt/certificates/DOMAIN.crt /opt/bitnami/apache2/conf/server.crt
sudo chown root:root /opt/bitnami/apache2/conf/server*
sudo chmod 600 /opt/bitnami/apache2/conf/server*
Restart all Bitnami Servers
sudo /opt/bitnami/ctlscript.sh start
Step 4: Test the configuration
test it by browsing to https://DOMAIN (replace the DOMAIN placeholder with the correct domain name).
Step 5: Renew the Let’s Encrypt certificate
Let’s Encrypt certificates are only valid for 90 days. To renew the certificate before it expires, run the following commands from the server console as the bitnami user. Remember to replace the DOMAIN placeholder with your actual domain name, and the EMAIL-ADDRESS placeholder with your email address.
sudo /opt/bitnami/ctlscript.sh stop
sudo /opt/bitnami/letsencrypt/lego --tls --email="EMAIL-ADDRESS" --domains="DOMAIN" --path="/opt/bitnami/letsencrypt" renew --days 90
sudo /opt/bitnami/ctlscript.sh start
To automatically renew your certificates before they expire, write a script to perform the above tasks and schedule a cron job to run the script periodically. To do this:
Create a script at /opt/bitnami/letsencrypt/scripts/renew-certificate.sh
sudo mkdir -p /opt/bitnami/letsencrypt/scripts
sudo nano /opt/bitnami/letsencrypt/scripts/renew-certificate.sh
Enter the following content into the script and save it. Remember to replace the DOMAIN placeholder with your actual domain name, and the EMAIL-ADDRESS placeholder with your email address.
For Apache:
#!/bin/bash
sudo /opt/bitnami/ctlscript.sh stop apache
sudo /opt/bitnami/letsencrypt/lego --tls --email="EMAIL-ADDRESS" --domains="DOMAIN" --path="/opt/bitnami/letsencrypt" renew --days 90
sudo /opt/bitnami/ctlscript.sh start apache
-
Make the script executable:
sudo chmod +x /opt/bitnami/letsencrypt/scripts/renew-certificate.sh
-
Execute the following command to open the crontab editor:
sudo crontab -e
0 0 1 * * /opt/bitnami/letsencrypt/scripts/renew-certificate.sh 2> /dev/null
Troubleshooting
In case the certificate generation process fails or you wish to start again for any reason, run the commands below to delete the generated output, replace the previous certificates and restart services. You can then go back to Step 1. It is important to note that doing this will delete any previously-generated certificates and keys.
rm -rf /opt/bitnami/letsencrypt
For Apache:
sudo mv /opt/bitnami/apache2/conf/server.crt.old /opt/bitnami/apache2/conf/server.crt sudo mv /opt/bitnami/apache2/conf/server.key.old /opt/bitnami/apache2/conf/server.key sudo mv /opt/bitnami/apache2/conf/server.csr.old /opt/bitnami/apache2/conf/server.csr sudo /opt/bitnami/ctlscript.sh restart
sudo crontab -e