Installing Let's Encrypt certificate

Hi @bulgaru,

I’m still getting the same response. I don’t want to use sudo cp for the reasons you mentioned; I don’t want to be manually updating every 3 months. I already have the certificate renewal on auto-update.

EDIT: I also attempted doing this as a root user, still no success.

AFAIK the path is something like
/etc/letsencrypt/live/[domain_name]/fullchain.pem

Yours looks like it is inside the WP folder.

It is. I’m using a WP plugin to generate my certificates and they live in the WP folder. The plugin auto-renews the certificate when it expires.

Hi,

Could you provide us with the following log files?

/opt/bitnami/apache2/logs/error_log
/opt/bitnami/apache2/logs/access_log

Best regards,
Silvio Fernández

Hi @silvio,

Access log
Error log

There’s nothing in the access_log, but the error_log shows the following relating to when I try and activate the certificates.

[Fri Apr 28 04:17:56.871187 2017] [ssl:warn] [pid 2655:tid 139845498488640] AH01909: localhost:443:0 server certificate does NOT include an ID which matches the server name
[Fri Apr 28 04:17:56.917031 2017] [ssl:warn] [pid 2656:tid 139845498488640] AH01909: localhost:443:0 server certificate does NOT include an ID which matches the server name
[Fri Apr 28 04:17:56.936823 2017] [mpm_event:notice] [pid 2656:tid 139845498488640] AH00489: Apache/2.4.25 (Unix) OpenSSL/1.0.2k configured -- resuming normal operations
[Fri Apr 28 04:17:56.936857 2017] [core:notice] [pid 2656:tid 139845498488640] AH00094: Command line: '/opt/bitnami/apache2/bin/httpd.bin -f /opt/bitnami/apache2/conf/httpd.conf'
[Fri Apr 28 04:19:08.175397 2017] [mpm_event:notice] [pid 2656:tid 139845498488640] AH00491: caught SIGTERM, shutting down

Any help would be appreciated.

Hi @peterluu,

The ln command is showing that the server.crt file already exists; you only need to remove it and run the command again. In this case, you can also back up those files in case you want to use them in the future.

This is the error message Apache is throwing. It seems you didn’t copy the file properly. You can run the following commands to check if those files exist.

ls -la /opt/bitnami/apache2/conf/server.key
ls -la /opt/bitnami/apache2/conf/server.crt

You should get an output like the following one:

lrwxrwxrwx 1 bitnami bitnami 6 May 29 11:07 firstFile -> secondFile

Where firstFile is the file that is in the conf folder of Apache and secondFile is the one that is at /etc/letsencrypt/live/DOMAIN/.

In case you don’t have those files, you could run the following commands to copy them properly.

sudo mv /opt/bitnami/apache2/conf/server.key /opt/bitnami/apache2/conf/server.key.backup
sudo mv /opt/bitnami/apache2/conf/server.crt /opt/bitnami/apache2/conf/server.crt.backup
sudo ln -s /etc/letsencrypt/live/DOMAIN/fullchain.pem /opt/bitnami/apache2/conf/server.crt
sudo ln -s /etc/letsencrypt/live/DOMAIN/privkey.pem /opt/bitnami/apache2/conf/server.key

I hope this information helps.
Jota

Hi @jota,

Thanks for that. I followed those instructions already but they weren’t helping, but the ls -la command has shown something which might point to the cause of the issue.

Please keep in mind, I’m following the instructions from the WordPress installation, which utilises a plugin to generate the certificates.

lrwxrwxrwx  1 root    root     74 May 29 23:46 server.crt -> /opt/bitnami/apps/wordpress/letsencrypt/live/[DOMAIN]/fullchain.pem
…
lrwxrwxrwx  1 root    root     72 May 29 23:47 server.key -> /opt/bitnami/apps/wordpress/letsencrypt/live/[DOMAIN]/privkey.pem

What should the user permissions be? Should it be root:root?

In addition, when I look at the permissions on the actual [DOMAIN] directory, it returns:

drwx------ 2 daemon  daemon 4096 May 28 08:01 [DOMAIN]

EDIT: I also logged in as root user and checked the certificate file permissions.

-rw-rw-r-- 1 daemon  daemon 2143 May 28 08:01 cert.pem
-rw-rw-r-- 1 daemon  daemon 1647 May 28 08:01 chain.pem
-rw-rw-r-- 1 daemon  daemon 3791 May 28 08:01 fullchain.pem
-rw-rw-r-- 1 daemon  daemon 1756 May 28 08:01 last.csr
-rw-rw-r-- 1 daemon  daemon 3272 May 28 08:01 private.pem
-rw-rw-r-- 1 daemon  daemon  800 May 28 08:01 public.pem

Would these permissions cause the error in trying to link and access the certificate from the server?

Thanks.

Hi @jota, I found your post here.

Managed to find a solution. I think the Let’s Encrypt installation (for WordPress) needs to be updated. Here’s what I did.

The WP plugin (WP Encrypt) generates the certificates under the permissions daemon:daemon. So even though the folder permissions are set recursively, they are not generated as bitnami:daemon.

So, first thing I did was to change user permissions to bitnami:daemon recursively. [To add to installation instructions, needs to be set again after generating certificates.] I also changed the file permissions for good measure:

$ sudo chown -R bitnami:daemon /opt/bitnami/apps/wordpress/letsencrypt
$ sudo find /opt/bitnami/apps/wordpress/letsencrypt -type d -exec chmod 0775 {} \;
$ sudo find /opt/bitnami/apps/wordpress/letsencrypt -type f -exec chmod 0664 {} \;

Secondly, the files generated are a little different from the Apache instructions.

-rw-rw-r-- 1 daemon  daemon 2143 May 28 08:01 cert.pem
-rw-rw-r-- 1 daemon  daemon 1647 May 28 08:01 chain.pem
-rw-rw-r-- 1 daemon  daemon 3791 May 28 08:01 fullchain.pem
-rw-rw-r-- 1 daemon  daemon 1756 May 28 08:01 last.csr
-rw-rw-r-- 1 daemon  daemon 3272 May 28 08:01 private.pem
-rw-rw-r-- 1 daemon  daemon  800 May 28 08:01 public.pem

Instead of privkey.pem, the plugin generates the file private.pem.

So, the following command is needed instead:

sudo ln -s /etc/letsencrypt/live/DOMAIN/private.pem /opt/bitnami/apache2/conf/server.key

I hope this helps anyone who comes across this issue.

2 Likes

Hi @peterluu,

I’m glad to hear that you solved the issue. Thank you so much for sharing the solution, I’m sure it will help other users 🙂

Don’t hesitate to write us back if you have any other question or suggestion.

Regards,
Jota

Hey @peterluu, I followed your instructions in this post and I am still facing the same issue. Apache won’t restart and it is giving this error:

SSLCertificateKeyFile: file ‘/opt/bitnami/apache2/conf/server.key’ does not exist or is empty
apache config test fails, aborting

I have followed all the instructions given in your solution.
This is a screenshot of my files.
I don’t know what’s the problem; kindly help me out here.
Thanks,
@jota can you help too?

Hi @bilalazhar,

The permissions on the certificates aren’t right, I can see in the screenshot they are showing as root:root.

It needs to be changed and updated to bitnami:daemon

If you login to your ssh terminal, you can change user permission with the following commands.

$ sudo chown -R bitnami:daemon /opt/bitnami/apache2/conf/
$ sudo find /opt/bitnami/apache2/conf/ -type d -exec chmod 0775 {} \;
$ sudo find /opt/bitnami/apache2/conf/ -type f -exec chmod 0664 {} \;

The commands above assume you are using a WordPress installation using the WP Encrypt plugin. Otherwise, you will need to change the directories in the command.

EDIT: I noticed your directory is slightly different, so I can’t guarantee the previous commands are correct.

Hi @peterluu, I ran these commands; still the issue did not go. I am using the WP Encrypt plugin. Kindly tell me what to do because I am really stuck. Can I repeat all the procedure from the start, or what else should I do? I am attaching screenshots of the letsencrypt folder and the apache2 conf folder after changing permissions.
https://drive.google.com/open?id=0B3gaXIyF8NY5NnFmT3FDX3IySlU

Kindly tell me what to do next.
Thanks

Hi @bilalazhar,

How comfortable are you working in the ssh/shell terminal?

Can you please give me the output for the command ls -lh for the directory /opt/bitnami/apache2/conf/?

Could you do the same for the directory /opt/bitnami/wordpress/letsencrypt/live/[site name].

Thanks.

(It’s almost bedtime for me, so apologies if I don’t respond immediately.)

Hi @peterluu, thanks for your immediate replies.
I can only run commands and understand some of them; I am not very comfortable with the ssh/shell. Here are the outputs of the following commands. Also, after this problem is solved, what is the next step: to go and change my site address from http to https in the wp-config file, or something else? The instructions were not very clear about what to do, so kindly help me out.
This is the output for ls -lh /opt/bitnami/apache2/conf/

total 280K
drwxrwxr-x 2 bitnami daemon 4.0K Aug 24 12:26 bitnami
-rw-rw-r-- 1 bitnami daemon 289 Aug 4 12:16 deflate.conf
drwxrwxr-x 2 bitnami daemon 4.0K Aug 4 12:13 extra
-rw-rw-r-- 1 bitnami daemon 20K Aug 4 12:19 httpd.conf
-rw-rw-r-- 1 bitnami daemon 13K Jul 28 11:30 magic
-rw-rw-r-- 1 bitnami daemon 60K Jul 28 11:30 mime.types
-rw-rw-r-- 1 bitnami daemon 7.3K Aug 2 2012 modsecurity.conf
drwxrwxr-x 3 bitnami daemon 4.0K Aug 4 12:13 original
-rw-rw-r-- 1 bitnami daemon 17K Aug 4 12:16 pagespeed.conf
-rw-rw-r-- 1 bitnami daemon 119K Aug 4 12:13 pagespeed_libraries.conf
-rw-rw-r-- 1 bitnami daemon 199 Aug 4 12:14 php-fpm-apache.conf
-rw-rw-r-- 1 bitnami daemon 1.8K Aug 4 12:16 privkey.pem
lrwxrwxrwx 1 bitnami daemon 73 Sep 24 06:51 server.crt -> /opt/bitnami/apps/wordpress/letsencrypt/live/agirlsshop.com/fullchain.pem
lrwxrwxrwx 1 bitnami daemon 50 Sep 23 10:56 server.crt.backup -> /etc/letsencrypt/live/agirlsshop.com/fullchain.pem
-rw-rw-r-- 1 bitnami daemon 899 Aug 4 12:16 server.csr
lrwxrwxrwx 1 bitnami daemon 48 Sep 24 07:24 server.key -> /etc/letsencrypt/live/agirlsshop.com/private.pem
lrwxrwxrwx 1 bitnami daemon 48 Sep 23 10:57 server.key.backup -> /etc/letsencrypt/live/agirlsshop.com/private.pem
-rw-rw-r-- 1 bitnami daemon 204 Aug 4 12:15 ssi.conf

and output for ls -lh /opt/bitnami/apps/wordpress/letsencrypt/live/[sitename]

total 24K
-rw-rw-r-- 1 bitnami daemon 2.2K Sep 23 11:18 cert.pem
-rw-rw-r-- 1 bitnami daemon 1.7K Sep 23 11:18 chain.pem
-rw-rw-r-- 1 bitnami daemon 3.8K Sep 23 11:18 fullchain.pem
-rw-rw-r-- 1 bitnami daemon 1.8K Sep 23 11:18 last.csr
-rw-rw-r-- 1 bitnami daemon 3.2K Sep 23 10:29 private.pem
-rw-rw-r-- 1 bitnami daemon 800 Sep 23 10:29 public.pem

Let me know what to do next. Thanks

Hi @peterluu, still waiting for your answer as I am stuck on this. Kindly help me out.
Thanks

Hi @peterluu, thanks for your answers. I do realize that you do not work for Bitnami. You have been of great help, though it did not solve my problem. While running this command

sudo chown root:root /opt/bitnami/apache2/conf/server.key
I got output
chown: cannot dereference ‘/opt/bitnami/apache2/conf/server.key’: No such file or directory
So apparently I cannot change the owner, as it says no file or directory, but the file exists; I have double checked.
I don’t know what to do from this point. Thanks for your great help anyway.
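
The chown "cannot dereference" message and Apache's "does not exist or is empty" are both consistent with a symlink whose target path does not resolve, even though ls lists the link itself. The following is an added example, not from any poster or from Bitnami: a POSIX shell check (the names check_tls_path and demo_sandbox, the example.com sandbox and the placeholder file contents are all constructed for illustration) that classifies a certificate or key path as missing, dangling, empty, world-readable (keys only) or ok.

```sh
#!/bin/sh
# Added example. Classify a certificate or key path as the web server will see it.
# Usage: check_tls_path PATH [key]
# Prints: missing | dangling -> TARGET | empty | world-readable | ok
check_tls_path() {
    if [ -L "$1" ] && [ ! -e "$1" ]; then
        # ls shows the link, but the path it points to does not resolve.
        echo "dangling -> $(readlink "$1")"
    elif [ ! -e "$1" ]; then
        echo "missing"
    elif [ ! -s "$1" ]; then
        echo "empty"
    elif [ "${2:-}" = key ] && [ -n "$(find -L "$1" -prune -perm -004)" ]; then
        # A mode such as 0664 lets every local account read the private key.
        echo "world-readable"
    else
        echo "ok"
    fi
}

# Constructed sandbox that mirrors the layout in the thread:
# the plugin's live/ directory holds the files, conf/ holds the symlinks.
demo_sandbox() {
    d=$(mktemp -d)
    mkdir -p "$d/conf" "$d/wp/live/example.com"
    printf 'PLACEHOLDER CERT\n' > "$d/wp/live/example.com/fullchain.pem"
    printf 'PLACEHOLDER KEY\n'  > "$d/wp/live/example.com/private.pem"
    chmod 0644 "$d/wp/live/example.com/fullchain.pem"
    chmod 0664 "$d/wp/live/example.com/private.pem"
    ln -s "$d/wp/live/example.com/fullchain.pem" "$d/conf/server.crt"
    # Key link aimed at a directory that was never created.
    ln -s "$d/etc/live/example.com/private.pem" "$d/conf/server.key"
    echo "$d"
}

sandbox=$(demo_sandbox)
echo "server.crt: $(check_tls_path "$sandbox/conf/server.crt")"
echo "server.key: $(check_tls_path "$sandbox/conf/server.key" key)"
rm -rf "$sandbox"
```

Re-creating the key link so that it points at the directory that actually holds private.pem clears the dangling result; the world-readable result clears once the key file's mode no longer grants read access to others (0640, for instance).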

Hi @jota, would you be kind enough to see my problem and help me solve it? @peterluu helped me, but we were unable to solve the problem. All the information is in this thread.
Thanks

Hello everyone,

Firstly, I want to thank @peterluu so much for helping @bilalazhar. It’s very nice to see how Community users try to help each other.

Secondly, regarding your issue. I would like to have a general overview about your configuration. We have a Support Tool that will gather relevant information for us to debug the issue. Could you please download and execute it in the machine where the stack is running?

Basically you need to connect via SSH and run the commands:

wget -O bnsupport_tool https://downloads.bitnami.com/files/bnsupport/0.2.0/bnsupport-linux-x64.run
chmod +x bnsupport_tool
./bnsupport_tool

The output of the execution of this tool will be a zip file with all the information inside. Could you please send it to juan[at]bitnami[dot]com ?

You can download the zip file from your instance; you can follow this guide to download it and then send it to me via mail.

Lastly, you mentioned:

Also after this problem is solved what is next step to go and change my site address from http to https in wp-config file or something else as instructions were not very clear what to do so kindly help me out.

Well, once you fix the problem with Let’s Encrypt, you just need to follow this guide in order to force the redirection:
https://docs.bitnami.com/aws/components/apache/#how-to-force-https-redirection-for-an-application

Best Regards,

Juan Ariza

Hey @jariza, thanks for your reply. I have sent you the zip file; kindly check it.
Thanks
Bilal

Hello @bilalazhar

I noticed you also created this ticket. I will close it and continue here with the discussion in order to avoid confusion.

Where did you send the ZIP file to? I have been checking my mail inbox and I don’t have any mail coming from the mail account you have associated to the Community User. Did you send them to juan@bitnami.com? Are you using a different mail account?

Best Regards,

Juan Ariza