🔒 Enable Free HTTPS on AWS Lightsail (Bitnami WordPress)

Learn how to install a free SSL certificate on your AWS Lightsail WordPress instance using the Bitnami HTTPS tool. Step-by-step guide with fixes for missing bncert-tool and ACME challenge errors.


🌤️ Introduction

So you’ve got WordPress running on AWS Lightsail — that’s great 🎉
But you noticed that your site still shows “Not Secure” in the browser bar.
Let’s fix that!

In this tutorial, we’ll set up free HTTPS using Let’s Encrypt and the Bitnami HTTPS configuration tool (bncert) — the official way to secure Bitnami WordPress on Lightsail. This guide also includes fixes for the two most common pitfalls:

  • ACME challenge failing when using generic Certbot
  • bncert-tool missing on newer stacks

This is the exact process we used on NoCodeAWS.com, including how we fixed those tricky SSL setup issues.


⚙️ Step 1 — Connect to Your Instance

In your Lightsail dashboard:

  1. Go to your WordPress instance.
  2. Click Connect using SSH (browser-based terminal).

You’ll see a command prompt like this:

bitnami@ip-172-26-2-193:~$

To verify you’re on Bitnami, run this command:

ls /opt/bitnami

In the output, you should see folders like apache, php, wordpress.

That means you’re inside your running WordPress server ✅

🚫 Step 2 — The Common Error: Missing bncert-tool

When most people follow older tutorials, they run:

sudo /opt/bitnami/bncert-tool

…and get this:

sudo: /opt/bitnami/bncert-tool: command not found

That’s because newer Bitnami images (especially Debian-based ones) don’t include the HTTPS tool preinstalled.

But don’t worry — we can manually install it.

🧩 Step 3 — Install the Bitnami HTTPS Configuration Tool

Run these commands exactly:

cd /tmp
curl -Ls https://downloads.bitnami.com/files/bncert/latest/bncert-linux-x64.run -o bncert.run
chmod +x bncert.run
sudo ./bncert.run

This will:

  • Download the latest Bitnami HTTPS Config Tool
  • Make it executable
  • Run it interactively

You’ll see something like this:

Welcome to the Bitnami HTTPS Configuration tool.
Please enter your domain names (separated by spaces): nocodeaws.com www.nocodeaws.com
Email address: you@example.com
Enable HTTP to HTTPS redirection? (Y/n): Y
Enable non-www to www redirection? (Y/n): Y

Use your own domain name/s and email address. Hit Enter after each.

The tool will automatically:

  • Verify DNS configuration
  • Request certificates from Let’s Encrypt
  • Configure Apache with SSL
  • Enable redirects
  • Create a cron job for renewal

Why This Works (and Certbot Doesn’t)

Earlier, you might have tried to use Certbot and it failed with this:

Invalid response from http://example.com/.well-known/acme-challenge/... (404)

That’s because:

  • Bitnami uses /opt/bitnami/apache/ (not /etc/httpd/)
  • Certbot couldn’t find the correct webroot to serve the ACME challenge

The bncert.run tool fixes that automatically.
It knows where to write and serve the challenge file because it’s built specifically for Bitnami’s folder structure.


🧾 Step 4 — Verify the Certificate

Once the process finishes, confirm that the certificate was created:

sudo openssl x509 -in /opt/bitnami/letsencrypt/certificates/YOURDOMAIN.crt -noout -issuer -dates -subject

Example output:

issuer=C = US, O = Let's Encrypt, CN = E7
notBefore=Oct 12 06:55:35 2025 GMT
notAfter=Jan 10 06:55:34 2026 GMT
subject=CN = nocodeaws.com

✅ Your SSL is active and valid!

🌐 Step 5 — Force HTTPS inside WordPress (if URLs are greyed out)

If, inside the WordPress dashboard, Settings → General shows greyed-out URLs or still uses http://, update wp-config.php:

sudo nano /opt/bitnami/wordpress/wp-config.php

Change the WP_HOME and WP_SITEURL lines so that they start with https://:

define( 'WP_HOME', 'https://' . $_SERVER['HTTP_HOST'] . '/' );
define( 'WP_SITEURL', 'https://' . $_SERVER['HTTP_HOST'] . '/' );

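Save the file (Ctrl + O, then Enter, then Ctrl + X). Then reload your dashboard. You should see the padlock icon 🔒

Note that $_SERVER['HTTP_HOST'] is taken from the Host header of each request, so WordPress builds its site URL from whatever host name the client sent. If Apache answers for host names other than your own, hard-coding your domain in these two lines is the stricter option.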

🔁 Step 6 — Check auto-renew is scheduled

The wizard normally creates a cron entry that renews your SSL certificates automatically. Let’s check whether it exists:

sudo grep -H . /etc/cron.d/bitnami-letsencrypt-renew || echo "No cron file found."

You should see output like “Renew Let’s Encrypt certs daily at 03:00 and reload Apache”. If you see this, everything is set up: skip the workaround and jump to Step 7.

🛠️ Workaround if the cron renewal is not set

If you don’t see a cron file, create a tiny renew script and a daily cron job. Make sure to replace the email address and domain name/s.

1) Create the renew script

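sudo tee /opt/bitnami/letsencrypt/renew-certs.sh > /dev/null <<'SH'
#!/bin/bash
# Renew the Let's Encrypt certificate with lego; reload Apache only on success.
export PATH="/opt/bitnami/letsencrypt:/opt/bitnami/apache/bin:/usr/bin:/bin"
LOG="/opt/bitnami/letsencrypt/renew.log"
# Timestamp each log line at the moment it is written (UTC).
now() { date -u +"%Y-%m-%dT%H:%M:%SZ"; }
echo "[$(now)] Starting renew..." >> "$LOG"
# lego renews only when fewer than 30 days remain (--days 30).
if /opt/bitnami/letsencrypt/lego --path="/opt/bitnami/letsencrypt" \
  --email="abc@xyz.com" \
  --domains="nocodeaws.com" --domains="www.nocodeaws.com" \
  --tls renew --days 30 >> "$LOG" 2>&1; then
  /opt/bitnami/ctlscript.sh reload apache >> "$LOG" 2>&1
  echo "[$(now)] Done." >> "$LOG"
else
  # Do not reload Apache or log success when lego exits with an error.
  echo "[$(now)] Renewal FAILED, see the lego output above." >> "$LOG"
  exit 1
fi
SH
sudo chmod +x /opt/bitnami/letsencrypt/renew-certs.sh
sudo chown root:root /opt/bitnami/letsencrypt/renew-certs.sh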

2) Create a cron.d entry (runs daily at 03:00)

sudo tee /etc/cron.d/bitnami-letsencrypt-renew > /dev/null <<'CRON'
SHELL=/bin/bash
PATH=/opt/bitnami/letsencrypt:/opt/bitnami/apache/bin:/usr/bin:/bin
0 3 * * * root /opt/bitnami/letsencrypt/renew-certs.sh
CRON
sudo chmod 644 /etc/cron.d/bitnami-letsencrypt-renew
sudo ls -l /etc/cron.d/bitnami-letsencrypt-renew

If the above method does not work, use this alternative (root crontab):

sudo crontab -e

This opens the root crontab file which you can edit.

Scroll down and add this as the last line:

0 3 * * * /opt/bitnami/letsencrypt/renew-certs.sh

3) Test renewal manually now

sudo /opt/bitnami/letsencrypt/renew-certs.sh
sudo tail -n 50 /opt/bitnami/letsencrypt/renew.log

You should see messages like “authorization already valid” or “Server responded with a certificate” or “The certificate expires in 60 days, the number of days defined to perform the renewal is 30: no renewal.”
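
Because the workaround makes cron run renew-certs.sh as root, the script and the directory that holds it should be writable by root only. The check below is an added example, not part of the original guide or of Bitnami's tooling; audit_root_job is a hypothetical helper name.

```shell
#!/bin/bash
# Added example (not from the original guide): audit a script that cron runs as root.
# audit_root_job is a hypothetical helper name.
# Usage: audit_root_job /opt/bitnami/letsencrypt/renew-certs.sh [OWNER]
# OWNER defaults to root; a numeric uid is also accepted by find -user.
# Returns 0 when the script and its directory pass every check, 1 otherwise.
audit_root_job() {
  local script=$1 owner=${2:-root} dir p rc=0
  dir=$(dirname -- "$script")

  # A symlink could be repointed at another file, so require a regular file.
  if [ ! -f "$script" ] || [ -L "$script" ]; then
    echo "FAIL: $script is missing or is a symlink"
    return 1
  fi

  for p in "$script" "$dir"; do
    # -prune limits find to the path itself; it prints the path only on a match.
    if [ -z "$(find "$p" -prune -user "$owner" 2>/dev/null)" ]; then
      echo "FAIL: $p is not owned by $owner"
      rc=1
    fi
    # Group or world write access lets another account alter the root job.
    if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]; then
      echo "FAIL: $p is group- or world-writable"
      rc=1
    fi
  done

  if [ ! -x "$script" ]; then
    echo "FAIL: $script is not executable"
    rc=1
  fi

  [ "$rc" -eq 0 ] && echo "OK: $script and $dir pass the ownership and permission checks"
  return "$rc"
}
```

If a FAIL line appears, fix it with chown root:root and chmod 755 on the path it names, then run the check again.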

🪄 Step 7 — Double-Check Everything

Run this to confirm your SSL health:

sudo openssl x509 -in /opt/bitnami/letsencrypt/certificates/YOURDOMAIN.crt -noout -dates
curl -Is https://YOURDOMAIN.com | head -n 5

✅ You should see a valid date range and HTTP/1.1 200 or HTTP/2 200.
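
Steps 4 and 7 check the certificate by eye. As an added example (not from the original guide), the function below turns that into a pass/fail check you can script: it fails when the certificate expires within a chosen number of days or when an expected host name is missing from its Subject Alternative Name list. check_cert is a hypothetical name, and the -ext option assumes OpenSSL 1.1.1 or newer.

```shell
#!/bin/bash
# Added example (not from the original guide): scripted certificate health check.
# check_cert is a hypothetical helper name.
# Usage: check_cert /opt/bitnami/letsencrypt/certificates/YOURDOMAIN.crt 20 YOURDOMAIN.com www.YOURDOMAIN.com
# Arguments: certificate file, minimum days of validity left, expected host names.
# Returns 0 when every check passes, 1 otherwise.
check_cert() {
  local cert=$1 min_days=$2 sans name rc=0
  shift 2

  # -checkend N exits non-zero if the certificate expires within N seconds
  # (or if the file cannot be read at all).
  if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null 2>&1; then
    echo "FAIL: $cert is unreadable or expires within $min_days days"
    rc=1
  fi

  # Print the SAN extension and strip whitespace, leaving a comma-separated
  # list such as DNS:example.test,DNS:www.example.test
  sans=$(openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null | tr -d ' \n')

  for name in "$@"; do
    # Match the whole entry: "DNS:" in front and "," behind, so that
    # example.test does not match notexample.test or example.test.evil.
    case ",$sans," in
      *"DNS:$name,"*) ;;
      *) echo "FAIL: $name is not listed in the certificate"; rc=1 ;;
    esac
  done

  [ "$rc" -eq 0 ] && echo "OK: $cert is valid for more than $min_days days and covers: $*"
  return "$rc"
}
```

With the 30-day renewal window used in Step 6, a threshold somewhat below 30 (such as 20) stays quiet during normal operation and fails only when renewal has been missed.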

🧩 Troubleshooting Summary

Problem | Symptom | Solution
bncert-tool missing | command not found | Manually install it using curl method
ACME challenge fails | Invalid response (404) | Use bncert instead of Certbot
Permission denied errors | Writing logs or cron | Use sudo and correct Bitnami paths
“Not Secure” even after SSL | WordPress still uses http:// | Update WP_HOME and WP_SITEURL in wp-config.php

🎉 Conclusion

You did it! 🥳
Your Lightsail WordPress site is now running secure HTTPS with automatic renewal — no paid certificates needed, no manual renewals, no guesswork.

This is the exact setup we used for NoCodeAWS.com, and it’s rock-solid.


🪶 What’s Next

Next up:
👉 Set up the S3-uploads plugin to store media in S3 — free up space and reduce load on your server by placing all your media files, such as images and PDFs, on AWS S3. Or better, go a step further and add the CloudFront CDN to deliver your media files.
