AWS lightsail documentation change
Summary
Updated documentation for using Let's Encrypt certificates with Nginx on Lightsail. Changes include: restructured headings (changed from ## to ######), added detailed connection instructions with console screenshots, clarified Certbot installation steps, corrected apostrophe usage, added notes about maintaining DOMAIN variable, updated DNS verification instructions, and corrected Bitnami distribution names.
Security assessment
The changes improve documentation for implementing SSL/TLS encryption using Let's Encrypt certificates, which is a security feature. However, there is no evidence of addressing a specific vulnerability or security incident. The modifications enhance clarity and accuracy of security-related configuration but don't reference any CVE, exploit, or security patch.
Diff
diff --git a/lightsail/latest/userguide/amazon-lightsail-using-lets-encrypt-certificates-with-nginx.md b/lightsail/latest/userguide/amazon-lightsail-using-lets-encrypt-certificates-with-nginx.md index 9d39b2123..7f94e30ae 100644 --- a//lightsail/latest/userguide/amazon-lightsail-using-lets-encrypt-certificates-with-nginx.md +++ b//lightsail/latest/userguide/amazon-lightsail-using-lets-encrypt-certificates-with-nginx.md @@ -7,2 +6,0 @@ -Identify your Nginx blueprint vendor - @@ -15 +13 @@ In the latter case, you might consider using Let's Encrypt to obtain a free SSL -## Identify your Nginx blueprint vendor +###### Identify your Nginx blueprint vendor @@ -47 +45 @@ Lightsail -## Step 1: Complete the prerequisites +###### Step 1: Complete the prerequisites @@ -70 +68 @@ You can also use your own SSH client, such as PuTTY. To learn more about configu -## Step 2: Install Certbot on your Lightsail instance +###### Step 2: Install Certbot on your Lightsail instance @@ -72 +70 @@ You can also use your own SSH client, such as PuTTY. To learn more about configu -Certbot is a client used to request a certificate from Let’s Encrypt and deploy it to a web server. Let’s Encrypt uses the ACME protocol to issue certificates, and Certbot is an ACME-enabled client that interacts with Let’s Encrypt. +Certbot is a client used to request a certificate from Let's Encrypt and deploy it to a web server. Let's Encrypt uses the ACME protocol to issue certificates, and Certbot is an ACME-enabled client that interacts with Let's Encrypt. @@ -76 +74,7 @@ Certbot is a client used to request a certificate from Let’s Encrypt and deplo - 1. Connect to your instance using an SSH client, for example, the Lightsail browser-based SSH terminal. Enter the following command to update the packages on your instance: + 1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/). + + 2. On the Instances tab of the Lightsail home page, choose the SSH quick connect icon for the instance that you want to connect to. + + + + 3. After your Lightsail browser-based SSH session is connected, enter the following command to update the packages on your instance: @@ -80 +84 @@ Certbot is a client used to request a certificate from Let’s Encrypt and deplo - 2. Enter the following command to install the software properties package. Certbot’s developers use a Personal Package Archive (PPA) to distribute Certbot. The software properties package makes it more efficient to work with PPAs. + 4. Enter the following command to install the software properties package. Certbot's developers use a Personal Package Archive (PPA) to distribute Certbot. The software properties package makes it more efficient to work with PPAs. @@ -84 +88 @@ Certbot is a client used to request a certificate from Let’s Encrypt and deplo - 3. Enter the following command to update apt to include the new repository: + 5. Enter the following command to update apt to include the new repository: @@ -88 +92 @@ Certbot is a client used to request a certificate from Let’s Encrypt and deplo - 4. Enter the following command to install Certbot: + 6. Enter the following command to install Certbot: @@ -97 +101 @@ Certbot is now installed on your Lightsail instance. -## Step 3: Request a Let’s Encrypt SSL wildcard certificate +###### Step 3: Request a Let’s Encrypt SSL wildcard certificate @@ -99 +103 @@ Certbot is now installed on your Lightsail instance. -Begin the process of requesting a certificate from Let’s Encrypt. Using Certbot, request a wildcard certificate, which lets you use a single certificate for a domain and its subdomains. For example, a single wildcard certificate works for the `example.com` top-level domain, and the `blog.example.com`, and `stuff.example.com`subdomains. +Begin the process of requesting a certificate from Let's Encrypt. Using Certbot, request a wildcard certificate, which lets you use a single certificate for a domain and its subdomains. For example, a single wildcard certificate works for the `example.com` top-level domain, and the `blog.example.com`, and `stuff.example.com` subdomains. @@ -101 +105 @@ Begin the process of requesting a certificate from Let’s Encrypt. Using Certbo -###### To request a Let’s Encrypt SSL wildcard certificate +###### To request a Let's Encrypt SSL wildcard certificate @@ -103 +107 @@ Begin the process of requesting a certificate from Let’s Encrypt. Using Certbo - 1. In the same browser-based SSH terminal window used in step 2 of this tutorial, enter the following commands to set an environment variable for your domain. You can now more efficiently copy and paste commands to obtain the certificate. Be sure to replace ``domain`` with the name of your registered domain name. + 1. In the same browser-based SSH terminal window used in the previous step of this tutorial, enter the following commands to set an environment variable for your domain. Be sure to replace `domain` with the name of your registered domain name. @@ -125 +129 @@ You should see a result similar to the following: - 4. Enter your email address when prompted, because it’s used for renewal and security notices. + 4. Enter your email address when prompted, because it's used for renewal and security notices. @@ -127 +131 @@ You should see a result similar to the following: - 5. Read the Let’s Encrypt terms of service. When done, press Y if you agree. If you disagree, you cannot obtain a Let’s Encrypt certificate. + 5. Read the Let's Encrypt terms of service. When done, press A if you agree. If you disagree, you cannot obtain a Let's Encrypt certificate. @@ -131 +135 @@ You should see a result similar to the following: - 7. Let’s Encrypt now prompts you to verify that you own the domain specified. You do this by adding TXT records to the DNS records for your domain. A set of TXT record values are provided as shown in the following example: + 7. Let's Encrypt now prompts you to verify that you own the domain specified. You do this by adding TXT records to the DNS records for your domain. A set of TXT record values are provided as shown in the following example: @@ -135,3 +139 @@ You should see a result similar to the following: -Let’s Encrypt may provide a single or multiple TXT records that you must use for verification. In this example, we were provided with two TXT records to use for verification. - - +Let's Encrypt may provide a single or multiple TXT records that you must use for verification. In this example, we were provided with two TXT records to use for verification. @@ -139 +141 @@ Let’s Encrypt may provide a single or multiple TXT records that you must use f - 8. Keep the Lightsail browser-based SSH session open—you return to it later in this tutorial. Continue to the next section of this tutorial. + @@ -144 +146 @@ Let’s Encrypt may provide a single or multiple TXT records that you must use f -## Step 4: Add TXT records to your domain’s DNS zone +###### Step 4: Add TXT records to your domain’s DNS zone @@ -179 +181 @@ The Lightsail console pre-populates the apex portion of your domain. For example -## Step 5: Confirm that the TXT records have propagated +###### Step 5: Confirm that the TXT records have propagated @@ -210 +212 @@ Example: -## Step 6: Complete the Let’s Encrypt SSL certificate request +###### Step 6: Complete the Let’s Encrypt SSL certificate request @@ -229 +231 @@ The message confirms that your certificate, chain, and key files are stored in t -## Step 7: Update SSL configuration in NGINX and redirect traffic from HTTP to HTTPS +###### Step 7: Update SSL configuration in NGINX and redirect traffic from HTTP to HTTPS @@ -260,0 +263,4 @@ You should see a result similar to the following: +###### Note + +If you closed your browser-based SSH terminal window since setting the `DOMAIN` variable in Step 3, run `DOMAIN=`example.com`` again, replacing `example.com` with your domain. + @@ -282 +288 @@ Your Nginx instance is now configured to use SSL encryption and traffic is redir -## Step 8: Renew the Let’s Encrypt certificates every 90 days +###### Step 8: Renew the Let’s Encrypt certificates every 90 days @@ -323 +329 @@ Bitnami -## Step 1: Complete the prerequisites +###### Step 1: Complete the prerequisites @@ -342 +348 @@ After you've completed the prerequisites, continue to the next section of this t -## Step 2: Install Certbot on your Lightsail instance +###### Step 2: Install Certbot on your Lightsail instance @@ -350 +356 @@ Certbot is a client used to request a certificate from Let’s Encrypt and deplo - 2. In the left navigation pane, choose the SSH quick connect icon for the instance that you want to connect to. + 2. On the Instances home page, choose the SSH quick connect icon for the instance that you want to connect to. For example, with a WordPress instance named _Example_ : @@ -352 +358 @@ Certbot is a client used to request a certificate from Let’s Encrypt and deplo - + @@ -360 +366 @@ Certbot is a client used to request a certificate from Let’s Encrypt and deplo - 4. Enter the following command to install the software properties package. Certbot’s developers use a Personal Package Archive (PPA) to distribute Certbot. The software properties package makes it more efficient to work with PPAs. + 4. Enter the following command to install the software properties package. Certbot's developers use a Personal Package Archive (PPA) to distribute Certbot. The software properties package makes it more efficient to work with PPAs. @@ -366 +372 @@ Certbot is a client used to request a certificate from Let’s Encrypt and deplo -If you encounter a `Could not get lock` error when running the `sudo apt-get install` command, please wait approximately 15 minutes and try again. This error may be caused by a cron job that is using the Apt package management tool to install unattended upgrades. +If you encounter a `Could not get lock` error when running the `sudo apt-get install` command, please wait approximately 15 minutes and try again. This error may be caused by a cron job that is using the Apt package management tool to install [unattended-upgrades](https://wiki.debian.org/PeriodicUpdates). @@ -391 +397 @@ Certbot is now installed on your Lightsail instance. -## Step 3: Request a Let’s Encrypt SSL wildcard certificate +###### Step 3: Request a Let’s Encrypt SSL wildcard certificate @@ -440 +446 @@ Let's Encrypt may provide a single or multiple TXT records that you must use for -## Step 4: Add TXT records to your domain’s DNS zone +###### Step 4: Add TXT records to your domain’s DNS zone @@ -475 +481 @@ The Lightsail console pre-populates the apex portion of your domain. For example -## Step 5: Confirm that the TXT records have propagated +###### Step 5: Confirm that the TXT records have propagated @@ -477 +483 @@ The Lightsail console pre-populates the apex portion of your domain. For example -Use the MxToolbox utility to confirm that the TXT records have propagated to the Internet’s DNS. DNS record propagation might take a while depending on your DNS hosting provider, and the configured time to live (TTL) for your DNS records. It is important that you complete this step, and confirm that your TXT records have propagated, before continuing your Certbot certificate request. Otherwise, your certificate request fails. +Use the MxToolbox utility to confirm that the TXT records have propagated to the internet's DNS. DNS record propagation might take a while depending on your DNS hosting provider, and the configured time to live (TTL) for your DNS records. It is important that you complete this step, and confirm that your TXT records have propagated, before continuing your Certbot certificate request. Otherwise, your certificate request fails. @@ -479 +485 @@ Use the MxToolbox utility to confirm that the TXT records have propagated to the -###### To confirm the TXT records have propagated to the Internet’s DNS +###### To confirm the TXT records have propagated to the internet's DNS @@ -483 +489 @@ Use the MxToolbox utility to confirm that the TXT records have propagated to the - 2. Enter the following text into the text box. Be sure to replace ``domain`` with your domain. + 2. Enter the following text into the text box. Be sure to replace `domain` with your domain. @@ -491 +497 @@ Example: - + @@ -497 +503 @@ Example: - * If your TXT records have propagated to the Internet’s DNS, you see a response similar to the one shown in the following screenshot. Close the browser window and continue to the next section of this tutorial. + * If your TXT records have propagated to the internet's DNS, you see a response similar to the one shown in the following screenshot. Close the browser window and continue to the next section of this tutorial. @@ -501 +507 @@ Example: - * If your TXT records have not propagated to the Internet’s DNS, you see a **DNS Record not found** response. Confirm that you added the correct DNS records to your domains’ DNS zone. If you added the correct records, wait a while longer to let your domain’s DNS records propagate, and run the TXT lookup again. + * If your TXT records have not propagated to the internet's DNS, you see a **DNS Record not found** response. Confirm that you added the correct DNS records to your domains' DNS zone. If you added the correct records, wait a while longer to let your domain's DNS records propagate, and run the TXT lookup again. @@ -506 +512 @@ Example: -## Step 6: Complete the Let’s Encrypt SSL certificate request +###### Step 6: Complete the Let’s Encrypt SSL certificate request @@ -527 +533 @@ The message confirms that your certificate, chain, and key files are stored in t -## Step 7: Create links to the Let’s Encrypt certificate files in the NGINX server directory +###### Step 7: Create links to the Let’s Encrypt certificate files in the NGINX server directory @@ -541,17 +547 @@ You should see a response similar to the following: - 2. Enter the following command to set an environment variable for your domain. You can more efficiently copy and paste commands to link the certificate files. Be sure to replace ``domain`` with the name of your registered domain. - - DOMAIN=domain - -Example: - - DOMAIN=example.com - - 3. Enter the following command to confirm the variables return the correct values: - - echo $DOMAIN - -You should see a result similar to the following: - - - - 4. Enter the following commands individually to rename your existing certificate files as backups. Refer to the **Important** block at the beginning of this tutorial for information about the different distributions and file structures. + 2. Enter the following commands individually to rename your existing certificate files as backups. Refer to the **Important** block at the beginning of this tutorial for information about the different distributions and file structures. @@ -579 +569,5 @@ Approach B (Self-contained Bitnami installations): - 5. Enter the following commands individually to create links to your Let’s Encrypt certificate files in the NGINX server directory. Refer to the **Important** block at the beginning of this tutorial for information about the different distributions and file structures. + 3. Enter the following commands individually to create links to your Let’s Encrypt certificate files in the NGINX server directory. Refer to the **Important** block at the beginning of this tutorial for information about the different distributions and file structures. + +###### Note + +If you closed your browser-based SSH terminal window since setting the `DOMAIN` variable in Step 3, run `DOMAIN=`example.com`` again, replacing `example.com` with your domain. @@ -601 +595 @@ Approach B (Self-contained Bitnami installations): - 6. Enter the following command to start the underlying services that you stopped earlier: + 4. Enter the following command to start the underlying services that you stopped earlier: @@ -611 +605 @@ Your Nginx instance is now configured to use SSL encryption. However, traffic is - 7. Continue to the next section of this tutorial. + 5. Continue to the next section of this tutorial. @@ -616 +610 @@ Your Nginx instance is now configured to use SSL encryption. However, traffic is -## Step 8: Configure HTTP to HTTPS redirection for your web application +###### Step 8: Configure HTTP to HTTPS redirection for your web application @@ -705 +699 @@ Your Nginx instance is now configured to automatically redirect connections from -## Step 9: Renew the Let's Encrypt certificates every 90 days +###### Step 9: Renew the Let's Encrypt certificates every 90 days @@ -715 +709 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please -LAMP +LAMP by Bitnami @@ -717 +711 @@ LAMP -WordPress +WordPress by Bitnami