This Blog begins with a story about SSL certification with Amazon Lightsail and Bitnami. My first blog and my first WordPress site, I started up this thing with Lightsail since I already had an AWS account and the price seemed right. Installation was fairly easy and all went well until I got to the SSL certification.
It looked like it was going to be a breeze. I am pretty new to deployment, but there is a browser-based SSH terminal and a quick tool provided by Bitnami that would take care of all the things – provided I followed all the directions.
So I click in to the terminal, run the command:
(I have it memorized now as I’ve run it so many times unsuccessfully)
No dice. I get an error message:
Warning: The domain ‘stephenagraham.com’ resolves to a different IP address than the one detected for this machine, which is ‘blah-blah-blah’. Please fix its DNS entries or remove it.
I double check that blah-blah-blah is the static ip for my instance, and it is. I reeeeeally scrutinize the numbers just to make sure I’m not mixing something up. Nope. I’m not sure what’s going on.
I do some searching, but come up empty. There is some talk in the documents that DNS stuff can take up to 72 hours to propagate all around the world, so I’m like “maybe bncert is checking a server that doesn’t have the dns info yet, so it’s getting the wrong address. I guess I have to wait.” and I leave it.
I check back over the next couple of days to no avail. Same error every time. I’m becoming an expert at running ‘sudo /opt/bitnami/bncert-tool.’ I should put it on my resume.
72 hours and more have passed. Still not happening. I decide to do some deeper digging. I find this post on the Bitnami community forum, where someone notes that bncert-tool doesn’t support IPv6 addresses.
Stephenagraham.com has an IPv6 address enabled by default. I didn’t do this, it came that way. I’m skeptical, and do some more digging to see if I can corroborate this – the post was from last year, and things change.
I end up finding reference in the documentation that confirms it. The bncert-tool does not support IPv6 adresses (or NGINX web servers, but I’m not using one).
This information is missing from the quick and breezy “Getting Started” documentation for noobs.
1. I disabled IPv6 for my instance.
(Then I did an nslookup on cmd, and I still had the stupid-long ipv6 address showing up. Same thing if I did getent hosts stephenagraham.com after sshing into the server. (see all the fancy CLI commands I’m learning?)
2. I Delete the AAAA record in my Lightsail DNS zone. (Important second step)
(I don’t need that anymore – I just released that address into the wild by disabling that service.)
After those two things, I ran my favorite command again
And it worked!! All went fine.
I decided to redirect www.stephenagraham.com to the apex without the www. Is that wrong? I dunno, with such a long name, if I can get rid of 4 characters (including the period) I think it looks cleaner.
I went to the site in the browser, and got my happy little lock icon. Woohoo!
But… Do I need an IPv6 address active? It’s free. What if I reenable it, does the SSL break?
I figured what the hell.
I reenabled the IPv6 service, getting a brand new stupid-long address. Created a new AAAA record in the DNS zone, and I’m done. So far it seems to be working. You got here, right? Is there a little lock icon up there?
I guess I’ll see what happens.