OK, we've had this domain sort of working for the last month, and here are some tips and tricks for running this Multisite on Lightsail.

# Fixing Security: SSH Keys

1. Use your own SSH keys. Lightsail is really convenient: by default it creates an SSH key pair for every region you use, so you don't need to know anything about keys to make it all work, and you can use the web-based SSH for everything. But if you want to get in from, say, a mobile app or a terminal, you should upload your own SSH public key into the Lightsail console. This is different from the EC2 setup, so go to the Lightsail console, choose Account at the upper right and pick Account again (I know the duplicate names are confusing), then pick upload SSH key. One annoying thing is that the file name you upload matters: it can only contain letters, digits, dash, underscore and dot, because Lightsail uses that filename as the key name, so you may have to rename your .pub file appropriately. The bigger problem is that this upload doesn't seem to actually work: if you change it, nothing happens to the authorized_keys file on your existing instances. So you either download the default PEM file, which I don't advise since the PEM is not encrypted, or manually add your public key to ~/.ssh/authorized_keys on each Lightsail instance.
2. Lightsail SSH logins will fail if too many keys are presented (sshd gives up after a small number of authentication attempts). This can be a problem if you use the `ssh-add -A` feature of macOS, which loads every key whose passphrase you saved in the macOS keychain with `ssh-add -K <key>`. To solve this, delete the unneeded keys with `ssh-add -K -d <unneeded key>`, then wipe and reload the agent with `ssh-add -D && ssh-add -A`. As a silly aside, you have to pass the fully qualified filename, not just the last part, so start from the root.
3. If you do decide to use the default PEM, encrypt it on your local machine with `ssh-keygen -p -f <the new key>`. You get a dialog to change the passphrase, and if there isn't one yet you get to create one. And you definitely want to store all of this in 1Password.
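Since the console upload does not touch existing instances, the practical fix is to append the public key yourself. The helper below is an added example, not code from the original post or from Lightsail/Bitnami: it installs a key line into an authorized_keys file only once (comparing key type and key material, so a changed comment does not create a duplicate), refuses lines that are not a recognised OpenSSH public key, and enforces the 700/600 permissions sshd requires under StrictModes. The key in the comment is a constructed placeholder.

```bash
#!/bin/sh
# Added example (not from the original post): manually install a public key on
# an instance because the Lightsail console upload does not update existing
# instances. Usage, as the login user (bitnami on Bitnami images):
#   add_authorized_key "$(cat ~/mykey.pub)" "$HOME/.ssh/authorized_keys"

# add_authorized_key PUBKEY_LINE AUTHORIZED_KEYS_FILE
# Prints "added" or "already present"; returns 1 for unrecognised input.
add_authorized_key() {
    key="$1"
    file="$2"
    # Accept only key types OpenSSH knows; anything else is probably a pasted
    # private key or garbage and must not land in authorized_keys.
    case "$key" in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-nistp256\ *|ecdsa-sha2-nistp384\ *|ecdsa-sha2-nistp521\ *) ;;
        *) echo "refusing: not a recognised OpenSSH public key line" >&2; return 1 ;;
    esac
    # Compare on "<type> <base64>" only, ignoring the trailing comment.
    keymat=$(printf '%s\n' "$key" | awk '{print $1" "$2}')
    dir=$(dirname "$file")
    mkdir -p "$dir"
    chmod 700 "$dir"
    touch "$file"
    chmod 600 "$file"   # sshd ignores the file if group/world writable
    if awk '{print $1" "$2}' "$file" | grep -qxF "$keymat"; then
        echo "already present"
        return 0
    fi
    printf '%s\n' "$key" >> "$file"
    echo "added"
}

# count_authorized_keys FILE: number of key lines (blank and comment lines skipped)
count_authorized_keys() {
    grep -cvE '^[[:space:]]*(#|$)' "$1" 2>/dev/null || true
}
```

Run it once per instance for each public key you actually use; the idempotent check means re-running it from a deploy script is harmless, and the rejection branch is what stops a copy-paste of the wrong file from silently corrupting the login.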

# Fixing WordPress

Getting rid of the Bitnami button at the bottom. By default, the Lightsail image shows a Bitnami banner at the bottom of every page. That is not only annoying, it is a bit of a security hole, since it advertises what stack you are running. Getting rid of it requires some SSH work, so SSH into your Lightsail instance. Then, at least on our instance, you have to make the configuration program executable before running it:

```bash
sudo chmod +x /opt/bitnami/apps/wordpress/bnconfig
sudo /opt/bitnami/apps/wordpress/bnconfig --disable_banner 1
sudo /opt/bitnami/ctlscript.sh restart apache
```

The other thing that is broken is Let's Encrypt renewal: at least on our instance, the SSL certificate did not renew.

Now you need the new bncert-tool, which does the same job as the old Let's Encrypt (lego) setup. Following the installation instructions, if your instance was created before May 2019 you will need to install it yourself. It's a little strange, but basically you download an executable and then run it. Note that the application is very picky: it seems to need an absolute path name when it is run.

```bash
wget -O bncert-linux-x64.run https://downloads.bitnami.com/files/bncert/latest/bncert-linux-x64.run
sudo mkdir /opt/bitnami/bncert
sudo mv bncert-linux-x64.run /opt/bitnami/bncert/
sudo chmod +x /opt/bitnami/bncert/bncert-linux-x64.run
sudo ln -s /opt/bitnami/bncert/bncert-linux-x64.run /opt/bitnami/bncert-tool
sudo /opt/bitnami/bncert-tool
```

Once this was installed, I ran into a whole host of errors. The first was an error 400 because there was no DNS entry for www, and indeed, when I looked at the records, that was correct. Most browsers will fall back to the top-level domain if they can't find www, but Let's Encrypt does not. So make sure every domain you specify, including the www variant, has a real A record.

If you are after May 2019, it's simpler, just run

```bash
sudo /opt/bitnami/bncert-tool
```

This actually failed because it did not recognize the configured email address and asked for a "valid" email address. That address should have been set up when lego was run, but I could not find it, so I'm a little confused about how to change it. After some sleuthing, mainly in the crontab, I found the valid email.

Also, the crontab entries were broken. The bncert tool does not like being run multiple times, so you need to remove the old entries with crontab -e and delete the lines, but it seems to want an empty crontab rather than no crontab at all.

Looking at this more, that doesn't seem to be the real error. The real problem is that https://yoursite.com/.well-known (where Let's Encrypt places its validation files) is being masked. This happened because I have some protection plugins that block it. Bitnami explains that you need to fix the rewrite rules in .htaccess by adding the condition RewriteCond %{REQUEST_URI} !^/\.well-known (the variable is REQUEST_URI, and the line goes ahead of the RewriteRule it guards) to keep anything under .well-known from being rewritten.

Alternatively, the offending rewrite could be in the Apache virtual hosts directive, so you may need to find the httpd configuration as well.

So off to figure out where Bitnami squirrels away the actual WordPress files: it turns out the real .htaccess files live in /bitnami/apps/wordpress/htdocs.
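Editing a plugin-managed .htaccess by hand is error-prone, and the exemption only helps if it sits in the condition chain of every RewriteRule that could swallow the ACME path. The helper below is an added example, not Bitnami's or any plugin's code: `unexempted_rules` counts RewriteRule lines that are not preceded by a .well-known condition, and `exempt_well_known` inserts `RewriteCond %{REQUEST_URI} !^/\.well-known` ahead of each such rule, keeps a .bak copy, and is safe to re-run. The .htaccess contents in the test are constructed to mimic a WordPress block plus a protection plugin rule that forbids dot-directories, which is exactly what masks /.well-known.

```bash
#!/bin/sh
# Added example (not from the original post or from Bitnami): make sure every
# RewriteRule in an .htaccess is guarded by a .well-known exemption so the
# Let's Encrypt validation path is never rewritten or denied.
# Usage: exempt_well_known /bitnami/apps/wordpress/htdocs/.htaccess

# unexempted_rules FILE: prints how many RewriteRule lines lack a preceding
# "RewriteCond ... .well-known" in their condition chain. A RewriteCond
# applies to the next RewriteRule only, so the flag resets at each rule.
unexempted_rules() {
    awk '
        /^[[:space:]]*RewriteCond/ && index($0, ".well-known") { seen = 1 }
        /^[[:space:]]*RewriteRule/ { if (!seen) n++; seen = 0 }
        END { print n + 0 }
    ' "$1"
}

# exempt_well_known FILE: insert the exemption before each unguarded
# RewriteRule. Idempotent: rules already guarded are left alone.
exempt_well_known() {
    file="$1"
    cp -p "$file" "$file.bak"   # keep the plugin's original for rollback
    awk '
        /^[[:space:]]*RewriteCond/ && index($0, ".well-known") { seen = 1 }
        /^[[:space:]]*RewriteRule/ {
            # awk string "\\." yields a literal backslash-dot for the regex
            if (!seen) print "RewriteCond %{REQUEST_URI} !^/\\.well-known"
            seen = 0
        }
        { print }
    ' "$file.bak" > "$file"
}
```

Because .htaccess is read per request, no Apache restart is needed after the change; run `unexempted_rules` again afterwards and expect 0. If the count is already 0 and the challenge still fails, the blocking rule is not in .htaccess and you are back to searching the vhost configuration.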