Adding HTTPS to Route 53 domains on AWS

In this post we will be covering how to apply an SSL certificate for HTTPS access, to a domain registered with Route 53 on AWS, using the AWS Certificate Manager.

In our example we will be applying the SSL against a web application running on AWS Elastic BeanStalk. Delivering content over HTTPs is best practice and is required for various purposes, most often it is required to access the user webcam and other input devices such as a microphone.

While this process is covered well in the official AWS documentation I thought it would be good to centralize the process in a more easy to follow manner for my future reference. This will not cover domain purchasing on Route 53 as that process is fairly straight forward.

Overview

To apply an SSL certificate against a domain on AWS the following steps must be followed:

• Register or transfer domain on AWS Route 53
• Acquire SSL certificate on AWS certificate manager
• Domain verification via DNS or email
• Apply HTTPS ports on Elastic Beanstalk
• Apply HTTPS for Static Websites on S3

Purchase or transfer domain on Route 53

On Route 53 register your desired domain name to use. This only requires the name of the URL, contact details and verification and purchase. This will create the URL as a hosted zone in Route 53. For transferring domains refer to the official documentation

Acquire SSL certificate on AWS certificate manager

For static websites that will need HTTPS, you will need to use CloudFront for viewers, for the SSL to work with this configuration the SSL certificate will need to be purchase in the US East (N. Virginia) region. This is important! So once again…

Only certificates registered in AWS Certificate Manager (ACM) in the US East (N. Virginia) Region will be enabled for use in CloudFront

See docs. There are alternative configurations using ELB load balancer which can be registered in any region but this is out of scope for this article.

Log on to AWS Certificate Manager, switch to US East (N. Virginia), and click on Request Certificate. Request a public certificate since the site will be publicly available. On the next screen enter your domain name. Using wildcards for the SSL allows you to apply HTTPS to subdomains, for example *.mysite.com. The article assumes SSL is bought as a wildcard.

Domain Validation

The next step we need to validate that we own the domain. You can verify via email or DNS. If you purchased the domain on Route 53, choose DNS, the next screen click the chevron, you will see an option to automatically add the needed DNS records to Route 53. Otherwise copy the name, CNAME and values and input them into your domain register option. The SSL will be Pending Validation until it is verified. If the verification fails for any reason the status will change to Validation Timeout. With Route 53 the validation takes about 30 minutes. When the verification succeeds, the status will change to Issued.

Apply HTTPS ports on Elastic Beanstalk

If you are applying HTTPS traffic to a Elastic Beanstalk application you will need to navigate to teh application, go to configuration overview and modify the Load Balancer.

We will now add a new listener for HTTPS traffic, click Add Listener, select 443 as the port (standard port for HTTPS). Pick HTTPs as the protocol.

Under the SSL certificate pick your newly issued certificate. Pick ELBSecurityPolicy-FS-2018-06 as the SSL policy. If the Elastic Beanstalk application is registered in US East (N. Virginia) region you will be able to pick the certificate.

Apply HTTPS for Static Websites on S3

For static websites the process is a bit different, you cannot apply SSL certificates against a S3 buckets. You will need to create a Cloudfront distribution. Click create distribution, select Web and click get started.

There will be a lot of settings on the next page, you can most of them as default. The key settings are:

• Origin Domain Name: Pick your S3 bucket here where the static page is being hosted
• Viewer Protocol Policy: Pick Redirect HTTP to HTTPS
• Alternate Domain Names (CNAMEs): Enter your domain address, *.mysite.com
• Custom SSL certificate: Pick your certificate, as long as it is registered in US East (N. Virginia) Region it will appear as an option.
• Default Root Object: Enter index.html here.

Click create distribution. This process takes about 30 minutes. When this process is completed you will get a Cloud distribution URL in the following format d1l3ij4ksot170.cloudfront.net.

This is the URL you will need to use in Route 53, for domains purchased on AWS. Create A and AAAA records, with the Cloudfront URL as the value. If the domain is registered elsewhere you will need to create a CNAME that points to the Cloudfront URL. If everything was done correctly you will have a static website with HTTPS applied.

See official documentation How do I use CloudFront to serve HTTPS requests for my Amazon S3 bucket?

Written by Farhad Agzamov who lives and works in London building things. You can follow him on Twitter and check out his github here