June 03, 2019
In this post we will be covering how to apply an SSL certificate for HTTPS access, to a domain registered with Route 53 on AWS, using the AWS Certificate Manager.
In our example we will be applying the SSL against a web application running on AWS Elastic BeanStalk. Delivering content over HTTPs is best practice and is required for various purposes, most often it is required to access the user webcam and other input devices such as a microphone.
While this process is covered well in the official AWS documentation I thought it would be good to centralize the process in a more easy to follow manner for my future reference. This will not cover domain purchasing on Route 53 as that process is fairly straight forward.
To apply an SSL certificate against a domain on AWS the following steps must be followed:
On Route 53 register your desired domain name to use. This only requires the name of the URL, contact details and verification and purchase. This will create the URL as a hosted zone in Route 53. For transferring domains refer to the official documentation
For static websites that will need HTTPS, you will need to use CloudFront for viewers, for the SSL to work with this configuration the SSL certificate will need to be purchase in the US East (N. Virginia) region. This is important! So once again…
Only certificates registered in AWS Certificate Manager (ACM) in the US East (N. Virginia) Region will be enabled for use in CloudFront
See docs. There are alternative configurations using ELB load balancer which can be registered in any region but this is out of scope for this article.
Log on to AWS Certificate Manager, switch to US East (N. Virginia), and click on
Request Certificate. Request a public certificate since the site will be publicly available. On the next screen enter your domain name. Using wildcards for the SSL allows you to apply HTTPS to subdomains, for example
*.mysite.com. The article assumes SSL is bought as a wildcard.
The next step we need to validate that we own the domain. You can verify via email or DNS. If you purchased the domain on Route 53, choose DNS, the next screen click the chevron, you will see an option to automatically add the needed DNS records to Route 53. Otherwise copy the name, CNAME and values and input them into your domain register option. The SSL will be
Pending Validation until it is verified. If the verification fails for any reason the status will change to
Validation Timeout. With Route 53 the validation takes about 30 minutes. When the verification succeeds, the status will change to
If you are applying HTTPS traffic to a Elastic Beanstalk application you will need to navigate to teh application, go to configuration overview and modify the
We will now add a new listener for HTTPS traffic, click
Add Listener, select 443 as the port (standard port for HTTPS). Pick HTTPs as the protocol.
Under the SSL certificate pick your newly issued certificate. Pick
ELBSecurityPolicy-FS-2018-06 as the SSL policy. If the Elastic Beanstalk application is registered in US East (N. Virginia) region you will be able to pick the certificate.
For static websites the process is a bit different, you cannot apply SSL certificates against a S3 buckets. You will need to create a Cloudfront distribution. Click create distribution, select Web and click get started.
There will be a lot of settings on the next page, you can most of them as default. The key settings are:
Click create distribution. This process takes about 30 minutes. When this process is completed you will get a Cloud distribution URL in the following format
This is the URL you will need to use in Route 53, for domains purchased on AWS. Create A and AAAA records, with the Cloudfront URL as the value. If the domain is registered elsewhere you will need to create a CNAME that points to the Cloudfront URL. If everything was done correctly you will have a static website with HTTPS applied.
See official documentation How do I use CloudFront to serve HTTPS requests for my Amazon S3 bucket?