paint-brush
Getting a Free SSL Certificate on AWS a How-To Guideby@sambernheim
73,676 reads
73,676 reads

Getting a Free SSL Certificate on AWS a How-To Guide

by Sam BernheimJuly 21st, 2018
Read on Terminal Reader
Read this story w/o Javascript

Too Long; Didn't Read

AWS gives you a FREE SSL certificate if you use their load balancer (yes you do have to pay for the load balancer but its pretty cheap and in then end is something your site should have anyway) but I found the setup to be confusing. Setting up a load balancer, connecting it to the EC2 instance, configuring the DNS, and putting in all the correct information is not a trivial process. This guide gives you everything you need to get up and running with an SSL cert.

People Mentioned

Mention Thumbnail

Companies Mentioned

Mention Thumbnail
Mention Thumbnail
featured image - Getting a Free SSL Certificate on AWS a How-To Guide
Sam Bernheim HackerNoon profile picture

AWS gives you a FREE SSL certificate if you use their load balancer (yes you do have to pay for the load balancer but its pretty cheap and in then end is something your site should have anyway) but I found the setup to be confusing. Setting up a load balancer, connecting it to the EC2 instance, configuring the DNS, and putting in all the correct information is not a trivial process. This guide gives you everything you need to get up and running with an SSL cert.

What’s Covered

  • Setting up a Security Group
  • Setting up an EC2 Instance w/ Elastic IP
  • Setting up SSL with the Amazon Certificate Manager (ACM)
  • Setting up a Load Balancer
  • Setting up Target Groups

I assume you have some app that is ready to deploy. Whether it uses NodeJS, Python, or Java on the backend doesn’t matter. All that does matter is that it runs on some port that you can control. For this article I’ll assume port 8080. This is not a special port. It would work the same with port 1234, or 3000, or 5000. I just set my stuff up with 8080 so it will be easiest to follow.

Setting up an EC2 Instance

This part is easy. Log on to the amazon console and under services click EC2. Click on the launch instance button. It looks like this:

Launch new EC2 Instance

Then you have to select which AMI (Amazon Machine Image) you want. This is the OS the instance will use. Typically you’ll just want a linux instance but you might want something different depending on your needs. I’m going to choose the first one:

Click select and then select your instance type. This is to configure how much RAM your server will have, how much processing power, the size, and type. I personally just go with the defaults. Keeps things easy.

When you get to step 6 be you’ll want to make a new Security Group. The settings should look like this:

When you hit launch you will be given the option of making a new key. This is what will let you SSH into the instance. Make a new one (or use an old one if you still have access to the .pem file and want to use it) and give it a name. Download it and keep it somewhere on your computer that is easy to access (I usually keep it in ~/).

In your terminal cd to the folder where the .pem file is and follow the instructions that pop up when you hit the connect button (you need to have the instance selected by clicking on it). Once you’re SSH’d into the instance you can clone your code from GitHub or wherever its being stored, install any dependencies and start your server. Then exit out. Thats all the terminal work we’ll be doing :).

Setting up your Elastic IP Address

Next you’ll need an IP address for your instance to make it publicly accessible. AWS does this with Elastic IPs. It’s listed on the left side panel. Find it and open up the page. Click on Allocate new address and then when the EC2 instance you just made shows up in the list, CTRL click on it and select Associate Address. Then select the instance you just created and click Associate.

Visiting this IP address and then :PORT_NUM should bring you to your site. So if your Elastic IP was 34.200.70.235, and your app was running on port 8080, visiting 34.200.70.235:8080would make a get request to / .

Addendum: Thanks to Michael Flaxman for catching a mistake! In the security group shown in the above image, port 8080 is not included which means visiting 34.200.70.235:8080 would be blocked. To allow access, edit the security group and simply add port 8080 with type http with the same source options as ports 80 and 443.

Congrats!! You just deployed your website on AWS! Lets try and improve it a bit by adding SSL and associating it with a domain name.

Setting Up SSL

We’ll do this using ACM, AWS’s certificate manager. Click on services, search ACM and click on Certificate Manager.

Click Request a Certificate. You want a Public Certificate. Click on Request a Certificate and add all your domain names to the box. This should only include the main domain (also referred to as the naked domain) aka mypage.com and not things like mypage.com/blah. If you have other versions like [www.mypage.com](http://www.mypage.com) or blog.mypage.com add those too and click next.

Add your domains

Now AWS needs to verify you are in fact the owner of that domain. Select DNS Validation if you have access to the DNS settings (this would be through Route53, Namecheap, GoDaddy or any other domain name provider) or Email Validation if you do not. DNS validation is better and faster. If you are using Route 53 (which I recommend), then the remaining setup is very easy since AWS can add the required records for you to the DNS settings. Otherwise you will have to copy and paste them in. Save your changes and then you should then see something like this:

If you are using Route 53 an additional button will be available offering to add the CNAME Records to your DNS (shown below). Click it for each version of the domain (the www and non-www version and any other subdomains you added in the previous step). Otherwise copy the name and value and add it as a CNAME record to your DNS settings. Each version requires its own record so be sure to add all of them to your DNS settings.

Once AWS verifies everything the validation status will update to say Success in green. This may take some time (0–30+ mins but typically around 5) so don’t worry if it doesn’t happen immediately.

Setting up your Load Balancer

Now we need to configure the load balancer. This is also found in the left side panel in EC2. A load balancer makes it easy to evenly distribute traffic to your site to the multiple servers that are running it. We won’t really be making use of this aspect (since we only have one instance running) but that is its main function. Open up its page and click Create Load Balancer.

Which brings you to this page:

Create Load Balancer Options

We’ll be using the first option, HTTP and HTTPS. Click and give it a name. Under Load Balancer Protocol we’ll want to add HTTP and HTTPS as options. The HTTP option should be set to use port 80 and the HTTPS option port 443. Choose some availability zones (2 are required at a minimum). The setup should then look like this:

Notice how for port it specifies the Load Balancer Port. This is the port the of the load balancer, NOT of your application (which is 8080). This is because the Load Balancer will sit in front of your server and listens on ports 80 and 443 (what we just set up). When a request comes in on either of these ports, the load balancer will then take some action to forward the request onto your application which will be listening on port 8080 (We’ll set that up in the next step).

Once this is done click next.

This is where you connect the SSL certificate to the Load Balancer. Select Choose a Certificate from ACM and the cert you just made from the drop down menu. The default security policy is good to go.

See, not to bad and we’re almost done.

Go now to Target Groups, also on the left side of the EC2 settings and just below Load Balancers, and create a new target group.

Give it a name and use HTTP as the protocol with a port value of 8080 (the same as the port your actual server is listening on).

Select it, click on Targets in the bottom panel and then edit. You’re going to select your EC2 instance in the bottom and then click Add to registered and be sure the port is 8080 and then Save. It should now appear in the top part as a registered target.

Go back to the load balancer settings and select your load balancer. Choose listeners and click Add listener with a port value of 80 and forward to the Target group we just made (Ignore the red below).

Do the same thing again but instead of HTTP do HTTPS and use port 443 again with the same Target group we just made. For this one though we will set the SSL info to be from ACM and then select the Certificate we made earlier. Hit save and it should now look like this in the listeners section.

Be sure to also set up the security group for the load balancer to allow traffic to enter on port 80. To make a new security group, find the tab on the left panel of the EC2 page. Create a new security group allowing traffic from all sources in on port 80 like below. If you get an error about CIDR it’s because you have to set the source column.

Pointing your Domain to the Load Balancer

The last and final step is to update the DNS records for your site to now point to the load balancer.

Go to Route 53 in the console and open up the settings for your Domain.

If you don’t have them already, you’ll need to add two A records. If you already do have them, you’ll need to update them.

For type, select A record and then just below it you’ll see a yes or no option for Alias. Choose Yes.

Then click on the text book to the right of Alias Target and select the load balancer you just made from the list.

AND THAT’S IT!!!

When a request comes in to your domain (whether it be http or https), Route 53 will direct it to the Load balancer which will use the target group to send it to the EC2 instance.

If you run into any problems google the service you were working with (ACM, EC2, Route53, etc) and then the issue or drop a comment below. I hope this has helped you get your site running with SSL

As Jeb Bush said, please clap:  :)