DEV Community

Cover image for Configure SSL Certificate — AWS Elastic Beanstalk (Single Instance)
Haseeb Burki
Haseeb Burki

Posted on • Updated on

Configure SSL Certificate — AWS Elastic Beanstalk (Single Instance)

SSL secures data transfer between client and server-side. Not only that it also increases your website’s Google ranking, so it's safe to say that SSL certificates are a MUST have.

AWS provides a very convenient solution called “AWS Certificate Manager” (ACM). It provides free public SSL certificates that you can connect to your load balanced Elastic Beanstalk (EB) instances.

That’s great !! but we can lose the load balancer for instances hosting our development environments and side projects … RIGHT ??

After all, a single low-cost instance will suffice. We’ll just generate a certificate using ACM use it on our “single instance” … wait what’s that !! we can’t ?? 😧😧😧

Apparently, ACM requires a load balancer (or CloudFront distribution). It’s not possible to use the certificate with an instance directly.

Well, that’s mildly annoying 😒 but don’t worry we can still provision a free SSL certificate without enduring unnecessary load balancer expenses, in three easy steps.

1) Elastic Beanstalk

The first step is to say goodbye to your load balancer. Convert your instance type to “single instance” from “load balanced.” You can do this from the Capacity tab inside Configurations. Just choose single instance in the environment type and that’s it.

Elastic Beanstalk configuration tab.

2) Certbot

The second step is creating and signing the certificate using “certbot”. You can find it here. I should mention that you’ll need a domain to use the certificate on.

Open up the terminal on your local machine, I’m using mac so some of the commands might be a little different for you.

certbot certonly --manual -d domain.com --preferred-challenges dns
  • “certonly”: use certbot authenticators

  • “manual”: generate certificates on machines other than web servers.

  • “d”: specify a domain

  • “preferred-challenges”: a method for domain verification

The cli will ask you to allow to log your machine’s IP address. You have to agree to continue.

After that, it’ll ask you to deploy a DNS TXT record with the name _acme-challenge.domain.com. Press “enter” when you want to verify the new record.

On successfully creating the certificate the cli will spit out two files “privkey.pem” & “fullchain.pem”.

certbot certificates

You can use the above command to list all the certificates along with paths to their files.

3) .ebextensions

Okay so we’re nearly there, the third and last step is enabling HTTPS for your “single instance” by allowing traffic on port 443.

Create a folder named .ebextensions, it is important that the name be exactly the same. Then create a configuration file with the extension “.config”.

  • “packages” key installs mod24_ssl on the instance.

  • “files” key is used to create files which hold the certificate, certificate chain and private key that certbot created.

Note:

  1. Copy the contents of “privkey.pem” to server.key file

  2. Copy the contents in “fullchain.pem” to chain.pem file

  3. There will be two keys in “fullchain.pem” You only need to copy the first key to server.crt file

Now all you have to do is deploy your code to Elastic Beanstalk. Make sure that your instance is connected to the same URL in Route53 that you entered in certbot cli …

Aaand Voilà !!! A+ rating for your very own, free of cost SSL Certificate. You can test your SSL certificate at ssllabs.com.

nuff’ said 😎😎😎

Happy Coding :)

Discussion (6)

Collapse
https_india profile image
Https

Hasseb, nice to see your effort to help AWS lovers to deal with SSL certs. I have also come across a SSL certificate installation service provider (ssl.support) who helps in getting your ssl installed on server, specially for them who are not tech savvy.

Collapse
hzburki profile image
Haseeb Burki Author

Cool, I'll give it a look soon! :D

Collapse
aschwad profile image
ASchwad

Hi Haseeb!
Great article, is there also a way on how to provide the certificates directly to the instance, without using s3? How can i allow this specific instance and nobody else to access the certificate files? Thanks in advance!
Alex

Collapse
hzburki profile image
Haseeb Burki Author

You don't have to use S3, all you need to do is use the files that Let's Encrypt creates. It doesn't matter where you put them. In fact, you can put them on the server you are using and give the path to the file .elasticbeanstalk config file.

I have been looking for a way to automate this process further so we don't have to renew the domain every 90 days. Take a look at this post if you are interested

Collapse
huguesgauthier profile image
Hugues Gauthier

Yum does not have mod24_ssl available for installation

Collapse
paticopro profile image
Patico

There is a workaround for getting certbot at Amazon Linux 2:

sudo wget -r --no-parent -A 'epel-release-*.rpm' http://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/
sudo rpm -Uvh dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-*.rpm
sudo yum-config-manager --enable epel*
sudo yum repolist all
sudo yum install -y certbot
Enter fullscreen mode Exit fullscreen mode

Found it at Amazon docs: docs.aws.amazon.com/AWSEC2/latest/...