SSL secures data transfer between the client and the server. It also improves your website’s Google ranking, so it's safe to say that SSL certificates are a MUST have.
AWS provides a very convenient solution called “AWS Certificate Manager” (ACM). It provides free public SSL certificates that you can connect to your load balanced Elastic Beanstalk (EB) instances.
That’s great!! But we can lose the load balancer for instances hosting our development environments and side projects … RIGHT??
After all, a single low-cost instance will suffice. We’ll just generate a certificate using ACM and use it on our “single instance” … wait, what’s that!! We can’t?? 😧😧😧
Well, that’s mildly annoying 😒 but don’t worry, we can still provision a free SSL certificate without paying for an unnecessary load balancer, in three easy steps.
The first step is to say goodbye to your load balancer. Convert your environment type from “load balanced” to “single instance”. You can do this from the Capacity tab inside Configurations. Just choose single instance as the environment type and that’s it.
The second step is creating and signing the certificate using “certbot”. You can find it here. I should mention that you’ll need a domain to use the certificate on.
Open up the terminal on your local machine. I’m using a Mac, so some of the commands might be a little different for you.
certbot certonly --manual -d domain.com --preferred-challenges dns
“certonly”: obtain the certificate only, without installing it on a web server
“--manual”: generate certificates on machines other than web servers
“-d”: specify a domain
“--preferred-challenges”: the method used for domain verification
The CLI will ask for permission to log your machine’s IP address. You have to agree to continue.
After that, it’ll ask you to deploy a DNS TXT record with the name _acme-challenge.domain.com. Press “enter” when you want to verify the new record.
On successfully creating the certificate, the CLI will spit out two files: “privkey.pem” and “fullchain.pem”.
You can use the above command to list all the certificates along with paths to their files.
Okay so we’re nearly there, the third and last step is enabling HTTPS for your “single instance” by allowing traffic on port 443.
Create a folder named .ebextensions; it is important that the name be exactly that. Then create a configuration file with the extension “.config”.
“packages” key installs mod24_ssl on the instance.
“files” key is used to create files which hold the certificate, certificate chain and private key that certbot created.
Copy the contents of “privkey.pem” to the server.key file.
Copy the contents of “fullchain.pem” to the chain.pem file.
There will be two certificates in “fullchain.pem”. You only need to copy the first one to the server.crt file.
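The three copy steps above as a small shell helper. This is an added example, not part of the original post; the function names and both directory arguments are assumptions (certbot prints the real paths to its files).

```shell
#!/bin/sh
# Added example: prepare the three files referenced by the "files" key.
# Usage: prepare_eb_certs <dir holding privkey.pem/fullchain.pem> <output dir>
# Both directory arguments are assumptions; use the paths certbot reports.

# Print only the first PEM certificate block of a file (your domain's cert).
first_cert() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { inblock = 1 }
        inblock { print }
        /-----END CERTIFICATE-----/ { if (inblock) exit }
    ' "$1"
}

# Count the certificate blocks in a file.
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

prepare_eb_certs() {
    src=$1
    out=$2
    [ -r "$src/privkey.pem" ] && [ -r "$src/fullchain.pem" ] || {
        echo "privkey.pem or fullchain.pem not readable in $src" >&2
        return 1
    }
    mkdir -p "$out" || return 1
    # server.key is a secret: create the files readable by the owner only.
    old_umask=$(umask)
    umask 077
    cp "$src/privkey.pem" "$out/server.key"
    cp "$src/fullchain.pem" "$out/chain.pem"
    first_cert "$src/fullchain.pem" > "$out/server.crt"
    chmod 600 "$out/server.key"
    umask "$old_umask"
    # server.crt must hold exactly one certificate block.
    [ "$(count_certs "$out/server.crt")" -eq 1 ] || return 1
    # Neither certificate file may contain private key material.
    if grep -q 'PRIVATE KEY' "$out/server.crt" "$out/chain.pem"; then
        echo "private key material found in a certificate file" >&2
        return 1
    fi
}
```

The contents of server.key end up inside your .config file, so treat that file like the key itself and keep it out of any shared or public repository.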
Now all you have to do is deploy your code to Elastic Beanstalk. Make sure that your instance is connected to the same URL in Route53 that you entered in certbot cli …
Aaand Voilà !!! A+ rating for your very own, free of cost SSL Certificate. You can test your SSL certificate at ssllabs.com.