Configure SSL Certificate — AWS Elastic Beanstalk (Single Instance)

Haseeb Burki

SSL secures data in transit between the client and the server. It also improves your website’s Google ranking, so it's safe to say that SSL certificates are a MUST have.

AWS provides a very convenient solution called “AWS Certificate Manager” (ACM). It provides free public SSL certificates that you can connect to your load balanced Elastic Beanstalk (EB) instances.

That’s great !! but we can lose the load balancer for instances hosting our development environments and side projects … RIGHT ??

After all, a single low-cost instance will suffice. We’ll just generate a certificate using ACM and use it on our “single instance” … wait what’s that !! we can’t ?? 😧😧😧

Apparently, ACM requires a load balancer (or CloudFront distribution). It’s not possible to use the certificate with an instance directly.

Well, that’s mildly annoying 😒 but don’t worry we can still provision a free SSL certificate without enduring unnecessary load balancer expenses, in three easy steps.

1) Elastic Beanstalk

The first step is to say goodbye to your load balancer. Convert your environment type from “load balanced” to “single instance”. You can do this from the Capacity tab inside Configurations. Just choose single instance as the environment type and that’s it.

Elastic Beanstalk configuration tab.

2) Certbot

The second step is creating and signing the certificate using “certbot”. You can find it here. I should mention that you’ll need a domain to use the certificate on.

Open up the terminal on your local machine. I’m using a Mac, so some of the commands might be a little different for you.

certbot certonly --manual -d domain.com --preferred-challenges dns

  • “certonly”: obtain the certificate only, without installing it on a web server

  • “--manual”: generate certificates on machines other than web servers

  • “-d”: specify a domain

  • “--preferred-challenges”: the method used for domain verification (here, DNS)

The CLI will ask for permission to log your machine’s IP address. You have to agree to continue.

After that, it’ll ask you to deploy a DNS TXT record with the name _acme-challenge.domain.com. Press “enter” when you want to verify the new record.

On successfully creating the certificate, the CLI will spit out two files: “privkey.pem” & “fullchain.pem”.

certbot certificates

You can use the above command to list all the certificates along with paths to their files.

3) .ebextensions

Okay so we’re nearly there, the third and last step is enabling HTTPS for your “single instance” by allowing traffic on port 443.

Create a folder named .ebextensions. It is important that the name be exactly the same. Then create a configuration file with the extension “.config”.

  • “packages” key installs mod24_ssl on the instance.

  • “files” key is used to create files which hold the certificate, certificate chain and private key that certbot created.

Note:

  1. Copy the contents of “privkey.pem” to server.key file

  2. Copy the contents in “fullchain.pem” to chain.pem file

  3. There will be two certificates in “fullchain.pem”. You only need to copy the first one to the server.crt file
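
The three copy steps in the note above, as a shell function (an added example, not part of the original post). It copies privkey.pem to server.key, all of fullchain.pem to chain.pem, and only the first certificate block to server.crt; the function names and the output directory argument are assumptions.

```shell
#!/bin/sh
# Added example: build server.key, chain.pem and server.crt from certbot's
# privkey.pem and fullchain.pem. Function names are illustrative.

# Print only the first certificate block of a PEM bundle.
first_cert() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { inblock = 1 }
        inblock                       { print }
        /-----END CERTIFICATE-----/   { if (inblock) exit }
    ' "$1"
}

# Count the certificate blocks in a PEM file.
cert_count() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# prepare_tls_files <privkey.pem> <fullchain.pem> <output-dir>
prepare_tls_files() {
    privkey=$1; fullchain=$2; out=$3
    if [ ! -s "$privkey" ] || [ ! -s "$fullchain" ]; then
        echo "privkey.pem or fullchain.pem is missing or empty" >&2
        return 1
    fi
    if [ "$(cert_count "$fullchain")" -lt 1 ]; then
        echo "no certificate found in $fullchain" >&2
        return 1
    fi
    mkdir -p "$out" || return 1
    (
        umask 077   # new files start owner-only
        cp -f "$privkey" "$out/server.key" &&
        cp -f "$fullchain" "$out/chain.pem" &&
        first_cert "$fullchain" > "$out/server.crt" &&
        chmod 400 "$out/server.key" &&
        chmod 644 "$out/server.crt" "$out/chain.pem"
    )
}

# Run only when called with the three arguments.
if [ "$#" -eq 3 ]; then
    prepare_tls_files "$@"
fi
```

server.key ends up readable by its owner only, since anyone who can read the private key can impersonate the site.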

Now all you have to do is deploy your code to Elastic Beanstalk. Make sure that your instance is connected to the same URL in Route53 that you entered in certbot cli …

Aaand Voilà !!! A+ rating for your very own, free of cost SSL Certificate. You can test your SSL certificate at ssllabs.com.

nuff’ said 😎😎😎

Happy Coding :)

Haseeb Burki

@hzburki

I’m a full stack engineer working at Numu, in charge of developing web and mobile apps, handling AWS applications and devOps tasks. I may also write sporadically about my technical adventures.

Discussion


Haseeb, nice to see your effort to help AWS lovers deal with SSL certs. I have also come across an SSL certificate installation service provider (ssl.support) who helps in getting your SSL installed on the server, especially for those who are not tech savvy.

 

Cool, I'll give it a look soon! :D

 

Hi Haseeb!
Great article! Is there also a way to provide the certificates directly to the instance, without using S3? How can I allow this specific instance and nobody else to access the certificate files? Thanks in advance!
Alex

 

You don't have to use S3, all you need to do is use the files that Let's Encrypt creates. It doesn't matter where you put them. In fact, you can put them on the server you are using and give the path to the file .elasticbeanstalk config file.

I have been looking for a way to automate this process further so we don't have to renew the domain every 90 days. Take a look at this post if you are interested

 

Yum does not have mod24_ssl available for installation

 

There is a workaround for getting certbot on Amazon Linux 2:

sudo wget -r --no-parent -A 'epel-release-*.rpm' http://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/
sudo rpm -Uvh dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-*.rpm
sudo yum-config-manager --enable epel*
sudo yum repolist all
sudo yum install -y certbot

Found it at Amazon docs: docs.aws.amazon.com/AWSEC2/latest/...