loading...

Attach SSL to Elastic Load Balancer (ELB) and enable HTTPS

mubbashir10 profile image Mubbashir Mustafa ・4 min read

HTTPS enables you to transfer data over the network securely. To be able to use HTTPS with your load balancer you need to do the following steps:

  1. Request a certificate
  2. Add a CNAME record
  3. Attach HTTPS listener to the load balancer

1. Request a certificate

From AWS console, go to "Certificate Manager".
Alt Text

It will take you to the homepage of the AWS Certificate Manager. Select Provision Certificate and click "Get started".
Alt Text

Choose "Request a public certificate" and click on the "Request a certificate" button.
Alt Text

Enter the domain name you are using with your load balancer and click next. If you are using a sub-domain, you will have to enter that sub-domain. Also, you can cover more than one domain in a single certificate like this:

whateverdomain.club
my.whateverdomain.club
abc.whateverdomain.club
Enter fullscreen mode Exit fullscreen mode

or to cover all the sub-domains, you have to use

*.whateverdomain.club
whateverdomain.club
Enter fullscreen mode Exit fullscreen mode

Select "DNS Validation" (learn why) and click "Next"
Alt Text

You can add tags if you want, otherwise, leave them empty and click "Review". On the review page, review the info and click "Confirm and Request". Click "Export DNS configuration to a file" (it will download a csv file) and click "Continue".
Alt Text

Now we need to validate our request (prove that we are authorized to request SSL certificates for our domain). Until the validation is completed you will see "Pending validation" status against the certificate request.
Alt Text

2. Add a CNAME record

To prove our authorization we need to add the CNAME record to our domain's DNS records. To do that go over to route 53 (if your domain's NS are not pointing towards AWS then you will have to do the following steps from your domain registrar's control panel or some other service that you are using).
Alt Text

Select the Hosted Zone for the domain in question.
Alt Text

Click "Create record set", open up the csv file that was downloaded earlier and enter the values accordingly:

Name = From csv's Record Name column
Type = CNAME - Canonical name
Alias = No
Value = From csv's Record Value column

After entering the values click "Save Record Set".

Alt Text

*Note: in the CSV file, the Record Name is completely written, you just need the random string part.

# value in csv
_ab1e89753de00b10b8de785149740feb.whateverdomain.club. 

# value you need to enter in the name field
_ab1e89753de00b10b8de785149740feb

Enter fullscreen mode Exit fullscreen mode

Once the CNAME record has been added (correctly), go back to the AWS Certificate Manager and look for the status. It should be changed to "Issued".
Alt Text

*Note: The status change can take 0-72 hours. However, if ACM (AWS Certificate Manager) is not able to validate within 72 hours, then you will see "Time out" as the status and you will have to regenerate the request.

3.Attach HTTPS listener to the load balancer

Now that we have successfully generated an SSL certificate for our domain, we are ready to attach HTTPS listener to the load balancer. Head over to EC2, from the bottom left section select "Load Balancers". Select the load balancer to whom you intend to attach the SSL. Go the "Listeners" tab from the bottom and click "Add listener".
Alt Text

Select "HTTPS" as protocol. Add default action "Forward to" and select the target group to which you want to forward your requests. Leave "Security Policy" as it is. Select the certificate we generated above in the "Default SSL certificate".
Alt Text

Once the listener has been attached, go back to the load balancer page. From the bottom left select "Security Groups".
Alt Text

Select the security group attached to the load balancer.
Alt Text

Click "Edit inbound rules".
Alt Text

Click "Add Rule". From the "Type" dropdown, select HTTPS. From the source select 0.0.0.0/0. Add another rule, pick HTTPS as the type but ::/0 as the source. Click "Save rules".
Alt Text

That's it. Go to your browser, navigate to your domain and https as the protocol to confirm the set-up.
Alt Text

Discussion

pic
Editor guide
Collapse
jondedoe profile image
JonDeDoe

Nice article! keep it up.

By the way, If you want to use SSL for another resources like EKS, you can follow my guidance here: dev.to/iilness2/practical-way-to-s...