1. Concatenate the SSL files
2. Prepare private key
3. Upload to certificate files to S3
4. Configure the proxy server to use the SSL certificates
This guide illustrates how to set up an SSL certificate (needed for secure HTTPS connection) on an ElasticBeanstalk environment WITHOUT a load balancer.
That’s not a groundbreaking info and the majority of it is available on the AWS website, but still, it’s not that straightforward nor easy to find. Plus, the majority of the third-party guides focus on setting up certificates using a load balancer so here’s the alternative approach if you don’t use a load balancer.
This guide assumes you have already purchased and obtained all certificate files. If you haven’t, head to a certificate provider and do so. Here are the configuration steps:
1. Concatenate the SSL certificate files
Your certificate provider should’ve emailed you at least two files - the actual certificate and an intermediate certificate. You need to combine these into a single file. To do that execute in the terminal (if you don’t feel like terminals, use your text editor):
cat you_certificate intermediate > server.crt (add all intermediate certificates after your_certificate)
The new file should look something like:
-----BEGIN CERTIFICATE-----
.....
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
.....
-----END CERTIFICATE-----
Regardless whether you used the terminal or an editor, there shouldn’t be any empty lines in the new file.
2. Prepare private key file
The private key is something that gets generate along the CSR (certificate signing request) and holds some info like the domain name, public key and additional contact information. It would look something like this:
-----BEGIN PRIVATE KEY-----
.....
-----END PRIVATE KEY-----
You need to name this file server.key.
3. Upload the files (certificate + private key) to AWS S3
Once you have the concatenated certificate file server.crt and the private key file server.key, you need to upload them to S3 so that ElasticBeanstalk can fetch them when needed. By default, ElasticBeanstalk must’ve created an S3 bucket for you environment that would look something like this elasticbeanstalk-eu-central-1-1234567891234. You need to upload the two certificate files there.
Remember to keep them private! DO NOT make these files publicly accessible. These files should be available to your environment only and no one else.
4. Configure the ElasticBeanstalk app to use the SSL certificate
To configure your single instance ElasticBeanstalk environment to use SSL, first you must add an ingress rule to the instance’s SecurityGroup to allow traffic on port 443. You can use the config file provided by AWS here: AWS Security Group config or add the rule manually through the AWS console:
Here, you may also consider what to do with port 80:
- remove the rule if you don't want any access to it;
- leave it as it is if you are planning to redirect the traffic to 443 for example.
For Amazon Linux 1
To install the certificates on your environment you can use one of the AWS provided config files here: EB Proxy server config. Select the config that matches your environment’s platform. In the “Parameters” section under “Default” paste the URL of the certificate and private key files you uploaded to S3 in the previous step.
Add both configs to the .ebextensions folder in the root of your application and deploy.