Motivation:
To obtain a free SSL certificate (by Let's Encrypt) for your web application without the hassle of renewing it every three months, consider the following approach.
The simplest solution is to use a Load Balancer and attach an SSL certificate from AWS Certificate Manager (ACM) to it. However, relying on a Load Balancer solely for HTTPS may be costly. To address this, I’ve outlined a much more affordable alternative that requires a bit of configuration.
Additionally, in this post, I explain how to configure SSL for an Elastic Beanstalk instance, as I found the existing documentation and available resources to be somewhat outdated.
Keyword of the solution is Cloudflare.
Cloudflare offers a proxy feature that enables you to set up a free SSL certificate while securely proxying traffic to your host.
In Flexible mode, the communication between Cloudflare and AWS is not encrypted. If you prefer end-to-end encryption, you can opt for Full mode instead.
Steps
1. Add your domain to Cloudflare.
- In the DNS settings, configure your domain as proxied.
- In the SSL/TLS settings, select Full (strict) mode for end-to-end encryption.
2. Generate an Origin Certificate in Cloudflare
- Go to the SSL/TLS > Origin Server section in Cloudflare.
- Generate a certificate valid for up to 15 years.
- Use this certificate to configure SSL in AWS Elastic Beanstalk.
3. Store Certificates in AWS Secrets Manager:
- Save the
server.crtandserver.keyfiles as secrets in AWS Secrets Manager. - Use the following secret names:
/app/ssl/server-crtand/app/ssl/server-key
4. Grant IAM Role Access to Secrets:
- In AWS IAM add a new policy named
ReadSSLSecretKeysfor the roleaws-elasticbeanstalk-ec2-rolewith the following permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ssm:GetParameter",
"Resource": "arn:aws:ssm:region:account_id:parameter/app/ssl/server-crt"
},
{
"Effect": "Allow",
"Action": "ssm:GetParameter",
"Resource": "arn:aws:ssm:region:account_id:parameter/app/ssl/server-key"
}
]
}
5. Configure your Elastic Beanstalk deployment to listen on port 443 and use the Origin Certificate generated in Cloudflare (stored in AWS Secrets Manager) do changes in the following files:
-
.ebextensions/01_https-instance-securitygroup.config
Resources:
sslSecurityGroupIngress:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
IpProtocol: tcp
ToPort: 443
FromPort: 443
CidrIp: 0.0.0.0/0
-
.ebextensions/02_https-instance.config
files:
/etc/pki/tls/certs/server.crt:
mode: "000400"
owner: root
group: root
content: |
-----BEGIN CERTIFICATE-----
certificate file contents
-----END CERTIFICATE-----
/etc/pki/tls/certs/server.key:
mode: "000400"
owner: root
group: root
content: |
-----BEGIN RSA PRIVATE KEY-----
private key contents # See note below.
-----END RSA PRIVATE KEY-----
container_commands:
01_fetch_server_crt:
command: |
aws ssm get-parameter --name "/app/ssl/server-crt" --with-decryption --query "Parameter.Value" --output text > /etc/pki/tls/certs/server.crt
02_fetch_server_key:
command: |
aws ssm get-parameter --name "/app/ssl/server-key" --with-decryption --query "Parameter.Value" --output text > /etc/pki/tls/certs/server.key
-
.platform/nginx/conf.d/https.conf
server {
listen 443 ssl;
ssl_certificate /etc/pki/tls/certs/server.crt;
ssl_certificate_key /etc/pki/tls/certs/server.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://127.0.0.1:8000;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
}
}
Top comments (0)