Configure https for a web app hosted on AWS beanstalk

AWS Elastic Beanstalk is a popular way to host a web app (see the description below from the Beanstalk Introduction). The AWS Beanstalk documentation gives a brief introduction to the steps for configuring https for a web app, but it leaves some details for readers to figure out. In this post, we write down the steps we went through, and focus on two pieces missing from the doc: getting a custom domain name (from Amazon Route 53), and getting an X509 certificate (from Let’s Encrypt).

With Elastic Beanstalk, you can quickly deploy and manage applications in the AWS cloud without worrying about the infrastructure that runs those applications. AWS Elastic Beanstalk reduces management complexity without restricting choice or control. You simply upload your application, and Elastic Beanstalk automatically handles the details of capacity provisioning, load balancing, scaling, and application health monitoring.

Get a custom domain name from AWS Route 53

When we upload a web app to AWS Elastic Beanstalk, we get a URL to access the web app in the format xxx.elasticbeanstalk.com. When the web app is ready for production, we need to apply for a custom domain name (such as example.com) for it. Among the many ways to register a custom domain name, we chose AWS Route 53 purely because it is part of AWS like our other services.

  • Log on to the AWS console
  • Go to Services, Networking, Route 53, and follow instructions to apply for a domain name.
  • After Route 53 approves the application, it will automatically create a hosted zone that contains SOA and NS records for the domain.
  • In order to resolve the domain name to the Beanstalk web app, click on the hosted zone, click on “Add Resource Record Set”, and add an entry that maps the domain name to the IP address of the Beanstalk load balancer. The following graph shows an example. Choose “Alias” and put the load balancer URL into “Alias Target” (AWS automatically lists all load balancer URLs in a drop-down for “Alias Target”).

[Screenshot: Screen Shot 2016-01-08 at 8.44.50 PM]

  • We can now access the web app via the custom domain name (such as example.com)

After setting up a custom domain name for the Beanstalk web app, we need to configure https for it.

Get an X509 Certificate from “Let’s Encrypt”

To configure https for a web app, we first need to get an X509 certificate from a Certificate Authority. We chose Let’s Encrypt because it is free and, more importantly, it automates the process of getting and renewing a certificate via simple commands (see the quote from Let’s Encrypt below).

Anyone who has gone through the trouble of setting up a secure website knows what a hassle getting and maintaining a certificate can be. Let’s Encrypt automates away the pain and lets site operators turn on and manage HTTPS with simple commands.

No validation emails, no complicated configuration editing, no expired certificates breaking your website. And of course, because Let’s Encrypt provides certificates for free, no need to arrange payment.

However, Let’s Encrypt is an ongoing project, and has not yet fully automated the process of getting a certificate for a Beanstalk web app (as of 01/2016). The How it works page on Let’s Encrypt assumes a user can run commands on the machine where the web service runs, while a Beanstalk web app runs on AWS hosts to which we do not have access. Also, Let’s Encrypt needs access to port 443 (https) of the web app’s host machine (see a blog by Eran Sandler). Here are the steps we used to get around the problem.

  • Configure https for the Beanstalk web app using a self-signed certificate. The AWS Elastic Beanstalk documentation details the steps to generate a self-signed certificate and to configure https for your web app with it. Doing so opens up port 443 on the host.
  • Follow How it works to install Let’s Encrypt, and run it in manual mode as follows. You will need to replace example.com with your domain name.

./letsencrypt-auto certonly --manual --debug -d example.com -d www.example.com

  • The command will pause and prompt the user to create a page in the web app with specified content. Let’s Encrypt uses this to verify that the user has full control of the domain name and web app. We created the page as instructed, redeployed the web app on Beanstalk, and resumed the process. A certificate is created on the local machine.
  • Upload the certificate to Beanstalk and configure https as instructed (Beanstalk Doc). Boom!
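
Because the manual step depends on a redeploy, it is worth confirming that every challenge page is live before resuming the paused command. The script below is an added example, not part of the original post or of the Let’s Encrypt client: it fetches each URL and compares the body with the content shown in the prompt. The function names and the placeholder URLs and contents are hypothetical; paste in the real values from the prompts.

```python
import sys
import urllib.error
import urllib.request


def http_fetch(url, timeout=10):
    """GET url, following redirects; return (status, final_url, body)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read(4096).decode("utf-8", "replace")
            return resp.status, resp.geturl(), body
    except urllib.error.HTTPError as exc:  # 4xx/5xx, e.g. page not deployed
        return exc.code, url, ""


def check_challenge(url, expected, fetch=http_fetch):
    """Check one challenge page; return (ok, reason)."""
    try:
        status, final_url, body = fetch(url)
    except OSError as exc:
        # URLError is an OSError: DNS failure, refused connection, or a
        # redirect to https where the self-signed certificate fails validation.
        return False, f"cannot reach {url}: {exc}"
    if status != 200:
        return False, f"HTTP {status}: page is not deployed yet"
    if body.strip() != expected.strip():
        return False, "page is served but its content differs from the prompt"
    if final_url != url:
        return True, f"ok (redirected to {final_url})"
    return True, "ok"


def check_all(challenges, fetch=http_fetch):
    """challenges maps URL -> expected content, one entry per -d domain."""
    results = {u: check_challenge(u, exp, fetch) for u, exp in challenges.items()}
    return all(ok for ok, _ in results.values()), results


if __name__ == "__main__":
    # Constructed placeholders: paste the URL and content from each prompt.
    CHALLENGES = {
        "http://example.com/.well-known/acme-challenge/TOKEN-1": "TOKEN-1.KEY",
        "http://www.example.com/.well-known/acme-challenge/TOKEN-2": "TOKEN-2.KEY",
    }
    all_ok, results = check_all(CHALLENGES)
    for url, (ok, reason) in results.items():
        print("PASS" if ok else "FAIL", url, "-", reason)
    sys.exit(0 if all_ok else 1)
```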