Set Up a Let's Encrypt SSL Certificate on Amazon CloudFront

Switch to HTTPS, for free.

Google recently announced that they are not only giving a ranking boost to HTTPS sites but now also indexing HTTPS by default. Besides that, there are other benefits to using HTTPS — even for static sites.

Let’s Encrypt entered public beta earlier this month and provides valid SSL certificates at no cost. They provide an API where you can request and renew certificates, and their organisation is backed by big companies such as Facebook, Mozilla and Cisco.

Let’s Encrypt is a new Certificate Authority: It’s free, automated, and open.

My own site is static, hosted on Amazon S3 and served through CloudFront. Today I managed to set up a free SSL certificate on CloudFront in just a few minutes. This is how I did it:

Install the Let’s Encrypt command line client and the S3/CloudFront plugin from Diego Lapiduz:

$ pip install letsencrypt && pip install letsencrypt-s3front

Generate and upload the cert to Amazon:

$ AWS_ACCESS_KEY_ID=<ACCESS_KEY> \
AWS_SECRET_ACCESS_KEY=<SECRET_ACCESS_KEY> \
letsencrypt --agree-tos -a letsencrypt-s3front:auth \
-i letsencrypt-s3front:installer \
--letsencrypt-s3front:auth-s3-bucket <BUCKET> \
--letsencrypt-s3front:auth-s3-region <REGION> \
--letsencrypt-s3front:installer-cf-distribution-id <DISTRIBUTION_ID> \
-d <DOMAIN>

Replace the following variables:

  • ACCESS_KEY: AWS Access Key ID
  • SECRET_ACCESS_KEY: AWS Secret Access Key
  • BUCKET: S3 bucket
  • REGION: S3 region
  • DISTRIBUTION_ID: CloudFront Distribution ID
  • DOMAIN: Domain name

Sign in to the AWS Management Console and your SSL certificate should show up in your CloudFront distribution settings.

Select the SSL certificate, save your settings and wait for the distribution to be redeployed. In about 10–15 minutes HTTPS should be activated on your website.
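Once the distribution has redeployed, it is worth confirming that it really serves the new certificate and noting when it expires, since Let's Encrypt certificates are valid for 90 days and must be renewed. The script below is an added example, not part of the original post or of the letsencrypt-s3front plugin; the function names, the 30-day renewal threshold and the sample certificate are assumptions made for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

RENEW_BEFORE_DAYS = 30  # assumption: renew when fewer than 30 days remain


def fetch_cert(host, port=443, timeout=10):
    """Return the validated leaf certificate served for `host` (SNI is sent)."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def san_matches(pattern, host):
    """Match a SAN entry against host; '*' may only be the whole left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and all(
        a == b or (i == 0 and a == "*") for i, (a, b) in enumerate(zip(p, h)))


def cert_status(cert, host, now=None):
    """Summarise a getpeercert() dict: issuer, SAN coverage, days until expiry."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    days_left = (expires - now).days
    return {
        "issuer": issuer.get("organizationName", ""),
        "covers_host": any(san_matches(s, host) for s in sans),
        "days_left": days_left,
        "renew_now": days_left < RENEW_BEFORE_DAYS,
    }


# Constructed sample in the shape getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),),
               (("commonName", "Example Issuing CA"),)),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
    "notAfter": "Mar 15 12:00:00 2016 GMT",
}

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    print(cert_status(fetch_cert(host), host))
```

Run it with your domain as the only argument; a handshake error from `fetch_cert` means the distribution is not yet serving a certificate that validates for that name.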