Here is how I configured a free SSL certificate issued by Amazon Certificate Manager for my web application

Vivek Singh
Dec 4, 2017

I work for an Indian telecom company, but recently I was also working on a personal project. It was a web application, and I deployed it on AWS Elastic BeanStalk and shared the URL with some of my friends just to get their insights on it.

Deploying a web application on Elastic BeanStalk is pretty simple: go to the Elastic BeanStalk dashboard and create an environment for it. The environment can be either a web server or a worker environment; since I was deploying a web application, I created a web server environment and deployed the application there. The page that follows this choice lets you set the rest of the web server's configuration, such as the platform (servers: Tomcat, GlassFish or others) and the domain name of the Elastic BeanStalk environment.

Once you have created the environment, you can deploy a packaged application to it in the form of a WAR file, and it will be accessible at the domain name that you chose while creating the environment.

The next step is to configure your domain name (the website URL that you purchased) so that it points to the environment you just created. I purchased my domain name from a third party, which is why I had to configure the domain's DNS to point to the Elastic BeanStalk environment. For this, Amazon provides a domain name system service, Route53 (https://aws.amazon.com/route53). To point a domain purchased from another provider to the Elastic BeanStalk environment, create a hosted zone under the Route53 service. As soon as you create a hosted zone for a domain you get records of type “NS”; these are the values you use to change the domain's name servers at the provider you purchased the domain from.

after creating a hosted zone

Once you have successfully configured these NS records, you have to create another record set for this hosted zone, this time of type “A”: click on Create Record Set

Creating a new Record Set

and fill in the values in the form that follows: the name is the domain name and the value is the IP address of the Elastic BeanStalk environment that you created at the very start. You can get this IP address by going to Services > EC2 > Instances and choosing the instance that belongs to that environment, which shows all the information about it. Copy the “IPv4 Public IP” from there into the value field and you are done: whenever you access the domain mentioned here, you will reach the web application deployed on that instance.

Please note that if the instance is being handled by a load balancer, we still choose the record set type “A” but do not configure an IP address in the value field, because the IP address of the instance may change when requests reach it through the load balancer. In the load balancer case we choose Type “A” and Alias “Yes”, and then we get an option to select the load balancer in the target field.

Once we have set the values of the NS record set that we got after creating the hosted zone as the name servers for our domain, we can access our website by going to that domain.

The next step is generating an SSL certificate using Amazon Certificate Manager and deploying it, so that the domain you configured, let's say abc.com, can be served over HTTPS.

Go to the Certificate Manager dashboard and click on Request a certificate to request the certificate for your domain.

Amazon Certificate Manager dashboard

Amazon will issue the certificate only once it has verified that you own the domain you are requesting the certificate for. There are two ways to do this; you can choose either DNS or Email,

Two options to prove the ownership of the domain you are requesting the certificate for

if you choose DNS, you will have to add a record set of type “CNAME” to the hosted zone that we created earlier; you get the name and the value of this record set after clicking on the Review and then the Request certificate buttons. If the domain you requested the certificate for is hosted on Amazon’s Route53, you will have an option to create the “CNAME” record automatically: click on that button and the record set will be added to the Route53 hosted zone. If you are not able to see the button, click on the domain you requested the certificate for and you will have an option to download the key and value pair of the “CNAME” record.

If you choose Email validation, Amazon will send a mail to you (on the domain that you mentioned on the first page while requesting the certificate), and once you approve it the certificate will be issued by Amazon and can be used by any of your instances. Once the certificate is issued, here is how the dashboard will look:

The SSL certificate has been issued by Amazon CA

The next step is to attach this certificate to the Elastic BeanStalk instance that you created; the simplest way to do this is to create a Load Balancer and then use the certificate in that load balancer.

We can create a load balancer for the instance that we created earlier, and then all the requests to our domain will be routed to the instance through this Load Balancer.

To create a load balancer, go to Services > Elastic BeanStalk, where you will see all the applications (environments) you have created; click on the environment you want to configure the Load Balancer for. After clicking on the application you will see its dashboard, like below

Dashboard of an Elastic BeanStalk instance

Click on Configuration and you will see all the configuration details of this application under the headings Web Tier, Network Tier, Data Tier etc. If you are not able to see the Network Tier, it simply means the load balancer is not configured for that instance.

To configure the load balancer, click on the settings button for the Scaling option under Web Tier. There you can choose the Environment Type, with the options Single Instance and Load Balancing; choose Load Balancing and click on Apply to apply the changes. Now go to the Elastic BeanStalk dashboard and click on the environment you configured the Load Balancer for, and you will see the load balancer under the heading Network Tier.

you will be able to see this after clicking on the Configuration link present in the Elastic BeanStalk dashboard

To add the SSL certificate that we have generated, click on the settings icon next to the Load Balancing option. Under the heading Load Balancer there is an option named SSL Certificate Id for adding the certificate. You will see all the certificates that have been issued by ACM; choose the one you want and you are ready to go.

What we have to keep in mind is that earlier we didn't have a load balancer, and all the requests to the domain were forwarded to the EC2 instance directly, because the A record set that we configured in Route53 pointed to the public IP of the EB instance. Now there is a Load Balancer in between, and because of this the public IP of the EB instance may change.

So now we configure the details of the load balancer in Route53, in the place where we configured the details of the EC2 instance. To do this, go to the Route53 service once again and select the hosted zone that we created earlier, whose record of type A points to the public IP of the Elastic BeanStalk instance. Click on this record set to modify it, and choose Alias as Yes this time. In the target field you will see all the load balancers and instances that you have created; choose the Load Balancer that we created in the previous step and click on the save record button.

Setting the Hosted Zone Record Set for Load Balancer

You are done; you can access the domain by HTTPS now.
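The DNS side of the steps above (the ACM validation “CNAME” and the alias “A” record for the load balancer), as an added example that is not part of the original post: it builds Route53 change batches from a constructed response shaped like `aws acm describe-certificate` output. The function names, the record values, and the load balancer name and zone ID passed in are assumptions made for illustration.

```python
# Added example, not the author's code. All sample values are constructed.

def validation_changes(cert_description):
    """Build the CNAME upserts that ACM needs for DNS validation.

    Skips domains that are already validated or that carry no
    ResourceRecord (email validation), and emits a shared record once.
    """
    seen, changes = set(), []
    for opt in cert_description["Certificate"]["DomainValidationOptions"]:
        rr = opt.get("ResourceRecord")
        if rr is None or opt.get("ValidationStatus") == "SUCCESS":
            continue
        key = (rr["Name"].lower(), rr["Value"].lower())
        if key in seen:
            continue
        seen.add(key)
        changes.append({"Action": "UPSERT", "ResourceRecordSet": {
            "Name": rr["Name"], "Type": rr["Type"], "TTL": 300,
            "ResourceRecords": [{"Value": rr["Value"]}]}})
    return {"Comment": "ACM DNS validation", "Changes": changes}


def alias_change(domain, lb_dns_name, lb_hosted_zone_id):
    """Point the domain's A record at the load balancer (Alias = Yes)."""
    # An alias record has no IP address and no TTL: Route53 answers with the
    # load balancer's current addresses. HostedZoneId here is the load
    # balancer's own zone ID, not the ID of the hosted zone being edited.
    return {"Comment": "Alias to load balancer", "Changes": [{
        "Action": "UPSERT", "ResourceRecordSet": {
            "Name": domain, "Type": "A",
            "AliasTarget": {"HostedZoneId": lb_hosted_zone_id,
                            "DNSName": lb_dns_name,
                            "EvaluateTargetHealth": False}}}]}


# Constructed sample: apex and wildcard share one record, www is already valid.
RR = {"Name": "_exampletoken.abc.com.", "Type": "CNAME",
      "Value": "_examplevalue.acm-validations.aws."}
WWW_RR = {"Name": "_exampletoken.www.abc.com.", "Type": "CNAME",
          "Value": "_examplevalue2.acm-validations.aws."}
SAMPLE = {"Certificate": {"DomainValidationOptions": [
    {"DomainName": "abc.com", "ValidationStatus": "PENDING_VALIDATION",
     "ResourceRecord": RR},
    {"DomainName": "*.abc.com", "ValidationStatus": "PENDING_VALIDATION",
     "ResourceRecord": RR},
    {"DomainName": "www.abc.com", "ValidationStatus": "SUCCESS",
     "ResourceRecord": WWW_RR},
]}}
```

Each returned dictionary can be saved as JSON and passed to `aws route53 change-resource-record-sets` with `--hosted-zone-id` and `--change-batch file://...`.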

Please don't mind the mistakes if there are any (I will appreciate you pointing them out, though). I am planning to continuously make changes to this post to make it better.
