Enable HTTPS for a web application running on Elastic beanstalk without a load balancer
To enable HTTPS for any website, we need to install and configure an SSL certificate on the server. SSL certificates protect users’ sensitive data such as payment-related info, name, address, email, etc by encrypting the data during transmission from their browsers to your servers. We can get paid SSL certificate from certificate providers or generate using some open-source tools like let’s encrypt or cert-bot.
For self-managed ec2 instance, we can easily configure the SSL certificate by login into the server via SSH. But If we are running a web application on Elastic beanstalk then it manages the instance. EB takes care of auto-scaling, load balancing, etc. So we don’t have control over instances. They can be terminated in case of a scaling event or due to some failure. That’s why, While working with Elastic beanstalk, Most developers find it easy to request a certificate from AWS and attach it to the load balancer. But, Load balancer service is costly. So if you are working on some small project or startup and you don’t really need more instances behind load balancer then having a load balancer is just an overkill to enable HTTPS.
In this blog post, I am going to share a configuration script that I have recently developed and explain what it does.
We can easily use the certbot to generate the certificate. We need to run the following commands on a server via the command line to download and install certbot.
sudo mv certbot-auto /usr/local/bin/certbot-auto
sudo chown root /usr/local/bin/certbot-auto
sudo chmod 0755 /usr/local/bin/certbot-auto
sudo /usr/local/bin/certbot-auto --no-bootstrap
The next step is to generate a certificate. The below command will generate a certificate and put it in some specific folder. It takes an admin email and domain name in the argument.
sudo /usr/local/bin/certbot-auto certonly --standalone -m email@example.com --agree-tos -d example.com -n# command will generate certificate files at following path
For applications deployed using Elastic beanstalk, we are not supposed to run the above commands manually via ssh. So we should put this command in a shell script file and run that script via container commands. I have done this for a Django project. To serve the Django app, EB manages apache service. So before running above mentioned command, we need to stop apache and once we are done with that command, we need to start again. So my final shell script will look something like below:
We need to add this script in container commands options as shown below:
command: "sh scripts/generate-certificate.sh"
If we deploy our web application with the above script file and container command, It will generate a certificate with the domain name which we have set in environment variables. Now, One last step is remaining. We need to adjust the apache config to serve HTTPS with SSLEngine on. We can do that by adding a post-deploy hook script which will create a new apache config with HTTPS settings.
That’s it. I hope that this will help someone trying to set up HTTPS without a load balancer with Elastic beanstalk.
Thank you for reading.