Elastic Beanstalk
Developer Guide (API Version 2010-12-01)

Configuring HTTPS for your Elastic Beanstalk Environment

You can configure your Elastic Beanstalk environment to use HTTPS for your application. Configuring HTTPS ensures traffic encryption for client connections to the load balancer in load-balancing autoscaling environments.

Note

For single-instance environments, see Configuring SSL for Single-Instance Environments.

This section walks you through the necessary steps to configure HTTPS for your Elastic Beanstalk application. This section assumes you have already deployed an Elastic Beanstalk application. If you have not already deployed an Elastic Beanstalk application, do this now. For more information, see Getting Started Using Elastic Beanstalk.

To configure HTTPS for your Elastic Beanstalk application, you must perform the following tasks:

Step 1: Create a Custom Domain Name

You must create a custom domain name, such as www.example.com, to obtain a digitally signed SSL certificate. When obtaining a signed SSL certificate, the Certificate Authority (CA) checks the domain name to ensure that you are the owner of that domain. Because your default Elastic Beanstalk URL contains elasticbeanstalk.com, you cannot obtain a certificate for this domain name.

To create a custom domain name, you can use Amazon Route 53 or a third party DNS provider. For more information about using a custom domain name, see Using Custom Domains with Elastic Beanstalk.

Step 2: Create an X509 Certificate

After you have created your custom domain name, you must create an X509 certificate. To create a certificate, perform the following tasks:

Install and Configure OpenSSL

To create your private key and certificate signing request, you will need a tool, such as OpenSSL, that supports the SSL and TLS protocols. OpenSSL is an open-source tool that provides the basic cryptographic functions necessary to create an RSA key and certificate signing request.

If you already have OpenSSL or another SSL tool installed, you can proceed to Create a Private Key. If you do not already have OpenSSL installed, perform the following steps.

  1. Install OpenSSL:

    To install OpenSSL on Linux and UNIX:

    1. Go to OpenSSL: Source, Tarballs.

    2. Download the latest source.

    3. Build the package.

    To install OpenSSL on Windows:

    1. Go to OpenSSL: Binary Distributions.

    2. Choose OpenSSL for Windows. A new page displays with links to the Windows downloads.

    3. Follow the instructions in the OpenSSL Setup Wizard. Install OpenSSL in a folder on your local machine.

  2. Set the OpenSSL_HOME environment variable.

    To set the OpenSSL_HOME variable on Linux and UNIX, open a terminal and enter the following command:

    $ export OpenSSL_HOME=path_to_your_OpenSSL_installation

    To set the OpenSSL_HOME variable on Windows, open a command prompt and enter the following command:

    > set OpenSSL_HOME=path_to_your_OpenSSL_installation

    Note

    Any changes you make to the environment variables are valid only for the current command-line session.

Create a Private Key

You need to create an RSA private key that is used to create your certificate signing request (CSR). To create your private key, use the openssl genrsa command:

PROMPT> openssl genrsa 2048 > privatekey.pem

privatekey.pem

The name of the file to save the private key to. Normally, the openssl genrsa command prints the private key contents to the screen, but this command redirects the output to a file. This can be any file name you choose. You must store this file in a secure place so that you can retrieve it later. If you lose your private key, your certificate will become useless.

Create a Certificate Signing Request

A certificate signing request (CSR) is a file you send to a certificate authority (CA) to apply for a digital server certificate. To create a CSR, use the openssl req command:

PROMPT> openssl req -new -key privatekey.pem -out csr.pem

privatekey.pem

Your private key.

csr.pem

The file to save the certificate signing request to. This can be any file name you choose. You send this file to the CA to have your certificate created.

The output of the openssl req command will look similar to the following example:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

The following fields can help you create your certificate request. Each entry gives the field name, its description, and an example value.

Country Name

The two-letter ISO abbreviation for your country. Example: US = United States

State or Province

The name of the state or province where your organization is located. This name cannot be abbreviated. Example: Washington

Locality Name

The name of the city where your organization is located. Example: Seattle

Organization Name

The full legal name of your organization. Do not abbreviate your organization name. Example: CorporationX

Organizational Unit

Optional, for additional organization information. Example: Marketing

Common Name

The fully qualified domain name for your site. This is your custom domain name created previously. You will receive a certificate name check warning if this is not an exact match. Example: www.example.com

Email address

The server administrator's email address. Example: someone@example.com

Note

The Common Name field is often misunderstood and completed incorrectly. The common name is typically your domain name. It will look like www.example.com or example.com. You need to create a CSR using the correct common name.

Submit the CSR to Certificate Authority

Normally, at this stage, you would submit your CSR to a certificate authority (CA) to apply for a digital server certificate. However, you can also generate a self-signed certificate for testing purposes only. For this example, you'll generate a self-signed certificate.

To generate a self-signed certificate, use the openssl x509 command:

PROMPT> openssl x509 -req -days 365 -in csr.pem -signkey privatekey.pem -out server.crt
365

The number of days until the certificate expires.

csr.pem

The file containing the certificate signing request.

privatekey.pem

Your private key.

server.crt

The name of the file to save the certificate to.

The output will look similar to the following example:

Loading 'screen' into random state - done
Signature ok
subject=/C=us/ST=washington/L=seattle/O=corporationx/OU=marketing/CN=example.com/emailAddress=someone@example.com
Getting Private key
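The Step 2 commands run end to end, as an added example that is not part of the AWS guide: it creates the key, CSR and self-signed certificate non-interactively, then checks that the certificate really belongs to privatekey.pem and carries the expected Common Name before anything is uploaded to IAM. It assumes openssl is on the PATH; www.example.com, the DN fields, the IAM certificate name and <env_name>/<certificate_arn> are placeholders for your own values.

```shell
#!/bin/sh
# Added example, not from the AWS guide: runs the Step 2 openssl commands
# non-interactively, then checks the key/certificate pair before it is
# uploaded to IAM. Assumes openssl is on PATH; www.example.com and the DN
# fields are placeholders for your own custom domain and organization.
set -eu

DOMAIN="${1:-www.example.com}"               # custom domain from Step 1
WORKDIR="${TMPDIR:-/tmp}/eb-https-example"   # where key, CSR and cert are written

make_cert() {
  mkdir -p "$WORKDIR"
  # Private key: created under umask 077 so only the owner can read it.
  ( umask 077; openssl genrsa 2048 > "$WORKDIR/privatekey.pem" 2>/dev/null )
  # CSR: -subj supplies the Distinguished Name instead of the interactive prompts.
  openssl req -new -key "$WORKDIR/privatekey.pem" -out "$WORKDIR/csr.pem" \
    -subj "/C=US/ST=Washington/L=Seattle/O=CorporationX/OU=Marketing/CN=$DOMAIN"
  # Self-signed certificate, for testing only; a CA-signed one replaces it later.
  openssl x509 -req -days 365 -in "$WORKDIR/csr.pem" \
    -signkey "$WORKDIR/privatekey.pem" -out "$WORKDIR/server.crt" 2>/dev/null
}

# Succeeds only if the certificate's public key belongs to privatekey.pem;
# IAM rejects a mismatched pair, and a mismatched pair is useless anyway.
key_matches_cert() {
  k=$(openssl rsa -in "$WORKDIR/privatekey.pem" -noout -modulus 2>/dev/null)
  c=$(openssl x509 -in "$WORKDIR/server.crt" -noout -modulus 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Prints the Common Name; it must equal the custom domain or browsers warn.
cert_cn() {
  openssl x509 -in "$WORKDIR/server.crt" -noout -subject 2>/dev/null |
    sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# Steps 3 and 4, printed rather than run: they need AWS credentials and an environment.
next_steps() {
  name="$(printf '%s' "$DOMAIN" | tr . -)-cert"   # IAM name: alphanumerics and hyphens
  printf 'aws iam upload-server-certificate --server-certificate-name %s \\\n' "$name"
  printf '  --certificate-body file://%s/server.crt --private-key file://%s/privatekey.pem\n' "$WORKDIR" "$WORKDIR"
  printf 'aws elasticbeanstalk update-environment --environment-name <env_name> --option-settings \\\n'
  printf '  Namespace=aws:elb:loadbalancer,OptionName=LoadBalancerHTTPSPort,Value=443 \\\n'
  printf '  Namespace=aws:elb:loadbalancer,OptionName=LoadBalancerSSLPortProtocol,Value=HTTPS \\\n'
  printf '  Namespace=aws:elb:loadbalancer,OptionName=SSLCertificateId,Value=<certificate_arn>\n'
}

make_cert
key_matches_cert || { echo "key and certificate do not match" >&2; exit 1; }
echo "key and certificate match, CN=$(cert_cn)"
next_steps
```

The same two checks (modulus match and Common Name) are worth running on a CA-signed certificate before upload-server-certificate, since IAM reports a mismatch only as a generic upload error.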

Step 3: Upload the Certificate to IAM

To enable you to use your certificate with AWS services such as Elastic Beanstalk, you must upload the certificate and private key to IAM. After you upload the certificate to IAM, the certificate is available for other AWS services to use. The IAM console does not provide a way to upload a certificate, so you must use the AWS Command Line Interface (AWS CLI) to upload your certificate.

To upload a signed certificate

  • Use the IAM upload-server-certificate command to upload your certificate:

    PROMPT> aws iam upload-server-certificate \
    --server-certificate-name <certificate_name> \
    --certificate-body file://<certificate_file> \
    --private-key file://<private_key_file> \
    --certificate-chain file://<certificate_chain_file>

    <certificate_name>

    The name to apply to the certificate object. This can be any name you choose. The name can only contain alphanumeric and hyphen characters.

    <certificate_file>

    Your certificate file.

    <private_key_file>

    Your private key.

    <certificate_chain_file>

    The chain file for the certificate.

    Note

    If you are uploading a self-signed certificate and it's not important that browsers implicitly accept the certificate, you can omit the --certificate-chain option and upload just the server certificate and private key.

The response will look similar to the following:

{
  "ServerCertificateMetadata" :
  {
    "ServerCertificateId" : "<certificate_id>",
    "ServerCertificateName" : "<certificate_name>",
    "Expiration" : "<cert_expiration_date>",
    "Path" : "/",
    "Arn" : "arn:aws:iam::<account_id>:server-certificate/<certificate_name>",
    "UploadDate" : "<cert_upload_date>"
  }
}

Make note of the Amazon Resource Name (ARN) for your certificate, which you will use when you update your load balancer configuration settings to use HTTPS.

If you have a certificate that results in an error when you upload it, ensure that it meets the criteria, and then try uploading it again.

To see sample certificates that are valid with IAM, go to Sample Certificates in the AWS Identity and Access Management Using IAM User Guide.

Step 4: Update Your Elastic Beanstalk Environment to Use HTTPS

After you upload your certificate to IAM, you need to complete the following tasks to configure your application to use HTTPS.

Update Your Security Group

You must add a rule to your security group that allows inbound traffic from 0.0.0.0/0 to port 443. You do this by adding a Resources key to a configuration file in the .ebextensions directory for your application. For information about configuration files, see Using Configuration Files.

Alternatively, you can add this rule manually. For more information about manually adding rules to a security group, see Adding Rules to a Security Group in the Amazon EC2 User Guide for Linux Instances.

Important

If at any point you decide to redeploy your application using a load-balanced environment, you risk opening port 443 to all incoming traffic from the Internet. In that case, delete the configuration file from your .ebextensions directory. Then create a load-balanced environment and set up SSL using the Load Balancer section of the Configuration page of the Elastic Beanstalk management console.

The following configuration file example adds an ingress rule to the AWSEBSecurityGroup security group that opens port 443 to all traffic. This snippet is used for EC2-Classic (non-VPC) security groups. Note the use of GroupName to identify the security group.

Example .ebextensions snippet opening port 443 for an EC2-Classic security group

Resources:
  sslSecurityGroupIngress: 
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupName: {Ref : AWSEBSecurityGroup}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0

The following configuration file example adds an ingress rule to the AWSEBSecurityGroup security group that opens port 443 to all traffic. This snippet is used for VPC security groups. Note the use of GroupId to identify the security group.

Example .ebextensions snippet opening port 443 for a VPC security group

Resources:
  sslSecurityGroupIngress: 
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: {Ref : AWSEBSecurityGroup}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0

Configure Your Load Balancer

You need to update the load balancer configuration settings for your Elastic Beanstalk environment to enable HTTPS. To do this, you need to set the following options on the environment:

  • Load Balancer HTTP Port

  • Load Balancer Port Protocol

  • Load Balancer HTTPS Port

  • Load Balancer SSL Port Protocol

  • SSL Certificate ID

How you set these options varies depending on the method you use to update your environment. There are several methods you can use to update your environment. The following list provides links to the relevant instructions.

  • Elastic Beanstalk console

  • Elastic Beanstalk API. With this method, you need to set the following option values on the environment:

    LoadBalancerHTTPPort

    OFF

    The load balancer does not listen to HTTP requests.

    80

    The load balancer listens to HTTP requests.

    LoadBalancerPortProtocol

    HTTP

    LoadBalancerHTTPSPort

    443 or 8443.

    Note

    If you are using Amazon VPC with Elastic Beanstalk, you must set LoadBalancerHTTPSPort to 443.

    LoadBalancerSSLPortProtocol

    HTTPS

    SSLCertificateId

    The ARN of the certificate you uploaded to IAM.

  • AWS Toolkit for Eclipse

  • AWS Toolkit for Visual Studio

Configure HTTPS With the Elastic Beanstalk Console

To configure HTTPS for your load balancer with the Elastic Beanstalk console

  1. Open the Elastic Beanstalk console at https://console.aws.amazon.com/elasticbeanstalk/.

  2. From the Elastic Beanstalk console applications page, choose the environment that you want to modify.

  3. In the console navigation pane, choose Configuration.

  4. In the Network Tier section, choose the gear icon next to Load Balancing.

  5. Update the Load Balancer section with the following information and choose Apply.

    Listener port

    OFF

    The load balancer does not listen to HTTP requests.

    80

    The load balancer listens to HTTP requests.

    Protocol (Listener port)

    HTTP

    Secure listener port

    443 or 8443.

    Note

    If you are using Amazon VPC with Elastic Beanstalk, you must set this to 443.

    Protocol (Secure listener port)

    HTTPS

    SSL certificate ID

    Select the certificate you uploaded to IAM.

It will take a few minutes to update your Elastic Beanstalk environment. Once your environment is Green and Ready, enter the HTTPS address for your application, such as https://www.example.com, in your web browser to verify that it is working with HTTPS. For instructions on how to check your environment status, see Health Colors.

Note

If you used a self-signed certificate, your web browser does not recognize you as a CA, so you will see a warning message asking you if you want to proceed to the website. Choose to proceed, and then you can view your application.