Elastic Beanstalk
Developer Guide (API Version 2010-12-01)

Configuring HTTPS for your Elastic Beanstalk Environment

You can configure your Elastic Beanstalk environment to use HTTPS for your application. Configuring HTTPS ensures traffic encryption for client connections to the load balancer in load-balancing autoscaling environments.

Note

For single-instance environments, see Configuring SSL for Single-Instance Environments.

To configure HTTPS, you will need to do the following high-level steps:

  1. Create a custom domain with your DNS provider.

  2. Create and upload an SSL certificate to AWS Identity and Access Management (AWS IAM).

  3. Update your Elastic Beanstalk environment to use HTTPS.

This section walks you through the necessary steps to configure HTTPS for your Elastic Beanstalk application. This section assumes you have already deployed an Elastic Beanstalk application. If you have not already deployed an Elastic Beanstalk application, do this now. For instructions, see Getting Started Using Elastic Beanstalk.

Step 1: Create a Custom Domain

You must create a custom domain name to obtain a digitally signed SSL certificate. When obtaining a signed SSL certificate, the Certificate Authority (CA) checks the domain name to ensure that you are the owner of that domain. Because your Elastic Beanstalk URL contains elasticbeanstalk.com, you will not be able to obtain a certificate for this domain name.

To create a custom domain name, you can use Amazon Route 53 or a third party. For instructions, see Using Custom Domains with Elastic Beanstalk.

Step 2: Create and Upload an SSL Certificate to AWS IAM

After you have created your custom domain, you use AWS Identity and Access Management (AWS IAM) to create and upload your certificate. This enables you to use your certificate with AWS services such as Elastic Beanstalk. The following steps walk you through an example of how to create and upload your SSL certificate to AWS IAM. For more information, go to Creating and Uploading Server Certificates in the AWS Identity and Access Management Using IAM User Guide.

Install and Configure OpenSSL

Creating and uploading server certificates requires a tool that supports the SSL and TLS protocols. OpenSSL is an open-source toolkit that provides the cryptographic functions needed to generate an RSA key pair and to sign a certificate request with your private key.

The following procedure assumes that your computer does not already have OpenSSL installed.

To install OpenSSL

  • Get the package from www.openssl.org:

    On Linux and UNIX:

    1. Go to OpenSSL: Source, Tarballs (http://www.openssl.org/source/).

    2. Download the latest source.

    3. Build the package.

    On Windows:

    1. Go to OpenSSL: Binary Distributions (http://www.openssl.org/related/binaries.html).

    2. Click OpenSSL for Windows.

      A new page displays with links to the Windows downloads.

    3. If not already installed on your system, select the Microsoft Visual C++ 2008 Redistributables link appropriate for your environment and click Download. Follow the instructions provided by the Microsoft Visual C++ 2008 Redistributable Setup Wizard.

    4. After you have installed the Microsoft Visual C++ 2008 Redistributables, select the appropriate version of the OpenSSL binaries for your environment and save the file locally. The OpenSSL Setup Wizard launches.

    5. Follow the instructions described in the OpenSSL Setup Wizard. Save the OpenSSL binaries to a folder in your working directory.

You must create an environment variable that points to the OpenSSL install point.

To set the OpenSSL_HOME variable

  • Enter the path to the OpenSSL installation:

    On Linux and UNIX:

    $ export OpenSSL_HOME=path_to_your_OpenSSL_installation

    On Windows:

    c:\ set OpenSSL_HOME=path_to_your_OpenSSL_installation

    Note

    Any changes you make to the environment variables are valid only for the current command-line session.

You must add the path to the OpenSSL binaries to your computer's path variable.

To include OpenSSL in your path

  • Open a terminal or command interface and enter the appropriate command for your operating system:

    On Linux and UNIX:

    $ export PATH=$PATH:$OpenSSL_HOME/bin

    On Windows (the variable must be expanded with %...% or the literal text OpenSSL_HOME is added to the path):

    c:\ set Path=%OpenSSL_HOME%\bin;%Path%

    Note

    Any changes you make to the environment variables are valid only for the current command-line session.

Create a Private Key

You need a unique private key to create your Certificate Signing Request (CSR).

To create a private key

  • Use the genrsa command to create a key:

    PROMPT>openssl genrsa 2048 > privatekey.pem

Create a Certificate Signing Request

A Certificate Signing Request (CSR) is a file sent to a Certificate Authority (CA) to apply for a digital server certificate.

To create a CSR

  • Use the req command to create a CSR:

    PROMPT>openssl req -new -key privatekey.pem -out csr.pem

    The output will look similar to the following example:

    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.

The following table can help you create your certificate request.

Country Name
    The two-letter ISO abbreviation for your country.
    Example: US = United States

State or Province
    The name of the state or province where your organization is located. This name cannot be abbreviated.
    Example: Washington

Locality Name
    The name of the city where your organization is located.
    Example: Seattle

Organization Name
    The full legal name of your organization. Do not abbreviate your organization name.
    Example: CorporationX

Organizational Unit
    Optional, for additional organization information.
    Example: Marketing

Common Name
    The fully qualified domain name for your CNAME. You will receive a certificate name check warning if this is not an exact match.
    Example: www.example.com

Email address
    The server administrator's email address.
    Example: someone@example.com

Note

The Common Name field is often misunderstood and is completed incorrectly. The common name is typically your host plus domain name. It will look like "www.example.com" or "example.com". You need to create a CSR using your correct common name.

Submit the CSR to Certificate Authority

Normally, at this stage you would submit your CSR to a Certificate Authority (CA) to apply for a digital server certificate. However, you can also generate a self-signed certificate for testing purposes only. For this example, you'll generate a self-signed certificate.

To generate a self-signed certificate

  • Use the x509 command to sign the CSR with your own private key, which produces a self-signed certificate:

    PROMPT>openssl x509 -req -days 365 -in csr.pem -signkey privatekey.pem -out server.crt

    The output will look similar to the following example:

    Loading 'screen' into random state - done
    Signature ok
    subject=/C=us/ST=washington/L=seattle/O=corporationx/OU=marketing/CN=example.com/emailAddress=someone@example.com
    Getting Private key

Upload the Signed Certificate

Next, upload the certificate along with the private key to IAM. After you upload the certificate to IAM, the certificate is available for other AWS services to use. You use the AWS Command Line Interface (AWS CLI) to upload your certificate.

To upload a signed certificate

  • Use the IAM upload-server-certificate command to upload a signed certificate:

    PROMPT>aws iam upload-server-certificate --server-certificate-name certificate_object_name --certificate-body file://public_key_certificate_file --private-key file://privatekey.pem --certificate-chain file://certificate_chain_file

    Note

    If you are uploading a self-signed certificate and it's not important that browsers implicitly accept the certificate, you can omit the --certificate-chain option and upload just the server certificate and private key. For more information about the upload-server-certificate command, see upload-server-certificate in the AWS Command Line Interface Reference.

You should see an Amazon Resource Name (ARN) for your SSL certificate, which you will use when you update your load balancer configuration settings to use HTTPS. The ARN should look similar to the following:

arn:aws:iam::123456789012:server-certificate/cert

If you have a certificate that results in an error when you upload it, ensure that it meets the criteria, and then try uploading it again.

To see sample certificates that are valid with IAM, go to Sample Certificates in the AWS Identity and Access Management Using IAM User Guide.
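The procedure above, run end to end without the interactive prompts, as an added example that is not part of the AWS guide: it generates the private key, the CSR and the self-signed test certificate with the same openssl commands, and then performs the check that is worth doing before anything reaches IAM, namely that the public key inside server.crt really belongs to privatekey.pem and that the Common Name is the custom domain. It assumes the openssl binary is on your PATH; the output directory, the subject fields and the certificate_object_name placeholder are illustrative values chosen for the example.

```shell
#!/bin/sh
# Added example, not part of the AWS guide: generate the private key, CSR and
# self-signed certificate from Step 2 without the interactive prompts, then
# check that the certificate actually belongs to the key before uploading.
# Assumes the openssl binary is on PATH; directory, subject fields and the
# certificate_object_name placeholder are constructed for this example.
set -eu

# Create privatekey.pem, csr.pem and server.crt in directory $1 for the
# common name $2. The -subj string supplies the Distinguished Name fields
# that "openssl req" would otherwise prompt for.
make_self_signed_cert() {
    dir="$1"
    cn="$2"
    mkdir -p "$dir"
    # Subshell so the restrictive umask (owner-only access to the key file)
    # does not leak into the caller's shell.
    ( umask 077 && openssl genrsa -out "$dir/privatekey.pem" 2048 2>/dev/null )
    openssl req -new -key "$dir/privatekey.pem" -out "$dir/csr.pem" \
        -subj "/C=US/ST=Washington/L=Seattle/O=CorporationX/OU=Marketing/CN=$cn/emailAddress=someone@example.com"
    # Testing only: for a real site, csr.pem goes to a CA instead of this step.
    openssl x509 -req -days 365 -in "$dir/csr.pem" \
        -signkey "$dir/privatekey.pem" -out "$dir/server.crt" 2>/dev/null
}

# Return 0 when the public key embedded in certificate $1 is the public half
# of private key $2. Both are reduced to a SHA-256 digest of the DER-encoded
# public key, so the comparison does not depend on the key type.
cert_matches_key() {
    cert_digest=$(openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_digest=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ -n "$cert_digest" ] && [ "$cert_digest" = "$key_digest" ]
}

# Print the Common Name from the certificate subject; this is the value a
# browser compares with the host name, so it must be the custom domain.
cert_common_name() {
    openssl x509 -in "$1" -noout -subject |
        sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Print the upload command from the guide for the files in $1 (printed, not
# executed, so the file names can be reviewed first). Without
# --certificate-chain this is only suitable for a self-signed test certificate.
iam_upload_command() {
    printf 'aws iam upload-server-certificate --server-certificate-name certificate_object_name --certificate-body file://%s/server.crt --private-key file://%s/privatekey.pem\n' "$1" "$1"
}

# Usage: sh make-cert.sh ./certs www.example.com
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    make_self_signed_cert "$1" "$2"
    if cert_matches_key "$1/server.crt" "$1/privatekey.pem"; then
        echo "server.crt matches privatekey.pem; CN=$(cert_common_name "$1/server.crt")"
        iam_upload_command "$1"
    else
        echo "server.crt does not match privatekey.pem" >&2
        exit 1
    fi
fi
```

The key is written under umask 077 so that only the owner can read it, the mismatch check catches the common mistake of uploading a certificate together with a key other than the one that produced its CSR (IAM rejects such a pair, but it is quicker to find out locally), and the upload command is printed rather than run so the placeholder name can be replaced first.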

Step 3: Update Your Elastic Beanstalk Environment to Use HTTPS

After you receive your Amazon Resource Name (ARN), you need to update your load balancer configuration settings in your Elastic Beanstalk environment with the following information:

  • HTTP port — set this port to OFF or 80

  • HTTPS port — set this port to 443 or 8443

    Note

    If you are using Amazon VPC with Elastic Beanstalk, you must set your HTTPS port to 443 instead of 8443.

  • SSL certificate ID — set this to your ARN

You must also add a rule to your security group that allows inbound traffic from 0.0.0.0/0 (any source address) to port 443. You do this by using the Resources key in a configuration file to add an ingress rule for AWSEBSecurityGroup, the Amazon EC2 security group of your environment. For more information about security groups and ingress rules, see Amazon EC2 Security Groups.

Important

If at any point you decide to redeploy your application using a load-balanced environment, you risk opening port 443 to all incoming traffic from the Internet. In that case, delete the configuration file from your .ebextensions directory. Then create a load-balanced environment and set up SSL using the Load Balancer section of the Configuration page of the Elastic Beanstalk management console.

The following snippet opens port 443 on Amazon EC2 instances in the EC2-Classic platform by specifying the GroupName of the (non-VPC) Amazon EC2 security group:

Example .ebextensions snippet opening port 443 for EC2-Classic

Resources:
  sslSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupName: {Ref : AWSEBSecurityGroup}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0

The following snippet opens port 443 on Amazon EC2 instances in the EC2-VPC platform by specifying the GroupID of the VPC security group. For security groups that are in a VPC, you must use the GroupId property. For instructions to open port 443 using the VPC console, see Adding and Removing Rules in the Security Groups for Your VPC topic in the Amazon Virtual Private Cloud User Guide.

Example .ebextensions snippet opening port 443 for EC2-VPC

Resources:
  sslSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: {Ref : AWSEBSecurityGroup}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0
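The two snippets above describe the same rule in two forms, and the property name (GroupName versus GroupId) is the part that is easy to get wrong. The following lint is an added example, not part of the AWS guide or of Elastic Beanstalk: it reads a snippet of exactly the shape shown above with sed, confirms that the rule exposes only TCP port 443 to 0.0.0.0/0, and checks that GroupName is used for EC2-Classic and GroupId for EC2-VPC. The three sample files, including the deliberately wrong one that opens port 22, are constructed inside the script.

```shell
#!/bin/sh
# Added example, not part of the AWS guide: a lint for the
# AWS::EC2::SecurityGroupIngress snippet from Step 3. It uses only sed over
# the flat "key: value" lines of the snippet, so it handles exactly the shape
# shown in the guide. The sample snippets below are constructed here.
set -eu

# Print the first value of KEY ($2) in FILE ($1), with all whitespace removed.
yaml_value() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 | tr -d '[:space:]'
}

# lint_ingress_snippet FILE PLATFORM, where PLATFORM is "classic" or "vpc".
# Prints every problem found and returns 1 if there was any, 0 otherwise.
lint_ingress_snippet() {
    file="$1"
    platform="$2"
    problems=0

    if [ "$(yaml_value "$file" Type)" != "AWS::EC2::SecurityGroupIngress" ]; then
        echo "Type must be AWS::EC2::SecurityGroupIngress"
        problems=$((problems + 1))
    fi
    if [ "$(yaml_value "$file" IpProtocol)" != "tcp" ]; then
        echo "IpProtocol must be tcp for HTTPS"
        problems=$((problems + 1))
    fi

    # 0.0.0.0/0 means the whole Internet; only the HTTPS port belongs there.
    from=$(yaml_value "$file" FromPort)
    to=$(yaml_value "$file" ToPort)
    if [ "$(yaml_value "$file" CidrIp)" = "0.0.0.0/0" ] &&
       { [ "$from" != "443" ] || [ "$to" != "443" ]; }; then
        echo "rule opens ports $from-$to to 0.0.0.0/0; expected 443 only"
        problems=$((problems + 1))
    fi

    # EC2-Classic groups are addressed by name, VPC groups by ID.
    case "$platform" in
        classic)
            if [ -z "$(yaml_value "$file" GroupName)" ]; then
                echo "EC2-Classic rules need GroupName"
                problems=$((problems + 1))
            fi ;;
        vpc)
            if [ -z "$(yaml_value "$file" GroupId)" ]; then
                echo "VPC security groups must be referenced with GroupId"
                problems=$((problems + 1))
            fi ;;
        *)
            echo "unknown platform: $platform"
            problems=$((problems + 1)) ;;
    esac

    [ "$problems" -eq 0 ]
}

# Write three constructed snippets into directory $1: the VPC rule from the
# guide, its EC2-Classic form, and a misconfiguration that opens SSH instead.
write_samples() {
    mkdir -p "$1"
    cat > "$1/vpc.config" <<'EOF'
Resources:
  sslSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: {Ref : AWSEBSecurityGroup}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0
EOF
    sed 's/GroupId/GroupName/' "$1/vpc.config" > "$1/classic.config"
    sed 's/443/22/' "$1/vpc.config" > "$1/bad.config"
}

# Usage: sh lint-ingress.sh   (checks all three samples as if for EC2-VPC)
samples=$(mktemp -d)
write_samples "$samples"
for name in vpc classic bad; do
    if lint_ingress_snippet "$samples/$name.config" vpc; then
        echo "$name.config: OK for EC2-VPC"
    else
        echo "$name.config: rejected for EC2-VPC"
    fi
done
rm -rf "$samples"
```

Run as written it accepts vpc.config, rejects classic.config because a VPC group cannot be addressed by GroupName, and rejects bad.config because port 22 rather than 443 is exposed to 0.0.0.0/0; the same function with the platform argument set to classic accepts classic.config.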

There are several methods you can use to update your environment. The following list provides links to the relevant instructions.

It will take a few minutes to update your Elastic Beanstalk environment. Once your environment is Green and Ready, type your https address in your web browser to verify it worked. For instructions on how to check your environment status, see Monitoring Your Environment. For this example, we type the following:

https://www.example.com

Note

Because you used a self-signed certificate and your web browser does not recognize you as a CA, you will see a warning message asking you if you want to proceed to the website. Choose to proceed, and then you can view your application.