Using SSL Certificate for Websites hosted in AWS S3

I have been hosting static websites on Amazon’s S3 service for a few years now and it’s been great. It’s affordable, simple, and fast. But what if you want to use SSL certificates? I found a nice article on how to configure SSL with Cloudfront at https://bryce.fisher-fleig.org/blog/setting-up-ssl-on-aws-cloudfront-and-s3/. It worked until recently, when I started running into errors with browsers on Android devices. I found that the error is related to how my SSL certificate was chained. Here’s a good reference to what some people were experiencing: http://stackoverflow.com/questions/27892873/ssl-cert-err-cert-authority-invalid-on-mobile-chrome-only/30943304. I will share what I did, but will not go into detail. Please refer to the bryce.fisher-fleig.org article I mentioned above for more details.

Generate A CSR

I will be doing this on OS X; the instructions should be similar on Linux. Windows users, well, please Google it. The command to generate a CSR is the following.

openssl req -nodes -newkey rsa:2048 -sha256 -keyout mydomain.key -out mydomain.csr

When you run this command, you will be asked a few questions.

  • Country Name
  • State or Province Name
  • Locality Name (eg, city)
  • Organization Name (eg, company)
  • Organizational Unit Name (eg, section)
  • Common Name (e.g. server FQDN or YOUR name)
  • Email Address
  • A challenge password
  • An optional company name

Provide CSR to SSL provider

You will need to provide the generated CSR file to the place where you bought your SSL certificate. I purchased mine from namecheap.com. It asks me to select the web server; I chose nginx for my sites hosted in S3. Then I copy and paste the contents of my CSR file. I used the cat command to display it for copying.

cat file_name.csr

It will display the contents of the file. Copy and paste all of it, including the lines that say -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST-----.

Check your email

This part of the process may be different depending on what type of SSL certificate you purchased. I will share the process that I go through. I purchased a Comodo PositiveSSL.

The first email you will receive contains a verification link. Click on it to verify and wait for the next email. When the verification is complete, they will email you the files you need to compile so the certificate can be installed on your server.

  • AddTrustExternalCARoot.crt
  • COMODORSAAddTrustCA.crt
  • COMODORSADomainValidationSecureServerCA.crt
  • mydomain.crt

Compile the files

I would unzip the files into a directory to keep them all in one place. Open a terminal and go to that directory. I used the following command to compile the files together.

cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > ssl-bundle.crt

That command creates a file called ssl-bundle.crt (or whatever name you want to call it) that contains all of the files listed in the command, in that order: intermediates first, root last.

Install certificate in Cloudfront

You will need to use Cloudfront to install the SSL certificate. I will be using the AWS CLI to install it. Here is the command to upload the certificate for use in Cloudfront.

aws iam upload-server-certificate --server-certificate-name name_to_display_in_cloudfront --certificate-body file://mydomain.crt --private-key file://mydomain.key --certificate-chain file://ssl-bundle.crt --path /cloudfront/mydomain/

If your AWS CLI is configured with multiple profiles and the default profile doesn’t have the appropriate IAM privileges, you can use the --profile profile_name option. If all goes well, you will see JSON-formatted output in your terminal.
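The script below is an added example, not part of the original post or of any Comodo or AWS tooling. It walks the CSR step and the bundle step above against a throwaway CA built locally with openssl, then runs the checks worth doing before the upload command above: that the leaf verifies with the bundle supplied as intermediates, that it fails without the intermediate (the Android symptom from the introduction), and that the private key matches the certificate. The root and intermediate names, mydomain.example, and the scratch directory are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the article): exercise the CSR and bundle steps
# against a throwaway CA so the chain can be checked before anything is
# uploaded. "Example Root CA", "Example Intermediate CA", mydomain.example
# and the scratch directory are constructed for this demo only.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory, assumed writable
cd "$WORK"

# Minimal openssl config so 'req' works even where no system openssl.cnf exists.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# The article's CSR command, answered non-interactively with -subj.
# Echoes the CN the CSR actually carries so the caller can confirm it.
make_csr() {
  openssl req -config ca.cnf -nodes -newkey rsa:2048 -sha256 \
    -keyout mydomain.key -out mydomain.csr \
    -subj "/C=US/ST=CA/L=City/O=Example Org/CN=mydomain.example" 2>/dev/null
  openssl req -in mydomain.csr -noout -subject | sed 's/.*CN *= *//'
}

# Stand-in for the CA: a self-signed root plus one intermediate signed by it
# (the role COMODORSADomainValidationSecureServerCA.crt plays in the article).
make_test_ca() {
  openssl req -config ca.cnf -x509 -extensions v3_ca -nodes -newkey rsa:2048 \
    -sha256 -days 30 -keyout root.key -out root.crt \
    -subj "/O=Example/CN=Example Root CA" 2>/dev/null
  openssl req -config ca.cnf -nodes -newkey rsa:2048 -sha256 \
    -keyout intermediate.key -out intermediate.csr \
    -subj "/O=Example/CN=Example Intermediate CA" 2>/dev/null
  printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' > int.ext
  openssl x509 -req -sha256 -days 30 -in intermediate.csr -CA root.crt \
    -CAkey root.key -CAcreateserial -extfile int.ext -out intermediate.crt 2>/dev/null
}

# Issue the leaf (the article's mydomain.crt) from the CSR, signed by the intermediate.
issue_leaf() {
  printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:mydomain.example,DNS:www.mydomain.example\nextendedKeyUsage = serverAuth\n' > leaf.ext
  openssl x509 -req -sha256 -days 30 -in mydomain.csr -CA intermediate.crt \
    -CAkey intermediate.key -CAcreateserial -extfile leaf.ext -out mydomain.crt 2>/dev/null
}

# The article's bundle order: intermediates first, root last.
build_bundle() {
  cat intermediate.crt root.crt > ssl-bundle.crt
}

# Full-chain check: trust only the root and supply the bundle as untrusted
# intermediates, which is what a client lacking the intermediate relies on.
verify_chain() {            # $1 leaf, $2 bundle, $3 root
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# What the Android clients in the article saw: the leaf with no intermediate.
verify_leaf_only() {        # $1 leaf, $2 root
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# IAM rejects a certificate whose private key does not match; check before upload.
key_matches_cert() {        # $1 key, $2 cert
  [ "$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)" = \
    "$(openssl x509 -noout -modulus -in "$2")" ]
}

# Run the whole flow when executed directly.
echo "CSR CN: $(make_csr)"
make_test_ca
issue_leaf
build_bundle
verify_chain mydomain.crt ssl-bundle.crt root.crt && echo "chain with bundle: OK"
verify_leaf_only mydomain.crt root.crt || echo "leaf without intermediate: FAILS (the Android symptom)"
key_matches_cert mydomain.key mydomain.crt && echo "key matches certificate"
```

Point verify_chain and key_matches_cert at the real mydomain.crt, ssl-bundle.crt and AddTrustExternalCARoot.crt before running the aws iam upload-server-certificate command; a bundle that verifies here but is concatenated in the wrong order or missing an intermediate is exactly what produces the mobile-only trust errors described at the top of the post.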

Cloudfront configuration

If you haven’t already done so, create a new distribution for your website.

  • Select Web
  • Origin Settings
  • Origin Domain Name: When you click on the box, select the S3 bucket you wish to use. It may give you the wrong entry such as bucketname.s3.amazonaws.com. This is inaccurate because it doesn’t contain the region your bucket is in. Instead, you should have something like bucketname.s3-website-myregion.amazonaws.com.
  • Origin Path: leave blank
  • Origin ID: Enter whatever you like or use the same as Origin Domain Name.
  • Leave the default settings for the rest of this section.
  • Default Cache Behavior Settings: I left everything default here but I did change the following setting.
  • Viewer Protocol Policy: Redirect HTTP to HTTPS. This option redirects all HTTP requests to HTTPS. The default “HTTP and HTTPS” means it will serve both, but it’s up to the user visiting your website whether to use HTTP or HTTPS. Please click on the information links to the right of each option if you wish to know more about them.
  • Distribution Settings
  • Alternate Domain Names (CNAMEs): mydomain.com and www.mydomain.com (one per line)
  • SSL Certificate: Custom SSL Certificate (stored in AWS IAM) and select your name_to_display_in_cloudfront from the dropdown. What you choose for the rest is up to you; I left the rest as default.

Route 53 configuration

You may need to visit your Route 53 configurations. It may still be pointing to your S3 bucket. It really should be pointing to your Cloudfront distribution. You may need to wait until Cloudfront finishes deploying. You can check in your Distribution list and see if the Status is Deployed. Otherwise, it may not show up in Route 53 as an alias target.
