Using SSL Certificate for Websites hosted in AWS S3

I have been hosting static websites on Amazon’s S3 service for a few years now and it’s been great. It’s affordable, simple, and fast. But what if you want to use SSL certificates? I found a nice article on how to configure SSL with Cloudfront at https://bryce.fisher-fleig.org/blog/setting-up-ssl-on-aws-cloudfront-and-s3/. It worked until recently, when I started running into errors with browsers on Android devices. I found that the error was related to how my SSL certificate was chained. Here’s a good reference to what some people were experiencing: http://stackoverflow.com/questions/27892873/ssl-cert-err-cert-authority-invalid-on-mobile-chrome-only/30943304. I will share what I did, but will not go into detail. Please refer to the bryce.fisher-fleig.org article I mentioned above for more details.

Generate A CSR

I will be doing this on OS X; the instructions should be similar on Linux. Windows users, well, please Google it. The command to generate a CSR is the following.

openssl req -nodes -newkey rsa:2048 -sha256 -keyout mydomain.key -out mydomain.csr

When you run this command, you will be asked a few questions.

  • Country Name
  • State or Province Name
  • Locality Name (eg, city)
  • Organization Name (eg, company)
  • Organizational Unit Name (eg, section)
  • Common Name (e.g. server FQDN or YOUR name)
  • Email Address
  • A challenge password
  • An optional company name

Provide CSR to SSL provider

You will need to provide the generated CSR file to the place where you bought your SSL certificate. I purchased mine from namecheap.com. It asks me to select the web server; I choose nginx for my sites hosted in S3. Then I copy and paste the contents of my CSR file. I used the cat command to display it so I could copy it.

cat file_name.csr

It will display the contents of the file. Copy and paste everything, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines.

Check your email

This part of the process may be different depending on what type of SSL certificate you purchased. I will share the process that I go through. I purchased a Comodo PositiveSSL.

The first email you will receive contains a verification link. Click on it to verify and wait for the next email. When the verification is complete, they will email you the files you need to combine so the certificate can be installed on your server.

  • AddTrustExternalCARoot.crt
  • COMODORSAAddTrustCA.crt
  • COMODORSADomainValidationSecureServerCA.crt
  • mydomain.crt

Compile the files

I would unzip the files into a directory to keep it all in one place. Open a terminal and go to that directory. I used the following command to concatenate the files into one bundle.

cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > ssl-bundle.crt

That command should have created a file called ssl-bundle.crt (or whatever name you want to call it) that contains all of the files listed in the command, in that order: the CA that issued mydomain.crt first, then the next CA up, and the root last.
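Before uploading anything, it is worth confirming that ssl-bundle.crt really links mydomain.crt to a self-signed root in the right order, because a missing or misordered intermediate is exactly what produces the Android error mentioned above. The checker below is an added example, not code from the original article: it uses only the Python standard library, walks just enough DER to compare each certificate’s issuer with the next certificate’s subject, and the fake_cert_pem helper builds unsigned, constructed test certificates (labelled with the CA names from the files above) so the check can be exercised without real files.

```python
import base64
import re

def _tlv(buf, pos):
    """Read one DER TLV at pos and return (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                  # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def issuer_subject(der):
    """Return the raw DER Name values (issuer, subject) of one X.509 certificate."""
    _, cert, _ = _tlv(der, 0)                      # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                      # tbsCertificate
    fields, pos = [], 0
    while pos < len(tbs):
        tag, val, pos = _tlv(tbs, pos)
        fields.append((tag, val))
    if fields[0][0] == 0xA0:                       # skip explicit [0] version if present
        fields = fields[1:]
    return fields[2][1], fields[4][1]              # serial, sigAlg, ISSUER, validity, SUBJECT

def pem_certs(text):
    """Decode every CERTIFICATE block in a PEM file such as ssl-bundle.crt."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]

def chain_is_ordered(leaf_pem, bundle_pem):
    """True when leaf -> bundle[0] -> ... links by issuer/subject and ends at a self-signed root."""
    chain = pem_certs(leaf_pem) + pem_certs(bundle_pem)
    if len(chain) < 2:
        return False
    for child, parent in zip(chain, chain[1:]):
        if issuer_subject(child)[0] != issuer_subject(parent)[1]:
            return False
    issuer, subject = issuer_subject(chain[-1])
    return issuer == subject

# --- constructed test data: structurally valid but UNSIGNED certificates, not real ones ---
def _der(tag, body):
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 128 else b"\x82" + len(body).to_bytes(2, "big")) + body

def _name(cn):
    # X.501 Name holding a single commonName (OID 2.5.4.3) attribute
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))

def fake_cert_pem(subject, issuer):
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
               + _name(issuer) + _der(0x30, b"") + _name(subject) + _der(0x30, b""))
    b64 = base64.b64encode(_der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64
```

On real files, call chain_is_ordered(open("mydomain.crt").read(), open("ssl-bundle.crt").read()); a False result means the bundle as built will not validate on clients that do not fetch missing intermediates themselves.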

Install certificate in Cloudfront

You will need to use Cloudfront to serve the SSL certificate. I will be using the AWS CLI to install it; the certificate is uploaded to IAM under a /cloudfront/ path so that Cloudfront can use it. Here is the command to use.

aws iam upload-server-certificate --server-certificate-name name_to_display_in_cloudfront --certificate-body file://mydomain.crt --private-key file://mydomain.key --certificate-chain file://ssl-bundle.crt --path /cloudfront/mydomain/

If your AWS CLI is configured with multiple profiles and the default profile doesn’t have the appropriate IAM privileges, you can use the --profile profile_name option. If all goes well, you will see JSON-formatted output in your terminal.

Cloudfront configuration

If you haven’t already done so, create a new distribution for your website.

  • Select Web
  • Origin Settings
  • Origin Domain Name: When you click on the box, select the S3 bucket you wish to use. It may give you the wrong entry, such as bucketname.s3.amazonaws.com. This is inaccurate because it doesn’t contain the region your bucket is in. Instead, you should have the static website hosting endpoint, something like bucketname.s3-website-myregion.amazonaws.com.
  • Origin Path: leave blank
  • Origin ID: Enter whatever you like or use the same as Origin Domain Name.
  • Leave default settings for the rest of this section.
  • Default Cache Behavior Settings: I left everything default here but I did change the following setting.
  • Viewer Protocol Policy: Redirect HTTP to HTTPS. This option redirects all HTTP requests to HTTPS. The default “HTTP and HTTPS” means both are served and it’s up to the user visiting your website whether they use HTTP or HTTPS. Please click on the information links to the right of each option if you wish to know more about them.
  • Distribution Settings
  • Alternate Domain Names (CNAMEs): mydomain.com and www.mydomain.com (enter one per line)
  • SSL Certificate: Custom SSL Certificate (stored in AWS IAM) and select your name_to_display_in_cloudfront from the dropdown. It’s up to you what you choose for the rest. I left the rest as default.

Route 53 configuration

You may need to visit your Route 53 configurations. It may still be pointing to your S3 bucket. It really should be pointing to your Cloudfront distribution. You may need to wait until Cloudfront finishes deploying. You can check in your Distribution list and see if the Status is Deployed. Otherwise, it may not show up in Route 53 as an alias target.

Developing on Windows

I recently started running Microsoft’s latest operating system Windows 10. As a developer, I have preferred developing on OSX or a Linux VM – it’s just easier unless you’re developing for a Windows platform. But for web development, Windows has never been an option for me. I’ve tried in the past but I always hated the experience. Lately, I have found resources and articles on how I can use a Windows OS for web development. I’d like to share how I have my environment set up.

Laravel / PHP

Laravel is a PHP framework that I have been using for a couple of years now. In order to get this to work, you will need to install PHP. The version of Laravel I currently use is 5.1 and it requires PHP 5.5.9 or higher. That version of PHP has a built-in web server, which eliminates having to run IIS, Apache, Nginx, or any other web server. To install it, I use Microsoft Web Platform Installer. Just search for PHP. It will install not only PHP but also the PHP IIS Manager and the PHP MSSQL driver, for those that want to connect to SQL Server. I will be using this with IIS, so I also installed URL Rewrite 2.0. Also, note that even though you are installing PHP 5.5 or higher, it will also install PHP 5.3.x.

[Screenshot: Web Platform Installer]

If you are running Windows 10 like I am, you may encounter an error when trying to install PHP IIS Manager. You don’t have to install it, but if you’re using IIS with PHP, it does allow you to use a GUI for the settings. Until Microsoft fixes the issue, you will need to edit your registry. Make sure you take the necessary precautions to cover yourself if something goes wrong. You can find some information about it at https://phpmanager.codeplex.com/workitem/2653. Here is a screenshot I took when I ran into the error.

[Screenshot: PHP IIS Manager error]

Once PHP is installed, you should be able to run the php command and use the built-in web server. If it doesn’t work, you may need to adjust your environment variables. Of course, you don’t have to use Web Platform Installer; you can just use the files from the PHP website.

Composer

Composer isn’t necessary for Laravel to work but it makes things easier. It is a dependency manager. It’s easy to install in Windows. You just download the Windows installer and make sure its directory is in your PATH environment variable – this usually is automatic. To create a new Laravel project, just type the following.

composer create-project laravel/laravel [project_name]

If you are running IIS, the next step is to add the IUSR and IIS_IUSRS accounts to the project directory’s permissions and grant them write access. That should eliminate any permission-related issues.

node.js / npm

I use node.js and npm so I can use grunt.js to compile CSS with LESS, along with other things. It’s easy to install in Windows as well. Just download the installer from http://nodejs.org/download/. Again, make sure your environment variables are set; usually it’s done automatically.

Ruby / Jekyll

I use a static site generator called Jekyll. You will need to install Ruby and the DevKit. You can download both from http://rubyinstaller.org/downloads/. The Ruby installer is simple; the DevKit is not as self-explanatory, but not too difficult either. I unzipped the DevKit into my C:\ruby_devkit directory. Within this directory, run the following commands.

ruby dk.rb init
ruby dk.rb install

This will install the DevKit. Once you do this, do not move or rename the DevKit folder. Otherwise, you’ll have to do the process again. You can find out more from https://github.com/oneclick/rubyinstaller/wiki/Development-Kit

Once Ruby is installed, you can install Jekyll with the following command.

gem install jekyll

The default syntax highlighter for Jekyll 2.5.3 is Pygments. This requires Python. Python is not installed by default on Windows, so if you won’t be using Python or don’t want to install Python, then you can use Ruby’s syntax highlighter, called Rouge. You can install it through gem.

gem install rouge

In a Jekyll project, you will need to edit the _config.yml file with the following.

highlighter: rouge

You must set this explicitly. Otherwise, it will use the default Pygments highlighter even though you don’t have it in your config file, and if you don’t have Python installed, you will get an error. Maybe in a future version of Jekyll, they will drop the Pygments dependency and switch to Rouge.

git / Sourcetree

I use git for my source code and though I can install it for Windows, I’d much prefer to use a GUI. The application I use is Sourcetree. It’s easy to use and it works well.

So that’s a brief summary of how I have my development environment configured on Windows 10. It has been working well, a lot better than how I remembered it before switching to OSX and Linux. The reason why I needed this set up is that my main desktop at home is running Windows. I still run Windows for gaming. It’s not always work; got to have time for play as well. And my Windows machines are both running hexacore processors, so it would be a waste if I didn’t develop on them. I could run Linux in a VM but I don’t like the multi-monitor support, or lack thereof. Hope you find it useful. If you have any questions or run into an issue, let me know and I’ll try and help.

sherwinm.com is back

I finally decided to bring back my old domain sherwinm.com. I have been contemplating this for a couple of years now. In 2006, my wife and I started a blog, abbyandwin.net, and have been writing posts there since. According to archive.org, 2003 was the last time I managed the website. I don’t even remember. Although I’m seeing some versions from 2005, I don’t believe I was as active anymore. I used e107 CMS to run that version of the website. I also wrote plugins for it. Those were the days. I can’t believe it’s been this long since I’ve been active online.

So it’s coming back, why? Well, I figured I want to have a professional presence where I can showcase and share my skills. I’m turning abbyandwin into more of a personal blogging site. The articles I wrote will continue to remain there. Also, there are over 300 articles there and it’s taking longer and longer to compile with Jekyll every time I have an update. One of these days, I may archive it but it will be a huge task if I want to keep the SEO intact.

I will start off new here and I hope to continue to bring content that is helpful to my visitors.