Skip to content
Adam Learns notes

AWS Certificate Manager (SSL)

Created: 2017-08-31 12:14:11 -0700 Modified: 2017-11-02 12:03:14 -0700

First-time setup

Section titled First-time setup

8/31/2017

Getting the certificate

Section titled Getting the certificate

I’m setting up a certificate for everything to try to get HTTPS.

NOTE: CERTIFICATES FOR CLOUDFRONT MUST BE REQUESTED IN US EAST (“N. VIRGINIA”) (reference)

I clicked “Get started” on their site, typed in *.bot.land for my FQDN, then clicked “review and request”. Note that *.bot.land only applies to subdomains of “bot.land”, not “bot.land” itself. If you want it to apply to both, just add another domain name:

Mail is then sent out to a bunch of addresses:

postmaster@bot.land

admin@bot.land

webmaster@bot.land

hostmaster@bot.land

administrator@bot.land

bot.land@protecteddomainservices.com

Make sure you have email set up for the domain

Section titled Make sure you have email set up for the domain

The problem is that I didn’t have mail set up. I had to set this up through cpanel (specific URL in my “priv” note under “domains”):

  1. Go to Email Accounts
  2. Add “admin@bot.land
  3. Under your email accounts below, click “More” and then “Access Webmail”. Now is probably a good time to test by sending yourself an email.
  4. I then went back to AWS, clicked my domain in the certificate manager, and chose Actions —> Resend validation email
  5. (actually, never mind, I got an email in my Gmail that was to “bot.land@protecteddomainservices.com”; not totally sure how this worked) (I also got the email through cpanel at “admin@bot.land”)

After getting the email

Section titled After getting the email

Click “I approve” via the email and you’ve got a certificate.

Setting up Cloudfront to use the certificate

Section titled Setting up Cloudfront to use the certificate

Remember: you need a US East certificate according to this as of 8/31/2017.

In the AWS console, go to CloudFront. I had an entry set up for botland-assets already.

  • Select it
  • Choose “Distribution Settings”
  • Under “General”, click “Edit”
  • Click “Request or Import a Certificate with ACM”. If you don’t see your certificate from earlier, then perhaps it’s not in US East and you should make one in that region. If you DO see your certificate but can’t select it, then just wait a minute or so and refresh the page.
  • It was at this time I also updated CloudFront to use HTTP/2, which is supported as of September 2016 (and if clients don’t support it, they can still access it using HTTP/1.1).
  • Before, we were in the “General” tab, now go to the “Behaviors” tab.
  • Edit the existing behavior from “HTTP and HTTPS” to “Redirect HTTP to HTTPS”.

Setting up S3 to use the certificate

Section titled Setting up S3 to use the certificate

From what I understand, a statically hosted site on S3 cannot be truly encrypted end-to-end (reference). I think you have to make a CloudFront bucket out of your static content.

I created a new web distribution in CloudFront whose origin was my single HTML file (at play.bot.land).

I made an A record alias in Route53 to dn86bjuvjvuxn.cloudfront.net after setting up an Alternate Domain Name (play.bot.land) for it in the distribution settings and a CNAME record in Route53 pointing at it too.