AWS Certificate Manager (SSL)
Created: 2017-08-31 12:14:11 -0700 Modified: 2017-11-02 12:03:14 -0700
First-time setup
8/31/2017
Getting the certificate
I’m setting up a certificate for everything to try to get HTTPS.
NOTE: CERTIFICATES FOR CLOUDFRONT MUST BE REQUESTED IN US EAST (“N. VIRGINIA”) (reference)
I clicked “Get started” on their site, typed in *.bot.land for my FQDN, then clicked “review and request”. Note that *.bot.land only covers subdomains of “bot.land” (such as play.bot.land), not “bot.land” itself. If you want the certificate to cover both, add “bot.land” as a second domain name on the same request.
Mail is then sent out to a bunch of addresses:
bot.land@protecteddomainservices.com
Make sure you have email set up for the domain
The problem is that I didn’t have mail set up. I had to set this up through cpanel (specific URL in my “priv” note under “domains”):
- Go to Email Accounts
- Add “admin@bot.land”
- Under your email accounts below, click “More” and then “Access Webmail”. Now is probably a good time to test by sending yourself an email.
- I then went back to AWS, clicked my domain in the certificate manager, and chose Actions -> Resend validation email
- (actually, never mind, I got an email in my Gmail that was to “bot.land@protecteddomainservices.com”; not totally sure how this worked) (I also got the email through cpanel at “admin@bot.land”)
After getting the email
Click “I approve” via the email and you’ve got a certificate.
Setting up Cloudfront to use the certificate
Remember: you need a US East certificate according to this as of 8/31/2017.
In the AWS console, go to CloudFront. I had an entry set up for botland-assets already.
- Select it
- Choose “Distribution Settings”
- Under “General”, click “Edit”
- Click “Request or Import a Certificate with ACM”. If you don’t see your certificate from earlier, then perhaps it’s not in US East and you should make one in that region. If you DO see your certificate but can’t select it, then just wait a minute or so and refresh the page.
- It was at this time I also updated CloudFront to use HTTP/2, which is supported as of September 2016 (and if clients don’t support it, they can still access it using HTTP/1.1).
- Before, we were in the “General” tab, now go to the “Behaviors” tab.
- Edit the existing behavior from “HTTP and HTTPS” to “Redirect HTTP to HTTPS”.
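Here is a small offline check, added to these notes and not anything from AWS, that audits a CloudFront DistributionConfig (the dict shape boto3's get_distribution_config returns) against the points above: the ACM certificate must live in us-east-1, every alias must be covered by the certificate's names (a wildcard like *.bot.land covers play.bot.land but not bot.land itself), HTTP/2 should be on, and each behavior should redirect HTTP to HTTPS. The BEFORE/AFTER configs, the account id and the certificate id are constructed placeholders.

```python
import re

# Hostname coverage as browsers apply it (RFC 6125): a wildcard stands for
# exactly one label, so "*.bot.land" covers "play.bot.land" but neither
# "bot.land" itself nor "a.b.bot.land".
def name_covered(cert_names, hostname):
    host = hostname.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            suffix = name[2:]
            if host.endswith("." + suffix):
                prefix = host[: -len(suffix) - 1]
                if prefix and "." not in prefix:
                    return True
        elif name == host:
            return True
    return False

# arn:aws:acm:<region>:<account>:certificate/<id>
ACM_ARN = re.compile(r"^arn:aws:acm:([a-z0-9-]+):\d{12}:certificate/[0-9a-f-]+$")

def acm_region(arn):
    """Region an ACM certificate ARN lives in, or None if it is not an ACM ARN."""
    m = ACM_ARN.match(arn)
    return m.group(1) if m else None

def audit_distribution(config, cert_names):
    """Check a DistributionConfig dict against the settings in the notes.

    Returns a list of findings; an empty list means the distribution uses a
    us-east-1 ACM cert that covers every alias, serves HTTP/2, and never
    answers plain HTTP with content.
    """
    findings = []
    arn = config.get("ViewerCertificate", {}).get("ACMCertificateArn")
    if not arn:
        findings.append("viewer certificate is not an ACM certificate")
    else:
        region = acm_region(arn)
        if region is None:
            findings.append(f"unrecognised ACM certificate ARN: {arn}")
        elif region != "us-east-1":
            findings.append(f"ACM certificate is in {region}; CloudFront only accepts us-east-1")
    if config.get("HttpVersion") != "http2":
        findings.append("HttpVersion is not http2")
    for alias in config.get("Aliases", {}).get("Items", []):
        if not name_covered(cert_names, alias):
            findings.append(f"alias {alias} is not covered by the certificate's names")
    behaviors = [config.get("DefaultCacheBehavior", {})]
    behaviors += config.get("CacheBehaviors", {}).get("Items", [])
    for b in behaviors:
        if b.get("ViewerProtocolPolicy") not in ("redirect-to-https", "https-only"):
            findings.append(f"behavior {b.get('PathPattern', '(default)')} still serves plain HTTP")
    return findings

# Constructed configs: BEFORE is roughly where the notes start (cert in the
# wrong region, HTTP/1.1, HTTP allowed), AFTER is where they end up.
BEFORE = {
    "Aliases": {"Quantity": 2, "Items": ["bot.land", "play.bot.land"]},
    "HttpVersion": "http1.1",
    "ViewerCertificate": {
        "ACMCertificateArn": "arn:aws:acm:us-west-2:123456789012:certificate/0f2a9c4e-0000-4000-8000-000000000000",
        "SSLSupportMethod": "sni-only",
    },
    "DefaultCacheBehavior": {"ViewerProtocolPolicy": "allow-all"},
    "CacheBehaviors": {"Quantity": 0, "Items": []},
}
AFTER = {
    "Aliases": {"Quantity": 2, "Items": ["bot.land", "play.bot.land"]},
    "HttpVersion": "http2",
    "ViewerCertificate": {
        "ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/0f2a9c4e-0000-4000-8000-000000000000",
        "SSLSupportMethod": "sni-only",
    },
    "DefaultCacheBehavior": {"ViewerProtocolPolicy": "redirect-to-https"},
    "CacheBehaviors": {"Quantity": 0, "Items": []},
}

if __name__ == "__main__":
    # The wildcard-only cert flags bot.land; the two-name cert passes.
    print("before:", audit_distribution(BEFORE, ["*.bot.land"]))
    print("after: ", audit_distribution(AFTER, ["*.bot.land", "bot.land"]) or ["ok"])
```

Feed it the real DistributionConfig from `aws cloudfront get-distribution-config` and the SubjectAlternativeNames from `aws acm describe-certificate` and it tells you which of the steps above are still missing.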
Setting up S3 to use the certificate
From what I understand, a statically hosted site on S3 cannot be truly encrypted end-to-end (reference). I think you have to make a CloudFront bucket out of your static content.
I created a new web distribution in CloudFront whose origin was my single HTML file (at play.bot.land).
I made an A record alias in Route53 to dn86bjuvjvuxn.cloudfront.net after setting up an Alternate Domain Name (play.bot.land) for it in the distribution settings and a CNAME record in Route53 pointing at it too.
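The Route53 part above done as a change batch instead of console clicks. This is an added example, not from the original notes or from AWS; the zone name and distribution hostname are constructed placeholders. Z2FDTNDATAQYW2 is the fixed hosted zone id Route53 uses for any CloudFront alias target, and the CNAME helper refuses the zone apex because DNS does not allow a CNAME there (an A alias works at both the apex and under it).

```python
import json

# Route53 uses one fixed hosted zone id for every CloudFront alias target.
CLOUDFRONT_ALIAS_HOSTED_ZONE_ID = "Z2FDTNDATAQYW2"

def _fqdn(name):
    """Normalise a DNS name to lower case with a trailing dot."""
    return name.lower().rstrip(".") + "."

def is_apex(name, zone_name):
    """True when the record name is the zone itself (bot.land inside zone bot.land)."""
    return _fqdn(name) == _fqdn(zone_name)

def alias_record(name, distribution_domain):
    """A-record alias to a CloudFront distribution; valid at the apex and below."""
    return {
        "Name": _fqdn(name),
        "Type": "A",
        "AliasTarget": {
            "HostedZoneId": CLOUDFRONT_ALIAS_HOSTED_ZONE_ID,
            "DNSName": _fqdn(distribution_domain),
            # Route53 rejects health evaluation on CloudFront alias targets.
            "EvaluateTargetHealth": False,
        },
    }

def cname_record(name, zone_name, distribution_domain, ttl=300):
    """Plain CNAME to the distribution; only allowed for names under the apex."""
    if is_apex(name, zone_name):
        raise ValueError(f"{name} is the zone apex; use alias_record() instead")
    return {
        "Name": _fqdn(name),
        "Type": "CNAME",
        "TTL": ttl,
        "ResourceRecords": [{"Value": _fqdn(distribution_domain)}],
    }

def change_batch(records, comment="point site at CloudFront"):
    """Body for: aws route53 change-resource-record-sets --change-batch file://batch.json"""
    return {
        "Comment": comment,
        "Changes": [{"Action": "UPSERT", "ResourceRecordSet": r} for r in records],
    }

# Constructed values; replace with your zone and the distribution's domain name.
ZONE = "bot.land"
DISTRIBUTION = "d111111abcdef8.cloudfront.net"

if __name__ == "__main__":
    batch = change_batch([
        alias_record("play.bot.land", DISTRIBUTION),
        alias_record("bot.land", DISTRIBUTION),
    ])
    print(json.dumps(batch, indent=2))
```

Write the printed JSON to a file and pass it with --hosted-zone-id for the bot.land zone; the alias form is the one to use if you ever want the bare domain to hit the distribution as well.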