
Set an SSL certificate (HTTPS) on an AWS Elastic Beanstalk environment without a load balancer

Max Max, Mar 2018

This guide illustrates how to set up an SSL certificate (needed for a secure HTTPS connection) on an Elastic Beanstalk environment WITHOUT a load balancer.

None of this is groundbreaking, and most of it is available on the AWS website, but it is neither straightforward nor easy to find. Plus, most third-party guides focus on setting up certificates through a load balancer, so here is the alternative approach if you don't use one.

This guide assumes you have already purchased and obtained all certificate files. If you haven’t, head to a certificate provider and do so. Here are the configuration steps:


1. Concatenate the SSL certificate files

Your certificate provider should have emailed you at least two files: the actual certificate and an intermediate certificate. You need to combine these into a single file. To do that, run the following in the terminal (if you don't feel like using a terminal, use your text editor):

cat your_certificate intermediate > server.crt

(Add all intermediate certificates after your_certificate.)

The new file should look something like:

      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----

Regardless of whether you used the terminal or an editor, there shouldn't be any empty lines in the new file.


2. Prepare private key file

The private key is generated along with the CSR (certificate signing request); the CSR holds information such as the domain name, the public key and additional contact information. The private key file looks something like this:

   -----BEGIN PRIVATE KEY-----
   ...
   -----END PRIVATE KEY-----

You need to name this file server.key.

3. Upload the files (certificate + private key) to AWS S3

Once you have the concatenated certificate file server.crt and the private key file server.key, you need to upload them to S3 so that Elastic Beanstalk can fetch them when needed. By default, Elastic Beanstalk will have created an S3 bucket for your environment, with a name like elasticbeanstalk-eu-central-1-409109261823. Upload the two files (server.crt and server.key) there.

Remember to keep them private. DO NOT make these files publicly accessible. These files should be available to your environment only and no one else.
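
A way to carry out steps 1 and 2 and check the result before the upload in step 3, as an added example that is not part of the original guide. It replaces the plain `cat` with a variant that cannot fuse an END marker onto the next BEGIN marker when an input file lacks a trailing newline, then checks both files structurally. The function names are hypothetical, and the checks assume PEM files and do not validate signatures or expiry.

```shell
#!/bin/sh
# Added example (not from the original guide). File names follow the guide;
# the function names build_chain, check_chain and check_key are made up here.

# build_chain OUT LEAF INTERMEDIATE...: like `cat`, but drops CRs and blank
# lines and ends every input with a newline, so an END marker can never fuse
# with the next BEGIN marker when a file lacks a trailing newline.
build_chain() {
    out=$1; shift
    for f in "$@"; do
        awk '{ sub(/\r$/, ""); if ($0 !~ /^[ \t]*$/) print }' "$f"
    done > "$out"
}

# check_chain FILE MIN: structural checks only (no signature or expiry checks).
check_chain() {
    awk -v min="$2" '
        /PRIVATE KEY/                   { err = "private key in certificate file"; exit }
        /^[ \t\r]*$/                    { err = "empty line"; exit }
        /^-----BEGIN CERTIFICATE-----$/ { if (inblk) { err = "BEGIN inside a block"; exit }
                                          inblk = 1; next }
        /^-----END CERTIFICATE-----$/   { if (!inblk) { err = "END without BEGIN"; exit }
                                          inblk = 0; n++; next }
        /-----/                         { err = "malformed or fused marker line"; exit }
        !inblk                          { err = "text outside a certificate block"; exit }
        $0 !~ "^[A-Za-z0-9+/=]+$"       { err = "non-base64 data in block"; exit }
        END {
            if (!err && inblk)   err = "unterminated block"
            if (!err && n < min) err = "expected at least " min " certificates, found " (n + 0)
            if (err) { print FILENAME ":" NR ": " err > "/dev/stderr"; exit 1 }
        }
    ' "$1"
}

# check_key FILE: exactly one private key block and no certificate in the file.
check_key() {
    begins=$(grep -c '^-----BEGIN .*PRIVATE KEY-----$' "$1" || true)
    ends=$(grep -c '^-----END .*PRIVATE KEY-----$' "$1" || true)
    [ "$begins" = 1 ] && [ "$ends" = 1 ] && ! grep -q 'CERTIFICATE' "$1"
}

# Usage: sh prepare_cert.sh your_certificate intermediate [intermediate...]
if [ "$#" -ge 2 ]; then
    build_chain server.crt "$@" && check_chain server.crt 2 && check_key server.key &&
        echo "server.crt and server.key pass the structural checks"
fi
```

Run it from the directory that holds server.key; a non-zero exit means the files should be fixed before they go to S3.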

4. Configure the ElasticBeanstalk app to use the SSL certificate

Continue soon..

