How to Setup Free SSL Certificates Using AWS Load Balancers
Amazon offers free SSL certificates for use with many of their services. If you’re already using EC2 for web hosting, you can add a Load Balancer in front of your server to secure your traffic over HTTPS.
What is an SSL Certificate?
SSL is the encryption method used to secure HTTPS connections, and if your site is encrypted with it, your user’s browsers will show the padlock symbol in the URL bar. An SSL certificate is required to use SSL, and you can get one from a Certificate Authority (CA). The CA acts as a third party to verify that your connection is legitimate and that you are who you claim to be (i.e., no one is trying to budge in on your connection).
Many CAs will charge hundreds of dollars for certificates, but you can get them for free from a few places. Amazon Web Services offers them for free if you use their Load Balancers, but the Load Balancers themselves cost $16+ a month. If this isn’t an option, you can still get free SSL certificates from LetsEncrypt, which you’ll have to install manually into your webserver.
There’s nothing stopping you from using LetsEncrypt with AWS EC2 instances, or even Load Balancers, but AWS’s certificates are more configurable, and work with other AWS services. For example, if you’re using AWS Cloudfront, you can use the same SSL certificate that you generate for the load balancer, without having to worry about renewing them individually.
Create a New SSL Certificate From AWS Certificate Manager
For the purposes of this guide, we’ll assume you’re already using EC2 to some degree, and have a web server running. It doesn’t matter what type of web server you’re running, since the certificate will only be installed into the Load Balancer, but you’ll still need something behind it to serve content.
You’ll also need access to your domain name settings, both to add new records to verify your domain, and point your domain to the new Load Balancer once it’s done.
From the EC2 Management Console, click “Services” in the top bar and search for “certificate.” Open the Certificate Manager.
Click on “Get Started” under “Provision Certificates.”
This certificate will be used for securing connections over the internet, so it should be public. Select “public” and click “Request.”
Now you can add your domain name to the certificate. AWS certificates support wildcards, so it might be useful to include
"*.yourdomain.com" as well, to secure any subdomains you may have. Add any domain you need, then click “Next.”
Now, you’ll need to verify your domain. AWS offers two types of verification: DNS, and Email.
DNS will require you to add a CNAME record to your domain name. If you’re using AWS Route 53 as your DNS provider, this is easy, but if you’re using something else, the process can take hours to verify.
Email only takes a few minutes. AWS will send an email to the registered WHOIS contact, as well as
"email@example.com" and a few other common webadmin emails. If you don’t have private email for your domain, you can usually set up email forwarding to a public Gmail account from your registrar’s settings, which will work just as well.
If you’re going with DNS verification, copy the “Name” and “Value” from the domain dropdown. If you’re verifying multiple domains, check if the values are different, as you may have to verify them individually.
From your DNS provider’s settings, add a new CNAME record, and paste the name and value into the form (this interface will vary depending on your provider).
While DNS only takes a few minutes to propagate, AWS may take a few hours to validate the domain, so maybe grab some lunch. If you’re using email verification, it should only take a few minutes after clicking the link in your email.
Once it’s done, you should see the orange “Pending validation” switch to a green “Issued.” You won’t have to download anything; the certificate is automatically usable in other AWS services.
Set Up a Load Balancer With Your New Certificate
Once the certificate is made, it’s ready to be installed into a Load Balancer. AWS Load Balancers work like proxies with multiple endpoints, able to forward traffic from one public IP address to many private IP addresses, and balance the load between them.
We will set one up to listen on the public HTTPS port 443, and forward traffic to port 443 on your web server. The web server port can be different, like port 8080, since the connection between load balancer and web server is internal, but we’re assuming your web server already has port 443 open. If not, you’ll need to open it from your EC2 instance’s security rules.
From the EC2 Management Console, scroll down the sidebar to find “Load Balancers” and click “Create Load Balancer.”
There are a few types of Load Balancer that work at different levels, but for simplicity we’ll choose “Application Load Balancer,” which balances basic HTTP and HTTPS.
From the options, give it an internal name, and add an HTTPS listener. It should default to port 443, the standard for HTTPS.
1 – Click next to go to “Configure Security Settings” and you’ll be presented with an option to choose a certificate (or upload your own, if you’re using a different SSL service). Select “Choose a certificate from ACM,” and select your certificate from the dropdown. If you don’t see it, try hitting the green refresh icon, and if it still isn’t there, you should check your settings in the Certificate Manager.
2 – Click next to go to “Configure Security Groups,” and make a new security group. It will default to having port 80 and 443 open, which is what you likely want.
3 – Click next to go to “Configure Routing,” and enter a internal name for the target group. Make sure the protocol is set to HTTPS.
4- Click next to go to “Register Targets,” and enter the private IP address of your EC2 instance(s), which you can find from the EC2 Management Console. If you entered them correctly, the interface should show the instance ID and the zone it’s in.
5 – Click next to go to the review, and if everything looks good, click “Create” to set up your Load Balancer.
6 – Go back to the EC2 Management Console and click the Load Balancers tab. It will take a few minutes, but once your balancer is set up you will be able to copy the DNS address. The actual IP address of your Load Balancer will change, but the DNS address will always point to it.
You’ll want to replace your existing IP your domain name with this address, so that visitors will be pointed towards your Load Balancer, which will secure the connection and point them towards your EC2 web server (or servers).
This same certificate will work with many other AWS services; for example, if you registered
*.yourdomain.com with the certificate, you would be able to serve S3 content through Cloudfront at
media.yourdomain.com using the same certificate. You can’t download them manually, so they’ll always be locked to AWS services and managed by Amazon.