Updated: March 17, 2019
Configuring https on an EC2 instance is actually not that difficult... after you have done it once. Doing it for the very first time can get frustrating after a couple of hours of combing through AWS documentation, YouTube tutorials and Stack Overflow answers, trying to piece together every single step you need to configure EC2 with https. At least, it did for me.
So, to spare you some of the frustration, I put together this guide.
Step 1 - The entry point is a running EC2 instance, in my case with a Java app listening on port 8080
Step 2 - Create/Request AWS Certificate
Background: AWS has its own service, Certificate Manager, to make requesting a certificate from a certificate authority easier. It also renews the certificates for you automatically.
With the AWS Certificate Manager service, you can request a public certificate for “example.com”, “www.example.com” and “*.example.com”.
In the next step you need to validate that the domain name really belongs to you. The preferable way is DNS validation. So, following the AWS instructions in the validation step, I added CNAME records in GoDaddy (where my domain is registered) for all domains (“example.com”, “www.example.com”, “*.example.com”).
Public certificates requested through AWS Certificate Manager are free. You only pay for the AWS resources that use the certificate.
Certificate approval takes time. For me, it was approved by the next day.
As long as those CNAME records stay in place for your domain at GoDaddy (or another registrar), AWS will automatically manage the issued certificates for you.
You cannot install the certificate directly on the EC2 instance. You need an Elastic Load Balancer, Elastic Beanstalk or another integrated service. Here is the full list: https://docs.aws.amazon.com/acm/latest/userguide/acm-services.html
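Why the guide requests all three names (“example.com”, “www.example.com” and “*.example.com”) rather than only the wildcard: browsers only let a wildcard stand for the whole leftmost label, so “*.example.com” covers “www.example.com” but not the bare “example.com”. The following is an added example (not code from the original guide) that applies those matching rules to a list of certificate names and reports which hostnames would be left uncovered; the hostnames are constructed sample data.

```python
"""Check which hostnames an ACM certificate's names cover (added example).

Matching follows the wildcard rules browsers apply (RFC 6125 section 6.4.3):
'*' may only stand for the entire leftmost label, so '*.example.com'
covers 'www.example.com' but neither 'example.com' nor 'a.b.example.com'.
"""
from __future__ import annotations


def san_matches(pattern: str, hostname: str) -> bool:
    """Return True if a single certificate name covers the hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the whole leftmost label and needs at least two
    # further labels; anything else is treated as a non-matching name.
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    # The wildcard never spans more than one label, so label counts must agree.
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def uncovered_hostnames(cert_names: list[str], hostnames: list[str]) -> list[str]:
    """Hostnames that no name on the certificate covers (a browser would warn)."""
    return [h for h in hostnames if not any(san_matches(n, h) for n in cert_names)]


# Constructed sample data mirroring the guide: the three names requested from
# ACM and the hostnames the Route 53 records will eventually serve.
ACM_REQUESTED = ["example.com", "www.example.com", "*.example.com"]
SERVED_HOSTNAMES = ["example.com", "www.example.com", "api.example.com"]

if __name__ == "__main__":
    print("uncovered with all three names:",
          uncovered_hostnames(ACM_REQUESTED, SERVED_HOSTNAMES))
    # Dropping the apex name shows why it is requested alongside the wildcard.
    print("uncovered with wildcard only:",
          uncovered_hostnames(["*.example.com"], SERVED_HOSTNAMES))
```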
Step 3 - Create a load balancer (ELB)
So, from the list of services integrated with AWS Certificate Manager, I chose to create an Application Load Balancer to use the https certificate.
Create Application Load Balancer
When creating the load balancer, add listeners for BOTH http and https. Select the issued AWS certificate for the https listener.
Choose at least 2 availability zones that have public subnets.
In the Register Targets step, select your EC2 instance and click “Add to Registered”. This creates a target group and adds the EC2 instance to it, so eventually the load balancer directs traffic through the target group to the EC2 instance.
Once the load balancer is created, check your target groups. Under the Targets tab, the health status shows whether the load balancer was able to reach the app on EC2.
By default, the load balancer checks the health of the EC2 instance by querying http port 80.
In my case, my app was running on 8080, so I had to start it on port 80.
Ports below 1024 can only be bound by the root user, so start your app using sudo.
You don’t have to configure your app to enable SSL, for example in the Spring application properties. You can leave the port at 80, since TLS is terminated at the load balancer and the communication between the load balancer and EC2 happens over plain http.
Step 4 - Create a Route 53 hosted zone for the domain name
I already had a domain at GoDaddy. So, for my domain, I created a hosted zone in the Route 53 service, which automatically gives you 4 name server records.
Take all 4 generated name servers and set them as user-defined/custom name servers at your domain registrar (GoDaddy, etc.).
Step 5 - Configure the hosted zone to point the domain name to the load balancer
In your hosted zone, add a CNAME record with Name: “www.example.com” pointing to Value: “example.com”.
Add an A record with Name: “example.com” pointing to Alias: “loadbalancer-x-y-z” (the load balancer’s DNS name).
So now, when typing example.com in a browser:
GoDaddy forwards the lookup to one of the 4 name servers on Route 53
The name server on Route 53 resolves it to the load balancer
The load balancer listener forwards the request to the target group
The target group forwards it to EC2