Adam O'Grady

SSL On AWS Static Sites

I’ve previously discussed hosting my site on AWS using a combination of Simple Storage Service (S3), CloudFront, and Route 53. I’m still doing that now and it’s been amazingly responsive and great for a static website (still using Hugo like I posted about previously).

However one of the ultimate goals of the modern web is security and projects like Let’s Encrypt have helped democratise access to SSL certificates, providing a free alternative that lets everyone secure their website without huge costs or slow verification procedures. But not all types of hosting are easily set up for Let’s Encrypt and the ACME protocol. For example, statically hosted sites like those in S3+Cloudfront or GitHub Pages where there’s no “server” that you can host the client on and the 90 day validity period makes manual renewals a pain. Thankfully not all is hopeless or labour intensive.

AWS has a neat solution to this dilemma in their AWS Certificate Manager (ACM). They’ll provide you with SSL certs that can be used to secure your CloudFront distributions. I’ve put together a little tutorial to help you get started.

Verifying Your Domain In SES

One of the major phases of verifying your domain is letting AWS email the domain administrator and having them authorise the issuing of the certificates. AWS will try and email the domain contacts and a few standard contacts but if you use WHOIS obfuscation or don’t have MX records set up for your domain you can follow these steps to get verified. If you can already receive the validation emails from AWS then you can move on to the next section.

For the following steps you’ll need to have your website and domain set up in S3, CloudFront, and Route 53. It’s easiest to do all this in the N. Virginia AWS region as not all features are available in other regions.

Set Up Domain In SES

  1. Open the AWS Management Console.
  2. Go to Simple Email Service (SES) (product, console).
  3. Click “Domains” from left menu.
  4. Click the “Verify a New Domain” bnutton.
  5. Enter your domain and click “Verify This Domain”.
  6. Because you already have Route 53 you can select “Use Route 53”. (If you don’t have Route 53 set up you’ll have to add both the TXT and MX record)
  7. Click “Create Record Sets”.

Create Rule Set

  1. Click “Rule Sets” under Email Receiving in the left menu.
  2. Click “Create A Receipt Rule”.
  3. Add “adminstrator@[domain.name]” as a recipient and click “Next Step”.
  4. Select “S3” for Add action.
  5. Choose an S3 bucket or create a new one for SES with this domain.
  6. Do not add an Object key prefix, do not encrypt messages, do not select an SNS topic. Click “Next Step”
  7. Give the rule a sensible name, make sure it’s enabled but disable TLS and virus scanning. Click “Next Step”.
  8. Click “Create Rule”.

When you get to the phase to validate domain ownership and AWS Certificate Manager emails the admin contact you should find the email in your S3 bucket. If you download it and view it with a text editor (such as Notepad, TextEdit, vim/emacs) it should have instructions to follow.

Setting up AWS Certificate Manager (ACM)

  1. Go to the ACM console.
  2. Select “Request A Certificate”.
  3. Type in the domain and click “Review and Request”.
  4. Click “Confirm and Request”, then “Continue”.
  5. You’ll need to check your email (or S3 bucket if you used the above tutorial) and follow the instructions to approve the request.
  6. When you refresh the ACM console you should see the status has updated to “Issued”.

Using an ACM cert in CloudFront

  1. Go the to CloudFront console
  2. Select the distribution for your domain.
  3. On the “General” tab, click “Edit”.
  4. Under “SSL Certificate”, select “Custom SSL Certificate”.
  5. It should pre-load the dropdown with your new certificate.
  6. Scroll to the bottom and click “Yes, Edit”.

Done.

You should now be able to browse to the HTTPS versions of your site!