AWS Elastic Beanstalk with GoDaddy SSL

This is a step by step walk-though on how to install an SSL certificate on AWS Elastic Beanstalk. We will use a GoDaddy SSL certificate. The official documentation is on the AIM Creating and Uploading Server Certificates page, but that example is only for a 1024 bit certificate. This post also assumes you already have a CNAME for your Elastic Beanstalk instance.

1. You need OpenSSL. Our Amazon EC2 image already has OpenSSL by default. Try running openssl version on the command line to verify if you have OpenSSL installed.

2. You will need the IAM Command Line Toolkit to be able to upload the SSL certificate. We will be using the iam-servercertupload command later in the process. You will also need to create an aws-credential.properties file with the keys AWSAccessKeyId and AWSSecretKey populated with your AWS keys.

3. Now generate the CSR (Certificate Signing Request) by running the following command. This will generate a 2048 bit CSR.

openssl req -new -newkey rsa:2048 -nodes -out csr.pem -keyout private-key.pem -subj "/C=yourcountry/ST=yourstate/L=yourcity/O=yourcompany/OU=yourdepartment/CN=yourdomain"

Replace yourcountry, yourstate, yourcity, yourcompany, yourdepartment, yourdomain with the appropriate values. You should get two files from this step, csr.pem and private-key.pem.

4. Go to the GoDaddy Manage Certificates page, and copy paste the CSR. Once the certificate is ready, download the certificate. Unzip the downloaded file and you will get gd_bundle.crt and yourdomain.crt.

5. Before uploading the certificate, we need to decrypt our private key by running the following openssl command.

openssl rsa -in private-key.pem -out decrypted-private-key.pem

6. Now we are ready to upload our certificate. Run the following command.

iam-servercertupload --aws-credential-file aws-credential.properties -b yourdomain.crt -c gd_bundle.crt -k decrypted-private-key.pem -s yourcertificatename

Make sure the file paths are correct. yourcertificatename is the name of the certificate that you specify.

7. To get your SSL Certificate ID, which you need to enable SSL on Elastic Beanstalk, run the following command

iam-servercertgetattributes --aws-credential-file aws-credential.properties -s yourcertificatename

Take note of your certificate ID, which starts with arn:aws:iam::.

8. Go to the AWS Elastic Beanstalk Management Console and edit the environment configuration. Go to the Load Balancer tab and set the HTTPS Listener Port to 443, and the SSL Certificate Id. If you have a wildcard SSL, you can repeat this step on every Elastic Beanstalk application on different subdomains.

9. Test your new configuration by going to https://yourdomain.


10 Comments

  1. Yegor says:

    Short and nice instructions, thanks!

  2. Catherine says:

    Yes – great instructions! Thanks so much.

    I did not have godaddy certificates, but geotrust ones. The only thing I had to do differently was in step 4. The web server certificate and intermediate CA came embedded in an email from my certificate authority, so I used them to created my own yourdomain.crt and gd_bundle.crt. Note that you can name these anything actually just as long as you use .crt, and call them by these names when you upload in step 6.

  3. You are a life saver mate. Thanks a ton! In-case you get time – do write a tutorial on version control for Elastic Beanstalk – it would just be great!

  4. weichengchu says:

    Thanks for the instruction!
    But maybe you should mention that the domain name in the CSR can NOT be the elastic beanstalk domain name, but have to be your own domain name. I spent quit some time on this thing cause I couldn’t figure out how to select the approver email when submitting the CSR….

  5. jason says:

    Something else to note is that in step 4, you have to choose “Apache” as the format to download your cert, even if you’re using another web server on your machines.

    this will produce the gd_bundle.crt file. Choosing IIS, for example, will give you a file with a different name and format.

  6. Catherine says:

    I used these instructions again for the renewal this year, and have to thank you again for this post. 🙂 One thing that might help anyone who is doing more than one SSL certificate (and who knows as little command line as I) – if your terminal session closes or times out before you start an additional SSL certificate request and installation, in Step 2 you might have to export and set variables again for JAVA_HOME and AWS_IAM_HOME before proceeding…

  7. Catherine says:

    With the new AWS CLI utility replacing IAM CLI there are a few changes. In step 2 instead of downloading the IAM Command Line Toolkit (no longer maintained), you’d download AWS Command Line Toolkit (http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-set-up.html) then, in step 6, you’d use this command instead:

    aws iam upload-server-certificate –server-certificate-name certificate_object_name –certificate-body file://public_key_certificate_file –private-key file://privatekey.pem

    You would add the full path to each certificate file name after the “file://” part, which has to be there intact; for example, “file://~/Documents/yourfolder”. If you look at the AWS documentation (http://docs.aws.amazon.com/IAM/latest/UserGuide/InstallCert.html) you’ll see it suggests including “–certificate-chain file://certificate_chain_file” at the end of the command above, but this is optional. I got our certificates from RapidSSL which didn’t include a certificate chain file. I tried to make one by concatenating what certificates I did have and could not get the AWS server to accept the upload. Then I finally remembered that the IAM CLI method above does not ask for a certificate chain file either – so I ran the command again omitting that entire section, and it worked perfectly.

  8. Catherine says:

    I should mention that the reason why the command works even without certificate-chain is because when you create the certificate-body .pem file, it should include the intermediate ca. So this file includes first the certificate, then the intermediate ca, which essentially provides the chain information to the server also. There’s some info on converting your .crt files to .pem files… http://www.digicert.com/ssl-support/pem-ssl-creation.htm

  9. BTW – Now you can add new key while you click on ELB listener tab and click on add/change the SSL key. It opens up a dialog wherein you can key in private key, public key and chain certificate. So no need to install IAM CLI command line tools.
    Besides, when you download the key from godaddy.com choose Apache for Amazon ELB sites.


Leave a Reply

Your email address will not be published. Required fields are marked *