@CalmArms
Last active November 9, 2023 13:39
Serve an Elastic Beanstalk application over HTTPS using a Custom Domain

For this gist I assume you are working with an Elastic Beanstalk Application Environment set up with an Application Load Balancer. I also assume you want to point a subdomain of your custom domain to your EB application. If you have a different setup then this process may not work for you, though some parts may still be useful. As with most guides on the internet, your mileage may vary.

You will need

  • A running application environment in Elastic Beanstalk
  • Access to modify the DNS records on your custom domain
  • Access to AWS Console with the relevant IAM permissions

Pointing your custom domain to your Elastic Beanstalk Application Environment

Navigate to the DNS Records manager for your domain and add a new CNAME record:

  1. Set the "host" to your chosen subdomain (for example, for "login.example.com" it would be "login")
  2. Set the "value" to the current domain of your Elastic Beanstalk Application Environment, for example: "login.eba-xxxyyyzz.us-east-2.elasticbeanstalk.com" (you can find this in the "Environment overview" panel in Elastic Beanstalk)
  3. Set the "TTL" to "1 min" and save

Once the record has been processed, going to http://login.example.com should show your Elastic Beanstalk application. It can take a while before the DNS record has processed, so you'll need to be patient.

At this point you will only be able to access your application over the insecure "HTTP" protocol. Continue with this guide to serve your application securely over "HTTPS".

Creating the SSL Certificate

In AWS, navigate to the AWS Certificate Manager (ACM):

  1. Click "Request" to create a new certificate
  2. Select "Request a public certificate" and click Next
  3. Enter the fully qualified domain name, for example "login.example.com"
  4. Select "DNS validation" as the validation method
  5. Leave "Key algorithm" as the default
  6. Set any tags if you wish
  7. Click "Request"

Validating the SSL Certificate

  1. On the same ACM page, once the certificate is ready (which may require a page refresh), click on its ID in the list to view more details.
  2. Scroll down to the "Domains" section. You will need the CNAME name and value for the next steps.
  3. Navigate back to your custom domain's DNS records and create a new CNAME record
  4. Set the "host" value in the DNS record to the "CNAME name" value on the ACM page

Note
You will probably need to remove the apex domain from the "CNAME name" string. For example, the full string in ACM might look like this: "_ac99de995b3684610896a128107a237f.login.example.com". You only need the string up to the end of the subdomain, like this: "_ac99de995b3684610896a128107a237f.login"

  5. Set the "value" in the DNS record to the "CNAME value" on the ACM page
  6. Set the "TTL" to "1 Min" and save
  7. Keep refreshing the ACM page until you can see that the certificate is no longer "Pending validation". This might be a good time to go grab a coffee as it can take a while.
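The note above about trimming the apex domain is where a certificate most often gets stuck in "Pending validation", so here is a small helper for it, added as an example and not part of the original gist. It assumes your DNS provider appends the zone apex to whatever you type in the "host" field; the function names are hypothetical.

```python
def _norm(name: str) -> str:
    # DNS names are case-insensitive; a record name may carry a trailing dot.
    return name.strip().rstrip(".").lower()


def relative_host(record_name: str, zone_apex: str) -> str:
    """Return the "host" field for a DNS form that appends the zone apex itself."""
    name, apex = _norm(record_name), _norm(zone_apex)
    if not name or not apex:
        raise ValueError("record name and zone apex must be non-empty")
    if name == apex:
        raise ValueError("a CNAME cannot be placed at the zone apex")
    # Match on a label boundary: "login.notexample.com" is NOT inside "example.com".
    suffix = "." + apex
    if not name.endswith(suffix):
        raise ValueError(f"{record_name!r} is not inside zone {zone_apex!r}")
    return name[: -len(suffix)]


def published_name(host_field: str, zone_apex: str) -> str:
    """Name that ends up in DNS when the provider appends the apex (assumed behaviour)."""
    return f"{_norm(host_field)}.{_norm(zone_apex)}"


def host_field_is_correct(host_field: str, acm_cname_name: str, zone_apex: str) -> bool:
    """True when the published name is exactly the name ACM asked you to create."""
    return published_name(host_field, zone_apex) == _norm(acm_cname_name)


if __name__ == "__main__":
    apex = "example.com"  # zone apex from the guide's example
    # "CNAME name" from the note above, with a trailing dot added to show it is handled
    acm_name = "_ac99de995b3684610896a128107a237f.login.example.com."
    host = relative_host(acm_name, apex)
    print("host field to enter:", host)
    # Pasting the full string publishes a doubled apex, so validation never completes.
    print("if pasted whole:   ", published_name(acm_name, apex))
    print("trimmed is correct:", host_field_is_correct(host, acm_name, apex))
    print("whole is correct:  ", host_field_is_correct(acm_name, acm_name, apex))
```

If your provider expects the fully qualified name in the "host" field instead, skip the trimming and paste the ACM value as-is.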

Applying the SSL Certificate to your Elastic Beanstalk Environment

In the AWS Console, navigate to your Elastic Beanstalk Environment and then:

  1. Go to "Configuration"
  2. Scroll to "Instance traffic and scaling" and click "Edit"
  3. Scroll to the "Listeners" section and click "Add listener"
  4. For "Listener port", enter 443
  5. For "Listener protocol", select "HTTPS"
  6. For "SSL certificate", select the certificate you made earlier in the dropdown
  7. For "SSL policy", select "ELBSecurityPolicy-2016-08"
  8. Leave the "Default process" as "default"
  9. Click save to close the modal
  10. Scroll to the bottom of the page and click "Apply"

Done

At this point you should be able to navigate to your now secure custom domain to access your application, for example "https://login.example.com".
