@vishnumitraha
Last active July 24, 2024 06:07
Let's Encrypt SSL certificate to an Amazon S3 static site

To add a Let's Encrypt SSL certificate to an Amazon S3 static site, you will need to use Amazon CloudFront as an intermediary, since S3 does not support SSL certificates directly. Here are the detailed steps to achieve this:

Step 1: Set Up Your S3 Bucket

  1. Create an S3 Bucket:

    • Go to the AWS Management Console.
    • Create a new S3 bucket with a unique name (this will be your static website).
    • Enable static website hosting in the bucket properties.
  2. Upload Your Website Files:

    • Upload your static website files (HTML, CSS, JavaScript, etc.) to the S3 bucket.
  3. Set Permissions:

    • Ensure that your bucket allows public access to serve the website. You can adjust permissions in the Permissions tab of the bucket settings.

Step 2: Create a CloudFront Distribution

  1. Set Up CloudFront:

    • In the AWS Management Console, navigate to CloudFront and create a new distribution.
    • Set the origin domain to your S3 bucket's website endpoint.
  2. Configure Distribution Settings:

    • Under the "Default Cache Behavior Settings", ensure that "Viewer Protocol Policy" is set to "Redirect HTTP to HTTPS".
    • Enable "Compress Objects Automatically" for better performance.
  3. Set Alternate Domain Names (CNAMEs):

    • Add your custom domain (e.g., www.example.com) in the "Alternate Domain Names (CNAMEs)" section.

Step 3: Obtain a Let's Encrypt SSL Certificate

  1. Set Up an EC2 Instance:

    • Launch a temporary EC2 instance (e.g., t2.micro) to generate the SSL certificate.
    • Ensure that the instance has a public IP and security group rules allowing HTTP (port 80) and HTTPS (port 443) traffic.
  2. Install Certbot:

    • SSH into your EC2 instance and install Certbot:
      sudo apt update
      sudo apt install certbot
  3. Generate the SSL Certificate:

    • Run Certbot to obtain the certificate using the HTTP-01 challenge:
      sudo certbot certonly --standalone -d www.example.com
    • Replace www.example.com with your actual domain name.
  4. Locate the Certificate Files:

    • After successful generation, the certificate files will be stored in /etc/letsencrypt/live/www.example.com/.

Step 4: Import the SSL Certificate into AWS

  1. Import the Certificate to AWS Certificate Manager (ACM):

    • Go to the AWS Certificate Manager in the AWS Management Console.
    • Click on "Import a certificate".
    • Copy the contents of the cert.pem, privkey.pem, and chain.pem files into the respective fields in ACM.
  2. Note the ARN:

    • After importing, note the ARN (Amazon Resource Name) of the certificate as you will need it for CloudFront.

Step 5: Configure CloudFront to Use the SSL Certificate

  1. Update CloudFront Distribution:

    • Go back to your CloudFront distribution settings.
    • Under "SSL Certificate", choose "Custom SSL Certificate" and select the certificate you imported into ACM.
  2. Save Changes:

    • Save the changes to the CloudFront distribution. This may take a few minutes to propagate.

Step 6: Update DNS Settings

  1. Point Your Domain to CloudFront:
    • In your domain registrar's DNS settings, create a CNAME record pointing your domain (e.g., www.example.com) to the CloudFront distribution domain name (e.g., d123456abcdef8.cloudfront.net).

Step 7: Automate Certificate Renewal

  1. Set Up a Cron Job:
    • To automate the renewal of your Let's Encrypt certificate, you can set up a cron job on your EC2 instance:
      crontab -e
    • Add the following line to run the renewal command monthly:
      # Replace the ARN placeholder with the ARN noted in Step 4: passing --certificate-arn re-imports into the existing ACM certificate, which is what CloudFront references; without it ACM creates a new certificate each month that the distribution never uses.
      0 0 1 * * /usr/bin/certbot renew --quiet && aws acm import-certificate --certificate-arn arn:aws:acm:us-east-1:ACCOUNT_ID:certificate/CERT_ID --certificate fileb:///etc/letsencrypt/live/www.example.com/cert.pem --private-key fileb:///etc/letsencrypt/live/www.example.com/privkey.pem --certificate-chain fileb:///etc/letsencrypt/live/www.example.com/chain.pem --region us-east-1
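As an added example that is not part of this gist, the following certbot deploy hook does the ACM side of the renewal in Python: it re-imports the renewed lineage into the certificate's existing ARN (so the CloudFront distribution from Step 5 keeps serving it) and then checks the ACM record for the expected domain, a fresh expiry date, and an attached CloudFront distribution. It assumes boto3 is installed on the EC2 instance, that ACM_CERT_ARN is set to the ARN noted in Step 4 (the value in the code is a placeholder), and that certbot supplies RENEWED_LINEAGE and RENEWED_DOMAINS, which it does for --deploy-hook scripts.

```python
"""Certbot deploy hook: re-import the renewed lineage into the EXISTING ACM
certificate (same ARN) so CloudFront picks it up, then check the ACM record.
The ACM client is injected so the logic can run offline in tests."""
import os
import sys
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Placeholder: set ACM_CERT_ARN to the ARN noted in Step 4 (it must live in us-east-1).
ACM_CERT_ARN = os.environ.get("ACM_CERT_ARN", "arn:aws:acm:us-east-1:ACCOUNT_ID:certificate/CERT_ID")
# ACM import parameter -> file name inside /etc/letsencrypt/live/<domain>/
PEM_FILES = {"Certificate": "cert.pem", "PrivateKey": "privkey.pem", "CertificateChain": "chain.pem"}

def load_lineage(lineage_dir):
    """Read the three PEM files of a certbot lineage, refusing non-PEM content."""
    files = {}
    for param, name in PEM_FILES.items():
        data = Path(lineage_dir, name).read_bytes()
        if b"-----BEGIN" not in data:
            raise ValueError(f"{name} does not look like a PEM file")
        files[param] = data
    return files

def reimport_certificate(acm, lineage_dir, cert_arn, expected_domain):
    """Re-import into cert_arn and return the list of problems found afterwards
    (an empty list means the renewed certificate is live in ACM for CloudFront)."""
    resp = acm.import_certificate(CertificateArn=cert_arn, **load_lineage(lineage_dir))
    if resp["CertificateArn"] != cert_arn:
        raise RuntimeError("ACM created a new ARN; CloudFront still references the old one")
    cert = acm.describe_certificate(CertificateArn=cert_arn)["Certificate"]
    problems = []
    if cert.get("DomainName") != expected_domain:
        problems.append(f"domain is {cert.get('DomainName')!r}, expected {expected_domain!r}")
    if cert["NotAfter"] - datetime.now(timezone.utc) < timedelta(days=30):
        problems.append("certificate expires in under 30 days; the renewal did not take effect")
    if not any(":cloudfront::" in arn for arn in cert.get("InUseBy", [])):
        problems.append("certificate is not attached to any CloudFront distribution")
    return problems

if __name__ == "__main__":
    import boto3  # only needed on the instance; keeps the functions importable without it
    lineage = os.environ["RENEWED_LINEAGE"]            # set by certbot for --deploy-hook
    domain = os.environ["RENEWED_DOMAINS"].split()[0]  # first renewed name, e.g. www.example.com
    problems = reimport_certificate(boto3.client("acm", region_name="us-east-1"), lineage, ACM_CERT_ARN, domain)
    for p in problems:
        print("WARNING:", p, file=sys.stderr)
    sys.exit(1 if problems else 0)
```

Install it as an executable script (for instance /usr/local/bin/acm_reimport.py, an assumed path) and run renewals as certbot renew --quiet --deploy-hook /usr/local/bin/acm_reimport.py, so the import only happens when a certificate was actually renewed.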

Summary

By following these steps, you can successfully add a Let's Encrypt SSL certificate to your Amazon S3 static site using CloudFront. This setup ensures that your static website is served securely over HTTPS, leveraging the benefits of both Let's Encrypt and AWS services.
