Go to sslforfree (linked at the end of this post) to create a free SSL certificate.
Create the folders .well-known > acme-challenge and put the file you received while creating the SSL certificate into it, e.g. 2elaFuIeUlvdNUGhnGa3A4NLSPYM21AyK7uHHZNc_s0
The website needs to confirm that you are the legitimate user of the domain for which you are requesting the SSL certificate. So that it can verify this, add the following route to your Node server:
    app.get('/.well-known/acme-challenge/2elaFuIeUlvdNUGhnGa3A4NLSPYM21AyK7uHHZNc_s0', function (req, res) {
      res.sendFile(__dirname + '/.well-known/acme-challenge/2elaFuIeUlvdNUGhnGa3A4NLSPYM21AyK7uHHZNc_s0');
    });
Download the certificates
Create a folder .ebextensions
Inside this folder, create a file called https-instance.config and put the following contents in it:
    Resources:
      sslSecurityGroupIngress:
        Type: AWS::EC2::SecurityGroupIngress
        Properties:
          GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
          IpProtocol: tcp
          ToPort: 443
          FromPort: 443
          CidrIp: 0.0.0.0/0

    files:
      /etc/nginx/conf.d/https.conf:
        mode: "000644"
        owner: root
        group: root
        content: |
          # HTTPS server
          server {
              # "listen 443 ssl" replaces the deprecated "ssl on;" directive
              listen 443 ssl;
              server_name localhost;
              ssl_certificate /etc/pki/tls/certs/server.crt;
              ssl_certificate_key /etc/pki/tls/certs/server.key;
              ssl_session_timeout 5m;
              # TLSv1 and TLSv1.1 are deprecated (RFC 8996), so only TLSv1.2 is enabled
              ssl_protocols TLSv1.2;
              ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
              ssl_prefer_server_ciphers on;
              location / {
                  proxy_pass http://nodejs;
                  proxy_set_header Connection "";
                  proxy_http_version 1.1;
                  proxy_set_header Host $host;
                  proxy_set_header X-Real-IP $remote_addr;
                  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              }
          }
      /etc/nginx/conf.d/000_my_config.conf:
        mode: "000755"
        owner: root
        group: root
        content: |
          # Redirect plain HTTP to HTTPS
          server {
              listen 8080;
              return 301 https://$host$request_uri;
          }
      /etc/pki/tls/certs/server.crt:
        mode: "000400"
        owner: root
        group: root
        content: |
          -----BEGIN CERTIFICATE-----
          *your certificate*
          -----END CERTIFICATE-----
      /etc/pki/tls/certs/server.key:
        mode: "000400"
        owner: root
        group: root
        content: |
          -----BEGIN RSA PRIVATE KEY-----
          *your private key*
          -----END RSA PRIVATE KEY-----
Replace the certificate and private key in the above file, zip the application, upload it to the Beanstalk environment, and you are done.
For security reasons, you can upload the private key to an AWS S3 bucket instead of embedding it in the config file, and add the following snippet to grant the Elastic Beanstalk instances access to the bucket so they can read the private key.
    Resources:
      AWSEBAutoScalingGroup:
        Metadata:
          AWS::CloudFormation::Authentication:
            S3Auth:
              type: "s3"
              buckets: ["elasticbeanstalk-us-east-1-xxxxxxxxxxx"]
              roleName:
                "Fn::GetOptionSetting":
                  Namespace: "aws:autoscaling:launchconfiguration"
                  OptionName: "IamInstanceProfile"
                  DefaultValue: "aws-elasticbeanstalk-ec2-role"

    files:
      /etc/pki/tls/certs/server.key:
        mode: "000400"
        owner: root
        group: root
        # Use the S3Auth role defined above; without this key the download is unauthenticated
        authentication: "S3Auth"
        source: https://s3.amazonaws.com/elasticbeanstalk-us-east-1-xxxxxxxxxx/server.key
- sslforfree - create your free ssl certificate
- AWS documentation