Setting Up Free SSL for Static Sites on AWS
Setting up SSL is a pain. Even using free certificate authorities like Let’s Encrypt are difficult to get working. For some time now, I’ve been looking for a cheap and easy way to set up SSL for static sites.
AWS Certficate Manager
I recently discovered AWS Certificate Manager (ACM). Among other things, ACM allows you to easily issue free certificates for any static site hosted on Cloudfront with a custom domain. This is really cool!
Below are some things I like about ACM:
- You get to use certificates issued by Amazon’s own certificate authority (Amazon Trust Services) on your domain
- Unlike Let’s Encrypt, ACM certificates are automatically renewed for you
- You can easily manage your certificates in ACM’s web interface
- Certificates provisioned by ACM are free! No charges whatsoever
Setting up free SSL using ACM and Cloudfront is pretty easy but there are a few things to watch out for. This guide assumes you already have a static site running on Cloudfront (you can find many other walkthroughs for setting that up).
Step 1: Get your WHOIS in order
Because ACM does WHOIS verification, you need to make sure that an accessible email address is on your domain’s WHOIS record. You can do a lookup here to make sure.
ACM will send an email to 3 contact addresses from the WHOIS record and 5 common system addresses for your domain. Remember to turn off WHOIS Privacy if you have it enabled! I use name.com and they make it super easy to toggle WHOIS Privacy on and off on the domains list.
Step 2: Set up Amazon Certificate Manager
Regardless of what region your S3 bucket is, make sure that you set up ACM in the N. Virginia (us-east-1) region! This feature is not yet available in all regions so using other regions may not work.
- Go to the ACM console (make sure you are in N. Virginia)
- Click the Request A Certificate button
- Type in your domain and click Review and Request
- Click Confirm and Request, then Continue
- Then check your email and follow the link to approve the request
After completing the steps above and refeshing the ACM console, you should see the status of your certificate update to “Issued”. Woohoo! You now have an Amazon certificate!
Step 3: Set up your Cloudfront Distribution
Set up Cloudfront to use your freshly issued certificate with the steps below:
- Go to the CloudFront console
- Select the distribution for your domain
- On the General tab, click Edit
- Under SSL Certificate, select Custom SSL Certificate
- It should pre-populate the dropdown with your new certificate
- Scroll to the bottom and click Yes, Edit
Step 4: Enjoy!
Sit back and enjoy your new SSL website.