Let's Code: Setting Up SSL Encryption Using AWS

It’s been a while since I talked about some of the behind-the-scenes things related to this blog. If for no one else, I need to start documenting this process more. There are so many intricate parts that, if I don’t have them written out in detail for myself, I’ll never be able to replicate it easily.

A while back, after I acquired tavon.app, I briefly looked into how to enable HTTPS, since HTTPS is mandatory for .app domains. I found out what it cost and NOPE'd out of there pretty quickly. (I just had it loop back to this blog, and still do.) But, after redesigning Gatling.XYZ again before 2019 ended, I kept seeing that my blog wasn't "secure." The way to fix that? HTTPS.

Apparently, AWS has a service for everything.

I managed to complete this entire project using only AWS services: Certificate Manager, CloudFront, and Route53 (and technically S3 since that’s where my blog is hosted). I’m not sure of the cost but I’ll update this post when I get the bill (and hopefully I’m not charged an arm and a leg for trying and failing so many times, lol). I do know that I pay about $0.50/month for Route53.

Not much knowledge of how these services work is needed. As I mentioned previously, my entire blog is hosted on S3, and I use Route53 to manage all of my website records for the domain I bought elsewhere at https://gen.xyz. To complete this, you only need a little familiarity with Route 53 and the static website endpoint URL from S3.

To start, you want to head to the Certificate Manager in the AWS Console.

From here, Request a Certificate and choose the public certificate option.

You’ll arrive at a page where it tells you to add domain names. Here, you’ll want to enter your domain (for instance, gatling.xyz). I also entered *.gatling.xyz (to protect all of my subdomains in the future) and www.gatling.xyz, though I’m actually not sure all three are needed. I created my certificate before I made about 15 corrections and this may or may not be required for success. When you’re done with your domains, select Next and choose the DNS Validation option. Skip past adding tags, and select Review, then Confirm and Request.

Because I use Route53, Certificate Manager gives me buttons to Create [the] record in Route 53. Easy peasy. Don’t bother waiting for the status to leave In Progress. Once you’ve added each of your domains to Route 53, you can move on to the next step. If you don’t use Route53, create a CNAME record using somename and somevalue (obviously using the values that show up for you).

CLOUDFRONT

Next up is CloudFront. Select Create Distribution, then select Get Started under Web. This is, possibly, the most confusing part due to the sheer number of options presented. And, after some trial and error, I’ve found that… well, there’s not that much to do. The very first box – Origin Domain Name – has a drop-down of all your AWS resources. Do not select any of them! This was my original mistake; I wasted a good hour or two with this.

Instead, hop over to the S3 bucket of your static website and copy the bucket’s static website URL. Use that URL as the Origin Domain Name. Origin ID should auto-fill for you. I kept mine as the default. You can leave Origin Path and Origin Custom Headers blank.

The only option you need to review in Default Cache Behavior Settings is Viewer Protocol Policy. I selected Redirect HTTP to HTTPS, though I ran across an article or two that suggested HTTPS Only. You can leave everything else as is.

Under Distribution Settings, select Custom SSL Certificate, then pick the certificate you made in Certificate Manager.

Once you're done with that, create your distribution. Again, don't wait for the status to leave In Progress. You should see a different URL in the Domain Name column that looks something like this: somestringofcharacters1234.cloudfront.net. Copy that URL; you'll need it in Route 53.
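To make the CloudFront step concrete, here is an added example (not code from the original post) that builds the same distribution configuration the console walk-through above produces, in the dict shape boto3's `cloudfront.create_distribution(DistributionConfig=...)` expects, and then checks it for the pitfalls described above: picking the bucket's REST endpoint from the drop-down instead of the static website endpoint, leaving the viewer protocol policy on plaintext, and naming an alias the certificate does not cover. Two details come from AWS documentation rather than from the post: the S3 website endpoint only speaks HTTP, so it has to be a custom origin with an `http-only` origin protocol policy, and CloudFront only accepts ACM certificates issued in us-east-1. The bucket name, account ID, certificate ID and domain names are constructed placeholders.

```python
"""Build and sanity-check a CloudFront DistributionConfig for an S3 static website.

Added example, not the post's own code. Dict shapes follow boto3's
cloudfront.create_distribution(DistributionConfig=...). All sample values
(bucket, account id, certificate id, domains) are constructed placeholders.
"""
import re
import uuid

# Constructed sample inputs, not real resources.
SITE_ORIGIN = "example-blog.s3-website-us-east-1.amazonaws.com"  # S3 *website* endpoint
REST_ORIGIN = "example-blog.s3.amazonaws.com"                     # what the console drop-down offers
CERT_ARN = "arn:aws:acm:us-east-1:123456789012:certificate/00000000-0000-0000-0000-000000000000"
CERT_NAMES = ["example.xyz", "*.example.xyz", "www.example.xyz"]  # names requested in ACM


def build_distribution_config(origin_domain, cert_arn, aliases, viewer_policy="redirect-to-https"):
    """Return a DistributionConfig dict for a static site served from an S3 website endpoint.

    The website endpoint speaks plain HTTP only, so it must be a *custom* origin with
    OriginProtocolPolicy http-only; viewers still get TLS from CloudFront itself.
    """
    return {
        "CallerReference": str(uuid.uuid4()),  # idempotency token for create_distribution
        "Comment": "static site over HTTPS",
        "Enabled": True,
        "DefaultRootObject": "index.html",
        "Aliases": {"Quantity": len(aliases), "Items": list(aliases)},
        "Origins": {
            "Quantity": 1,
            "Items": [{
                "Id": "s3-website-origin",
                "DomainName": origin_domain,
                "CustomOriginConfig": {
                    "HTTPPort": 80,
                    "HTTPSPort": 443,
                    "OriginProtocolPolicy": "http-only",
                },
            }],
        },
        "DefaultCacheBehavior": {
            "TargetOriginId": "s3-website-origin",
            "ViewerProtocolPolicy": viewer_policy,  # redirect-to-https or https-only
            "ForwardedValues": {"QueryString": False, "Cookies": {"Forward": "none"}},
            "MinTTL": 0,
            "TrustedSigners": {"Enabled": False, "Quantity": 0},
        },
        "ViewerCertificate": {
            "ACMCertificateArn": cert_arn,
            "SSLSupportMethod": "sni-only",
            "MinimumProtocolVersion": "TLSv1.2_2021",
        },
    }


def cert_covers(cert_names, host):
    """True if an exact SAN matches, or a wildcard SAN matches exactly one extra label."""
    for name in cert_names:
        if name == host:
            return True
        if name.startswith("*.") and host.endswith(name[1:]) and host.count(".") == name.count("."):
            return True
    return False


def check_distribution_config(config, cert_names):
    """Return a list of problems; an empty list means the known pitfalls are avoided."""
    problems = []
    origin = config["Origins"]["Items"][0]
    if ".s3-website" not in origin["DomainName"]:
        problems.append("origin is the S3 REST endpoint, not the static website endpoint")
    if "S3OriginConfig" in origin:
        problems.append("S3 website endpoints must be configured as custom origins")
    policy = config["DefaultCacheBehavior"]["ViewerProtocolPolicy"]
    if policy not in ("redirect-to-https", "https-only"):
        problems.append(f"viewer protocol policy {policy!r} still serves plaintext")
    arn = config["ViewerCertificate"].get("ACMCertificateArn", "")
    if not re.match(r"arn:aws:acm:us-east-1:\d{12}:certificate/", arn):
        problems.append("CloudFront only accepts ACM certificates issued in us-east-1")
    for alias in config["Aliases"]["Items"]:
        if not cert_covers(cert_names, alias):
            problems.append(f"alias {alias} is not covered by the certificate")
    return problems


if __name__ == "__main__":
    good = build_distribution_config(SITE_ORIGIN, CERT_ARN, ["example.xyz", "www.example.xyz"])
    print("website origin:", check_distribution_config(good, CERT_NAMES) or "ok")
    bad = build_distribution_config(REST_ORIGIN, CERT_ARN, ["example.xyz"], viewer_policy="allow-all")
    for problem in check_distribution_config(bad, CERT_NAMES):
        print("REST origin:", problem)
```

The checker is the part worth keeping around: run it against the config before calling `create_distribution`, and the hour or two lost to the drop-down mistake turns into a one-line error message.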

ROUTE53

This took some trial and error as well, but it’s a pretty simple update here.

Go to your hosted zone and either create new A Records or change your existing ones. Set each record to an Alias and choose the CloudFront distribution domain you copied as the alias target. Save the records and you're good to go.
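Both DNS steps in this post, the ACM validation CNAMEs from the Certificate Manager section and the alias A records just described, are Route 53 record changes, so here is one added example (not the post's own code) that builds both as change batches in the dict shape boto3's `route53.change_resource_record_sets(HostedZoneId=..., ChangeBatch=...)` takes. Two details come from AWS documentation rather than the post: ACM hands out the same validation CNAME for an apex name and its wildcard (so the batch de-duplicates by record name), and every CloudFront alias target uses the fixed hosted zone ID Z2FDTNDATAQYW2. The sample ACM output, domain names and distribution domain are constructed placeholders.

```python
"""Route 53 change batches for the two DNS steps in the post: the ACM DNS-validation
CNAMEs and the alias A records that point the site at CloudFront.

Added example, not the post's own code. Dict shapes follow boto3's
route53.change_resource_record_sets(HostedZoneId=..., ChangeBatch=...).
Sample ACM output, domain names and the distribution domain are constructed.
"""
import json

# Fixed hosted zone ID that every CloudFront alias target uses (per AWS docs).
CLOUDFRONT_HOSTED_ZONE_ID = "Z2FDTNDATAQYW2"

# Constructed stand-in for acm.describe_certificate()["Certificate"]["DomainValidationOptions"].
# The apex and wildcard entries share one CNAME, as ACM issues them.
SAMPLE_VALIDATION_OPTIONS = [
    {"DomainName": "example.xyz",
     "ResourceRecord": {"Name": "_abc123.example.xyz.", "Type": "CNAME",
                        "Value": "_def456.acm-validations.aws."}},
    {"DomainName": "*.example.xyz",
     "ResourceRecord": {"Name": "_abc123.example.xyz.", "Type": "CNAME",
                        "Value": "_def456.acm-validations.aws."}},
    {"DomainName": "www.example.xyz",
     "ResourceRecord": {"Name": "_ghi789.www.example.xyz.", "Type": "CNAME",
                        "Value": "_jkl012.acm-validations.aws."}},
]


def acm_validation_changes(validation_options, ttl=300):
    """UPSERT one CNAME per distinct validation record name (duplicates are collapsed)."""
    seen = {}
    for opt in validation_options:
        rr = opt.get("ResourceRecord")
        if not rr:  # e.g. e-mail-validated names carry no DNS record; skip them
            continue
        seen.setdefault(rr["Name"], rr["Value"])
    changes = [
        {"Action": "UPSERT",
         "ResourceRecordSet": {"Name": name, "Type": "CNAME", "TTL": ttl,
                               "ResourceRecords": [{"Value": value}]}}
        for name, value in seen.items()
    ]
    return {"Comment": "ACM DNS validation", "Changes": changes}


def cloudfront_alias_changes(hostnames, distribution_domain):
    """UPSERT alias A records pointing each hostname at the CloudFront distribution.

    Alias records carry no TTL of their own; Route 53 uses the target's.
    """
    if not distribution_domain.endswith(".cloudfront.net"):
        raise ValueError("alias target must be the distribution's *.cloudfront.net domain")
    changes = [
        {"Action": "UPSERT",
         "ResourceRecordSet": {
             "Name": host.rstrip(".") + ".",
             "Type": "A",
             "AliasTarget": {
                 "HostedZoneId": CLOUDFRONT_HOSTED_ZONE_ID,
                 "DNSName": distribution_domain,
                 "EvaluateTargetHealth": False,
             }}}
        for host in hostnames
    ]
    return {"Comment": "point site at CloudFront", "Changes": changes}


if __name__ == "__main__":
    print(json.dumps(acm_validation_changes(SAMPLE_VALIDATION_OPTIONS), indent=2))
    print(json.dumps(cloudfront_alias_changes(["example.xyz", "www.example.xyz"],
                                              "d111111abcdef8.cloudfront.net"), indent=2))
```

The `ValueError` guard exists because the same mistake from the CloudFront section can repeat here: pasting the S3 website endpoint where the distribution domain belongs would silently bypass the TLS front door.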

No, really. That's it. You may need to wait for everything to finish deploying and validating, and Route 53 can sometimes take a few moments to get everything in order. I visited my blog in an Incognito session to make sure I wasn't looking at a cached version of my page. I see the lock icon in Chrome now.

I found that the other articles online were focused on a different variation of my set up, so by following those guidelines (as I mentioned above), I ended up doing a lot of unnecessary things when I actually only needed a few simple steps. This was a much simpler, and cheaper, process than I ever thought it was going to be. Let me know if this helped you out!