
Enable HTTPS for a web application running on Elastic beanstalk without a load balancer

Dec 31, 2020
To enable HTTPS for any website, we need to install and configure an SSL certificate on the server. SSL certificates protect users’ sensitive data such as payment-related info, name, address, email, etc by encrypting the data during transmission from their browsers to your servers. We can get paid SSL certificate from certificate providers or generate using some open-source tools like let’s encrypt or cert-bot.

For self-managed ec2 instance, we can easily configure the SSL certificate by login into the server via SSH. But If we are running a web application on Elastic beanstalk then it manages the instance. EB takes care of auto-scaling, load balancing, etc. So we don’t have control over instances. They can be terminated in case of a scaling event or due to some failure. That’s why, While working with Elastic beanstalk, Most developers find it easy to request a certificate from AWS and attach it to the load balancer. But, Load balancer service is costly. So if you are working on some small project or startup and you don’t really need more instances behind load balancer then having a load balancer is just an overkill to enable HTTPS.

In this blog post, I am going to share a configuration script that I have recently developed and explain what it does.

Setting Up Certbot for SSL Certificate Generation

We can easily use the certbot to generate the certificate. We need to run the following commands on a server via the command line to download and install certbot.

sudo mv certbot-auto /usr/local/bin/certbot-auto
sudo chown root /usr/local/bin/certbot-auto
sudo chmod 0755 /usr/local/bin/certbot-auto
sudo /usr/local/bin/certbot-auto --no-bootstrap

The next step is to generate a certificate. The below command will generate a certificate and put it in some specific folder. It takes an admin email and domain name in the argument.

sudo /usr/local/bin/certbot-auto certonly --standalone -m --agree-tos -d -n
# command will generate certificate files at following path
# /etc/letsencrypt/live/
# /etc/letsencrypt/live/

Automating SSL Setup in Elastic Beanstalk

For applications deployed using Elastic beanstalk, we are not supposed to run the above commands manually via ssh. So we should put this command in a shell script file and run that script via container commands. I have done this for a Django project. To serve the Django app, EB manages apache service. So before running above mentioned command, we need to stop apache and once we are done with that command, we need to start again. So my final shell script will look something like below:

1source /opt/python/current/env
2# set domain name in the environment variable as DOMAIN
3# echo $DOMAIN
5if test -f "$CERT_FILE"; then
6    exit
10sudo mv certbot-auto /usr/local/bin/certbot-auto
11sudo chown root /usr/local/bin/certbot-auto
12sudo chmod 0755 /usr/local/bin/certbot-auto
13sudo /usr/local/bin/certbot-auto --no-bootstrap
14sudo /usr/local/bin/supervisorctl -c /opt/python/etc/supervisord.conf stop httpd
15sudo /usr/local/bin/certbot-auto certonly --standalone -m --agree-tos -d $DOMAIN -n
16sudo /usr/local/bin/supervisorctl -c /opt/python/etc/supervisord.conf start httpd

We need to add this script in container commands options as shown below:

2    100_generate_certificate:
3        command: "sh scripts/"

Adjusting Apache Configuration for HTTPS

If we deploy our web application with the above script file and container command, It will generate a certificate with the domain name which we have set in environment variables. Now, One last step is remaining. We need to adjust the apache config to serve HTTPS with SSLEngine on. We can do that by adding a post-deploy hook script which will create a new apache config with HTTPS settings.

2  "/opt/elasticbeanstalk/hooks/appdeploy/post/":
3    mode: "000755"
4    owner: root
5    group: root
6    content: |
7      #!/usr/bin/env bash
8      source /opt/python/current/env
10      ssl_conf="LoadModule wsgi_module modules/
11        WSGIPythonHome /opt/python/run/baselinenv
12        WSGISocketPrefix run/wsgi
13        WSGIRestrictEmbedded On
14        Listen 443
15        <VirtualHost *:443>
16          SSLEngine on
17          SSLCertificateFile \"/etc/letsencrypt/live/$DOMAIN/cert.pem\"
18          SSLCertificateKeyFile \"/etc/letsencrypt/live/$DOMAIN/privkey.pem\"
20          Alias /static/ /opt/python/current/app/static/
21          <Directory /opt/python/current/app/static>
22          Order allow,deny
23          Allow from all
24          </Directory>
26          WSGIScriptAlias / /opt/python/current/app/clearago/
28          <Directory /opt/python/current/app>
29          Require all granted
30          </Directory>
32          WSGIDaemonProcess wsgi-ssl processes=1 threads=15 display-name=%{GROUP} \
33            python-path=/opt/python/current/app \
34            python-home=/opt/python/run/venv \
35            home=/opt/python/current/app \
36            user=wsgi \
37            group=wsgi
38          WSGIProcessGroup wsgi-ssl
40        </VirtualHost>"
42        echo "$ssl_conf" | tee /etc/httpd/conf.d/ssl.conf
43        /usr/local/bin/supervisorctl -c /opt/python/etc/supervisord.conf restart httpd

That’s it. I hope that this will help someone trying to set up HTTPS without a load balancer with Elastic beanstalk.

