Get a full-blown HTTPs site from scratch in 10–15 minutes, the AWS way

Here is the how-to for a static website hosted out of AWS S3 via AWS CloudFront, complete with SSL certificates managed via AWS Certificate Manager. Using AWS as registrar to get the domain and AWS Route53 as DNS service. It’s a full package, you see. The site you end up with will get SSL certificate refresh for your custom domain without any need for intervention from your end, so no more worries about expired certificates. Enjoy!

STEP 1 — get the domain

Get a domain via Route53.

Super-straight forward and well explained in the AWS docs, so I’ll not dwell deeper on that matter:

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-register.html

Getting the domain directly via AWS gives you a couple of advantages like DNS records auto-created for Route53 and, something not all registrars offer for free, you do not pay extra for hiding your domain ownership details. If you intend to use the whole stack as proposed here you better get your domain via AWS, to make it short.

The process thereafter needs some time to complete, you will see a message like this:

Registering a new domain: what’s next?

  • Domain registration might take up to three days to complete.
  • We’ll send email to the registrant contact when the domain is successfully registered.
  • We’ll also send email to the registrant contact if we aren’t able to register the domain for some reason.
  • You can view the current status of your request on the dashboard in the Route 53 console.

You can check the status here. Usually it does not take three days, not even half a day in fact.

What happens w/ a domain I registered on AWS — auto-renewal or similar? Auto-renewal is turned on per default, can be turned off anytime. Nice thing anyway is that domain owner details are hidden by default at no extra expense.

STEP 2 — get your web contents ready

Create a S3 bucket, set properties to “static website” and last but not least make sure the files in your bucket are public.

This will be the origin for the CDN we are about to set up in the next step.

Create a CloudFront (web) distribution.

CloudFront is one of the services supported by Amazon Certificate Manager (ACM)

(https://docs.aws.amazon.com/acm/latest/userguide/acm-services.htm).

Point it to the S3 bucket you created — and use the “bucket hosting endpoint” url that is generated after you made the S3 bucket a website, which looks something like this:

http://xyz.s3-website.eu-central-1.amazonaws.com

Do not forget to set the alternate domain names for your distribution!

You can configure the distribution to enforce SSL by redirecting HTTP to HTTPS — and that is highly recommendable. We’ll have our SSL certificate in place in a short while anyway.

Creating the distribution will take a while — just proceed in the meantime with the SSL certificate per next step.

STEP 3 — get your ACM certificate

Request an AWS Certificate Manager (ACM) certificate.

First things first.

Be aware of the constraints as follow.

Regions matter for ACM + CloudFront

To use an ACM Certificate with CloudFront, you must request or import the certificate in the US East (N. Virginia) region. Again, set the region to N. Virgina in the portal before you continue!

Number of Domain Names per ACM Certificate

The default limit is 10 domain names for each ACM Certificate.

As far as what certificate domain names you need, make sure you have all covered.

Ok, all set?

Then let’s do it — as explained here, go to https://console.aws.amazon.com/acm/home and get that certificate creation process started.

You can use multi-domain, wildcard domains. Since the used DNS is Route53 you can have the CNAME record for domain ownership auto-created. (This is for DNS verification which is an highly advisable way of verifying your domain ownership.)

STEP 4 — last couple of checks

Apply the certificate to CloudFront.

By now hopefully the distribution is ready and you can do as documented here, which is putting the new certificate to good use.

Before you continue it is wise to test the CloudFront distribution endpoint (ending in .cloudfront.net) because configuration errors may occur, e.g. permission related.

If your “custom SSL box” is greyed out the region was not set to N. Virgina, see step before. You’ll have to issue the SSL cert again.

Otherwise — enjoy SSL certificates that are auto-renewed by AWS at no additional cost!

Point the DNS A record to your domain.

To have everything resolve you will need to point Route53 to your domains by setting A records in your hosted zone that deals with your domain. A records for both the www and for the apex (no-www) domain. These records need to point to the CloudFront endpoint, the URL would look like xyz.cloudfront.net.

Does it resolve?

Check with this handy tool if your DNS info is populated and where in the world:

https://dnschecker.org/#A/whatever.com

Re-propagating SSL certificates via CloudFront takes time.

Should you have to change certificates then make sure to give it some time, like 24h. In practice it would be quicker than that. It’s just not immediate, so better plan for it.

Full Disclosure: Using AWS Amplify Console, hosting a static site is even easier.

Visit my GitHub readme: https://github.com/MoBRUEC