If you've read my previous blog post, you know I migrated my entire Ghost blog to AWS utilizing ECS. In that post I only enabled HTTP; now it's time to secure the site and enable HTTPS by using an SSL certificate.

Traditionally, to create a certificate you generate a CSR and submit it to a certificate authority, which issues the SSL certificate. Another way, and my preferred method for a simple blog, is to utilize Let's Encrypt, which will create certificates and renew them on your behalf.

Well, now that my blog is 100% on AWS, I can leverage AWS Certificate Manager (ACM) and create an SSL certificate for my Ghost blog. I can even leave the renewals up to AWS to handle.

Creating an SSL Certificate

Let's create the certificate! Search and select Certificate Manager within the AWS services. Once in the Certificate Manager console, click on the "Request a certificate" button.

Select "Request a public certificate" and then click on the request a certificate button on the lower right corner.

Now I'm going to request a wildcard certificate. A wildcard is denoted by an * before the domain name. This allows me to create subdomains such as test.pafable.com and dev.pafable.com. Click on Next to proceed to certificate validation.

To validate the certificate you have two options: DNS validation or email validation. I'll be going with email validation. Once you've made your selection, click on Review and then request the certificate.

You should get an email with a link that will lead you to a page where you can approve the certificate request. This email may have been sent to your spam folder! When you follow the link in the email you should see a page like the one below.

Once you have clicked the Approve button, go ahead and check back in Certificate Manager; you will see the newly issued wildcard certificate. It may take some time for the status to show "Issued", so don't freak out if yours is not issued yet.

Using the certificate

Now that the certificate is created it's time to apply it to the site, but that's not going to happen on its own. Hop into the EC2 console and navigate to Load Balancers in the left-hand column.

This is where I'll apply the certificate. Those of you who have applied certificates using Nginx will find this familiar, although it's a very basic version.

First I'll edit the listener for port 80 to redirect to 443. This makes it so that if anyone tries to access http://pafable.com they are immediately redirected to https://pafable.com.

Then add another listener for 443 and create a rule to forward traffic to the target group of the ECS cluster. In my case the target group is named ghost-tg.

Now at the bottom you should see the option to configure an SSL certificate. Make sure to select "From ACM" and then find the certificate you created. Once that is complete you can click on the Create or Update button.
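The same listener changes, done with the AWS SDK instead of the console, as an added example that is not part of the original post. It assumes the `boto3` library and placeholder ARNs (`LOAD_BALANCER_ARN`, `CERTIFICATE_ARN`, `TARGET_GROUP_ARN`) that you replace with your own; the `ssl_policy` default is one of AWS's predefined ALB TLS policies and is my choice, not the post's. The port-80 listener gets a permanent redirect to HTTPS that preserves host, path and query, and the port-443 listener is created with the ACM certificate and a forward to the target group, only if it does not already exist.

```python
"""Apply the ALB listener configuration described above with boto3.

Added example, not the post's own code. The three ARNs are placeholders.
"""
from __future__ import annotations

# Placeholders (not values from the post): substitute your own ARNs.
LOAD_BALANCER_ARN = "arn:aws:elasticloadbalancing:REGION:ACCOUNT:loadbalancer/app/PLACEHOLDER"
CERTIFICATE_ARN = "arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER"
TARGET_GROUP_ARN = "arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/ghost-tg/PLACEHOLDER"


def redirect_to_https_action() -> dict:
    """Default action for the port-80 listener: a 301 to HTTPS on 443.
    The #{host}/#{path}/#{query} placeholders keep deep links intact."""
    return {
        "Type": "redirect",
        "RedirectConfig": {
            "Protocol": "HTTPS",
            "Port": "443",
            "Host": "#{host}",
            "Path": "/#{path}",
            "Query": "#{query}",
            "StatusCode": "HTTP_301",
        },
    }


def forward_to_target_group_action(target_group_arn: str) -> dict:
    """Default action for the port-443 listener: forward to the ECS target group."""
    return {"Type": "forward", "TargetGroupArn": target_group_arn}


def https_listener_request(
    lb_arn: str,
    cert_arn: str,
    tg_arn: str,
    ssl_policy: str = "ELBSecurityPolicy-TLS13-1-2-2021-06",  # assumed policy name
) -> dict:
    """Keyword arguments for elbv2.create_listener: HTTPS on 443 with the ACM cert."""
    return {
        "LoadBalancerArn": lb_arn,
        "Protocol": "HTTPS",
        "Port": 443,
        "SslPolicy": ssl_policy,
        "Certificates": [{"CertificateArn": cert_arn}],
        "DefaultActions": [forward_to_target_group_action(tg_arn)],
    }


def find_listener_arn(listeners: list[dict], port: int) -> str | None:
    """Return the ARN of the listener on the given port, or None."""
    for listener in listeners:
        if listener.get("Port") == port:
            return listener["ListenerArn"]
    return None


def apply(lb_arn: str, cert_arn: str, tg_arn: str) -> None:
    """Rewrite the port-80 default action and create the 443 listener if missing."""
    import boto3  # imported here so the pure helpers above work without boto3 installed

    elbv2 = boto3.client("elbv2")
    listeners = elbv2.describe_listeners(LoadBalancerArn=lb_arn)["Listeners"]

    http_arn = find_listener_arn(listeners, 80)
    if http_arn is None:
        raise RuntimeError("no port-80 listener on this load balancer")
    elbv2.modify_listener(ListenerArn=http_arn, DefaultActions=[redirect_to_https_action()])

    if find_listener_arn(listeners, 443) is None:
        elbv2.create_listener(**https_listener_request(lb_arn, cert_arn, tg_arn))


if __name__ == "__main__":
    apply(LOAD_BALANCER_ARN, CERTIFICATE_ARN, TARGET_GROUP_ARN)
```

Run it with credentials that are allowed `elasticloadbalancing:DescribeListeners`, `ModifyListener` and `CreateListener`; the redirect uses `HTTP_301` rather than `HTTP_302` so browsers cache the move to HTTPS.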

Testing the New Certificate

Alright, time to find out whether everything I've just done works. Open up your web browser and try to access your blog site using http. HTTP should be automatically redirected to HTTPS.

If everything still looks good, check out the certificate by clicking on the padlock symbol to the left of the URL. It should bring up details about the certificate. As you can see below, the certificate was issued by Amazon and is valid until December 18, 2020.

To conduct further tests go to https://www.ssllabs.com/. SSL Labs will run your site's SSL through its battery of tests and provide you with a rating of how secure your site really is. Anything with a B or better is a good indication that the site is safe and secure.
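The two manual checks above (the HTTP-to-HTTPS redirect and the certificate's issuer and expiry) can be scripted so they run after every deploy. The following is an added example, not code from the post, using only the Python standard library. `DOMAIN` is a placeholder, and the checking logic is kept in pure functions so it can be exercised with constructed responses; `main()` performs the live checks. It also prints the certificate's SAN list, which is worth a look because a `*.example.com` wildcard does not match the bare `example.com` apex unless that name was added to the certificate as well.

```python
"""Post-deployment checks for the HTTPS setup: redirect, issuer, expiry, SANs.

Added example, not the post's own code. DOMAIN is a placeholder.
"""
from __future__ import annotations

import http.client
import socket
import ssl
from datetime import datetime, timezone
from urllib.parse import urlsplit

DOMAIN = "example.com"  # placeholder: your blog's hostname


def is_https_redirect(status: int, location: str | None, host: str) -> bool:
    """True if an HTTP response redirects to https:// on the same host."""
    if status not in (301, 302, 307, 308) or not location:
        return False
    target = urlsplit(location)
    return target.scheme == "https" and (target.hostname or "").lower() == host.lower()


def days_until_expiry(not_after: str, now: datetime | None = None) -> int:
    """Whole days until the notAfter value returned by getpeercert(),
    which has the form 'Dec 18 23:59:59 2020 GMT'."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expires - now).days


def issuer_org(cert: dict) -> str:
    """organizationName from getpeercert()'s issuer tuple-of-tuples, or ''."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""


def san_names(cert: dict) -> list[str]:
    """DNS names listed in the certificate's subjectAltName extension."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def check_redirect(host: str) -> bool:
    """Fetch http://host/ and confirm it redirects to HTTPS (live network call)."""
    conn = http.client.HTTPConnection(host, 80, timeout=10)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        return is_https_redirect(resp.status, resp.getheader("Location"), host)
    finally:
        conn.close()


def fetch_cert(host: str) -> tuple[dict, str]:
    """TLS handshake with chain and hostname verification; returns (cert, version)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, 443), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.version() or ""


def main(host: str = DOMAIN) -> None:
    print("HTTP -> HTTPS redirect:", "OK" if check_redirect(host) else "MISSING")
    cert, version = fetch_cert(host)
    print("Negotiated TLS version:", version)
    print("Issuer organization:", issuer_org(cert))
    print("Days until expiry:", days_until_expiry(cert["notAfter"]))
    print("Subject alternative names:", san_names(cert))


if __name__ == "__main__":
    main()
```

Because `fetch_cert` uses `ssl.create_default_context()`, an untrusted chain or a name mismatch raises `ssl.SSLCertVerificationError` instead of being silently reported, which is the failure you want a deploy check to surface.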