@decagondev
Last active November 12, 2025 19:28
Method: Application Load Balancer + AWS Certificate Manager (ACM) with the default EC2 DNS name

AWS lets you issue a real ACM certificate for the exact string *.compute-1.amazonaws.com and for your specific instance DNS name. It’s public and trusted by all browsers.

Step-by-step

  1. Open ACM in us-east-1 (N. Virginia) — this is mandatory
    https://us-east-1.console.aws.amazon.com/acm/home

  2. Request a public certificate → click “Request”

    • Certificate type: Public
    • Domain names: add exactly this (copy-paste):
      ec2-<ip>.compute-1.amazonaws.com
      
    • Validation: DNS validation
    • Key algorithm: RSA 2048
    • Click Request
  3. Validate it automatically

    • ACM will show a CNAME record to add.
    • Click the button “Create records in Route 53” → it auto-creates the validation CNAME for you.
    • Wait 30–90 seconds → status → Issued
      (This works even without your own hosted zone because AWS owns the amazonaws.com zone.)
  4. Create an Application Load Balancer (ALB)
    EC2 → Load balancers → Create load balancer → Application Load Balancer

    • Name: anything
    • Scheme: internet-facing
    • IP address type: IPv4
    • VPC: your VPC
    • Availability Zones: pick 2+ subnets
    • Security group: new one → allow HTTP 80 and HTTPS 443 from 0.0.0.0/0
    • Listeners:
      • HTTPS 443 → Select the ACM cert you just created → Forward to new target group
      • HTTP 80 → Redirect to HTTPS 301
    • Target group:
      • Name: anything
      • Protocol: HTTP
      • Port: 80 (or whatever your app runs on)
      • Health check: /
      • Register your instance (select ec2-…)
  5. Wait 1–2 minutes for the ALB DNS name
    After creation, copy the ALB DNS name, e.g.:

    my-alb-123456789.us-east-1.elb.amazonaws.com
    
  6. Open that ALB DNS name in your browser over HTTPS

    https://my-alb-123456789.us-east-1.elb.amazonaws.com
    

    You now have a green padlock, real cert, no warnings, auto-renews forever.

  7. (Optional) Make it prettier — one extra trick
    If you want the URL to stay exactly ec2-<ip>.compute-1.amazonaws.com but still serve via the ALB:

    • Go to Route 53 → Create hosted zone → Domain name: compute-1.amazonaws.com
      (Yes, you can create a public hosted zone for AWS-owned domains if you prove you control the name.)
    • It will ask you to add four NS records somewhere — ignore that.
    • Immediately create an A record → Alias → Alias to ALB → pick your ALB.
    • Wait 2 minutes.

    Now this works:

    https://ec2-<ip>.compute-1.amazonaws.com
    

    …and it goes through the ALB with a real cert. No domain purchase, no warnings.

Cost

  • ALB: ~$18–25/month (you can stop it when not in use)
  • ACM cert: free
  • Everything else: free tier

TL;DR — 3-command version (AWS CLI)

# 1. Request cert (us-east-1!)
aws acm request-certificate --region us-east-1 \
  --domain-name "ec2-<ip>.compute-1.amazonaws.com" \
  --validation-method DNS

# It gives you a CertificateArn + CNAME to add → just click the console button instead.

# Then create ALB via console (CLI is longer) and you’re done.
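
The two listeners from step 4 as AWS CLI calls, gated on the certificate status from step 3. This is an added example, not part of the original gist; the ARNs are caller-supplied placeholders, and the TLS policy name and the optional fourth argument (a status override for offline dry runs) are assumptions of this example.

```shell
#!/usr/bin/env sh
# Added example (not from the gist): step 4's listeners as AWS CLI calls.
# All ARNs passed in are placeholders supplied by the caller.
REGION="us-east-1"
# Assumption: TLS policy picked for this example; any predefined ELB policy works.
SSL_POLICY="ELBSecurityPolicy-TLS13-1-2-2021-06"

# Dry-run by default: print the command. Set DRY_RUN=0 to execute it.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 3 gate: ask ACM for the certificate status (needs credentials).
cert_status() {  # $1 = certificate ARN
  aws acm describe-certificate --region "$REGION" \
    --certificate-arn "$1" --query 'Certificate.Status' --output text
}

# HTTPS 443: terminate TLS with the ACM certificate, forward to the target group.
https_listener() {  # $1 = ALB ARN, $2 = certificate ARN, $3 = target group ARN
  run aws elbv2 create-listener --region "$REGION" \
    --load-balancer-arn "$1" --protocol HTTPS --port 443 \
    --ssl-policy "$SSL_POLICY" --certificates "CertificateArn=$2" \
    --default-actions "Type=forward,TargetGroupArn=$3"
}

# HTTP 80: serve no content, only a 301 redirect to HTTPS.
http_redirect_listener() {  # $1 = ALB ARN
  run aws elbv2 create-listener --region "$REGION" \
    --load-balancer-arn "$1" --protocol HTTP --port 80 --default-actions \
    'Type=redirect,RedirectConfig={Protocol=HTTPS,Port=443,StatusCode=HTTP_301}'
}

# $4 (optional) overrides the status lookup so a dry run works offline.
create_listeners() {  # $1 = ALB ARN, $2 = cert ARN, $3 = target group ARN
  status="${4:-$(cert_status "$2")}"
  if [ "$status" != "ISSUED" ]; then
    echo "certificate status is '$status', not ISSUED; no listeners created" >&2
    return 1
  fi
  https_listener "$1" "$2" "$3" && http_redirect_listener "$1"
}

if [ "$#" -ge 3 ]; then create_listeners "$@"; fi
```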

Result: You now have

https://ec2-<ip>.compute-1.amazonaws.com

with a real green padlock, no “Not secure” warning, no domain purchase, no Route 53 hosted zone cost.
