To add a Let's Encrypt SSL certificate to an Amazon S3 static site, you will need to use Amazon CloudFront as an intermediary, since S3 does not support SSL certificates directly. Here are the detailed steps to achieve this:
- Create an S3 Bucket:
  - Go to the AWS Management Console.
  - Create a new S3 bucket with a unique name (this will be your static website).
  - Enable static website hosting in the bucket properties.
- Upload Your Website Files:
  - Upload your static website files (HTML, CSS, JavaScript, etc.) to the S3 bucket.
- Set Permissions:
  - Ensure that your bucket allows public access to serve the website. You can adjust permissions in the Permissions tab of the bucket settings.
- Set Up CloudFront:
  - In the AWS Management Console, navigate to CloudFront and create a new distribution.
  - Set the origin domain to your S3 bucket's website endpoint.
- Configure Distribution Settings:
  - Under "Default Cache Behavior Settings", ensure that "Viewer Protocol Policy" is set to "Redirect HTTP to HTTPS".
  - Enable "Compress Objects Automatically" for better performance.
- Set Alternate Domain Names (CNAMEs):
  - Add your custom domain (e.g., www.example.com) in the "Alternate Domain Names (CNAMEs)" section.
- Set Up an EC2 Instance:
  - Launch a temporary EC2 instance (e.g., t2.micro) to generate the SSL certificate.
  - Ensure that the instance has a public IP and security group rules allowing HTTP (port 80) and HTTPS (port 443) traffic.
- Install Certbot:
  - SSH into your EC2 instance and install Certbot:
    sudo apt update
    sudo apt install certbot
- Generate the SSL Certificate:
  - Run Certbot to obtain the certificate using the HTTP-01 challenge. Your domain must resolve to this instance's public IP when you run the command, because Let's Encrypt validates ownership by fetching a challenge file from port 80:
    sudo certbot certonly --standalone -d www.example.com
  - Replace www.example.com with your actual domain name.
- Locate the Certificate Files:
  - After successful generation, the certificate files will be stored in /etc/letsencrypt/live/www.example.com/.
- Import the Certificate to AWS Certificate Manager (ACM):
  - Go to the AWS Certificate Manager in the AWS Management Console, with the region set to US East (N. Virginia, us-east-1); CloudFront only accepts ACM certificates from that region.
  - Click on "Import a certificate".
  - Copy the contents of the cert.pem, privkey.pem, and chain.pem files into the respective fields in ACM.
- Note the ARN:
  - After importing, note the ARN (Amazon Resource Name) of the certificate as you will need it for CloudFront.
- Update CloudFront Distribution:
  - Go back to your CloudFront distribution settings.
  - Under "SSL Certificate", choose "Custom SSL Certificate" and select the certificate you imported into ACM.
- Save Changes:
  - Save the changes to the CloudFront distribution. This may take a few minutes to propagate.
- Point Your Domain to CloudFront:
  - In your domain registrar's DNS settings, create a CNAME record pointing your domain (e.g., www.example.com) to the CloudFront distribution domain name (e.g., d123456abcdef8.cloudfront.net).
- Set Up a Cron Job:
  - To automate the renewal of your Let's Encrypt certificate, you can set up a cron job on your EC2 instance:
    crontab -e
  - Add the following line to run the renewal command monthly. Pass the ARN you noted earlier via --certificate-arn so the renewed certificate replaces the one CloudFront already references instead of creating a second, unused ACM certificate (the ARN below is a placeholder). The instance needs an IAM role or credentials allowed to call acm:ImportCertificate:
    0 0 1 * * /usr/bin/certbot renew --quiet && aws acm import-certificate --certificate-arn arn:aws:acm:us-east-1:ACCOUNT_ID:certificate/CERT_ID --certificate file:///etc/letsencrypt/live/www.example.com/cert.pem --private-key file:///etc/letsencrypt/live/www.example.com/privkey.pem --certificate-chain file:///etc/letsencrypt/live/www.example.com/chain.pem --region us-east-1
  - The standalone renewal answers the HTTP-01 challenge on port 80 of this instance, so it only succeeds if challenge requests for your domain still reach the instance once DNS points to CloudFront. Verify with certbot renew --dry-run before relying on the cron job.
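As an added example (not part of the original steps), the following certbot deploy hook handles the re-import more robustly than the cron one-liner: certbot runs it only when a certificate was actually renewed, it checks that the PEM files exist and that the private key is not readable by other users, and it re-imports into the existing ARN so CloudFront keeps serving the same certificate. The script name, the ACM_CERT_ARN placeholder and the two helper functions are this example's own assumptions; RENEWED_LINEAGE is the variable certbot exports to deploy hooks.

```shell
#!/bin/sh
# Added example: certbot deploy hook that re-imports a renewed certificate into
# the EXISTING ACM certificate (same ARN) so the CloudFront distribution bound
# to that ARN picks up the renewal. Without --certificate-arn each import would
# create a new certificate that CloudFront does not reference.
# Install: certbot renew --deploy-hook /usr/local/bin/acm-deploy-hook.sh
# Certbot runs deploy hooks only after an actual renewal and exports
# RENEWED_LINEAGE, e.g. /etc/letsencrypt/live/www.example.com.
set -eu

# Placeholder ARN from the ACM import step; set ACM_CERT_ARN in the environment or edit here.
: "${ACM_CERT_ARN:=arn:aws:acm:us-east-1:ACCOUNT_ID:certificate/CERT_ID}"
ACM_REGION="us-east-1"   # CloudFront only accepts ACM certificates from us-east-1

# check_lineage DIR: the three PEM files certbot writes must exist and be
# non-empty, and privkey.pem must not be group- or world-readable.
check_lineage() {
    dir="$1"
    for f in cert.pem privkey.pem chain.pem; do
        [ -s "$dir/$f" ] || { echo "missing or empty: $dir/$f" >&2; return 1; }
    done
    # -L follows the live/ -> archive/ symlinks; GNU stat first, BSD stat as fallback
    perms=$(stat -L -c '%a' "$dir/privkey.pem" 2>/dev/null || stat -L -f '%Lp' "$dir/privkey.pem")
    case "$perms" in
        *00) return 0 ;;
        *) echo "privkey.pem mode $perms is too permissive (want 600)" >&2; return 1 ;;
    esac
}

# acm_import_cmd DIR ARN: print the aws command that re-imports DIR's files into
# ARN; main evaluates it and tests can inspect it. The ACM CLI docs use fileb://
# for these blob parameters.
acm_import_cmd() {
    dir="$1"; arn="$2"
    printf 'aws acm import-certificate --region %s --certificate-arn %s' "$ACM_REGION" "$arn"
    printf ' --certificate fileb://%s/cert.pem --private-key fileb://%s/privkey.pem' "$dir" "$dir"
    printf ' --certificate-chain fileb://%s/chain.pem\n' "$dir"
}
main() {
    lineage="${RENEWED_LINEAGE:?must be run by certbot as a deploy hook}"
    check_lineage "$lineage"
    # Paths under /etc/letsencrypt contain no whitespace, so eval of the printed line is safe.
    eval "$(acm_import_cmd "$lineage" "$ACM_CERT_ARN")"
}
# Act only when certbot invoked us; sourcing the file (e.g. for tests) runs nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

Because the hook fires only on real renewals, the cron entry can shrink to running certbot renew with this hook, and the import itself is done with the IAM permissions of the instance role.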
By following these steps, you can successfully add a Let's Encrypt SSL certificate to your Amazon S3 static site using CloudFront. This setup ensures that your static website is served securely over HTTPS, leveraging the benefits of both Let's Encrypt and AWS services.