Attach SSL to Elastic Load Balancer (ELB) and enable HTTPS

HTTPS enables you to transfer data over the network securely. To be able to use HTTPS with your load balancer you need to do the following steps:

1. Request a certificate
2. Add a CNAME record
3. Attach HTTPS listener to the load balancer

1. Request a certificate

From AWS console, go to "Certificate Manager".

It will take you to the homepage of the AWS Certificate Manager. Select Provision Certificate and click "Get started".

Choose "Request a public certificate" and click on the "Request a certificate" button.

Enter the domain name you are using with your load balancer and click next. If you are using a sub-domain, you will have to enter that sub-domain. Also, you can cover more than one domain in a single certificate like this:

whateverdomain.club
my.whateverdomain.club
abc.whateverdomain.club

or to cover all the sub-domains, you have to use

*.whateverdomain.club
whateverdomain.club

Select "DNS Validation" (learn why) and click "Next"

You can add tags if you want, otherwise, leave them empty and click "Review". On the review page, review the info and click "Confirm and Request". Click "Export DNS configuration to a file" (it will download a csv file) and click "Continue".

Now we need to validate our request (prove that we are authorized to request SSL certificates for our domain). Until the validation is completed you will see "Pending validation" status against the certificate request.

2. Add a CNAME record

To prove our authorization we need to add the CNAME record to our domain's DNS records. To do that go over to route 53 (if your domain's NS are not pointing towards AWS then you will have to do the following steps from your domain registrar's control panel or some other service that you are using).

Select the Hosted Zone for the domain in question.

Click "Create record set", open up the csv file that was downloaded earlier and enter the values accordingly:

Name = From csv's Record Name column
Type = CNAME - Canonical name
Alias = No
Value = From csv's Record Value column

After entering the values click "Save Record Set".

*Note: in the CSV file, the Record Name is completely written, you just need the random string part.

# value in csv
_ab1e89753de00b10b8de785149740feb.whateverdomain.club. 

# value you need to enter in the name field
_ab1e89753de00b10b8de785149740feb

Once the CNAME record has been added (correctly), go back to the AWS Certificate Manager and look for the status. It should be changed to "Issued".

*Note: The status change can take 0-72 hours. However, if ACM (AWS Certificate Manager) is not able to validate within 72 hours, then you will see "Time out" as the status and you will have to regenerate the request.

3.Attach HTTPS listener to the load balancer

Now that we have successfully generated an SSL certificate for our domain, we are ready to attach HTTPS listener to the load balancer. Head over to EC2, from the bottom left section select "Load Balancers". Select the load balancer to whom you intend to attach the SSL. Go the "Listeners" tab from the bottom and click "Add listener".

Select "HTTPS" as protocol. Add default action "Forward to" and select the target group to which you want to forward your requests. Leave "Security Policy" as it is. Select the certificate we generated above in the "Default SSL certificate".

Once the listener has been attached, go back to the load balancer page. From the bottom left select "Security Groups".

Select the security group attached to the load balancer.

Click "Edit inbound rules".

Click "Add Rule". From the "Type" dropdown, select HTTPS. From the source select 0.0.0.0/0. Add another rule, pick HTTPS as the type but ::/0 as the source. Click "Save rules".

That's it. Go to your browser, navigate to your domain and https as the protocol to confirm the set-up.