Ankit

Managing Certificates in Cloudfront Distribution

Managing Certificates in Cloudfront Distribution

Managing SSL/TLS certificates for any web or mobile App platform is an essential part of the overall solution delivery these days. Ensuring that the communication within the App or across the network is encrypted and brings the necessary compliance into the overall product architecture is very much required for any enterprise be it in services or for a product based company.

Now, With the increasing penetration of Containers and the rise of distributed architectures of products the requirements of having SSL certificates is now not limited to the customer-facing applications.

Question is How do we solve the need of having SSL based certificates when we deliver Serverless Applications or any services with Amazon Web Services(AWS). We are in this blog would be talking about the integration of SSL based certificates into CloudFront distributions.

There are two ways CloudFront allows to manage the certificates of its distribution, either using Amazon Certificate Manager(ACM) or using custom SSL certificates. For Custom SSL certificates we would be evaluating Let’s Encrypt a Free SSL certificate initiative.

Managing Certificates with ACM(Amazon Certificate Manager)

ACM

  • Goto CloudFront Distribution and under General click “Edit”.
  • Click on “Request of Import a certificate with ACM” Step-1
  • Enter the Domain Name for which Certificate needs to be validated and Click Next. Step-2
  • Select the mode of Validation. You can validate the authority of that domain either by adding a DNS record or by Email Validation. In our case, we would be going ahead with DNS validation and click on Review. Step-3
  • In the next step, you would be given the DNS record which needs to be added into your domain’s DNS. In case you are using Route53, it can be done automatically in ACM.
  • Once the Certificate Status is in ISSUED mode. You can go back to CloudFront Distribution and update the Certificate under ‘SSL Certificate’ section.

ACM is a free service and it doesn’t charge anything to manage the certificates. The charges would incur on the services like Cloudfront or ELB on which you would be deploying these certificates. One advantage of using ACM if you are using CloudFront is that you would be able to renew the certificates easily and at ease.

Managing Certificates with Let’s Encrypt

LetsEncrypt

  • Start the Ubuntu Docker Image locally
  • Install certbot using the following command
      $ sudo apt-get update
      $ sudo apt-get install software-properties-common
      $ sudo add-apt-repository universe
      $ sudo add-apt-repository ppa:certbot/certbot
      $ sudo apt-get update
      $ sudo apt-get install certbot
    
  • Create a new certificate
      root@1e6e13dc47f3:/# certbot certonly --manual --preferred-challenges dns -d datavizz.in
      Saving debug log to /var/log/letsencrypt/letsencrypt.log
      Plugins selected: Authenticator manual, Installer None
      Obtaining a new certificate
      Performing the following challenges:
      dns-01 challenge for datavizz.in
    
      -------------------------------------------------------------------------------
      NOTE: The IP of this machine will be publicly logged as having requested this
      certificate. If you're running certbot in manual mode on a machine that is not
      your server, please ensure you're okay with that.
    
      Are you OK with your IP being logged?
      -------------------------------------------------------------------------------
      (Y)es/(N)o: y
    
      -------------------------------------------------------------------------------
      Please deploy a DNS TXT record under the name
      _acme-challenge.datavizz.in with the following value:
    
      <<Some Code>>
    
      Before continuing, verify the record is deployed.   
      -------------------------------------------------------------------------------
      Press Enter to Continue
      Waiting for verification...
      Cleaning up challenges
    
      IMPORTANT NOTES:
      - Congratulations! Your certificate and chain have been saved at:
      /etc/letsencrypt/live/datavizz.in/fullchain.pem
      Your key file has been saved at:
      /etc/letsencrypt/live/datavizz.in/privkey.pem
      Your cert will expire on 2019-07-20. To obtain a new or tweaked
      version of this certificate in the future, simply run certbot
      again. To non-interactively renew *all* of your certificates, run
      "certbot renew"
      - If you like Certbot, please consider supporting our work by:
    
      Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
      Donating to EFF:                    https://eff.org/donate-le
    
  • Copy the generated certificates from docker image to local machine
      $ root@1e6e13dc47f3:/# cd /etc/letsencrypt/live/datavizz.in/
      $ root@1e6e13dc47f3:/etc/letsencrypt/live/datavizz.in# ls -l
          total 4
          -rw-r--r-- 1 root root 543 Apr 21 10:46 README
          lrwxrwxrwx 1 root root  35 Apr 21 10:46 cert.pem -> ../../archive/datavizz.in/cert1.pem
          lrwxrwxrwx 1 root root  36 Apr 21 10:46 chain.pem -> ../../archive/datavizz.in/chain1.pem
          lrwxrwxrwx 1 root root  40 Apr 21 10:46 fullchain.pem -> ../../archive/datavizz.in/fullchain1.pem
          lrwxrwxrwx 1 root root  38 Apr 21 10:46 privkey.pem -> ../../archive/datavizz.in/privkey1.pem
      $ Ankitss-MacBook-Air:datavizz.in ankitsmacbook$ docker cp 1e6e13dc47f3:/etc/       letsencrypt/archive/datavizz.in/ .
      $ Ankitss-MacBook-Air:datavizz.in ankitsmacbook$ ls -l
          total 8
          -rw-r--r--  1 ankitsmacbook  staff  543 Apr 21 16:16 README
          drwxr-xr-x  6 ankitsmacbook  staff  192 Apr 21 16:16 datavizz.in
      $ Ankitss-MacBook-Air:datavizz.in ankitsmacbook$ cd datavizz.in/
      $ Ankitss-MacBook-Air:datavizz.in ankitsmacbook$ ls
      cert1.pem    chain1.pem    fullchain1.pem    privkey1.pem
    
  • Uploading certificate into IAM Certificate Store on AWS.
      $ Ankitss-MacBook-Air:datavizz.in ankitsmacbook$ aws iam upload-server-certificate  --server-certificate-name datavizz_in_April --certificate-body file://cert1.pem     --private-key file://privkey1.pem --certificate-chain file://chain1.pem --path /cloudfront/<<CDNID>>/ --profile=DV
      {
      "ServerCertificateMetadata": {
          "ServerCertificateId": "<<SOME ID>>", 
          "ServerCertificateName": "datavizz_in_April", 
          "Expiration": "2019-07-20T09:46:51Z", 
          "Path": "/cloudfront/<<CDNID>>/", 
          "Arn": "<<ARN>>", 
          "UploadDate": "2019-04-21T11:24:32Z"
          }
      } 
    
  • Goto CloudFront and update the Certificate by removing the existing one and use the new certificate Name.

Let’s Encrypt is also free service available to manage SSL certificates for your applications.

If you’re looking to see how Serverless Application design could make an impact in your organization, We are an Cloud Native Application Development Company, we’d love to talk.

comments powered by Disqus