9

Will it be possible to have https on my static Amazon S3 website with Let's Encrypt?

I even have a Let's Encrypt Closed Beta invite now. But how do I use it with Amazon S3?

  • You didn't ask anything about how to use the service offered by Let's Encrypt. Your question appears to ask how to use what they provide (SSL certificates) with S3... which can't be done directly. – Michael - sqlbot Dec 05 '15 at 23:37
  • [Hosting a HTTPS static websites using S3 and Lets Encrypt](https://medium.com/@deepak13245/hosting-a-https-static-websites-using-s3-and-lets-encrypt-6f3e53014ff2) – Dmitry Ponomarev Feb 24 '20 at 08:38
  • [Hosting a HTTPS website using AWS S3 and CloudFront](https://medium.com/@itsmattburgess/hosting-a-https-website-using-aws-s3-and-cloudfront-ee6521df03b9) – Dmitry Ponomarev Feb 24 '20 at 08:43

5 Answers

7

The answer to the question comes in two parts.

First, though, using "Let's Encrypt" is not actually relevant to the question: it's a Certificate Authority (CA). It issues SSL (TLS) certificates, just like all the others, except that it apparently will only issue domain validation (DV) certificates and those certs will apparently be issued without charge. But those last two points (while interesting) are also not relevant to the question.

So, "can I use an SSL certificate from Let's Encrypt on a static web site hosted on S3?" is not the correct question to ask. The only question is "can I use HTTPS for my domain, with a certificate I provide, on my static site hosted on S3?"

First answer: No.

The website endpoints do not support https.

http://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteEndpoints.html

Second answer: Yes.

How?

CloudFront in front of S3. You can configure a CloudFront distribution pointing to the bucket's web site hostname as a "Custom" origin, then load your new SSL cert into CloudFront, and change the DNS to point to CloudFront instead of directly to the bucket.

This is the only solution using all-native-AWS-managed components for "installing" your own SSL cert for your own domain on a static web site hosted in S3. The S3 service doesn't support this directly, not with Let's Encrypt certificates, or certificates from any other CA.

Michael - sqlbot
6

You can store the files of your website on S3, but to publish it over HTTPS you need to use CloudFront. There you'll be able to select a custom certificate, which you have to upload to the AWS IAM certificate store. How to upload a custom server certificate: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs_manage.html

Norman Bauer
-1

You could create your own SSL cert using OpenSSL and apply it through the Apache config (assuming you're using Apache). Beware, however, that home-grown certificates and HTTPS make effectively all browsers give the user a warning that your site may be 'insecure' or 'compromised' when using said home-grown certificate. You could get an SSL cert from a certification authority, although that has a turnaround and usually costs some amount of money.

Bilfred
    This does not answer the question the author asked. Signing your own certificate has significant downsides. The most obvious downside is that every browser will generate an SSL error out of the box. This is not true with the Let's Encrypt 90-day DV certificates. Let's Encrypt is a CA, so your last sentence seems to indicate you don't understand that fact. [Quality over quantity.](http://superuser.com/users/399673/bilfredkerman?tab=answers) – Ramhound Nov 24 '15 at 13:42
  • So you saved 10 bucks with a self-made certificate. If you are doing it at home, that is OK, but in a production environment NEVER do that. – Nov 24 '15 at 13:56
-1

As I understand it, the Let's Encrypt system requires that you provide proof that you control the website by writing a JSON file containing a nonce in a well-known location. Once you've done that, your agent has a key that it can use to update the SSL certificate. The agent must be able to write the certificate to the right location somehow, but I don't believe it has to run on the machine serving the website.

As such, you could have the agent write it to a location which you occasionally check from some script that then uses the correct Amazon API calls to update the certificate. It's probably even possible to have the agent directly call that script.

Disclaimer: I haven't actually looked at Let's Encrypt in detail; this is just what I grasped from the "how does it work" documentation.

Wouter Verhelst
-1

First question --> No.

Second question --> There's the option to add another service like CloudFront in front of S3, but you still need to get the certificate (CloudFront will not do it for you). There are some tools and services which will help you get the Let's Encrypt (LE) certificate, but it's not a one-click solution. It's still a bit of a hassle. But there are other services that you can put in front of S3 which offer one-click LE integration, where you don't need to deal with certificates at all (they will do it for you).