AWS with Elastic Beanstalk working, how to add an S3 subdomain?

Hello everyone, a real noobie here, trying my best to wrap my head around this.

I have an AWS Elastic Beanstalk domain that runs on a single EC2 instance (running Linux) without a load balancer. It’s a fairly simple site: http://gg-audio.com

I also have a subdomain that’s housed in an S3 bucket for some file downloads: downloads.gg-audio.com

I created a Let's Encrypt certificate for gg-audio.com, www.gg-audio.com and downloads.gg-audio.com, but it failed… I’m guessing because the downloads subdomain is not on the same IP address.

I tried again with just gg-audio.com and www.gg-audio.com, installed it and it works, but Chrome shows that my main page references an unsafe page, the downloads.

So, is it possible to put a cert on the S3 subdomain along with my main site? Separately?

Any advice would be appreciated. I’m relatively clueless.

Thank you.


With some work, you can get a downloads.gg-audio.com certificate, but the problem is using it.

This is more of an AWS architectural issue than a Let’s Encrypt thing.

The S3 website endpoint doesn’t support HTTPS. If you create a certificate, you can’t upload it to Amazon and make S3 use it. You have to do something else.

You can swap the website endpoint for the REST API endpoint, changing http://downloads.gg-audio.com/ to https://s3.dualstack.us-east-1.amazonaws.com/downloads.gg-audio.com/ or https://s3.amazonaws.com/downloads.gg-audio.com/ (or one of the other us-east-1 URLs).

(Of course, the website endpoint and REST endpoint aren’t entirely equivalent.)

You can set up a CloudFront distribution with HTTPS support. (Oddly enough, CloudFront + S3 can sometimes even be cheaper than S3 alone.)

With CloudFront, you could use the https://d111111abcdef8.cloudfront.net/ URL, or obtain and set up a certificate for downloads.gg-audio.com and use https://downloads.gg-audio.com/. For a certificate, you can upload a Let’s Encrypt certificate, but it would be difficult to set up. It would be easier to use Amazon’s own CA.

https://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteHosting.html
https://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteEndpoints.html

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Introduction.html
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/GettingStarted.html
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/MigrateS3ToCloudFront.html
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https.html

https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html


I would agree with @mnordhoff.

S3 alone can’t provide you any HTTPS certificate except S3’s own, which is https://s3.amazonaws.com/your-s3-bucket/file-path, for example: https://s3.amazonaws.com/general-storage-s3.server.stevenz.net/server/composer.phar

If you are okay with this, just use it.

If you want to use your own domain with S3 and HTTPS, signing up for a CloudFront instance would be better.
Also, S3 and CloudFront together (I personally believe it’s going to be cheaper, since my cost without CF is around $100 and with CF it’s $80, due to internal caching etc.).

P.S. If you are CloudFronting your download domain, you won’t need to get a certificate from LE, since Amazon requires you to upload the certificate & key to AWS Certificate Manager, which is going to kill you if you do it every 3 months; get an Amazon internal certificate and save yourself time & energy.

P.S.2 You can also set your EC2 instance up for CloudFront; this can save you from renewing (or auto-renewing) your certificate every three months, with a speed benefit… (But it will cost a little bit more…)

P.S.3 If you use CloudFront with EC2 & S3, just apply for a wildcard cert for gg-audio.com at AWS Certificate Manager.

Thank you

Forgive my ignorance…

Are you saying that instead of using links to my downloads on my main page like http://downloads.gg-audio.com/myDownload.zip, I could just use the bucket’s real address, like https://s3.amazon.com/downloads.gg-audio.com/myDownload.zip and then it’s all https safe?

That would certainly simplify the whole thing.

Yup!

The S3 REST and website endpoints don't work exactly the same, though. In particular, if you've configured redirects in S3, you can't use them.

For most purposes, it's not a problem.

https://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteEndpoints.html#WebsiteRestEndpointDiff

Edit: And it's s3.amazonaws.com, not s3.amazon.com.

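One way to act on the advice above, added here as an example and not code from the thread, is a small Python check that rewrites plain-http links pointing at the bucket (the thread's bucket name downloads.gg-audio.com is used, with a constructed HTML snippet) onto the https REST endpoint form, then lists any remaining http:// references that would still trigger the browser's insecure-content warning. It assumes a us-east-1 bucket, where the REST endpoint is s3.amazonaws.com as in the reply above.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample fragment of a main page that links to files in the
# S3 bucket "downloads.gg-audio.com" via the plain-http website endpoint.
SAMPLE_HTML = """<html><body>
<a href="http://downloads.gg-audio.com/myDownload.zip">Download</a>
<img src="http://downloads.gg-audio.com/img/logo.png">
<a href="https://www.gg-audio.com/about">About</a>
<script src="http://cdn.example.invalid/lib.js"></script>
</body></html>"""

# Matches src="..." and href="..." attribute values (double-quoted only).
ATTR_URL = re.compile(r'(src|href)="([^"]+)"')


def to_rest_endpoint(url: str, bucket: str) -> str:
    """Rewrite http://<bucket>/<key> to https://s3.amazonaws.com/<bucket>/<key>.

    Only URLs whose host is exactly the bucket name are changed; path, query
    and fragment are kept. Anything else (relative links, other hosts, URLs
    that are already https) is returned untouched. Assumes us-east-1; other
    regions use a region-specific S3 hostname instead.
    """
    parts = urlsplit(url)
    if parts.scheme != "http" or parts.hostname != bucket:
        return url
    path = f"/{bucket}{parts.path or '/'}"
    return urlunsplit(("https", "s3.amazonaws.com", path, parts.query, parts.fragment))


def rewrite_html(html: str, bucket: str) -> str:
    """Apply to_rest_endpoint() to every src/href value in the document."""
    return ATTR_URL.sub(
        lambda m: f'{m.group(1)}="{to_rest_endpoint(m.group(2), bucket)}"', html
    )


def find_mixed_content(html: str) -> list[str]:
    """Return every src/href URL still using plain http (would be flagged on an https page)."""
    return [u for _, u in ATTR_URL.findall(html) if urlsplit(u).scheme == "http"]


if __name__ == "__main__":
    fixed = rewrite_html(SAMPLE_HTML, "downloads.gg-audio.com")
    print(fixed)
    print("still insecure:", find_mixed_content(fixed))
```

Anything reported by `find_mixed_content` after the rewrite is a reference to some other host that also needs an https source before the page is clean.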
