AWS with Elastic Beanstalk working, how to add an S3 subdomain?

Hello everyone, a real noobie here, trying my best to wrap my head around this.

I have an AWS Elastic Beanstalk domain that runs on a single EC2 instance (running Linux) without a load balancer. It’s a fairly simple site:

I also have a subdomain that’s housed in an S3 bucket for some file downloads:

I created a letsencrypt certificate for, and, but it failed…I’m guessing because the downloads subdomain is not on the same ip address.

I tried again with just gg-audio and, installed it and it works, put Chrome shows that my main page references and unsafe page, the downloads.

So, is it possible to put a cert on the S3 subdomain along with my main site? Separately?

Any advice would be appreciated. I’m relatively clueless.

Thank you.

1 Like

With some work, you can get a certificate, but the problem is using it.

This is more of an AWS architectural issue than a Let’s Encrypt thing.

The S3 website endpoint doesn’t support HTTPS. If you create a certificate, you can’t upload it to Amazon and make S3 use it. You have to do something else.

You can swap the website endpoint for the REST API endpoint, changing to or (or one of the other us-east-1 URLs).

(Of course, the website endpoint and REST endpoint aren’t entirely equivalent.)

You can set up a CloudFront distribution with HTTPS support. (Oddly enough, CloudFront + S3 can sometimes even be cheaper than S3 alone.)

With CloudFront, you could use the URL, or obtain and set up a certificate for and use For a certificate, you can upload a Let’s Encrypt certificate, but it would be difficult to set up. It would be easier to use Amazon’s own CA.

1 Like

I would agree with @mnordhoff.

Only S3 can’t provide you any https certificate except the s3 itself’s
which is s3 bucket/ file path for example:

If you are okay with this, just use it.

If you want to use your own domain with s3 and https, signup a CloudFront instance would be better.
Also, S3 and CloudFront (I personally believe it’s going to be cheaper since my cost without CF is around $100, with CF it’s $80, due to internal caching etc…).

P.S. if CloudFronting your download domain, you won’t need to get a certificate from LE since Amazon require to upload the certificate & key to AWS Certificate manager, which is going to kill you if you do it every 3 months, get an Amazon internal certificate and save you time & energy)

P.S.2 You can also set your EC2 instance for Cloudfront, this can save you from renewing (or auto-renew) your certificate every three months with speed benefit… (But will cost a little bit more…)

P.S.3 If you use CloudFront with EC2 & S3, just apply a wildcard cert for @ AWS Certificate Manager.

Thank you

Forgive my ignorance…

Are you saying that instead of using links to my downloads on my main page like, I could just use the bucket’s real address, like and then it’s all https safe?

That would certainly simplify the whole thing.


The S3 REST and website endpoints don't work exactly the same, though. In particular, if you've configured redirects in S3, you can't use them.

For most purposes, it's not a problem.

Edit: And it's, not


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.