AWS with Elastic Beanstalk working, how to add an S3 subdomain?


#1

Hello everyone, a real noobie here, trying my best to wrap my head around this.

I have an AWS Elastic Beanstalk domain that runs on a single EC2 instance (running Linux) without a load balancer. It’s a fairly simple site: http://gg-audio.com

I also have a subdomain that’s housed in an S3 bucket for some file downloads: downloads.gg-audio.com

I created a letsencrypt certificate for gg-audio.com, www.gg-audio.com and downloads.gg-audio.com, but it failed… I’m guessing because the downloads subdomain is not on the same IP address.

I tried again with just gg-audio.com and www.gg-audio.com, installed it and it works, but Chrome shows that my main page references an unsafe page, the downloads.

So, is it possible to put a cert on the S3 subdomain along with my main site? Separately?

Any advice would be appreciated. I’m relatively clueless.

Thank you.


#2

With some work, you can get a downloads.gg-audio.com certificate, but the problem is using it.

This is more of an AWS architectural issue than a Let’s Encrypt thing.

The S3 website endpoint doesn’t support HTTPS. If you create a certificate, you can’t upload it to Amazon and make S3 use it. You have to do something else.

You can swap the website endpoint for the REST API endpoint, changing http://downloads.gg-audio.com/ to https://s3.dualstack.us-east-1.amazonaws.com/downloads.gg-audio.com/ or https://s3.amazonaws.com/downloads.gg-audio.com/ (or one of the other us-east-1 URLs).

(Of course, the website endpoint and REST endpoint aren’t entirely equivalent.)

You can set up a CloudFront distribution with HTTPS support. (Oddly enough, CloudFront + S3 can sometimes even be cheaper than S3 alone.)

With CloudFront, you could use the https://d111111abcdef8.cloudfront.net/ URL, or obtain and set up a certificate for downloads.gg-audio.com and use https://downloads.gg-audio.com/. For a certificate, you can upload a Let’s Encrypt certificate, but it would be difficult to set up. It would be easier to use Amazon’s own CA.

https://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteHosting.html
https://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteEndpoints.html

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Introduction.html
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/GettingStarted.html
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/MigrateS3ToCloudFront.html
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https.html

https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html


#5

I would agree with @mnordhoff.

S3 by itself can’t provide you any https certificate except S3’s own, which is https://s3.amazonaws.com/[your s3 bucket]/[file path], for example: https://s3.amazonaws.com/general-storage-s3.server.stevenz.net/server/composer.phar

If you are okay with this, just use it.

If you want to use your own domain with S3 and https, signing up for a CloudFront instance would be better.
Also, S3 and CloudFront together (I personally believe it’s going to be cheaper, since my cost without CF is around $100 and with CF it’s $80, due to internal caching etc.).

P.S. If CloudFronting your download domain, you won’t need to get a certificate from LE, since Amazon requires you to upload the certificate & key to AWS Certificate Manager, which is going to kill you if you do it every 3 months; get an Amazon internal certificate and save yourself time & energy.

P.S.2 You can also set up your EC2 instance for CloudFront; this can save you from renewing (or auto-renewing) your certificate every three months, with a speed benefit… (But it will cost a little bit more…)

P.S.3 If you use CloudFront with EC2 & S3, just apply for a wildcard cert for gg-audio.com at AWS Certificate Manager.

Thank you


#6

Forgive my ignorance…

Are you saying that instead of using links to my downloads on my main page like http://downloads.gg-audio.com/myDownload.zip, I could just use the bucket’s real address, like https://s3.amazon.com/downloads.gg-audio.com/myDownload.zip and then it’s all https safe?

That would certainly simplify the whole thing.


#7

Yup!

The S3 REST and website endpoints don’t work exactly the same, though. In particular, if you’ve configured redirects in S3, you can’t use them.

For most purposes, it’s not a problem.

https://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteEndpoints.html#WebsiteRestEndpointDiff

Edit: And it’s s3.amazonaws.com, not s3.amazon.com.
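The swap that #2 and #7 describe (replace `http://downloads.gg-audio.com/<key>` links with the path-style REST endpoint `https://s3.amazonaws.com/downloads.gg-audio.com/<key>`) is mechanical, so here is an added example script that does it over a page and reports whatever plain-http references remain. This is not code from the thread or from AWS; it assumes, as the replies do, that the bucket name equals the subdomain hostname and that the bucket lives in us-east-1 so the bare `s3.amazonaws.com` host works. The sample HTML is constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Constructed assumptions for this example: the S3 website-endpoint hostname from the
# thread, and the path-style REST host the replies point to (us-east-1 bucket assumed).
S3_WEBSITE_HOSTS = {"downloads.gg-audio.com"}
S3_REST_HOST = "s3.amazonaws.com"


def website_to_rest(url: str) -> str:
    """Map http://<bucket>/<key> (S3 website endpoint) to https://s3.amazonaws.com/<bucket>/<key>.

    Anything that is not a plain-http link to a known website-endpoint bucket is returned unchanged.
    """
    parts = urlsplit(url)
    if parts.scheme != "http" or parts.hostname not in S3_WEBSITE_HOSTS:
        return url
    # Path-style addressing: the bucket name becomes the first path segment.
    rest_path = "/" + parts.hostname + (parts.path if parts.path else "/")
    return urlunsplit(("https", S3_REST_HOST, rest_path, parts.query, parts.fragment))


class _RefCollector(HTMLParser):
    """Collects every href/src attribute value in document order."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.refs.append((tag, value))


def insecure_refs(html: str):
    """Return (tag, url) for every http:// reference on the page.

    Served over https, http:// subresources (img, script, ...) are mixed content and
    http:// links still send visitors to a cleartext URL, so both are worth listing.
    """
    collector = _RefCollector()
    collector.feed(html)
    return [(tag, url) for tag, url in collector.refs if urlsplit(url).scheme == "http"]


# Matches quoted href/src attribute values; the back-reference keeps the original quote style.
_ATTR_URL = re.compile(r'''(?P<attr>href|src)=(?P<q>["'])(?P<url>[^"']*)(?P=q)''', re.IGNORECASE)


def rewrite_page(html: str):
    """Rewrite S3 website-endpoint links to the HTTPS REST endpoint; return (new_html, leftovers)."""

    def _sub(m):
        return f'{m.group("attr")}={m.group("q")}{website_to_rest(m.group("url"))}{m.group("q")}'

    out = _ATTR_URL.sub(_sub, html)
    return out, insecure_refs(out)


# Constructed sample page, modelled on the links described in the thread.
SAMPLE_HTML = """<html><body>
<a href="http://downloads.gg-audio.com/myDownload.zip">Download</a>
<img src="http://downloads.gg-audio.com/img/logo.png">
<script src="http://cdn.example.org/lib.js"></script>
<a href="https://gg-audio.com/about">About</a>
</body></html>"""

if __name__ == "__main__":
    fixed, remaining = rewrite_page(SAMPLE_HTML)
    print(fixed)
    for tag, url in remaining:
        print(f"still insecure: <{tag}> {url}")
```

The rewrite only touches links to buckets listed in `S3_WEBSITE_HOSTS`; a third-party `http://` script is left alone and reported, since moving it to https is a separate decision. The caveat from #7 still applies: S3 website-endpoint redirects and index documents are not honoured by the REST endpoint, so check that every rewritten key really exists as an object.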

