Just a few days ago I spent $200 to purchase a multi-domain wildcard certificate so that I could host multiple secure domains, with multiple subdomains, on a single elastic beanstalk app. It was such a headache to figure out that I needed the multi-domain wildcard cert, then to find one to purchase for a reasonable price.
Now, 5 days later, AWS lets me create one for free in 3 minutes, with zero hassles. I cannot select it in beanstalk yet, but I am sure that will come. I am consistently amazed by how frequently AWS satisfies needs I barely knew (or didn't know) I had.
You can probably manually specify it in EB config files for the ELB. Haven't touched that in a couple of years, but support should be able to help. If not, reach out and I'll try to reconstruct it.
Can anyone think of any advantages LetsEncrypt would provide over this offering from AWS? Or does this basically kill LetsEncrypt's usage on AWS?
The only thing I can think of is that AWS Certificate Manager only validates by email addresses, which can be problematic if you don't have MX records or don't have control over them (maybe a large organization where the people who do control those email addresses won't click simple verification links).
It seems a bit inconsistent as to when it will use the email on the whois record for the validation too. For some subdomains I try it will allow validation using the whois address, other times it's just the common [email protected] (which requires an MX record).
So I guess if you're nesting deeper than one subdomain (e.g. abc.def.example.com) then maybe it'd be easier to get letsencrypt set up than to try to get MX records for abc.def.example.com.
Shameless Plug/Disclaimer: I had been working on a tool to make it dead simple to use Lets-Encrypt certificates for CloudFront/ELBs and handled autorenewal via Lambda. I'm not sure there is any use for this now that this exists though.
I don't think you have access to the actual private key file so this would be restricted to AWS services like an ELB. With letsencrypt you have the key file as well so you can use it for securing any type of connection (not just a load balancer front end).
I believe this requires the use of cloudfront or their load balancer. So if you want to stick with minimal costs you can use letsencrypt with just an ec2 instance.
My frustration with these offerings is that they tend to only service public-facing HTTPS servers. There are a lot of use cases where valid certificates come into play, and a lot of them aren't facing the public internet or serving HTTP traffic.
FWIW, you don't need to have an MX for example.com to get a certificate for it. The e-mail addresses used for domain validation come from WHOIS and can be, e.g., [email protected].
It depends on your security requirements as well. Some people feel the need for end-to-end encryption as opposed to SSL termination at the load-balancer tier. If you are one of those people, letsencrypt is the way to go.
Are these certificates exclusively for ELB and CloudFront? Does anyone see a way to download a certificate for manual installation on a server (EC2 or otherwise)?
> Currently, ACM Certificates are associated with Elastic Load Balancing load balancers or Amazon CloudFront distributions. Although you install your website on an Amazon EC2 instance, you do not deploy an ACM Certificate there. Instead, deploy the ACM Certificate on your Elastic Load Balancing load balancer or on your CloudFront distribution.
Ideally ACM certificate issuance and deployment would be two separate things, and this would be a general-purpose CA, which just happens to have integrated deployment tools for ELB and CloudFront.
You might be right. Maybe the pricing page 404 was a silly marketing stunt? That would be pretty clever.
BTW, it looks like there might be a lot of people flagging this post (raced to position 1, but then quickly dropped to position 5).
I'm not opposed to people flagging things or anything, but I'm curious as to why a post like this would be heavily flagged, if that is indeed what is happening.
Wow that was super easy. I tried this on one of my sites and it really took me like 2 minutes total to add SSL to it.
The only confusing part was that port 443 was blocked in ELB by default (which made it look like it didn't work, but it got fixed easily as soon as I figured it out). I've never seen an easier way to do this to date.
Buying an SSL cert through Bluehost (where my domain is registered and my blog is hosted) and figuring out how to apply it to my web-app, zejoop.com, hosted on AWS was far and away the most annoying and difficult chore in my development/deployment process as a relatively junior SW developer. If I could solve it all in-house within AWS (at reasonable cost) I'd be very happy. My cert just renewed, so until I roll the change to AWS my https:// is down. If the update is as difficult for me as the original install was, then I guess it will be about 18 hours of aggravation. So I'll look into this, if the OP title is a reality.
tl;dr - For now, their root CA is Starfield[0], but AWS may become a root CA very soon.
Amazon applied to Mozilla and Android to become a Root Certificate Authority in June 2015 [1]. It has recently been pending public discussion [2], which is one step away from inclusion by Mozilla [3] (aka becoming a root CA).
Once they are vetted and included in Mozilla's Root CA program, they will be accepted by the Firefox browser and on Linux. And after being vetted for Android, they will be accepted by Google Chrome/Chromium browsers. [4]
This is fantastic news. Now, let's see Heroku use either this or Let's Encrypt and eliminate their onerous $20 per host SSL fee, which is making the Internet less secure.
How will Amazon's new root certificate be spread to all browsers and mobile devices, so it's made sure that it will be trusted on every possible endpoint? Is the root certificate cross signed with another, already trusted cert?
It is past time. Where was this last month? We just started using Let's Encrypt to get certs onto ELBs. With a few mods to stuff on github we can easily generate certs for multiple domains (up to the 100 domain limit) and put them on the ELB.
I'm glad they are getting into this, competition is always good. With the pricing page giving a 404 I can only guess that it will cost more than Let's Encrypt, but if you haven't already rolled your own, it might be a nice option.
arcdigital|10 years ago
http://aws.amazon.com/certificate-manager/pricing/
https://docs.aws.amazon.com/acm/latest/userguide/acm-certifi...
click170|10 years ago
Still very cool!
Human_USB|10 years ago
    option_settings:
      aws:elb:listener:80:
        ListenerEnabled: false
      aws:elb:listener:443:
        InstancePort: "80"
        InstanceProtocol: "HTTP"
        ListenerProtocol: "HTTPS"
        SSLCertificateID: "<replace with ACM cert ARN>"
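The same .ebextensions listener config, as an added example that is not from the thread, with the plaintext ELB-to-instance hop replaced by re-encryption to the instance, which is the end-to-end encryption case discussed above; the certificate ARN is a placeholder and the instance is assumed to serve TLS on port 443 with its own certificate.

```yaml
# Added example (not the poster's config): terminate client TLS on the ELB
# with the ACM cert, then re-encrypt to the instance instead of forwarding
# plaintext HTTP to port 80. ACM certs cannot be exported to EC2, so the
# instance-side certificate has to come from elsewhere (e.g. Let's Encrypt
# or an internal CA). The ARN below is a placeholder.
option_settings:
  aws:elb:listener:80:
    ListenerEnabled: false            # no plaintext listener at the edge
  aws:elb:listener:443:
    ListenerProtocol: "HTTPS"
    SSLCertificateID: "<replace with ACM cert ARN>"
    InstanceProtocol: "HTTPS"         # encrypt the ELB-to-instance hop
    InstancePort: "443"               # instance serves TLS itself
```

A classic ELB does not verify the instance's certificate on the backend hop unless a backend server authentication policy is configured, so this protects the traffic inside the VPC but does not authenticate the instance by default.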
ubergeek42|10 years ago
https://github.com/ubergeek42/lambda-letsencrypt/
nik736|10 years ago
Great!
falcolas|10 years ago
Of course, it does look like they support wildcard certs, so it probably won't be cheap.
EDIT: Removed EV reference, these are DV only.
_alex_|10 years ago
Certs are free
ademarre|10 years ago
https://docs.aws.amazon.com/acm/latest/userguide/setup-websi...
draven|10 years ago
They probably are going to roll out this feature everywhere.
_alex_|10 years ago
EDIT: Just got a cert from the new service. Here's a screenshot of the cert chain. Amazon is issuing them: https://imgur.com/VGos0eY
devy|10 years ago
[0] http://i.imgur.com/s2Uijes.png
[1] http://www.geekwire.com/2015/amazon-wants-to-be-your-ssl-cer...
[2] https://mozillacaprogram.secure.force.com/CA/PendingCACertif...
[3] https://wiki.mozilla.org/CA:How_to_apply#Public_discussion
[4] https://www.chromium.org/Home/chromium-security/root-ca-poli...
nodesocket|10 years ago
As long as AWS provides an API to provision certificates, that would be awesome. I use Nginx, and need access to the private key and cert.