Configure AWS Route53 and CloudFront with PositiveSSL

Over the past week and a half I've come to realize the power that is Amazon Web Services, and I can't believe I'm behind the driver's seat of this Formula 1 car. Thinking about the infrastructure that anyone with a bit of knowledge can set up is beyond amazing to me.

The Plan

I'm personally working on a project that will use AngularJS in the wild. The idea is that the site will be hosted on S3 and talk to an external REST API. After further research, the best way to keep the API key out of the browser is a small NodeJS/Express server on a small EC2 instance: AngularJS calls the Express server, and only the server holds the key and calls the REST API on its behalf (more on this in another post). The majority of the site is static content; only the booking feature relies on the other service.

Journey to the Cloud

I set up the domain that I registered through Namecheap with Route53 as the DNS. I also purchased a cheap $9 per year PositiveSSL certificate from Namecheap. We will assemble the PositiveSSL certificate chain, upload it to AWS through IAM so that CloudFront can use it, and have CloudFront serve our S3 endpoint.

To the terminal!

Generate keys for the PositiveSSL certificate

Navigate to a directory where you want to store your keys. This private key is the one real secret in the whole process: it never leaves your machine except for the IAM upload, so keep the file readable only by your own user and out of any source repository. Run the following command:
openssl genrsa 2048 > mydomain.com.key

Generate a Certificate Signing Request

Next we need to generate a CSR. This is what we send to Namecheap to request our certificate from the CA; it carries the public half of the key and the hostname, and it is signed with the private key so the CA knows we hold it. When prompted for the Common Name, enter the exact hostname that CloudFront will serve (www.mydomain.com in this post); the remaining fields can be left at their defaults, and the challenge password should be left empty.
openssl req -new -key mydomain.com.key -out mydomain.com.csr

Request from Certificate Authority

Sign in to your domain registrar or wherever you purchased the SSL certificate and request that the certificate be issued. The questions about your web server aren't critical for this setup. Copy the output of the following command and paste it into the text box provided.
cat mydomain.com.csr

Please wait...

The CA will email you a zip archive with the individual certificate files. Extract them to a directory and concatenate the intermediate and root certificates into a chain. The chain is what lets a browser that has never seen Comodo's intermediate CA build a path from your certificate to a root it already trusts; if the chain is out of order or missing, some browsers (mobile ones especially) will show a certificate error even though the certificate itself is valid.

Concatenate the Certificate Chain for IAM

You will need the files named AddTrustExternalCARoot.crt, COMODORSAAddTrustCA.crt, and COMODORSADomainValidationSecureServerCA.crt. The order is: the intermediate that signed your certificate first, then the intermediate above it, then the root. Your own certificate (www_mydomain_com.crt in the zip) is not part of the chain; it is uploaded separately as the certificate body. The PositiveSSL chain is as follows:
cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > www.mydomain.com.crt

The result of this step is the chain file that we will upload to IAM. Note that it is a different file from the www_mydomain_com.crt the CA sent, despite the similar name. One caveat for anyone following this today: the AddTrust External CA Root expired on 30 May 2020, so a chain anchored on it no longer validates; use whatever chain files your CA currently ships, but assemble them in the same signer-first, root-last order.

Prepping for IAM
  1. Create a new IAM user for this task. The AdministratorAccess managed policy works, but it is far more than the job needs: the upload only requires the iam:UploadServerCertificate action (plus iam:ListServerCertificates and iam:GetServerCertificate if you want to inspect the result from the CLI), so prefer a policy limited to those actions.
  2. Create an access key for the user. The console shows the Access Key ID and Secret Access Key once; store them somewhere safe, never commit them, and delete the key once the upload is done. You will need both of these shortly.
  3. Download or make sure you have the aws cli installed.

If you're on Ubuntu:
sudo apt-get install python python-pip

sudo pip install awscli

Upload the Certificate to IAM

The AWS CLI does not prompt for credentials, so configure them first by running aws configure and entering the Access Key ID and Secret Access Key of the IAM user created earlier (region and output format can be left at their defaults). Alternatively, export them as AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY in the shell before running the command.

We then feed the command below the locations of our files. The certificate body is the www_mydomain_com.crt file we received directly from the CA. The private key is the mydomain.com.key we generated at the start. The certificate chain is the www.mydomain.com.crt we concatenated in the previous step. The --path is required and must begin with /cloudfront/ and end with a slash, otherwise CloudFront will not list the certificate; the --server-certificate-name is the name you will see when configuring CloudFront. The file:// prefix is also required on each file path.
aws iam upload-server-certificate --server-certificate-name www.mydomain.com --certificate-body file://www_mydomain_com.crt --private-key file://mydomain.com.key --certificate-chain file://www.mydomain.com.crt --path /cloudfront/www.mydomain.com/

If the upload is rejected with a chain or key error, check that the private key matches the certificate body and that the chain file starts with the certificate that signed yours.
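Before running the upload, it is worth checking the three files locally. The following is an added example, not code from the original post: it builds a constructed three-level chain with openssl so that the key and CSR generation, the chain assembly from the previous section and the pre-upload checks can all be exercised offline. The names test-root-ca, test-intermediate-ca and www.example.com, the file names and the helper functions are assumptions of this example; with a real PositiveSSL chain you would point check_chain and key_matches_cert at the www_mydomain_com.crt, www.mydomain.com.crt and mydomain.com.key files from the earlier steps.

```shell
#!/bin/sh
# Added example, not code from the original post. It builds a constructed
# three-level PKI with openssl (test-root-ca -> test-intermediate-ca ->
# www.example.com) so the post's steps can be exercised offline: make the key
# and CSR, assemble the chain in the post's order (signing intermediate first,
# root last), and check the files before they go to IAM. The CA names, the
# file names and www.example.com are assumptions of this example.
set -eu

# make_csr DIR NAME CN: the post's genrsa + req -new, with the key file locked
# down and a SAN, which CAs require alongside the CN. The config file avoids
# interactive prompts and makes the CSR reproducible.
make_csr() {
  dir=$1; name=$2; cn=$3
  openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
  chmod 600 "$dir/$name.key"                 # never group- or world-readable
  printf '[req]\nprompt = no\ndistinguished_name = dn\nreq_extensions = ext\n' > "$dir/$name.cnf"
  printf '[dn]\nCN = %s\n[ext]\nsubjectAltName = DNS:%s\n' "$cn" "$cn" >> "$dir/$name.cnf"
  openssl req -new -key "$dir/$name.key" -config "$dir/$name.cnf" -out "$dir/$name.csr"
}

# make_toy_ca DIR: a self-signed root and an intermediate it signs. This stands
# in for Comodo; with PositiveSSL these two certificates arrive in the CA's zip
# and you never hold their keys.
make_toy_ca() {
  dir=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  make_csr "$dir" root test-root-ca
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 2 \
    -extfile "$dir/ca.ext" -out "$dir/root.crt" 2>/dev/null
  make_csr "$dir" int test-intermediate-ca
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
    -CAcreateserial -days 2 -extfile "$dir/ca.ext" -out "$dir/int.crt" 2>/dev/null
}

# sign_leaf DIR DOMAIN: the CA's side of "Please wait...". The issued file gets
# the underscore name Comodo uses (www_example_com.crt), as in the post.
sign_leaf() {
  dir=$1; domain=$2
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$domain" > "$dir/leaf.ext"
  openssl x509 -req -in "$dir/$domain.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
    -CAcreateserial -days 2 -extfile "$dir/leaf.ext" \
    -out "$dir/$(printf '%s' "$domain" | tr . _).crt" 2>/dev/null
}

# check_chain LEAF CHAIN: walk the bundle from the top and require each
# certificate to be the issuer of the previous one (the leaf first), then let
# openssl verify the leaf against the bundle. Returns 1 and says why on failure.
# The walk is what catches a wrong order: openssl verify treats -CAfile as an
# unordered set, so on its own it passes a reversed bundle that browsers reject.
check_chain() {
  leaf=$1; chain=$2
  tmp=$(mktemp -d)
  awk -v out="$tmp/c" '/-----BEGIN CERTIFICATE-----/ {n++} {print > (out n ".pem")}' "$chain"
  want=$(openssl x509 -in "$leaf" -noout -issuer); want=${want#issuer=}
  i=1
  while [ -f "$tmp/c$i.pem" ]; do
    have=$(openssl x509 -in "$tmp/c$i.pem" -noout -subject); have=${have#subject=}
    if [ "$have" != "$want" ]; then
      echo "chain out of order at certificate $i: expected '$want', found '$have'"
      rm -rf "$tmp"; return 1
    fi
    want=$(openssl x509 -in "$tmp/c$i.pem" -noout -issuer); want=${want#issuer=}
    i=$((i + 1))
  done
  rm -rf "$tmp"
  if ! openssl verify -CAfile "$chain" "$leaf" >/dev/null 2>&1; then
    echo "openssl verify rejected $leaf against $chain"; return 1
  fi
  echo "chain order and signatures OK"
}

# key_matches_cert KEY CERT: the public key in the certificate must be the one
# derived from the private key, or IAM rejects the upload.
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# build_demo DIR: run the whole flow into DIR and write two bundles, the post's
# order (signing intermediate, then root) and a deliberately reversed one.
build_demo() {
  dir=$1
  make_toy_ca "$dir"
  make_csr "$dir" www.example.com www.example.com
  sign_leaf "$dir" www.example.com
  cat "$dir/int.crt" "$dir/root.crt" > "$dir/www.example.com.chain.crt"
  cat "$dir/root.crt" "$dir/int.crt" > "$dir/wrong-order.crt"
}

# Stand-alone run.
d=$(mktemp -d)
build_demo "$d"
check_chain "$d/www_example_com.crt" "$d/www.example.com.chain.crt"
check_chain "$d/www_example_com.crt" "$d/wrong-order.crt" || true    # expected to fail
if key_matches_cert "$d/www.example.com.key" "$d/www_example_com.crt"; then
  echo "private key matches the certificate body"
fi
rm -rf "$d"
```

check_chain insists that each certificate in the bundle is the issuer of the one before it because openssl verify on its own only answers "does some path to a trusted root exist", which is true for a reversed bundle as well; a browser walking the chain in the order CloudFront sends it is not so forgiving. The order rule is the same for any CA: the certificate that signed yours comes first, and your own certificate is never part of the chain file.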

Setup Route53 DNS

Navigate to Route53 in AWS and create a new Hosted Zone. Enter the domain that you are using and select Public Hosted Zone. The zone's NS record lists four name servers; enter those four at your domain registrar (Namecheap) as the domain's custom DNS servers.

Once this has propagated, changes made in Route53 become visible from your browser. I started seeing the changes after the In Progress status on Route53 completed.

Into the CloudFront

In AWS, navigate to CloudFront and create a new Web distribution.

Configuring the Distribution

You will be able to pull in S3 or ELB instances as origins and manage the traffic sent to them through CloudFront. Configure your settings as you see fit, but three of them matter here. Under Alternate Domain Names (CNAMEs) enter www.mydomain.com, otherwise the distribution only answers on its *.cloudfront.net name. Under Viewer Protocol Policy choose Redirect HTTP to HTTPS (or HTTPS Only) to force SSL for your visitors. Under SSL Certificate choose Custom SSL Certificate; this is where all the steps above come together, and the certificate we uploaded to IAM appears under the name we gave --server-certificate-name. Pick the SNI option rather than a dedicated IP: SNI costs nothing extra and every current browser supports it, while a dedicated IP carries a large monthly charge and only helps with very old clients.

Finally, point the domain at the distribution: back in Route53, add an A record for www.mydomain.com with Alias set to Yes and the distribution's *.cloudfront.net domain name as the alias target.
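The record that ties the two services together can also be created from the CLI. As an added example (not from the original post), the following shell function prints the Route53 change batch for an alias A record that sends www.mydomain.com to the distribution; the domain, the distribution name and the hosted zone ID you would pass to the CLI are assumptions. Z2FDTNDATAQYW2 is the fixed hosted zone ID AWS uses for every CloudFront distribution when it is an alias target.

```shell
#!/bin/sh
# Added example, not from the original post: emits the change batch for the
# Route53 alias record that points a hostname at a CloudFront distribution.
# The hostname and distribution domain are assumptions; Z2FDTNDATAQYW2 is the
# fixed hosted zone ID AWS assigns to all CloudFront alias targets.
set -eu

# alias_change_batch NAME DIST_DOMAIN: prints the JSON that
# aws route53 change-resource-record-sets expects. UPSERT creates the record
# or replaces it, so the function is safe to re-run. The trailing dots make
# the names fully qualified, as Route53 stores them.
alias_change_batch() {
  name=$1; dist=$2
  cat <<EOF
{
  "Comment": "alias $name to CloudFront",
  "Changes": [{
    "Action": "UPSERT",
    "ResourceRecordSet": {
      "Name": "$name.",
      "Type": "A",
      "AliasTarget": {
        "HostedZoneId": "Z2FDTNDATAQYW2",
        "DNSName": "$dist.",
        "EvaluateTargetHealth": false
      }
    }
  }]
}
EOF
}

# Stand-alone run: print the batch. To apply it (not run here), save the output
# to alias.json and run, with the hosted zone ID of your own zone:
#   aws route53 change-resource-record-sets --hosted-zone-id <your-zone-id> \
#       --change-batch file://alias.json
alias_change_batch www.mydomain.com d111111abcdef8.cloudfront.net
```

The HostedZoneId inside AliasTarget is not your own zone's ID; it is CloudFront's, which is the part people most often get wrong. If you enable IPv6 on the distribution, repeat the same batch with "Type": "AAAA".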