Install AWS SSL Certificate to EC2 instance without load balancer

I'm new to AWS and facing some confusion with ACM SSL certificate installation on an EC2 instance.

Is it possible to install the certificate without using ELB or CloudFront? I don't need a load balancer because the app is running on a single instance.

Do I have any other option to install the AWS SSL cert? If a load balancer is the only option, is it possible for a single instance only?

Thanks in advance for your answers.


Solution 1:

Certificates obtained through Amazon Certificate Manager (ACM) can only be installed on Elastic Load Balancers, CloudFront, API Gateway, and other AWS services. They cannot be exported or installed directly onto EC2 instances.

If you want to install an SSL certificate directly on your EC2 instance, you cannot use ACM. Instead, you will need to obtain an SSL certificate through a third party (such as Let's Encrypt, GoDaddy, etc.) and install it following the instructions for your web server.

It is 100% valid to put an ELB in front of a single EC2 instance, especially for the purpose of letting the ELB manage the SSL certificate.

Other benefits of using ELB in front of your EC2 instance:

  • You'll gain the protection of AWS Shield (which provides some levels of DDoS protection),
  • You can replace the EC2 instance or scale out more easily if needed in the future,
  • The ELB will handle the encryption/decryption of the HTTPS connections (freeing your EC2 instance's CPU to do other work)

Solution 2:

You will have to install the certificate for whatever server software you are running on your instance, e.g. Apache, nginx, Tomcat, Node.js. Each of these has its own mechanism for using certificates. Read their documentation.

Also, if you have set up DNS resolution for your instance's public IP (make sure you are using an Elastic IP), then you can use certbot from Let's Encrypt to automate this process. Check https://certbot.eff.org/. It supports multiple environments out of the box, and its SSL certificates are free.

Solution 3:

You can use a service like nip.io, which acts as on-the-fly DNS and forwards all requests for <IP>.nip.io to <IP>.

You can then use a service like Caddy to set up TLS certificates.

This is what your configuration will look like if your application is running on port 3000:

<EC2 Public IP>.nip.io {
    reverse_proxy localhost:3000
}

Once you run Caddy, you will be able to access the site at https://<IP>.nip.io.

I wrote an article on this: HTTPS on AWS EC2 without a Load Balancer.
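Whichever route from Solutions 2 and 3 is taken (certbot on the instance, or Caddy with a nip.io name), the certificate now lives on the EC2 host itself and nothing in AWS watches it for you. The following script is an added example, not code from any of the answers, that verifies a served leaf certificate actually covers the expected host name and still has enough validity left for renewal to be working; the host name 203.0.113.10.nip.io, port and file paths are placeholders.

```shell
#!/bin/sh
# Post-install TLS checks for a certificate served directly from an EC2
# instance (Let's Encrypt via certbot, or Caddy with a nip.io name).
# Added example; host names and paths are placeholders. Requires openssl.

# Fetch the leaf certificate the server actually presents (needs network).
# Usage: fetch_leaf_cert 203.0.113.10.nip.io 443 > leaf.pem
fetch_leaf_cert() {
    host="$1"; port="${2:-443}"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM
}

# Return 0 if the certificate is valid for the given host name (subjectAltName,
# with OpenSSL's CN fallback). A nip.io certificate is issued for "<IP>.nip.io",
# so a changed public IP (no Elastic IP) silently breaks this check.
cert_matches_host() {
    pem="$1"; host="$2"
    openssl x509 -in "$pem" -noout -checkhost "$host" | grep -q "does match"
}

# Return 0 if the certificate remains valid for at least $days more days.
# Let's Encrypt certificates live 90 days and certbot renews below 30, so a
# certificate with fewer than ~14 days left means renewal is not running.
cert_valid_for_days() {
    pem="$1"; days="$2"
    openssl x509 -in "$pem" -noout -checkend "$((days * 86400))" >/dev/null
}

# Run both checks against a saved leaf certificate; returns 0 only if all pass.
check_leaf() {
    pem="$1"; host="$2"; min_days="${3:-14}"
    status=0
    if cert_matches_host "$pem" "$host"; then
        echo "ok: certificate covers $host"
    else
        echo "FAIL: certificate does not cover $host"; status=1
    fi
    if cert_valid_for_days "$pem" "$min_days"; then
        echo "ok: more than $min_days days of validity left"
    else
        echo "FAIL: certificate expires within $min_days days (check renewal)"; status=1
    fi
    return $status
}
```

Run it from cron or a monitoring job as `fetch_leaf_cert "$HOST" > leaf.pem && check_leaf leaf.pem "$HOST"` so an expired or mis-issued certificate is caught before browsers start refusing the site.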