Configure Wildcard SSL to Amazon EC2 with Amazon Route 53 + NGINX + Docker
Hi everyone! Back again to share some experience, thoughts and opinions about technology related to the software engineering field. In the previous stories we learned how to configure a domain and a subdomain for Amazon EC2 with Amazon Route 53. Both stories can be found here: https://medium.com/@bismobaruno/4832900e353b and https://medium.com/@bismobaruno/1cb956c6a542
Nowadays, configuring a domain mostly includes SSL. What is SSL? SSL (Secure Sockets Layer) is an encryption-based Internet security protocol. In short, SSL secures our connection to the server because the traffic is encrypted.
There are tons of free and paid SSL certificates. The difference is that a paid SSL certificate may come with more support, a warranty and a longer validity period, while a free one doesn't.
That means sometimes we will face an expired SSL certificate and our connection becoming insecure. Make sure we remember when the SSL certificate expires, or set up a real-time notification. In this part we will use a free SSL certificate from https://www.sslforfree.com/ on our NGINX proxy.
Because we already use Docker to run NGINX, we will set up SSL inside Docker as well. We will use Docker Compose for this part to easily configure multiple ports and mount volumes.
What’s Compose?
Compose is a tool for defining and running multi-container Docker applications. With Compose, we use a YAML file to configure our application's services. Then, with a single command, we create and start all the services from our configuration.
1. Setup Docker Compose
Follow the installation steps from the official Docker website: https://docs.docker.com/compose/install/#install-compose
Download the current stable release of Docker Compose:
sudo curl -L "https://github.com/docker/compose/releases/download/1.25.5/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
Apply executable permissions to the binary:
sudo chmod +x /usr/local/bin/docker-compose
Test installation:
docker-compose --version
2. Setup SSL Certificate
Visit https://www.sslforfree.com/, fill the domain into the form, then click the Create Free SSL Certificate button.
Choose Manual Verification, and a Manually Verify Domain button will appear. Just click it.
We will have 2 files that should be downloaded. Just click Download File #1 and Download File #2. The files will begin downloading shortly.
Move the downloaded files into the AWS key pair directory so they are easy to copy:
cd [INTO AWS KEY PAIR LOCATION]
Copy the downloaded files to the server (I'm using SCP):
scp -i "aws_go_app.pem" dqaj9QX60Ia06dpgAWTSq23QgYFyJvsKTLgxk6mMhAk pRO0QTAWVCFNuY9P-t6UvZmvwjz2Ik4eljvDZKIRZyY ec2-user@ec2-34-212-76-173.us-west-2.compute.amazonaws.com:/home/ec2-user/
Connect to the instance:
ssh -i "aws_go_app.pem" ec2-user@ec2-34-212-76-173.us-west-2.compute.amazonaws.com
Create a directory for the verification files on the server, let's say .well-known/acme-challenge inside the nginx directory:
mkdir -p nginx/.well-known/acme-challenge
mv dqaj9QX60Ia06dpgAWTSq23QgYFyJvsKTLgxk6mMhAk pRO0QTAWVCFNuY9P-t6UvZmvwjz2Ik4eljvDZKIRZyY nginx/.well-known/acme-challenge/
Modify the NGINX configuration to serve those files by adding this location block to the domain's server config:
# Verification files live in nginx/.well-known/acme-challenge on the host
# and are mounted at this path inside the container by Docker Compose.
location /.well-known/acme-challenge/ {
    alias /var/www/practice-aws.site/.well-known/acme-challenge/;
}
The full config will look like this:
Next we move on to Docker Compose: create a docker-compose.yml file containing this code:
We need to stop the current NGINX service and re-run it using Docker Compose. First find the container ID using docker ps:
docker ps
Stop the container with the docker stop command:
docker stop [CONTAINER ID]
Run the service with the docker-compose command:
docker-compose up -d
To generate the certificates, go back to the SSL For Free webpage and click the Download SSL Certificate button.
If the certificates were generated successfully, we will be redirected to a page that shows our certificates. Next, click the Download All SSL Certificate Files button.
3. Config SSL Certificate
Don't forget to allow incoming HTTPS traffic to our instance. Go to https://aws.amazon.com/console/ and choose the EC2 service. In the instances list, choose the row in the Security Groups column.
We will be redirected to the Security Groups list. Click the row in the Security Group ID column.
Edit inbound rules by clicking the button.
Add an HTTPS rule with source Anywhere. Then Save rules.
Back to the downloaded certificates: we will have a zip file that contains 3 certificate files: ca_bundle.crt, certificate.crt and private.key.
Extract the zip and copy the directory to the instance like we did for the verification files:
scp -i "aws_go_app.pem" -r sslforfree ec2-user@ec2-34-212-76-173.us-west-2.compute.amazonaws.com:/home/ec2-user/nginx/cert
Last step: modify our NGINX conf to support SSL and point it at the certificates. Also modify docker-compose.yml to mount the certificates.
Yeah, we're almost done! We should restart the NGINX service. Find the container ID with the docker ps command:
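As an added example (my own helper, not the post's config), here is a shell script that builds the combined certificate file NGINX expects from certificate.crt and ca_bundle.crt and renders a site config covering both the acme-challenge location from earlier and the HTTPS server block. The in-container paths /etc/nginx/cert and /var/www/practice-aws.site and the upstream app:8080 are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. NGINX wants the leaf certificate
# followed by the CA bundle in ONE file, so the three downloaded files are not
# used as-is. Assumed paths: certs mounted at /etc/nginx/cert, challenge files
# at /var/www/practice-aws.site; "app:8080" is a placeholder upstream.

# Concatenate certificate.crt + ca_bundle.crt and lock down the private key.
build_fullchain() {
  cert_dir="$1"
  cat "$cert_dir/certificate.crt" "$cert_dir/ca_bundle.crt" > "$cert_dir/fullchain.crt"
  chmod 600 "$cert_dir/private.key"
}

# Print a site config: HTTP only serves the verification files and redirects
# everything else; HTTPS terminates TLS with the downloaded certificate.
render_nginx_conf() {
  domain="$1"; cert_dir="$2"; webroot="$3"
  cat <<EOF
server {
    listen 80;
    server_name ${domain} *.${domain};
    location /.well-known/acme-challenge/ {
        alias ${webroot}/.well-known/acme-challenge/;
    }
    location / {
        return 301 https://\$host\$request_uri;
    }
}
server {
    listen 443 ssl;
    server_name ${domain} *.${domain};
    ssl_certificate ${cert_dir}/fullchain.crt;
    ssl_certificate_key ${cert_dir}/private.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    location / {
        proxy_pass http://app:8080;
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-Proto https;
    }
}
EOF
}

# Usage on the instance (paths as assumed above):
#   build_fullchain /home/ec2-user/nginx/cert
#   render_nginx_conf practice-aws.site /etc/nginx/cert /var/www/practice-aws.site > nginx/practice-aws.site.conf
```

The server_name line lists both the apex and *.practice-aws.site, so the same block serves the subdomain once the wildcard certificate from the next section is in place.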
docker ps
Stop the container with the docker stop command:
docker stop [CONTAINER ID]
Run the service with the docker-compose command:
docker-compose up -d
And yes, it works! Now we can access the domain with HTTPS! But, oops?! When we try to access our subdomain, it seems the SSL isn't working properly. The solution is to use a Wildcard SSL certificate.
4. Setup Wildcard SSL Certificate
A Wildcard SSL certificate saves time and money compared to managing a separate SSL certificate for each subdomain: a single Wildcard SSL certificate can secure the fully qualified domain name and all of its subdomains.
Luckily, https://www.sslforfree.com/ supports Wildcard SSL for free. So we can modify our certificate to also cover all our subdomains. Let's go back to the site. We should input 2 entries separated by a space; the second one is for the Wildcard SSL:
- practice-aws.site
- *.practice-aws.site
In this step we have just 1 option, compared to when Wildcard SSL wasn't included. Click the button to proceed to the next step.
The next step will be a little bit different. We should add a TXT record to our DNS. Because we use Amazon Route 53, we will input the data there.
Open Amazon Route 53. Go to Hosted zones. Choose the domain to add the TXT record to.
Click the Create Record Set button and fill in the information from https://www.sslforfree.com/. We need to input:
- Name: _acme-challenge
- Type: TXT - Text
- TTL (Seconds): 1
- Value: the two values from sslforfree; here we can input multiple values on separate lines
Finally, click the Create button to generate the record.
Back on https://www.sslforfree.com/, we can verify the TXT record by clicking the verification link. If the TXT records are found, we can continue to download the certificates.
5. Config Wildcard SSL Certificate
Let's repeat the steps for copying our certificates to the server using scp and restarting the NGINX service using docker stop and docker-compose up.
After we've done those steps, refresh our subdomain address.
Yeah, finally our subdomain has a valid certificate!
Hope you enjoy it; I'm happy if this article is useful for you! Happy Pointing!
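As an added example (my own script, not part of the original post), here is a check that confirms the same thing from the command line and also covers the expiry reminder from the introduction: it fetches the certificate the server presents, reports the days left before it expires, and verifies that the certificate actually covers a subdomain. It assumes openssl and GNU date on the machine running it; www.practice-aws.site is an assumed subdomain.

```shell
#!/bin/sh
# Added example, not from the original post. Run it after each certificate
# swap, and from cron afterwards, since free certificates are short-lived.
# Assumes: openssl, GNU date (-d), outbound access to the domain on 443.

# Days from NOW_EPOCH (default: current time) until an openssl-style
# notAfter date such as "Jun 15 12:00:00 2025 GMT"; negative when expired.
days_until_expiry() {
  end_epoch=$(date -u -d "$1" +%s)
  now_epoch=${2:-$(date -u +%s)}
  echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Download the PEM certificate HOST presents for its own name (SNI) on PORT.
fetch_cert() {
  openssl s_client -servername "$1" -connect "$1:${2:-443}" </dev/null 2>/dev/null \
    | openssl x509
}

# Fail if DOMAIN's certificate expires within WARN_DAYS (default 14) or does
# not match www.DOMAIN, which is exactly the subdomain problem from section 3.
check_domain() {
  domain="$1"; warn_days="${2:-14}"
  cert=$(fetch_cert "$domain") || { echo "could not fetch certificate for $domain"; return 1; }
  end_date=$(printf '%s\n' "$cert" | openssl x509 -noout -enddate | cut -d= -f2)
  days=$(days_until_expiry "$end_date")
  echo "$domain: certificate expires in $days days ($end_date)"
  [ "$days" -gt "$warn_days" ] || { echo "renew soon"; return 2; }
  # "does match" only appears on success; failure prints "does NOT match".
  printf '%s\n' "$cert" | openssl x509 -noout -checkhost "www.$domain" | grep -q "does match" \
    || { echo "certificate does not cover www.$domain: wildcard missing?"; return 3; }
}

# Usage: check_domain practice-aws.site 14
```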
Thank you!
Other related stories:
- Deploy App into Amazon EC2 : https://medium.com/@bismobaruno/b33d458918fd
- Configure Domain : https://medium.com/@bismobaruno/4832900e353b
- Configure Subdomain : https://medium.com/@bismobaruno/1cb956c6a542