8

We are creating a Content Management System for our company. It is important that this CMS support dynamic domain names on a dynamic number of servers. After many hours of research we felt that Amazon's Elastic Beanstalk was the way to go. One thing that we also require is the ability to dynamically enable SSL for the domains associated with our system.

So in our system, we can create a "site" which will be associated with a domain. When the site is created, we should also have the ability to choose if the domain will be hosted over SSL/TLS. We plan on white-labeling the system and anticipate a large number of domains being associate with it.

I have been exploring the different possibilities for being able to get SSL set up on the servers (or the load balancer) and be able to change what domains are secured on the fly. Here is where I am at:

  • Using Amazon's Certificate Manager: this would be the most desired way to go about it. It is integrated with AWS and very easy to use. However, it has several debilitating limitations: 1. You have to verify every domain by email every time you request a new certificate. No big deal except that 2. It cannot apply certs to EC2 instances, only load balancers and load balancers can only be assigned one cert. This means you have to re-verify every domain whenever you want another domain to be secured. No good.
  • Using Let's Encrypt on the Load Balancer: this would be the next best way (that I can see) to secure our sites. Whenever a new site needs to be secured we will request a new certificate for all the domains that need SSL. Once the cert is created, we push it to IAM and tell EBS to associate the Load Balancer with the new Cert. The only problem I see with this is that LetsEncrypt limits their certs to 100 domains, as does the non-free but relatively inexpensive SSL provider, SSLMate. Might work for now, but it doesn't scale. Is there an automated SSL provider that has no limit on the number of domains on the cert?
  • Using Passthrough SSL: Amazon's Elastic Beanstalk allows you to set it up in such a way so that the load balancer will pass the encrypted traffic straight to the EC2 instances. Then you can allow the EC2 instances to handle the certificates. I can then utilize LetsEncrypt and assign an individual cert for each domain. I run into an issue when considering autoscaling: we will need to duplicate the certs across instances. My solution would be to store the certs in a secured S3 bucket, then have a cron running on all the EC2 instances to pull the new/updated certs over.

Are there any concerns with the last idea? Is there a better solution to what I am trying to do? Am I missing something? A concern? Or maybe a super simple solution to my problem?

Note that I am using docker, so I can set anything up on the server that I need to.

Patrick Stephan
  • 211
  • 2
  • 8
  • where did you end up on this? I'm looking at this too, lets encrypt + ELB seems viable and if the 100 name limit gets hit creating another ELB would potentially solve that I think ? – Ashtonian Jun 28 '17 at 17:03
  • I ended up moving to a new job before completing the project, however, before I left, I was testing the possibility of using Caddy Server as a load balancer and utilizing Caddy's "On Demand TLS" feature. – Patrick Stephan Jun 28 '17 at 20:19

1 Answers1

0

Elastic Load Balancer can now have up to 26 certificates (as seen here).

If you need more than 26 certificates per ELB and you want to use AWS services you could use a CloudFront distribution per certificate/domain.

Also you can use CNAME based DNS validation in CertificateManager in order to automatically renew the certificates without email validation.

ritt0r
  • 1