Is there any way to use HTTPS on a non-Route 53 domain used by my Lightsail instance?
I bought a domain from OVH (French registrar). After that, I’ve added a record to the OVH DNS zone that redirects the domain to my AWS Lightsail instance static IP.
This works for HTTP port 80, but I need to use SSL. I thought I could do this via the Lightsail interface, but I don’t see a way. Documentation only suggests it for Route 53 domains.
My Lightsail instance hosts a Docker app. I access the app via myDomain.com:3000. Should the SSL certificate be installed from OVH, from the Lightsail instance or from the docker container?
2 Answers
I believe there’s some understanding missing.
DNS is only a table mapping the hostname to an IP address (or another hostname). That’s it. Nothing more. Nothing to do with SSL. SSL is part of the transport, which means it must be configured on the server side.
There are several ways:
Your own SSL reverse proxy
This is a more complex setup, yet you have it included in the price of the server.
You can host another docker container on the same server – an http reverse proxy exposing port 443 (SSL).
Examples:
For both you will need to buy and configure the SSL certificate separately. Or you can use a free certificate service (like "Let's Encrypt").
AWS Load Balancer
This is what I’d suggest using, even if it adds some cost to the hosting.
AWS Lightsail comes with an ALB (application load balancer) if you enable it. There’s documentation on setting up SSL in the AWS ALB. The ALB uses the AWS Certificate Manager, which takes care of creating and renewing the SSL certificates.
The only thing you need to do is validate the domain ownership. It means when the Certificate Manager is creating new SSL certificates, you have to add some extra DNS records to your hostname provider (OVH) to prove that you manage the domain.
Configuring SSL indeed includes extra components, knowledge and administration. Once you get hold of it, you will be reusing the knowledge later, so it is worth it.
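A sketch of the reverse-proxy option from the answer above, added here as an example and not part of the original answer. It assumes Caddy as the proxy (the answer does not name one) with its built-in ACME client for a free certificate; the `my-app` image and the service and volume names are placeholders.

```yaml
# docker-compose.yml (constructed example)
services:
  app:
    image: my-app:latest        # placeholder for the existing application image
    expose:
      - "3000"                  # visible only on the compose network; no host port is published
    restart: unless-stopped

  proxy:
    image: caddy:2
    # Terminates TLS for myDomain.com and forwards plain HTTP to the app container.
    # A domain name in --from makes Caddy obtain and renew the certificate itself.
    command: caddy reverse-proxy --from myDomain.com --to app:3000
    ports:
      - "80:80"                 # ACME HTTP challenge and HTTP-to-HTTPS redirect
      - "443:443"               # HTTPS
    volumes:
      - caddy_data:/data        # keeps certificates and ACME account keys across restarts
    depends_on:
      - app
    restart: unless-stopped

volumes:
  caddy_data:
```

Port 443 has to be allowed in the Lightsail instance firewall, and the rule for port 3000 can be removed so the app is reachable only through the proxy.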
In case it helps someone else, I needed to enable secure 443 for my domain, which is registered elsewhere but with Route 53 NS records.
The simple route I took was:
The cert status will eventually become valid (it takes a few minutes), and you can then go ahead and assign it to the load balancer. The changes take a while to propagate thereafter.
Hope this helps.