
Is there any way to use HTTPS on a non-Route 53 domain used by my Lightsail instance?

I bought a domain from OVH (French registrar). After that, I’ve added a record to the OVH DNS zone that redirects the domain to my AWS Lightsail instance static IP.

This works for HTTP port 80, but I need to use SSL. I thought I could do this via the Lightsail interface, but I don’t see a way. Documentation only suggests it for Route 53 domains.

My Lightsail instance hosts a Docker app. I access the app via myDomain.com:3000. Should the SSL certificate be installed from OVH, from the Lightsail instance or from the Docker container?

2 Answers


  1. I believe there’s some understanding missing.

    DNS is only a table mapping the hostname to an IP address (or another hostname). That’s it. Nothing more. Nothing to do with SSL. SSL is part of the transport, which means it must be configured on the server side.

    There are several ways:

    Your own SSL reverse proxy

    This is a more complex setup, yet you have it included in the price of the server.

    You can host another Docker container on the same server – an HTTP reverse proxy exposing port 443 (SSL).

    Examples:

    For both, you will need to buy and configure the SSL certificate separately. Or you can use a free certificate service (like "Let's Encrypt").

    AWS Load Balancer

    This is what I’d suggest using, even if it adds some cost to the hosting.

    AWS Lightsail comes with an ALB (application load balancer) if you enable it. There’s documentation on setting up SSL in the AWS ALB. The ALB uses the AWS Certificate Manager, which takes care of creating and renewing the SSL certificates.

    The only thing you need to do is validate the domain ownership. It means when the Certificate Manager is creating new SSL certificates, you have to add some extra DNS records to your hostname provider (OVH) to prove that you manage the domain.


    Configuring SSL indeed includes extra components, knowledge and administration. Once you get hold of it, you will be reusing the knowledge later; it is worth it.

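The self-hosted reverse-proxy option from the first answer, as an added example that is not part of the original answer: a Docker Compose file that puts Caddy (which obtains and renews a certificate through ACME on its own) in front of the app on port 3000. The image name `my-app:latest`, the service and volume names, and `mydomain.com` (standing in for the question's myDomain.com) are placeholders.

```yaml
# Added example. Assumptions: my-app:latest, the service names and
# mydomain.com are placeholders for the asker's own image and domain.
services:
  app:
    image: my-app:latest          # hypothetical image of the existing app
    expose:
      - "3000"                    # reachable on the Compose network only,
                                  # not published on the host's public IP
    restart: unless-stopped

  proxy:
    image: caddy:2
    # Terminates TLS for the domain and forwards plain HTTP to the app
    # container. Giving --from a hostname turns on automatic HTTPS.
    command: caddy reverse-proxy --from mydomain.com --to app:3000
    ports:
      - "80:80"                   # ACME HTTP challenge and redirect to HTTPS
      - "443:443"                 # HTTPS
    volumes:
      - caddy_data:/data          # issued certificates and ACME account key;
                                  # persist it so restarts do not re-issue
      - caddy_config:/config
    depends_on:
      - app
    restart: unless-stopped

volumes:
  caddy_data:
  caddy_config:
```

The DNS record at OVH must already point at the instance's static IP, and ports 80 and 443 must be allowed in the Lightsail instance firewall before the certificate can be issued. Once the proxy is serving traffic, the public firewall rule for port 3000 can be removed so the app is reachable only through TLS.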
  2. In case it helps someone else, I needed to enable secure 443 for my domain, which is registered elsewhere but with Route 53 NS records.

    The simple route I took was:

    1. Create a hosted zone on R53 for your domain
    2. Update NS records on your registrar as needed
    3. Go ahead and create your Lightsail instance (before/after)
    4. Under networking in Lightsail, create a load-balancer because this is where you’ll enable 443 and assign a certificate.
    5. Under the account section in Lightsail, you’ll need to create a certificate, which will likely be unauthorised as you’ll need to verify the domain using a CNAME record update. Add this to R53, not your registrar (assuming it’s elsewhere).

    The cert status will eventually become valid (it takes a few minutes), and you can go ahead and assign it to the load-balancer. The changes take a while to propagate thereafter.

    Hope this helps.
