Certificates and Load Balancers: WordPress in AWS


Following the initial WordPress setup, I need to give the site an SSL certificate; Google doesn't like sites without certificates. I already have a wildcard certificate from CloudFlare; however, I want to keep this as AWS-native as I can, so I want to use AWS Certificate Manager (ACM) for this site's certificate. However, an EC2 instance on its own cannot use a certificate issued in ACM, because the private key never leaves ACM, so nothing running on the instance can present the certificate. So we need to go a bit further and set up an Elastic Load Balancer to sit in front of the website; the load balancer can hold the ACM certificate and terminate TLS for us.

Getting certificates from AWS Certificate Manager

To start getting your certificate, head over to https://console.aws.amazon.com/acm/home?region=us-east-1#/.

Request AWS Certificates
Click on Request a Certificate.
Public AWS Certificates
Select “Request a public certificate”.
certificate name
Enter the domain name and click Next.
AWS Certificate validation
Select the validation method in order to get your certificate. I tried using a CNAME first, but it did not work and stayed in a pending state. Email validation worked better (just make sure that one of the addresses ACM mails, such as admin@domain.com or postmaster@domain.com, is forwarded to a mailbox you read). ACM sends the validation email to the domain's WHOIS contacts and to admin, administrator, hostmaster, postmaster and webmaster at the domain. Click Review.

Requesting an AWS Certificate
Click Confirm and request.
completed AWS Certificate
There we have a properly assigned certificate.
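The same request done with the AWS CLI, using DNS validation, as an added example that is not part of the original post. It prints the CNAME records ACM wants published and then checks from the outside, with `dig`, that each one resolves to the expected value, because ACM only issues once its resolvers can see the record; that check is worth running before waiting on the console. The domain, certificate ARN, region and the `AWS`/`DIG` override variables are placeholders and assumptions, not values from the post.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): request an ACM certificate
# with DNS validation, print the CNAME records ACM wants, and verify from
# public DNS that they resolve. Domain, ARN and region are placeholders.
set -eu

AWS="${AWS:-aws}"               # overridable so the script can be exercised without an account
DIG="${DIG:-dig}"
REGION="${REGION:-us-east-1}"   # assumption: the region the load balancer will live in

# Request a certificate for DOMAIN plus a wildcard SAN; print the ARN.
request_cert() {
  domain="$1"
  "$AWS" acm request-certificate --region "$REGION" --domain-name "$domain" \
      --subject-alternative-names "*.$domain" --validation-method DNS \
      --query CertificateArn --output text
}

# Print the validation records ACM expects, one "name<TAB>value" per line.
# ACM fills them in a few seconds after the request, hence the retry loop.
validation_records() {
  arn="$1"; tries=0
  while [ "$tries" -lt 10 ]; do
    out=$("$AWS" acm describe-certificate --region "$REGION" --certificate-arn "$arn" \
        --query 'Certificate.DomainValidationOptions[].ResourceRecord.[Name,Value]' \
        --output text)
    case "$out" in
      ''|*None*) tries=$((tries + 1)); sleep 3 ;;
      *)         printf '%s\n' "$out"; return 0 ;;
    esac
  done
  return 1
}

# Normalise a DNS name for comparison: lower-case, exactly one trailing dot.
canon() { printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.*$/./'; }

# Succeed if the CNAME target seen in DNS equals the value ACM expects.
cname_matches() { [ "$(canon "$1")" = "$(canon "$2")" ]; }

# Look NAME up in public DNS and compare the CNAME target with VALUE.
check_record() {
  name="$1"; value="$2"
  actual=$("$DIG" +short CNAME "$name" | head -n 1)
  if [ -z "$actual" ]; then
    echo "MISSING  $name  (no CNAME visible in public DNS yet)"; return 1
  elif cname_matches "$actual" "$value"; then
    echo "OK       $name -> $actual"
  else
    echo "WRONG    $name -> $actual (expected $value)"; return 1
  fi
}

# Check every record for the certificate; non-zero if any is missing or wrong.
check_all() {
  rc=0
  while IFS="$(printf '\t')" read -r name value; do
    [ -n "$name" ] || continue
    check_record "$name" "$value" || rc=1
  done <<EOF
$(validation_records "$1")
EOF
  return $rc
}

# Only act when asked, so sourcing the file just defines the functions.
case "${1:-}" in
  request) request_cert "${2:?domain}" ;;
  check)   check_all "${2:?certificate ARN}" ;;
esac
```

Run `bash acm-dns.sh request example.com` to get the ARN, publish the records that `bash acm-dns.sh check <arn>` prints in the zone that is authoritative for the domain, and rerun the check until every line reads OK; the certificate moves from pending to issued shortly after that.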

The next step is to start using it.

We can't use the certificate on an EC2 instance directly: there is no option to download it, for a start. It can be used with a few integrated services though (https://docs.aws.amazon.com/acm/latest/userguide/acm-services.html), and a load balancer is one of them.

AWS Elastic Load Balancer

From the EC2 main page, select Load Balancers, then click on Create Load Balancer.

Create AWS Elastic Load Balancer
Select the type of load balancer; the options are application load balancer, network load balancer or classic load balancer. I chose the application load balancer.
Create AWS Elastic Application Load Balancer
The next page is the start of our configuration. Give it a name, select whether it is internet-facing or internal, and choose the IP address type (IPv4 only, or dual-stack IPv4 and IPv6):
Naming the AWS Elastic Load Balancer
We need to assign some listeners, so I added HTTP and HTTPS. It's a website, so that's all I need. The HTTP listener is best set to redirect to HTTPS rather than to forward plain-text requests to the instance.
AWS Elastic Load Balancer listeners
Next, select the availability zones.

AWS Elastic Load Balancer availability zones
Click on the option to take you to the security settings.
AWS Elastic Load Balancer security settings
Here we get to use the certificate created earlier:

AWS Elastic Load Balancer certificate
We need a security group. As one was already created by our WordPress install, it makes sense to use that. Note that sharing the group leaves the instance itself reachable from the internet on the web ports. The tighter arrangement is a separate group for the load balancer that allows 80 and 443 from anywhere, with the instance's group changed to accept port 80 only from the load balancer's group, so that every request has to pass through the load balancer.
AWS Elastic Load Balancer security groups
In step 4 we configure routing: a target group that the HTTPS listener forwards to. TLS terminates at the load balancer, so the target group can talk plain HTTP on port 80 to the instance. That also means WordPress sees HTTP requests; it needs to be told the original scheme from the X-Forwarded-Proto header the load balancer adds (the usual wp-config.php snippet sets $_SERVER['HTTPS'] to 'on' when that header says https), or it will build http:// links and can loop on its own HTTPS redirects. Trusting that header is only safe when the instance accepts traffic solely from the load balancer, since a client talking to the instance directly could set it.

AWS Elastic Load Balancer routing
In the next step we select the instance we want to route the traffic to.

Create AWS Elastic Load Balancer targets
You need to click on “Add to Registered” for it to be added to the targets:

Registering AWS Elastic Load Balancer targets
Next, we review the settings.
AWS Elastic Load Balancer settings Create AWS Elastic Load Balancer final
If all is good, then click on Create:
Creating AWS Elastic Load Balancer
It takes a short while to provision the load balancer.

AWS Elastic Load Balancer provisioning
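The load balancer build above, done with the AWS CLI, as an added example that is not from the original post. It departs from the console walkthrough in two places a practitioner would want: the load balancer gets its own security group, and the instance's group is changed to accept port 80 only from that group, so the instance is no longer reachable directly from the internet; and the HTTP listener redirects to HTTPS instead of forwarding plain HTTP. Every id, name, subnet, ARN and the TLS policy below are placeholders and assumptions; the instance group id stands for the one the WordPress install created.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): the load balancer build done
# with the AWS CLI, with the load balancer in its own security group, the
# instance reachable only from that group, and HTTP redirected to HTTPS.
# Every id, name, subnet and ARN below is a placeholder to replace.
set -eu

AWS="${AWS:-aws}"                                 # overridable so the script can be dry-run
NAME="${NAME:-wordpress}"
VPC_ID="${VPC_ID:-vpc-0123456789abcdef0}"         # assumption: the VPC the WordPress instance is in
SUBNETS="${SUBNETS:-subnet-aaaa1111 subnet-bbbb2222}"   # assumption: two public subnets, different AZs
INSTANCE_ID="${INSTANCE_ID:-i-0123456789abcdef0}"       # assumption: the WordPress EC2 instance
INSTANCE_SG="${INSTANCE_SG:-sg-0123456789abcdef0}"      # assumption: the group the WordPress install created
CERT_ARN="${CERT_ARN:-arn:aws:acm:us-east-1:123456789012:certificate/00000000-0000-0000-0000-000000000000}"
TLS_POLICY="${TLS_POLICY:-ELBSecurityPolicy-TLS13-1-2-2021-06}"  # assumption: a current TLS 1.2/1.3 policy

# JSON for one TCP ingress rule on PORT from SRC, where SRC is either a CIDR
# ("0.0.0.0/0") or a security-group id ("sg-..."); the latter makes a
# group-to-group rule, which is how the instance is tied to the load balancer.
ingress_rule() {
  port="$1"; src="$2"
  case "$src" in
    sg-*) printf '[{"IpProtocol":"tcp","FromPort":%s,"ToPort":%s,"UserIdGroupPairs":[{"GroupId":"%s"}]}]' "$port" "$port" "$src" ;;
    *)    printf '[{"IpProtocol":"tcp","FromPort":%s,"ToPort":%s,"IpRanges":[{"CidrIp":"%s"}]}]' "$port" "$port" "$src" ;;
  esac
}

# Default action for the port-80 listener: permanent redirect to HTTPS on
# 443, keeping host, path and query (the ALB defaults for RedirectConfig).
redirect_to_https_action() {
  printf '[{"Type":"redirect","RedirectConfig":{"Protocol":"HTTPS","Port":"443","StatusCode":"HTTP_301"}}]'
}

create_alb() {
  # 1. A dedicated group for the load balancer: 80 and 443 from anywhere.
  alb_sg=$("$AWS" ec2 create-security-group --group-name "$NAME-alb" \
      --description "load balancer: 80/443 from the internet" --vpc-id "$VPC_ID" \
      --query GroupId --output text)
  "$AWS" ec2 authorize-security-group-ingress --group-id "$alb_sg" --ip-permissions "$(ingress_rule 80 0.0.0.0/0)"
  "$AWS" ec2 authorize-security-group-ingress --group-id "$alb_sg" --ip-permissions "$(ingress_rule 443 0.0.0.0/0)"

  # 2. The instance only needs port 80, and only from the load balancer's
  #    group; drop its own world-open web rules (ignored if absent).
  "$AWS" ec2 authorize-security-group-ingress --group-id "$INSTANCE_SG" --ip-permissions "$(ingress_rule 80 "$alb_sg")"
  "$AWS" ec2 revoke-security-group-ingress --group-id "$INSTANCE_SG" --ip-permissions "$(ingress_rule 80 0.0.0.0/0)" || true
  "$AWS" ec2 revoke-security-group-ingress --group-id "$INSTANCE_SG" --ip-permissions "$(ingress_rule 443 0.0.0.0/0)" || true

  # 3. Load balancer, target group and the registered instance.
  # shellcheck disable=SC2086  # SUBNETS is intentionally word-split
  alb_arn=$("$AWS" elbv2 create-load-balancer --name "$NAME-alb" --type application \
      --scheme internet-facing --subnets $SUBNETS --security-groups "$alb_sg" \
      --query 'LoadBalancers[0].LoadBalancerArn' --output text)
  tg_arn=$("$AWS" elbv2 create-target-group --name "$NAME-tg" --protocol HTTP --port 80 \
      --vpc-id "$VPC_ID" --target-type instance --health-check-path / \
      --query 'TargetGroups[0].TargetGroupArn' --output text)
  "$AWS" elbv2 register-targets --target-group-arn "$tg_arn" --targets "Id=$INSTANCE_ID"

  # 4. Listeners: TLS terminates here with the ACM certificate and the
  #    request is forwarded as plain HTTP; port 80 only redirects.
  "$AWS" elbv2 create-listener --load-balancer-arn "$alb_arn" --protocol HTTPS --port 443 \
      --certificates "CertificateArn=$CERT_ARN" --ssl-policy "$TLS_POLICY" \
      --default-actions "Type=forward,TargetGroupArn=$tg_arn"
  "$AWS" elbv2 create-listener --load-balancer-arn "$alb_arn" --protocol HTTP --port 80 \
      --default-actions "$(redirect_to_https_action)"

  # Print the DNS name to point the site's CNAME at.
  "$AWS" elbv2 describe-load-balancers --load-balancer-arns "$alb_arn" \
      --query 'LoadBalancers[0].DNSName' --output text
}

# Only act when asked, so sourcing the file just defines the functions.
case "${1:-}" in
  apply) create_alb ;;
esac
```

Run it as `VPC_ID=... SUBNETS="..." INSTANCE_ID=... INSTANCE_SG=... CERT_ARN=... bash alb.sh apply`; the group-to-group rule in step 2 is what makes the X-Forwarded-Proto header trustworthy, because only the load balancer can then reach the instance.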
Browsing to the load balancer's DNS name shows that the certificate is applied, but the browser rejects it, as the name on the certificate does not match the elb.amazonaws.com hostname:

AWS Elastic Load Balancer DNS access AWS Elastic Load Balancer certificate
However, if I go to the proper URL, the certificate is issued by CloudFlare (this is after setting a CNAME record in the DNS pointing the site at the load balancer's DNS name):

AWS Load balance wrong certificate
This is because CloudFlare's proxy is doing the DNS and CDN work and also terminating TLS: the browser connects to CloudFlare and sees CloudFlare's certificate, and the Amazon certificate is only presented on CloudFlare's own connection to the load balancer, if that leg uses HTTPS at all.

CloudFlare DNS only
Clicking on the orange cloud icon switches the record to DNS-only mode, and the site then presents the Amazon certificate instead:

AWS correct load balancer certificate
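A shell check for exactly what the screenshots above show, added here and not part of the original post: which certificate a host serves for a given name, and whether that certificate covers the name. Because both the load balancer and CloudFlare choose the certificate by the SNI name the client sends, the useful trick is to connect to the load balancer's own DNS name while asking for the site's hostname; that shows what AWS serves for the site regardless of whether CloudFlare's proxy is in front of it. The hostnames in the usage lines are placeholders, and `openssl` must be installed.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): see which certificate a host
# serves for a given SNI name, and whether that certificate covers the name.
# Needs openssl; served_cert also needs network access.
set -eu

# Fetch the leaf certificate HOST serves when the client asks for NAME via
# SNI (default: NAME = HOST). Both the load balancer and CloudFlare pick the
# certificate by SNI, so the name asked for matters as much as the address.
served_cert() {
  host="$1"; name="${2:-$1}"
  openssl s_client -connect "$host:443" -servername "$name" </dev/null 2>/dev/null \
    | openssl x509
}

# Pull the DNS names out of "openssl x509 -text" output on stdin, one per line.
sans_from_text() {
  grep -A1 'Subject Alternative Name' | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# Same, starting from a PEM certificate on stdin.
cert_dns_names() { openssl x509 -noout -text | sans_from_text; }

# Succeed if NAME is covered by one of the DNS names on stdin (one per line),
# with the single-label wildcard rule: *.example.com covers www.example.com
# but neither example.com nor a.b.example.com.
name_covered() {
  name="$1"
  while IFS= read -r san; do
    if [ "$san" = "$name" ]; then
      return 0
    fi
    case "$san" in
      '*.'*)
        parent="${san#?.}"   # strip the leading "*."
        if [ "${name#*.}" = "$parent" ] && [ "${name%%.*}" != "$name" ]; then
          return 0
        fi ;;
    esac
  done
  return 1
}

# Report who issued the certificate HOST serves for NAME and whether it
# covers NAME; non-zero if it does not (the browser's "invalid" case above).
check_served() {
  host="$1"; name="${2:-$1}"
  pem=$(served_cert "$host" "$name")
  printf '%s\n' "$pem" | openssl x509 -noout -issuer -enddate
  if printf '%s\n' "$pem" | cert_dns_names | name_covered "$name"; then
    echo "covers $name: yes"
  else
    echo "covers $name: NO"
    return 1
  fi
}

# Usage (placeholder names): the site itself, then the load balancer asked
# for the site's name, which bypasses whatever CloudFlare's proxy does.
#   bash served-cert.sh check example.com
#   bash served-cert.sh check wordpress-alb-123.us-east-1.elb.amazonaws.com example.com
case "${1:-}" in
  check) check_served "${2:?host}" "${3:-}" ;;
esac
```

With the CloudFlare proxy on, the first call reports a CloudFlare issuer; the second reports Amazon for the same name, because it goes straight to the load balancer. Asking the load balancer for its own elb.amazonaws.com name instead reproduces the browser's mismatch, since that name is not on the certificate.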
In doing so, I have lost the benefits of using CloudFlare as a CDN, which has affected my GTMetrix score (I didn’t check the other ones). Here is the before (with CloudFlare):

CloudFlare GTMetrix
And now:

AWS CloudFlare
Quite a drop, and most of it because of the lack of a CDN:

AWS YSlow
Well, this gives me a chance to set up Amazon CloudFront in the next post.
