ParseServer – AWS SSL Setup

For the past 2 weeks I’ve been spending my free time with ParseServer and AWS. You can read my previous article on how to set it up here.

The awesome thing about ParseServer is that you can host it on AWS, Heroku, or your own server. Quite honestly, open source ParseServer is the best thing that ever happened to Parse.

AWS or even ParseServer might not be something big companies are interested in because they are most likely running their own cloud service. For smaller companies or developers like myself who are building apps in their free time just because, having a backend that’s secure, scalable and easy to set up is vital.

Today I am going to write about how to generate and set up an SSL certificate on Elastic Beanstalk using Certificate Manager, set up proper permissions using Identity & Access Management, set up a custom domain using Route 53, and properly update your name servers to point to your AWS instance. This write-up might get a bit complicated and perhaps hard to follow at times; please ask questions in the comments if that’s the case.

First things first: I assume you have a domain name registered. It doesn’t really matter who the registrar is; I am using GoDaddy to host my domains, but it can be any registrar. The next step is to actually deploy ParseServer on Elastic Beanstalk. Please refer to my tutorial here. The important part is to deploy your instance in N. Virginia since that’s the only region that supports self-signed SSL certificates generated in Certificate Manager – don’t ask me why. I am not sure.

Assuming you have your instance deployed and ready to go, let’s generate an SSL certificate. Navigate to Certificate Manager.

Select Request a Certificate. You’ll be asked to provide some crucial pieces of information such as your domain name, etc. Before requesting the actual certificate, please make sure your registrar has your correct email address on file for the domain you are trying to use… you’ll be receiving an email from Amazon to approve your certificate request shortly after submitting the request.

Next, we will need to create a Hosted Zone using Route 53.

Select Route 53 from the Console Home, select Hosted Zones and then click on the Create Hosted Zone button to start the process. You’ll be asked to enter the domain name, an optional comment, and the type (should be set to public). Amazon will set up 4 NS records for your domain name as well as a valid SOA record. This, however, is not enough. We will need to add an A record for your domain to point to your AWS instance as well as a CNAME record for “www”. While your existing record is selected, click on Create Record Set to add the A record.

Keep the name field blank. For type, select A – IPv4 address, make sure Alias is chosen and fill in Alias Target with your instance URL.

The next step is to update your domain name to point to your new name servers. For this to happen, make sure your newly created zone is selected. In a new tab, navigate to your registrar’s website, select the domain name you are trying to update with new NS records and update them with the ones from your AWS console. NS records should look something like this:

If everything went well, your domain should now point to your AWS instance. Your DNS should also be set up correctly (except for missing MX records). To check your DNS, use www.intodns.com. Depending on your registrar, it might take a few hours for your NS records to propagate. You’ll know your domain is pointing to your AWS instance when visiting it brings up:

The final step is to tell your instance to use the SSL certificate you generated earlier. To do so, navigate back to your AWS Console Home, select Identity & Access Management, then Roles. Here we will need to modify your service-role so it can list certificates…

Add the following line to the end of your Actions array:

You are now set to start using your SSL certificate. Navigate to Console Home, select EC2, and use the menu on the left side to select Load Balancers. Select the load balancer you would like to assign the new SSL certificate to, select Listeners (bottom part of the page), and select Edit. Add an HTTPS connection for your load balancer protocol and keep the instance protocol as HTTP. Then select Change under SSL Certificate and choose your newly generated certificate for your current domain.

Feel free to remove the old HTTP listener and hit “Save”. Believe it or not, you can now access your instance by using HTTPS.
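To confirm the listener change took effect, the following added example (not part of the original post) audits a saved copy of `aws elb describe-load-balancers` output for a classic load balancer. The sample JSON is constructed, `audit_listeners` is a hypothetical helper name, and the expected region defaults to N. Virginia (`us-east-1`) to match the deployment described above.

```python
import json

# Constructed sample in the shape of `aws elb describe-load-balancers` output
# (classic load balancer). Name, account id and certificate id are placeholders.
SAMPLE = json.loads("""
{"LoadBalancerDescriptions": [{
  "LoadBalancerName": "awseb-example",
  "ListenerDescriptions": [
    {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80,
                  "InstanceProtocol": "HTTP", "InstancePort": 80}},
    {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
                  "InstanceProtocol": "HTTP", "InstancePort": 80,
                  "SSLCertificateId": "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE-ID"}}
  ]}]}
""")

ENCRYPTED = {"HTTPS", "SSL"}  # front-end protocols that terminate TLS


def audit_listeners(description, expected_region="us-east-1"):
    """Return (load balancer, port, finding) tuples; hypothetical helper."""
    findings = []
    for lb in description.get("LoadBalancerDescriptions", []):
        name = lb.get("LoadBalancerName", "?")
        listeners = [d["Listener"] for d in lb.get("ListenerDescriptions", [])]
        if not any(l["Protocol"].upper() in ENCRYPTED for l in listeners):
            findings.append((name, None, "no HTTPS/SSL listener configured"))
        for l in listeners:
            port, proto = l["LoadBalancerPort"], l["Protocol"].upper()
            if proto not in ENCRYPTED:
                # The old HTTP listener was left in place: clients can still
                # reach the API without TLS.
                findings.append((name, port, f"plaintext {proto} listener still open"))
                continue
            parts = l.get("SSLCertificateId", "").split(":", 5)
            if len(parts) != 6 or parts[0] != "arn":
                findings.append((name, port, "encrypted listener has no certificate ARN"))
            elif parts[2] == "acm" and parts[3] != expected_region:
                findings.append((name, port,
                                 f"ACM certificate is in {parts[3]}, expected {expected_region}"))
    return findings


if __name__ == "__main__":
    for name, port, finding in audit_listeners(SAMPLE):
        print(f"{name}:{port}: {finding}")
```

An empty result means every listener terminates TLS with a certificate ARN in the expected region; the constructed sample reports the HTTP listener on port 80 that was left in place.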

To be honest, this tutorial was written for me first. I spent a couple of days learning my way around AWS and how to properly set up ParseServer so that my calls are secure. This was worth it.
