
How to get a free SSL certificate from Amazon and move to HTTPS on Amazon S3



At the end of the summer, we received a message from Google that Chrome would start showing warnings about a possible danger when visiting our site “I love IP”. This applies to pages with text forms (<input type="text"> or <input type="email">). The changes were to take effect from October, and we decided that it was finally time to move to HTTPS, which we had been planning for a long time.



There are many instructions online on how to move to HTTPS, so I will try not to repeat them and tell you how to get a free SSL certificate from Amazon and install it on the site. The whole process took us no more than two hours. But I hope with this instruction you will be able to make everything even faster.



So, here is a summary of the article:



1) Preparing the site for the move

2) Free SSL Certificate from Amazon

3) Certificate installation

4) Domain Setup

5) Redirect to a domain on https without www

6) SEO recommendations



The article assumes that you already have a static site on Amazon S3. If not yet, then you can use this instruction from Amazon (in English).



Preparing the site for the move



The most time-consuming part, as many articles note, is preparing the site for the move. The point is to replace absolute links with relative ones. This applies to the site's internal links, images and external files.



For internal links, we used relative links without a domain, for example, /kb/insurance-deductions/ . For external resources, relative links without a protocol, for example, <script src="//ajax.googleapis.com/ajax/libs/angularjs/1.5.7/angular.min.js"> .
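
One way to check the links before the move is to scan the generated HTML for anything still pinned to http://. The script below is an added example, not code from the original article; the sample markup, its paths and the cdn.example.com host are constructed, and the finding names are this example's own.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

SITE_HOSTS = {"www.iloveip.ru", "iloveip.ru"}  # the article's domain, with and without www
LOADS = {"script", "img", "iframe", "audio", "video", "source", "embed"}  # fetch a subresource
URL_ATTR = {**{t: "src" for t in LOADS}, "a": "href", "link": "href", "form": "action"}

class LinkAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, kind, url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get(URL_ATTR.get(tag, ""))
        if not url:
            return
        parts = urlsplit(url.strip())
        if parts.scheme != "http":
            return  # relative, protocol-relative (//host/...) and https URLs are fine
        rel = (a.get("rel") or "").lower().split()
        if tag in LOADS or (tag == "link" and "stylesheet" in rel):
            kind = "mixed-content"         # blocked or flagged on an HTTPS page
        elif tag == "form":
            kind = "insecure-form-action"  # form data would leave over plain HTTP
        elif parts.hostname in SITE_HOSTS:
            kind = "internal-http-link"    # should become a relative link
        else:
            return  # outbound http link: plain navigation, not mixed content
        self.findings.append((self.getpos()[0], kind, url))

def audit_links(html):
    parser = LinkAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page (not taken from the real site).
SAMPLE = """<link rel="stylesheet" href="http://www.iloveip.ru/css/main.css">
<link rel="canonical" href="https://www.iloveip.ru/kb/">
<script src="//ajax.googleapis.com/ajax/libs/angularjs/1.5.7/angular.min.js"></script>
<a href="/kb/insurance-deductions/">relative</a>
<a href="http://iloveip.ru/kb/">absolute</a>
<img src="http://cdn.example.com/logo.png">
<form action="http://www.iloveip.ru/subscribe"><input type="email"></form>"""

if __name__ == "__main__":
    for finding in audit_links(SAMPLE):
        print(finding)
```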



After checking the links, you can proceed to the installation of the certificate.



Amazon Free SSL Certificate



There are several types of SSL certificates:





Also, SSL certificates differ in functionality. They can be issued only to the domain itself (regular certificates), to the domain and all subdomains (Wildcard certificates) or to several domains on one server (SAN or Multi Domain certificates).



If you are not a bank or an online store, then a regular SSL certificate with domain verification (DV) will suit you.



Amazon provides free Domain Validation certificates for a period of 13 months. Certificates are renewed automatically. A certificate can be used for subdomains and other domains (but no more than 10). On one account, you can issue no more than 100 certificates.



The process of issuing a certificate is quite simple.



The first thing to do is to get mail on the domain:





Next, go to the Certificate Manager section of the AWS console and click the Request a Certificate button.





In the next step, specify the name of the domain (or several domains). For subdomains, as well as a domain with www, you can use the asterisk: *.domain.ru. For the certificate to cover the domain both with and without www, you need to specify both domains.





Click Review and request and then Confirm.



To confirm the domain, you need to follow the link in the letter from Amazon, which will come to one of the addresses listed above. (If there are several domains, then each domain must be confirmed.)



Certificate installation



To install the certificate, you must create a CloudFront distribution.



Our site is powered by Jekyll, and we use the s3_website gem to upload it to S3. To add CloudFront support with it, just run s3_website cfg apply at the command line and answer yes when asked whether you want to connect CloudFront.



If you create the CloudFront distribution manually, keep in mind that as the Origin Domain Name you need to specify not the S3 bucket where the site is located, but the bucket's static website Endpoint URL without http:// . It can be found in Properties → Static website hosting.



In the CloudFront distribution settings, in the General section, specify a Custom SSL Certificate and select your certificate. In the CNAME field, enter your domain with www; leave the other settings at their defaults.





Deploying CloudFront distribution will take some time. If everything was done correctly, then your site will be available at the address on cloudfront.net. You can check this with the cURL command:



    $ curl -I -H 'Host: www.iloveip.ru' https://df7vbe7u5dhq3.cloudfront.net
    HTTP/1.1 200 OK
    Content-Type: text/html; charset=utf-8
    Content-Length: 10784
    Connection: keep-alive
    Date: Sat, 07 Oct 2017 08:44:03 GMT
    Cache-Control: no-cache, no-store
    Content-Encoding: gzip
    Last-Modified: Sat, 07 Oct 2017 08:33:04 GMT
    ETag: "53b8ab65638f649f57c3cb0802754d5a"
    Server: AmazonS3
    X-Cache: Miss from cloudfront
    Via: 1.1 b94d547106622a98842a2c4a2d0cbf2b.cloudfront.net (CloudFront)
    X-Amz-Cf-Id: 4qQ_fAFAA4TJji9DlVQwNrCZpfqi8fefW4SZdCgTbdFecvw8Kwm_3Q==


Domain Setup



For the HTTPS site to open on your domain, you need to add a new record for it in Route 53. Click Create Record Set, in the Name field specify www, select Type A (A - IPv4 address) and in the Alias field click Yes. Next, in the Alias Target field, select the CloudFront distribution and click Create.





If everything is correct, the site will be available on your domain.



    $ curl -I https://www.iloveip.ru
    HTTP/1.1 200 OK
    Content-Type: text/html; charset=utf-8
    Content-Length: 10784
    Connection: keep-alive
    Date: Sat, 07 Oct 2017 08:44:03 GMT
    Cache-Control: no-cache, no-store
    Content-Encoding: gzip
    Last-Modified: Sat, 07 Oct 2017 08:33:04 GMT
    ETag: "53b8ab65638f649f57c3cb0802754d5a"
    Server: AmazonS3
    Age: 963
    X-Cache: Hit from cloudfront
    Via: 1.1 1b8e55abce35b88e0cbce7d177d84d20.cloudfront.net (CloudFront)
    X-Amz-Cf-Id: UZO3W6qiJWlcSJcEVBYkFnixuU_GIBQbUQNHG9EULEr78hTtzV_k3Q==


Redirect to a domain on https without www



To redirect the HTTPS domain without www to the domain with www, you need to create a new S3 bucket, a CloudFront distribution and a record in Route 53. But their settings will be slightly different.



In the S3 section, create a new bucket and give it your domain name without www.





Go to the bucket. In the Properties → Static website hosting section, select Redirect requests; in the Target bucket or domain field, enter the domain with www; in the Protocol field, enter https.





Copy the Endpoint; you will need it to create a CloudFront distribution.



In CloudFront, click Create Distribution → Web → Get Started. As the Origin Domain Name, specify the bucket Endpoint URL that you copied in the previous step, without http:// .



In the Cache Based On Selected Request Headers and Forward Cookies field, select All, in the Query String Forwarding and Caching field, select Forward all, cache based on all. (I don’t quite understand what these settings mean, but without them it’s impossible to configure the redirect.)





Next, in the CNAME field, specify your domain without www, then select Custom SSL Certificate and your certificate. Leave the rest of the settings at their defaults.





If everything is correct, then the site without www on cloudfront.net will give the status of 301 Moved Permanently.



    $ curl -I -H 'Host: iloveip.ru' https://d21b1cny7kphd.cloudfront.net
    HTTP/1.1 301 Moved Permanently
    Content-Length: 0
    Connection: keep-alive
    Date: Sun, 08 Oct 2017 13:08:57 GMT
    Location: https://www.iloveip.ru/
    Server: AmazonS3
    X-Cache: Miss from cloudfront
    Via: 1.1 f2a927b7000cd52484f674ad25ccd8ff.cloudfront.net (CloudFront)
    X-Amz-Cf-Id: gbGS646vty5zzTX7tmhOhBt7tFXfZ2FpQIFvVgFb3PukkIF8ducA0g==


Now it remains to configure the domain. To do this, add another record to Route 53. Click Create Record Set, leave the Name field empty, select Type A (A - IPv4 address) and click Yes in the Alias field. Next, in the Alias Target field, select the CloudFront distribution and click Create.





Let's check.



    $ curl -I https://iloveip.ru
    HTTP/1.1 301 Moved Permanently
    Content-Length: 0
    Connection: keep-alive
    Date: Sun, 08 Oct 2017 13:15:13 GMT
    Location: https://www.iloveip.ru/
    Server: AmazonS3
    X-Cache: Miss from cloudfront
    Via: 1.1 11a727876922c83c000e3ada668fa181.cloudfront.net (CloudFront)
    X-Amz-Cf-Id: k9zlvicvxcxh3peyaXxn-KHlwNYPwwZwV4F_wfOclXxK9WnDoY6pCw==


SEO recommendations



You probably noticed that in the CloudFront settings we left the Viewer Protocol Policy field at its default value: HTTP and HTTPS. This means that the site will be accessible over both protocols. This is necessary until Yandex has merged the HTTP and HTTPS mirrors of the site.



What else needs to be done on SEO in connection with the move to HTTPS?



  1. Update robots.txt file. Add https in the Host directive and in the Sitemap address.



    User-agent: *
    Sitemap: https://www.iloveip.ru/sitemap.xml

    User-agent: Yandex
    Host: https://www.iloveip.ru
    Sitemap: https://www.iloveip.ru/sitemap.xml



  2. Update all links in the site map. As I said, our site is powered by Jekyll. To generate a site map, we use the jekyll-seo-tag plugin. To update all the links in the site map, it is enough to specify the URL with HTTPS in the _config.yml file:



    title: I love FE
    description: Everything for self-registration of individual entrepreneurs and business
    url: https://www.iloveip.ru



  3. Set <link rel="canonical" href="" /> with https for all pages. The jekyll-seo-tag plugin will do this automatically once step 2 is done.
  4. Add the HTTPS site in the Google Search Console. To do this, add a resource and confirm your rights. You don’t need to do anything else for Google.
  5. Add the HTTPS site in Yandex Webmasters (similar to step 4). For Yandex, you need to perform one more step.
  6. Register the site move in Yandex Webmasters for the HTTP version. To do this, in the Indexing → Moving site section, check the Add HTTPS checkbox.


After a message appears in Yandex Webmasters that the main mirror of your site has changed, configure 301 redirects from HTTP to HTTPS. To do this, in CloudFront, select the distribution for the site with www. In the Behaviors section, in the Viewer Protocol Policy field, select Redirect HTTP to HTTPS.
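
The end state can be checked across all four entry points (http and https, with and without www) rather than one URL at a time. The sketch below is an added example, not part of the original article: it audits a table of status and Location values of the kind `curl -I` prints, and both tables are constructed to model the setup before and after the Viewer Protocol Policy change.

```python
from urllib.parse import urlsplit

CANONICAL = "https://www.iloveip.ru/"
REDIRECTS = (301, 302, 307, 308)

def follow(start, responses, max_hops=5):
    """Walk Location headers from `start`; return the hops as (url, status)."""
    chain, url = [], start
    for _ in range(max_hops):
        status, location = responses[url]
        chain.append((url, status))
        if status not in REDIRECTS or not location:
            break
        url = location
    return chain

def audit_redirects(responses, canonical=CANONICAL):
    """Return (entry_url, problem) pairs; an empty list means the move is complete."""
    host = urlsplit(canonical).hostname
    apex = host[4:] if host.startswith("www.") else host
    problems = []
    for start in (f"{s}://{h}/" for s in ("http", "https") for h in (apex, host)):
        chain = follow(start, responses)
        final_url, final_status = chain[-1]
        if final_url != canonical or final_status != 200:
            problems.append((start, f"ends at {final_url} with {final_status}"))
        if any(status != 301 for _, status in chain[:-1]):
            problems.append((start, "non-permanent redirect in chain"))
        if any(url.startswith("http://") for url, _ in chain[1:]):
            problems.append((start, "redirect hop over plain HTTP"))
    return problems

# Constructed observations: url -> (status, Location header or None).
BEFORE = {  # Viewer Protocol Policy: HTTP and HTTPS
    "http://iloveip.ru/": (301, "https://www.iloveip.ru/"),
    "https://iloveip.ru/": (301, "https://www.iloveip.ru/"),
    "http://www.iloveip.ru/": (200, None),
    "https://www.iloveip.ru/": (200, None),
}
# Viewer Protocol Policy: Redirect HTTP to HTTPS
AFTER = {**BEFORE, "http://www.iloveip.ru/": (301, "https://www.iloveip.ru/")}

if __name__ == "__main__":
    print("before:", audit_redirects(BEFORE))
    print("after: ", audit_redirects(AFTER))
```

With the default policy the only finding is that http://www.iloveip.ru/ still answers 200 over plain HTTP, which is the window the article keeps open until the Yandex mirror change completes.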





That's all.



Conclusion



In the process of moving, we made a few mistakes. First, we did not immediately report the new site to the search engines (paragraphs 4 and 5), but did so on about the third day. Secondly, in Yandex Webmasters, we noted the move of the site to HTTPS (p. 6) simultaneously with the launch of the HTTPS version of the site. It is usually recommended to do this only after Yandex has indexed most pages.



Maybe it was a mistake, maybe not, but Yandex changed the main mirror for our site in exactly 6 days and managed it even faster than Google.



How a move to HTTPS will affect traffic, we will find out later.




Source: https://habr.com/ru/post/339648/


