Custom tls certificate

This section describes how to setup a TLS certificate to support your custom hostname. This certificate is used in front of the web admin interface and will fix the previous invalid certificate error.

The following steps describe how to setup a TLS certificate issued by the AWS Certificate Manager service. Only AWS ACM is supported. You can also import a certificate issued by another Certificate Authority if you like, but we’ll leave that to you to decide.

Request an AWS ACM certificate

  1. In the AWS console, ensure you are in the same region that you deployed the s3ftp stack to. Then navigate to the AWS ACM service and click the Request Certificate button

  2. On the next screen you have the option to selecte a public certificate or one issued by a private CA. Unless you have a private CA configured, select Request a public certificate and then click the Request a certificate button.

  3. On the next screen, add your custom hostname to the Domain name field. You generally don’t need to add another name to the certificate. We will use as an example. Click Next.

    add a domain name

  4. Next select the certificate validation method. It is alays preferable to use DNS validation because email validation needs manual interaction to renew - and it will expire. DNS validation is setup once and will allow automatic renewal. If your DNS domain is hosted in Route53, validating via DNS is trivial. Select DNS valiadation and click Next.

    select validation method

  5. The next screen allows you to add tags to your certificate. Not required. Click Review to continue.

  6. Next review your certificate details. Check the name and that you are using DNS validation. Click Confirm and request.

    review certificate details

  7. The next screen is for certificate validation. Make sure you expand the details for the domain by clicking on the small black triangle to the left of the requested domain name. This will reveal the required DNS validation configuration. certificate validation

    When your DNS domain is hosted in Route53 in the same AWS account, you can simply click on the Create record in Route53 button and then click Create on the next dialogue. create record in route53

    If your DNS is not hosted in Route53, you can will need to setup a CNAME in your DNS domain with the provided values. You can copy the name and value to your clipboard, or download the configuration as a csv file.

  8. On the Validation screen, you can click Continue and then we wait for AWS ACM to validate the DNS record in your domain. Once DNS validation record is configured, it uusually only takes a few minutes for AWS to detect the change and issue the certificate.

At this point we should have a valid TLS certificate issued by AWS ACM.

Attach the ACM certificate to the s3ftp loadbalancer.

  1. In the AWS ACM console, expand the details for the certificate you issued in the previous step. Copy the ARN of the certificate for use in the next step.

  2. Now navigate to the AWS Cloudformation console. Select the s3ftp stack and then click Update.

  3. You should see the following Update stack screen. Use the current template and click Next. cloudformation update

  4. On the specify stack details page, scroll down to the CertificateArn input field and paste the ARN you retrieved in step 1. Then click Next. certificate arn

  5. Click through the Configure stack options page.

  6. On the Review stack page, check your CertificateArn parameter is correct. Then scroll to the bottom of the page, click the checkbox to acknowledge that AIM resources may be created and finally click Update stack.

  7. The stack should take a few minutes before moving to an UPDATE_COMPLETE state. You should now have a nicely trusted TLS certificate.

Test TLS Certificate

Now you should be able to access the web admin interface using your custom hostname and trusted certificate.

  1. Access the web interface using your new hostname. The url will be of the form https://your.custom.hostname:8443/. Substitute your.custom.hostname with the hostname used in DNS and when issuing your certificate.

  2. You should now have a valid certificate displayed by your browser.

    valid certificate