ParseServer – AWS SSL Setup

For the past 2 weeks I’ve been spending my free time with ParseServer and AWS. You can read my previous article on how to set it up here.

The awesome thing about ParseServer is that you can host it on AWS, Heroku, or your own server. Quite honestly, open source ParseServer is the best thing that ever happened to Parse.

AWS or even ParseServer might not be something big companies are interested in because they are most likely running their own cloud service. For smaller companies or developers like myself who are building apps in their free time just because, having a backend that’s secure, scalable and easy to set up is vital.

Today I am going to write about how to generate and set up an SSL certificate on Elastic Beanstalk using Certificate Manager, set up proper permissions using Identity & Access Management, set up a custom domain using Route 53, and properly update your name servers to point to your AWS instance. This write-up might get a bit complicated and perhaps hard to follow at times; please ask questions in the comments if that’s the case.

First things first: I assume you have a domain name registered. It doesn’t really matter who the registrar is; I am using GoDaddy to host my domains, but it can be any registrar. The next step is to actually deploy ParseServer on Elastic Beanstalk. Please refer to my tutorial here. The important part is to deploy your instance in N. Virginia since that’s the only region that supports self-signed SSL certificates generated in Certificate Manager – don’t ask me why. I am not sure.

Assuming you have your instance deployed and ready to go, let’s generate an SSL certificate. Navigate to Certificate Manager.

Select Request a Certificate. You’ll be asked to provide some crucial pieces of information such as your domain name, etc. Before requesting the actual certificate, please make sure your registrar has your correct email address on file for the domain you are trying to use… you’ll be receiving an email from Amazon to approve your certificate request shortly after submitting the request.

Next, we will need to create a Hosted Zone using Route 53.

Select Route 53 from the Console Home, select Hosted Zones and then click on the Create Hosted Zone button to start the process. You’ll be asked to enter the domain name, an optional comment, and the type (should be set to public). Amazon will set up 4 NS records for your domain name as well as a valid SOA record. This, however, is not enough. We will need to add an A record for your domain to point to your AWS instance as well as a CNAME record for “www”. While your existing record is selected, click on Create Record Set to add the A record.

Keep the name field blank. For type, select A – IPv4 address, make sure Alias is chosen and fill in Alias Target with your instance URL.

Next step is to update your domain name to point to your new name servers. For this to happen, make sure your newly created zone is selected. In a new tab, navigate to your registrar website, select the domain name you are trying to update with new NS records and update them with the ones from your AWS console. NS records should look something like this:

If everything went well, your domain should now point to your AWS instance. Your DNS should also be set up correctly (except missing MX records). To check your DNS, use www.intodns.com. Depending on your registrar, it might take a few hours for your NS records to propagate. You’ll know when you have your domain pointing to your AWS instance when visiting your domain brings up:

Final step is to tell your instance to use the SSL certificate you generated earlier. To do so, navigate back to your AWS Console Home, select Identity Access Management, then Roles. Here we will need to modify your service-role so it can list certificates…

Add the following line to the end of your Actions array:

You are now set to start using your SSL certificate. Navigate to Console Home, select EC2, use the menu on the left side to select Load Balancers. Select the load balancer you would like to assign the new SSL certificate to, select Listeners (bottom part of the page), select Edit, and then Add HTTPS connection for your load balancer protocol, keep instance protocol HTTP… select change under SSL certificate and choose your newly generated certificate for your current domain:

Feel free to remove the old HTTP listener and hit “Save”. Believe it or not, you can now access your instance by using HTTPS.
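A check for the listener change described above, as an added example that is not from the original post: it audits one Classic Load Balancer description (the JSON shape returned by `aws elb describe-load-balancers`) for a leftover cleartext HTTP listener, a missing HTTPS listener, and an ACM certificate from a different region than the load balancer. The sample input, the function name `audit_listeners` and every id in it are constructed for illustration.

```python
import json

# Constructed sample shaped like one LoadBalancerDescriptions entry from
# `aws elb describe-load-balancers`; names and ids are placeholders.
SAMPLE = json.loads("""
{
  "LoadBalancerName": "awseb-example",
  "AvailabilityZones": ["us-east-1a"],
  "ListenerDescriptions": [
    {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80,
                  "InstanceProtocol": "HTTP", "InstancePort": 80}},
    {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
                  "InstanceProtocol": "HTTP", "InstancePort": 80,
                  "SSLCertificateId":
                    "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE-ID"}}
  ]
}
""")


def audit_listeners(lb):
    """Return findings for one load balancer description (empty list = OK)."""
    findings = []
    # Assumption: standard zone names, e.g. "us-east-1a" -> region "us-east-1".
    lb_region = lb["AvailabilityZones"][0][:-1]
    listeners = [d["Listener"] for d in lb["ListenerDescriptions"]]
    if not any(l["Protocol"] == "HTTPS" for l in listeners):
        findings.append("no HTTPS listener configured")
    for l in listeners:
        port = l["LoadBalancerPort"]
        if l["Protocol"] == "HTTP":
            findings.append(f"port {port}: cleartext HTTP listener still exposed")
        elif l["Protocol"] == "HTTPS":
            # ARN layout: arn:partition:service:region:account:resource
            parts = l.get("SSLCertificateId", "").split(":")
            if len(parts) < 6 or parts[2] not in ("acm", "iam"):
                findings.append(f"port {port}: no certificate ARN attached")
            elif parts[2] == "acm" and parts[3] != lb_region:
                findings.append(f"port {port}: ACM certificate region {parts[3]} "
                                f"differs from load balancer region {lb_region}")
    return findings


if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE) or ["listeners OK"]:
        print(finding)
```

On the constructed sample the only finding is the port 80 listener, which is the one the step above suggests removing.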

To be honest, this tutorial was written for me first. I spent a couple of days learning my way around AWS and how to properly set up ParseServer so that my calls are secure. This was worth it.

4 thoughts on “ParseServer – AWS SSL Setup”

  1. John says:

    Michael, Greatly appreciate your Parse server tutorials. Your guides have worked better than AWS/Parse tutorials. Thanks.

    I am having problems with “Final step is to tell your instance to use the SSL certificate…” paragraph. I’m having trouble editing the policy for my service role. I don’t believe the option is available to edit the actions policy. Please see attached images of my AWS/IAM.

    1. Jacob Torrence says:

      Did you ever find a solution? This is the same step I am stuck on. I hit “click here” under inline policies to create a new role, and used their steps to set it to Amazon Certificate Manager, List Certificates, and copy / pasted my ARN from the Certificate manager page, but it tells me my ARN is wrong. If the one copied directly from the CM is invalid, idk what would be.

    2. Carl says:

      Personally I did things slightly differently in the last step. I had to go to Elastic Beanstalk->{My Parse App}->Configuration->Network Tier->Load Balancer.
      There I enabled HTTPS and selected the SSL cert under “SSL certificate ID” and hit Apply.

  2. Jacob Torrence says:

    Seconding John’s issue. I follow their steps using the policy generator, select “allow”, “AWS Certificate Manager”, and “List Certificates”, but when I copy the ARN from the details page of my certificate, I get a message saying that this resource could not be found. I even tried signing in to root to do this, no dice. Any help is appreciated.
