1 00:00:00,530 --> 00:00:02,680 ‫Okay, so first I'm going to open ACM, 2 00:00:02,680 --> 00:00:06,110 ‫also called certificates manager in the console. 3 00:00:06,110 --> 00:00:07,100 ‫And in here, 4 00:00:07,100 --> 00:00:09,330 ‫I can see that I can provision certificates 5 00:00:09,330 --> 00:00:11,090 ‫and these are public certificates, 6 00:00:11,090 --> 00:00:13,120 ‫or I can provision private certificates 7 00:00:13,120 --> 00:00:14,250 ‫and they're a bit more advanced 8 00:00:14,250 --> 00:00:15,340 ‫and they're not in scope for the exam. 9 00:00:15,340 --> 00:00:18,490 ‫So just remember that ACM can be used to manage public 10 00:00:18,490 --> 00:00:19,700 ‫and private, but in this case, 11 00:00:19,700 --> 00:00:22,130 ‫we're just going to deal with public certificates. 12 00:00:22,130 --> 00:00:23,190 ‫Okay, we'll get started. 13 00:00:23,190 --> 00:00:25,530 ‫Here, we can either import a certificate 14 00:00:25,530 --> 00:00:27,610 ‫if you already had one from before, 15 00:00:27,610 --> 00:00:29,680 ‫and we just want it to be managed by ACM, 16 00:00:29,680 --> 00:00:33,080 ‫or we can even request a public certificate directly 17 00:00:33,080 --> 00:00:33,913 ‫from Amazon. 18 00:00:33,913 --> 00:00:34,746 ‫So let's do this. 19 00:00:34,746 --> 00:00:36,970 ‫We'll request a certificates and the domain name 20 00:00:36,970 --> 00:00:41,970 ‫is going to be acm-demo.stephanetheteacher.com. 21 00:00:42,320 --> 00:00:43,900 ‫We could add as many domain names as we want, 22 00:00:43,900 --> 00:00:45,350 ‫but I'll just keep this one. 23 00:00:45,350 --> 00:00:47,530 ‫And I own stephanetheteacher.com. 24 00:00:47,530 --> 00:00:48,930 ‫It's in my Route 53. 25 00:00:48,930 --> 00:00:50,260 ‫So that's perfect. 26 00:00:50,260 --> 00:00:51,630 ‫I'll click on next. 27 00:00:51,630 --> 00:00:53,590 ‫And we'll choose DNS validation 28 00:00:53,590 --> 00:00:56,900 ‫to validate that we do own the domain name 29 00:00:56,900 --> 00:00:58,610 ‫because we already have Route 53. 30 00:00:58,610 --> 00:00:59,920 ‫So that'll be very easy. 31 00:00:59,920 --> 00:01:01,410 ‫I'll click on review and say yes, 32 00:01:01,410 --> 00:01:02,680 ‫confirm and request. 33 00:01:02,680 --> 00:01:05,780 ‫Okay, so now the validation is in progress. 34 00:01:05,780 --> 00:01:07,470 ‫And if I expand this, 35 00:01:07,470 --> 00:01:09,730 ‫it says you need to create a CNAME record 36 00:01:09,730 --> 00:01:12,810 ‫in your DNS configuration for this to work. 37 00:01:12,810 --> 00:01:14,850 ‫Very easy though, we can directly click 38 00:01:14,850 --> 00:01:18,560 ‫on create record in Route 53 for having AWS create 39 00:01:18,560 --> 00:01:20,090 ‫that DNS record for us. 40 00:01:20,090 --> 00:01:22,550 ‫So it says, okay, we're going to add this CNAME 41 00:01:22,550 --> 00:01:24,010 ‫with this name and this value. 42 00:01:24,010 --> 00:01:25,740 ‫And all these things looks very random 43 00:01:25,740 --> 00:01:28,220 ‫because this is how SSL verification works 44 00:01:28,220 --> 00:01:29,960 ‫and we'll say, okay create. 45 00:01:29,960 --> 00:01:30,793 ‫Great. 46 00:01:30,793 --> 00:01:34,370 ‫So now the DNS record was written to Route 53 hosted zone, 47 00:01:34,370 --> 00:01:36,180 ‫and it may take up to 30 minutes for the changes 48 00:01:36,180 --> 00:01:38,770 ‫to propagates and AWS to validate the domain. 49 00:01:38,770 --> 00:01:40,060 ‫So I'll click on next. 50 00:01:40,060 --> 00:01:42,700 ‫And right now we're pending validation. 51 00:01:42,700 --> 00:01:46,113 ‫So we'll just pause the video until this is fully completed. 52 00:01:47,260 --> 00:01:50,360 ‫Okay, so my certificate has now be issued. 53 00:01:50,360 --> 00:01:53,020 ‫And so what I'm going to do now is use it. 54 00:01:53,020 --> 00:01:56,340 ‫And for this, we'll go to Beanstalk and we'll try to create 55 00:01:56,340 --> 00:02:00,210 ‫an environment that leverages that certificate. 56 00:02:00,210 --> 00:02:02,740 ‫So I'm going to do action, create environment. 57 00:02:02,740 --> 00:02:05,350 ‫It's going to be a web server environment, 58 00:02:05,350 --> 00:02:07,430 ‫click on select and for the domain, 59 00:02:07,430 --> 00:02:10,530 ‫I'll just keep the auto-generated value. 60 00:02:10,530 --> 00:02:14,330 ‫And I will choose a Node.js and I will choose 61 00:02:14,330 --> 00:02:17,620 ‫a simple application, but I will configure more options. 62 00:02:17,620 --> 00:02:19,610 ‫And in there, I'm going to go the paid route, 63 00:02:19,610 --> 00:02:21,260 ‫so I'm going to choose high availability 64 00:02:21,260 --> 00:02:24,390 ‫so that a load balancer is provisioned for me. 65 00:02:24,390 --> 00:02:26,020 ‫And in the load balancer configuration, 66 00:02:26,020 --> 00:02:27,350 ‫I'm going to modify it. 67 00:02:27,350 --> 00:02:29,400 ‫I'll choose an application load balancer. 68 00:02:29,400 --> 00:02:31,110 ‫And here I will add listeners. 69 00:02:31,110 --> 00:02:32,440 ‫So, add a listener. 70 00:02:32,440 --> 00:02:34,120 ‫The port is going to be 443, 71 00:02:34,120 --> 00:02:36,800 ‫and the protocol is going to be HTTPS. 72 00:02:36,800 --> 00:02:38,790 ‫And this is how we're going to load a certificate. 73 00:02:38,790 --> 00:02:41,060 ‫So it says, okay, which SSL certificate 74 00:02:41,060 --> 00:02:42,090 ‫would you like to load? 75 00:02:42,090 --> 00:02:44,390 ‫I would like to load the one that was just provisioned, 76 00:02:44,390 --> 00:02:46,960 ‫acm-demo.stephanetheteacher.com. 77 00:02:46,960 --> 00:02:47,860 ‫Excellent. 78 00:02:47,860 --> 00:02:50,770 ‫And the SSL policy is how strong do you want 79 00:02:50,770 --> 00:02:52,930 ‫your SSL policy to be. 80 00:02:52,930 --> 00:02:53,970 ‫I will choose the strongest, 81 00:02:53,970 --> 00:02:55,560 ‫which is the very last one. 82 00:02:55,560 --> 00:02:57,960 ‫But if you want it to support older clients 83 00:02:57,960 --> 00:03:00,030 ‫like Internet Explorer 5 or whatever, 84 00:03:00,030 --> 00:03:02,780 ‫you would choose a lower SSL security policy. 85 00:03:02,780 --> 00:03:03,613 ‫So in this one, 86 00:03:03,613 --> 00:03:06,450 ‫I'll just choose the highest ELB security policy. 87 00:03:06,450 --> 00:03:08,810 ‫Click on add and we're good. 88 00:03:08,810 --> 00:03:11,310 ‫Now I can even disable HTTP if I want it to, 89 00:03:11,310 --> 00:03:13,060 ‫but I'll just keep it for now. 90 00:03:13,060 --> 00:03:15,270 ‫And in terms of the rules, 91 00:03:15,270 --> 00:03:16,103 ‫everything looks good. 92 00:03:16,103 --> 00:03:16,936 ‫Let's scroll down. 93 00:03:16,936 --> 00:03:18,150 ‫Yep, everything looks perfect. 94 00:03:18,150 --> 00:03:19,070 ‫So let's go. 95 00:03:19,070 --> 00:03:21,440 ‫So this is all my custom configuration 96 00:03:21,440 --> 00:03:23,780 ‫and I'll create my environment right now. 97 00:03:23,780 --> 00:03:25,910 ‫So this is going to create just a very simple 98 00:03:25,910 --> 00:03:29,230 ‫Beanstalk application with a load balancer. 99 00:03:29,230 --> 00:03:32,590 ‫But now the specificity is that the load balancer 100 00:03:32,590 --> 00:03:34,930 ‫should have an SSL certificate on it 101 00:03:34,930 --> 00:03:38,270 ‫and we should be able to access our environment from there. 102 00:03:38,270 --> 00:03:40,130 ‫So let's wait for Beanstalk to be provisioned 103 00:03:40,130 --> 00:03:42,240 ‫and then we'll see what happens. 104 00:03:42,240 --> 00:03:45,080 ‫Okay, so my Beanstalk application has been created. 105 00:03:45,080 --> 00:03:46,900 ‫As we can see, I can click on this 106 00:03:46,900 --> 00:03:48,570 ‫and we have the congratulations. 107 00:03:48,570 --> 00:03:51,410 ‫And here, the URL is definitely not what we want 108 00:03:51,410 --> 00:03:53,290 ‫and it's also not secure. 109 00:03:53,290 --> 00:03:54,360 ‫So what do we have to do? 110 00:03:54,360 --> 00:03:56,080 ‫If you remember this course correctly, 111 00:03:56,080 --> 00:03:58,700 ‫we will have to create a CNAME record first 112 00:03:58,700 --> 00:04:00,920 ‫to have the right domain point to this. 113 00:04:00,920 --> 00:04:03,110 ‫So let's go back to our services 114 00:04:03,110 --> 00:04:06,650 ‫and I'm gonna go to Route 53. 115 00:04:06,650 --> 00:04:09,610 ‫And in there, I'm going to go to my hosted zone, 116 00:04:09,610 --> 00:04:12,130 ‫my domain, click create record sets, 117 00:04:12,130 --> 00:04:14,140 ‫and this is going to be a CNAME. 118 00:04:14,140 --> 00:04:17,640 ‫I think I called my acm-demo for my SSL certificate. 119 00:04:17,640 --> 00:04:20,720 ‫So, acm-demo.stephanetheteacher.com. 120 00:04:20,720 --> 00:04:25,280 ‫And the value of it is going to be this, right here. 121 00:04:25,280 --> 00:04:28,790 ‫So we have created a CNAME record, and here we go. 122 00:04:28,790 --> 00:04:32,090 ‫So now that means that I should be able to access my website 123 00:04:32,090 --> 00:04:34,860 ‫using acm-demo.stephanetheteacher.com. 124 00:04:34,860 --> 00:04:36,440 ‫So let's have a look and see if that works. 125 00:04:36,440 --> 00:04:41,440 ‫acm-demo.stephanetheteacher.com. 126 00:04:42,110 --> 00:04:42,980 ‫Okay, here we go. 127 00:04:42,980 --> 00:04:45,980 ‫So, we have access now to our Beanstalk environments 128 00:04:45,980 --> 00:04:47,410 ‫using this URL. 129 00:04:47,410 --> 00:04:48,520 ‫But it's still not secure. 130 00:04:48,520 --> 00:04:51,560 ‫It's because right now I only have forced HTTP, 131 00:04:51,560 --> 00:04:55,560 ‫but if I do HTTPS slash, slash, boom, here we go. 132 00:04:55,560 --> 00:04:56,393 ‫It works. 133 00:04:56,393 --> 00:04:58,480 ‫And we have a little luck here saying the connection 134 00:04:58,480 --> 00:04:59,440 ‫is secure. 135 00:04:59,440 --> 00:05:02,690 ‫That's because the SSL certificate get generated 136 00:05:02,690 --> 00:05:03,523 ‫and it's valid. 137 00:05:03,523 --> 00:05:06,040 ‫And if I click here, it's a Chrome feature. 138 00:05:06,040 --> 00:05:10,440 ‫It says that it was issued by Amazon and it is fully working 139 00:05:10,440 --> 00:05:12,040 ‫so I can get the details and so on. 140 00:05:12,040 --> 00:05:15,490 ‫And it is valid until Saturday, July 25th, 2020. 141 00:05:15,490 --> 00:05:18,670 ‫And it will be automatically renewed by Amazon 142 00:05:18,670 --> 00:05:19,930 ‫in case we need to. 143 00:05:19,930 --> 00:05:20,763 ‫So this is really good. 144 00:05:20,763 --> 00:05:24,400 ‫That means that ACM did provision our SSL certificates. 145 00:05:24,400 --> 00:05:28,070 ‫And finally, we can just verify that if we go to here, 146 00:05:28,070 --> 00:05:29,860 ‫so let's refresh this. 147 00:05:29,860 --> 00:05:32,800 ‫It says that now my certificate is in use. 148 00:05:32,800 --> 00:05:35,740 ‫And if we go here and see what it's in used by, 149 00:05:35,740 --> 00:05:38,440 ‫we need to go actually to the ELB service. 150 00:05:38,440 --> 00:05:42,180 ‫So we'll go to EC2 console and on our EC2 console, 151 00:05:42,180 --> 00:05:44,360 ‫I'll go to my load balancers, 152 00:05:44,360 --> 00:05:47,590 ‫find my Beanstalk balancer that was just created, 153 00:05:47,590 --> 00:05:48,760 ‫which is one of these two. 154 00:05:48,760 --> 00:05:49,810 ‫So let's have a look. 155 00:05:50,730 --> 00:05:51,823 ‫Is it this one? 156 00:05:52,770 --> 00:05:53,750 ‫Let's see the listeners. 157 00:05:53,750 --> 00:05:55,120 ‫No, it's not this one. 158 00:05:55,120 --> 00:05:55,970 ‫Is it this one? 159 00:05:55,970 --> 00:05:56,930 ‫Yes, it is. 160 00:05:56,930 --> 00:05:58,590 ‫So now we can see, we have two listeners. 161 00:05:58,590 --> 00:06:01,190 ‫We have port 80 and port 443. 162 00:06:01,190 --> 00:06:03,260 ‫And in this case, 443 is HTTPS. 163 00:06:03,260 --> 00:06:05,580 ‫So we have a security policy that we did apply. 164 00:06:05,580 --> 00:06:10,580 ‫And we did add the SSL certificates directly from ACM. 165 00:06:10,780 --> 00:06:14,000 ‫And we can click on view/edit certificates if we wanted to, 166 00:06:14,000 --> 00:06:15,750 ‫to just change the certificates. 167 00:06:15,750 --> 00:06:16,780 ‫So that's it. 168 00:06:16,780 --> 00:06:18,560 ‫Hopefully really helpful, but in the end, 169 00:06:18,560 --> 00:06:22,470 ‫we did manage our own application using Beanstalk and HTTPS, 170 00:06:22,470 --> 00:06:24,320 ‫which is a cool demo to do. 171 00:06:24,320 --> 00:06:27,193 ‫I hope you liked it and I will see you in the next lecture.