Day 11: Add HTTPS (SSL certificate)

How to request a free SSL certificate from AWS and enable HTTPS on your Application Load Balancer
Make it secure
Day 10: You got a custom domain
Today: We make it secure with HTTPS
Here's the situation:
Your app is accessible at:
http://ai-caller.yourdomain.com
Browser says: ⚠️ "Not secure"
The problem:
❌ Data transmitted in plain text
❌ Anyone can intercept traffic
❌ Users don't trust it
❌ Browser shows scary warnings
❌ Can't use modern web features (WebRTC, microphone access)
What you need:
https://ai-caller.yourdomain.com
Browser says: ✅ "Secure" 🔒
Solution: SSL Certificate
Think of it like mail:
HTTP (no SSL):
- Sending a post card
- Anyone can read it
- No privacy
HTTPS (with SSL):
- Sending a sealed envelope
- Only recipient can read it
- Encrypted and private
By the end of today, you'll have:
✅ Free SSL certificate from AWS Certificate Manager
✅ Domain ownership validated
✅ HTTPS listener on ALB (port 443)
✅ HTTP → HTTPS redirect
✅ Green padlock in browser 🔒
Let's secure your app 🔒
What you'll build today
Complete HTTPS setup:
| Component | Value | Purpose |
|---|---|---|
| SSL Certificate | ACM Certificate | Encrypts traffic |
| Domain | ai-caller.yourdomain.com | What the cert covers |
| Validation | DNS validation | Proves you own the domain |
| HTTPS Listener | Port 443 | Accepts HTTPS traffic |
| HTTP Redirect | Port 80 → Port 443 | Forces HTTPS |
Result:
http://ai-caller.yourdomain.com → Redirects to HTTPS
https://ai-caller.yourdomain.com → ✅ Secure! 🔒
What you'll learn
- What SSL/TLS certificates are (and why you need them)
- How AWS Certificate Manager (ACM) works
- DNS validation vs email validation
- How to attach certificates to ALB
- How to configure HTTPS listeners
- How to redirect HTTP → HTTPS
But if you want:
✅ Complete codebase (one clean repo)
✅ Complete walkthroughs
✅ Support when stuck
✅ Production templates
✅ Advanced features
Join the waitlist for the full course (launching February 2026):
Building something with AI calling?
Let's chat about your use case!
Schedule a free call → - no pitch, just two builders talking.
Time required
15-20 minutes (certificate validation takes 5-10 minutes, ALB config takes 5 min)
Prerequisites
✅ Completed Day 3 (VPC)
✅ Completed Day 4 (Subnets)
✅ Completed Day 5 (NAT Gateway)
✅ Completed Day 6 (Route Tables)
✅ Completed Day 7 (Security Groups)
✅ Completed Day 8 (prove it works)
✅ Completed Day 9 (Application Load Balancer)
✅ Completed Day 10 (Custom Domain)
✅ Access to AWS Console
✅ Domain managed by Route 53 (or ability to add DNS records)
Understanding SSL/TLS Certificates (3-minute primer)
What is SSL/TLS?
SSL = Secure Sockets Layer (older)
TLS = Transport Layer Security (newer, current standard)
People still say "SSL" but mean TLS.
What it does:
- Encrypts data between browser and server
- Verifies server identity (you are talking to the real site)
- Prevents man-in-the-middle attacks
How HTTPS works
Without HTTPS (HTTP):
Browser: "Hey server, send me the home page"
Server: "Here's the HTML: <html>..."
Attacker: "I can see everything"
With HTTPS:
Browser: "Hey server, let's set up encryption"
Server: "Here's my certificate (proves I'm legit)"
Browser: "Certificate looks good, let's encrypt everything"
[All traffic now encrypted with unique keys]
Attacker: "I see gibberish: XK3$#@..."
What is AWS Certificate Manager (ACM)?
ACM = AWS's free SSL certificate service
Benefits:
✅ Free certificates (for AWS resources)
✅ Auto-renewal (no manual renewals)
✅ Automatic deployment to ALB, CloudFront, etc.
✅ Managed by AWS (no certificate files to manage)
DNS validation vs Email validation
To get a certificate, you need to prove you own the domain.
Two methods:
| Method | How it works | Time | Best for |
|---|---|---|---|
| DNS validation | Add CNAME record to Route 53 | 5-10 min | Route 53 domains (easiest) |
| Email validation | Click link in email | 30 min - 24 hr | External domains |
We'll use DNS validation (faster and automatic with Route 53).
Step 1: Request SSL Certificate
Open the AWS Console → In the search bar at the top, type certificate manager and click Certificate Manager from the dropdown menu.
Make sure you're in the same region as your ALB.
Check the top-right corner: it should say us-east-1 (or wherever your ALB is).
If you're in the wrong region:
- Certificates won't show up in the ALB dropdown
- You'll have to request again in the correct region
Click Request a certificate
Step 1.1: Choose certificate type
Select Request a public certificate
Click Next
Step 1.2: Add domain names
Add two domain names:
In Fully qualified domain name, first type ai-caller.yourdomain.com
Then click Add another name to this certificate and add *.yourdomain.com
This wildcard covers any future subdomain you might need.
If you only want to cover ai-caller.yourdomain.com, that's fine - skip the wildcard.
But for most projects, the wildcard gives you flexibility at no extra cost.
For this tutorial, just ai-caller.yourdomain.com is enough.
Step 1.3: Select validation method
Scroll down and select DNS validation
Why DNS validation:
✅ Faster (5-10 minutes)
✅ Automatic with Route 53
✅ Can be automated
✅ No email required
Step 1.4: Add tags (optional)
Optional: Add tags (Key/Value pairs) for organization
Step 1.5: Request validation
Scroll down and click Request
✅ You should see: "Successfully requested certificate, your request is being processed"
Step 2: Validate domain ownership
Now we need to prove we own the domain by adding a DNS record.
Click Create records in Route 53
You can also click List certificates in the left menu and then click your certificate (Certificate Manager → List certificates → your certificate).
A new screen will appear showing the CNAME records ACM needs.
Click Create records
✅ You should see: "Successfully created DNS records"
Step 2.1: Wait for validation
Certificate validation takes 5-10 minutes.
Refresh the page until Status changes from Pending validation to Issued.
When Status shows Issued, your certificate is ready.
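To see what ACM is actually checking while the status says Pending validation, here is an added example (not code from the tutorial or from AWS) that models the lookup over a constructed, in-memory hosted zone. The validation tokens and zone contents are placeholders. It reports the same failure reasons the troubleshooting section lists, and it normalises case and the trailing dot, which is a frequent reason a hand-typed record never validates.

```python
"""Model of the check ACM performs during DNS validation. Added example, not
code from the tutorial or from AWS: ACM gives you a CNAME name under your
domain and a CNAME value under acm-validations.aws, then resolves that name
and compares the answer. The hosted zone and the validation tokens below are
constructed placeholders, not real ACM output."""

from dataclasses import dataclass, field
from typing import Dict, Optional


def canonical(name: str) -> str:
    """DNS names compare case-insensitively and the trailing dot is optional,
    so normalise both sides before comparing."""
    return name.strip().lower().rstrip(".") + "."


@dataclass(frozen=True)
class ValidationRecord:
    """The CNAME pair ACM displays for one name on the certificate."""
    domain: str       # name on the certificate, e.g. ai-caller.yourdomain.com
    cname_name: str   # _<token>.ai-caller.yourdomain.com
    cname_value: str  # _<token>.acm-validations.aws.


@dataclass
class HostedZone:
    """Constructed stand-in for a Route 53 hosted zone: owner name -> CNAME target."""
    name: str
    cnames: Dict[str, str] = field(default_factory=dict)

    def lookup_cname(self, owner: str) -> Optional[str]:
        table = {canonical(k): canonical(v) for k, v in self.cnames.items()}
        return table.get(canonical(owner))


def dns_validation_status(zone: HostedZone, rec: ValidationRecord) -> str:
    """Return 'Issued' when ACM's lookup would succeed, otherwise the reason
    the certificate would stay in 'Pending validation'."""
    # A wildcard name (*.yourdomain.com) is validated at the parent domain.
    base = rec.domain[2:] if rec.domain.startswith("*.") else rec.domain
    if not canonical(rec.cname_name).endswith("." + canonical(base)):
        return "Pending validation: CNAME name does not belong to the certificate domain"
    if not canonical(rec.cname_name).endswith("." + canonical(zone.name)):
        return "Pending validation: wrong hosted zone (record would not be authoritative)"
    answer = zone.lookup_cname(rec.cname_name)
    if answer is None:
        return "Pending validation: DNS record not created"
    if answer != canonical(rec.cname_value):
        return "Pending validation: CNAME points at the wrong value"
    return "Issued"


# Constructed sample data (tokens are placeholders, not real ACM values).
REC = ValidationRecord(
    domain="ai-caller.yourdomain.com",
    cname_name="_placeholdertoken1.ai-caller.yourdomain.com",
    cname_value="_placeholdertoken2.acm-validations.aws.",
)
ZONE_OK = HostedZone("yourdomain.com", {
    # Route 53 stores the owner with a trailing dot; mixed case is legal DNS.
    "_PlaceholderToken1.ai-caller.yourdomain.com.": "_placeholdertoken2.acm-validations.aws",
})
ZONE_MISSING = HostedZone("yourdomain.com")
ZONE_WRONG = HostedZone("otherdomain.com", {REC.cname_name: REC.cname_value})

if __name__ == "__main__":
    for label, zone in [("ok", ZONE_OK), ("missing", ZONE_MISSING), ("wrong zone", ZONE_WRONG)]:
        print(f"{label:10} -> {dns_validation_status(zone, REC)}")
```

When the real record is in place, `nslookup` (or `dig`) on the `_<token>` name from the troubleshooting section should return the `acm-validations.aws` target exactly as ACM displayed it; if it does and the status still reads Pending, wait for propagation before changing anything.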
Step 3: Add HTTPS listener to ALB
Now let's attach the certificate to your ALB.
In the search bar at the top, type ec2 and click EC2 from the dropdown menu
Scroll down the left menu and click Load balancers
Select Fargate-ALB and click the Listeners and rules tab
You should see one listener:
- HTTP:80 → Fargate-TG
Click Add listener
Step 3.1: Configure HTTPS listener
Fill in the settings:
| Field | Value |
|---|---|
| Protocol | HTTPS |
| Port | 443 |
| Default action | Forward to → Fargate-TG |
Select HTTPS and port 443
Scroll down and select Fargate-TG as Default action
Step 3.2: Attach SSL certificate
Scroll down to Secure listener settings
Fill in the settings:
| Field | Value |
|---|---|
| Security policy | ELBSecurityPolicy-TLS13-1-2-2021-06 (recommended) |
| Default SSL/TLS certificate | From ACM → Select your certificate |
Keep the default Security policy: ELBSecurityPolicy-TLS13-1-2-2021-06 (recommended)
Select and attach the SSL certificate we just created
Security policy = Which TLS versions and ciphers to support
Recommended: ELBSecurityPolicy-TLS13-1-2-2021-06
✅ TLS 1.3 (latest, fastest, most secure)
✅ TLS 1.2 (for older clients)
✅ Strong ciphers only
This balances security and compatibility.
Scroll all the way down and click Add listener
✅ You should see: "Successfully created listener"
You should now see two listeners:
- HTTP:80 → Forward to Fargate-TG
- HTTPS:443 → Forward to Fargate-TG
Step 4: Test HTTPS
Let's verify HTTPS works!
Open your browser and visit: https://ai-caller.yourdomain.com
Expected result:
✅ Green padlock 🔒 in address bar (depending on web browser)
✅ "Secure" or "Connection is secure"
⚠️ 503 Service Temporarily Unavailable (no containers yet, but HTTPS works!)
Click the icon in the address bar; you should see "Secure" or "Connection is secure" but still "503 Service Temporarily Unavailable" (we don't have containers yet).
Check certificate details
Click the icon next to the address bar and then click Connection is secure
This opens a new window; now click Certificate is valid
You should now see certificate details:
- Issued to: ai-caller.yourdomain.com
- Issued by: Amazon
- Valid until: (1 year from now, auto-renews)
Step 5: Redirect HTTP to HTTPS
Right now, both HTTP and HTTPS work:
http://ai-caller.yourdomain.com → Works
https://ai-caller.yourdomain.com → Works
Best practice: Redirect HTTP → HTTPS
Let's force everyone to HTTPS.
Go to the Listeners and rules tab and select the HTTP:80 listener
Click Manage listener and then click Edit listener in the dropdown
Step 5.1: Change default action to redirect
Change the Routing action to Redirect to URL
Configure the redirect:
| Field | Value |
|---|---|
| Protocol | HTTPS |
| Port | 443 |
| Status code | 301 - Permanently moved |
Click Save changes
✅ You should see: "Successfully modified listener"
Step 5.2: Verify redirect
Now HTTP automatically redirects to HTTPS.
Test in your browser: http://ai-caller.yourdomain.com
Expected behavior:
- Browser loads HTTP version
- Immediately redirects to HTTPS
- URL changes to https://ai-caller.yourdomain.com
- Green padlock 🔒 shows (depending on browser)
- Click the icon next to the address bar; it should say "Connection is secure"
Perfect! ✅
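A way to check the redirect from a script rather than a browser, as an added example that is not part of the tutorial: verify_redirect() applies the rules that matter (permanent status, an https Location on the same host and port 443, path and query string preserved) to a captured response, and probe_http() fetches one plain-HTTP response without following it so you get the 301 itself back. The sample responses below are constructed; probe_http() is not run here because it needs network access to your real domain.

```python
"""Check the HTTP -> HTTPS redirect the way a browser or an uptime monitor sees
it. Added example, not code from the tutorial: verify_redirect() judges a
captured response offline and probe_http() fetches a live one without
following it (not run here). The sample responses are constructed."""

from http.client import HTTPConnection
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

URL = "http://ai-caller.yourdomain.com/"
PERMANENT = {301, 308}  # 301 is what the listener rule above returns


def verify_redirect(original_url: str, status: int, headers: Dict[str, str]) -> List[str]:
    """Return the problems found (empty list = correct redirect): permanent
    status, Location on https and the same host, path and query preserved."""
    problems: List[str] = []
    if status not in PERMANENT:
        problems.append(f"status {status}, expected 301 (or 308)")
    location = {k.lower(): v for k, v in headers.items()}.get("location")
    if location is None:
        return problems + ["no Location header"]
    src, dst = urlsplit(original_url), urlsplit(location)
    if dst.scheme != "https":
        problems.append(f"Location scheme is {dst.scheme!r}, expected 'https'")
    if dst.hostname != src.hostname:
        problems.append(f"Location host {dst.hostname!r} differs from {src.hostname!r}")
    if dst.port not in (None, 443):
        problems.append(f"Location port {dst.port}, expected 443")
    if (dst.path or "/") != (src.path or "/") or dst.query != src.query:
        problems.append("path or query string not preserved by the redirect")
    return problems


def probe_http(url: str, timeout: float = 5.0) -> Tuple[int, Dict[str, str]]:
    """One plain-HTTP request with redirects NOT followed, so the 301 itself is
    returned. Pass the result to verify_redirect(). Needs network access."""
    parts = urlsplit(url)
    target = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
    conn = HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        conn.request("GET", target, headers={"Host": parts.hostname})
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders())
    finally:
        conn.close()


# Constructed sample responses (status, headers) for offline checking.
GOOD = (301, {"Location": "https://ai-caller.yourdomain.com:443/"})
TEMPORARY = (302, {"Location": "https://ai-caller.yourdomain.com/"})
DOWNGRADE = (301, {"Location": "http://ai-caller.yourdomain.com/"})
NO_REDIRECT = (503, {"Content-Type": "text/html"})

if __name__ == "__main__":
    samples = [("good", GOOD), ("temporary", TEMPORARY),
               ("downgrade", DOWNGRADE), ("no redirect", NO_REDIRECT)]
    for name, (status, headers) in samples:
        print(f"{name:12} {verify_redirect(URL, status, headers) or 'OK'}")
    # Live check, uncomment once your domain resolves:
    # print(verify_redirect(URL, *probe_http(URL)) or "redirect OK")
```

A 302 is flagged on purpose: browsers and search engines treat it as temporary, so they keep returning to the HTTP URL first, which is why the listener rule above uses 301.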
Step 6: Update security group (if needed)
Your ALB-SG should already allow HTTPS.
Let's verify:
In the search bar at the top, type VPC and click VPC from the dropdown
Click Security Groups in the left menu
Select ALB-SG and click Inbound rules
You should see:
| Type | Port range | Source |
|---|---|---|
| HTTP | 80 | 0.0.0.0/0 |
| HTTPS | 443 | 0.0.0.0/0 |
Verify ALB-SG allows HTTPS.
How to add a missing rule:
Click Edit inbound rules
Click Add rule
Add this rule:
| Type | Source |
|---|---|
| HTTPS | Anywhere-IPv4 (0.0.0.0/0) |
Today's win
If you completed all steps:
✅ Requested free SSL certificate from ACM
✅ Validated domain ownership via DNS
✅ Added HTTPS listener to ALB (port 443)
✅ Attached SSL certificate
✅ Configured HTTP → HTTPS redirect
✅ Validated green padlock in browser 🔒
Your app is now secure.
Before:
⚠️ http://ai-caller.yourdomain.com (Not Secure) - Browser says: "Not secure"
After:
🔒 https://ai-caller.yourdomain.com (Secure) - Connection is secure
Production-ready HTTPS! Tomorrow we deploy a frontend.
Understand what you built
The HTTPS flow:
Security layers:
- HTTPS encryption (SSL/TLS)
- Certificate validation (ACM)
- HTTP โ HTTPS redirect (no plain text)
- Security groups (firewall)
- Private subnets (containers hidden)
SSL/TLS certificate costs
ACM certificates are free!
Pricing:
- Certificate: $0 (free)
- Renewal: $0 (automatic, free)
- DNS validation: $0 (included in Route 53 hosted zone)
For AWS resources, ACM is unbeatable.
The only cost:
- Route 53 hosted zone: ~$0.50/month (as of December 2025)
Why HTTPS matters
1. Security
- Encrypts data in transit
- Prevents man-in-the-middle attacks
- Protects users' privacy
2. Trust
- Green padlock = users trust your site
- No scary "Not Secure" warnings
- Professional appearance
3. Required for modern features
- WebRTC (real-time audio/video)
- Geolocation API
- Camera/microphone access
- Service Workers (PWAs)
4. SEO benefits
- Google ranks HTTPS sites higher
- HTTP sites marked as "Not Secure"
- Better search visibility
5. Compliance
- Industry standard for production apps
HTTPS isn't optional. It's essential.
Common mistakes (and how to avoid them)
❌ Mistake #1: Wrong region for certificate
Result: Certificate doesn't show in ALB dropdown
Fix: Request certificate in same region as ALB
❌ Mistake #2: Forgetting to create DNS validation record
Result: Certificate stuck in "Pending validation"
Fix: Click "Create records in Route 53" in ACM
❌ Mistake #3: Using wrong certificate
Result: Browser shows certificate error
Fix: Make sure certificate covers your exact domain (ai-caller.yourdomain.com)
❌ Mistake #4: Not redirecting HTTP → HTTPS
Result: Users can still access insecure HTTP version
Fix: Edit HTTP:80 listener → Add redirect to HTTPS:443
❌ Mistake #5: Forgetting HTTPS in Security Group
Result: Can't access port 443
Fix: Add HTTPS (443) inbound rule to ALB-SG
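The same five-point checklist as code, as an added example that is not from the tutorial or the AWS SDK: lint_https_setup() walks a constructed description of the ALB, the ACM certificate and ALB-SG (the dictionaries are shaped like what the console shows, not real boto3 output, and the certificate ARN is a placeholder) and reports each mistake it finds. Its cert_covers() helper also settles the Step 1.2 question of what the wildcard *.yourdomain.com covers: exactly one label, so ai-caller.yourdomain.com is covered but the bare yourdomain.com and deeper names such as a.b.yourdomain.com are not, which is how browsers decide Mistake #3.

```python
"""Checklist for the five mistakes above, run as code over a description of
the ALB, the ACM certificate and ALB-SG. Added example, not code from the
tutorial or from AWS: the dictionaries are constructed to resemble what the
console shows, and the certificate ARN is a placeholder."""

import copy
from typing import Any, Dict, List

RECOMMENDED_POLICY = "ELBSecurityPolicy-TLS13-1-2-2021-06"
WANTED_REDIRECT = {"type": "redirect", "protocol": "HTTPS", "port": 443, "status_code": 301}


def cert_covers(cert_names: List[str], host: str) -> bool:
    """Hostname matching the way browsers do it: exact match, or a wildcard
    whose '*' stands for exactly one leftmost label. So *.yourdomain.com covers
    ai-caller.yourdomain.com but not yourdomain.com or a.b.yourdomain.com."""
    host = host.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            label, dot, rest = host.partition(".")
            if label and dot and rest == name[2:]:
                return True
    return False


def lint_https_setup(cfg: Dict[str, Any]) -> List[str]:
    """Return one finding per mistake found (numbered as in the list above);
    an empty list means the setup matches the tutorial's target state."""
    findings: List[str] = []
    alb, cert, sg = cfg["alb"], cfg["certificate"], cfg["security_group"]
    by_port = {(l["protocol"], l["port"]): l for l in alb["listeners"]}

    if cert["region"] != alb["region"]:  # Mistake #1
        findings.append(f"#1 certificate is in {cert['region']} but the ALB is in {alb['region']}")
    if cert["status"] != "Issued":  # Mistake #2
        findings.append(f"#2 certificate status is {cert['status']!r}, not 'Issued'")
    if not cert_covers(cert["names"], cfg["domain"]):  # Mistake #3
        findings.append(f"#3 certificate names {cert['names']} do not cover {cfg['domain']}")
    https = by_port.get(("HTTPS", 443))
    if https is None:
        findings.append("#3 no HTTPS:443 listener on the ALB")
    else:
        if https.get("certificate_arn") != cert["arn"]:
            findings.append("#3 HTTPS:443 listener uses a different certificate")
        if https.get("security_policy") != RECOMMENDED_POLICY:
            findings.append(f"security policy is {https.get('security_policy')!r}, recommended {RECOMMENDED_POLICY}")
    http = by_port.get(("HTTP", 80))  # Mistake #4
    if http is None or http.get("default_action") != WANTED_REDIRECT:
        findings.append("#4 HTTP:80 listener does not redirect to HTTPS:443 with status 301")
    if not any(r["port"] == 443 and r["source"] == "0.0.0.0/0" for r in sg["inbound"]):  # Mistake #5
        findings.append("#5 ALB-SG has no inbound rule for HTTPS (443) from 0.0.0.0/0")
    return findings


CERT_ARN = "arn:aws:acm:us-east-1:123456789012:certificate/PLACEHOLDER"  # constructed

# Constructed sample: a setup that matches the tutorial's target state.
GOOD: Dict[str, Any] = {
    "domain": "ai-caller.yourdomain.com",
    "alb": {"region": "us-east-1", "listeners": [
        {"protocol": "HTTP", "port": 80, "default_action": WANTED_REDIRECT},
        {"protocol": "HTTPS", "port": 443, "certificate_arn": CERT_ARN,
         "security_policy": RECOMMENDED_POLICY,
         "default_action": {"type": "forward", "target_group": "Fargate-TG"}},
    ]},
    "certificate": {"arn": CERT_ARN, "region": "us-east-1", "status": "Issued",
                    "names": ["ai-caller.yourdomain.com", "*.yourdomain.com"]},
    "security_group": {"inbound": [{"port": 80, "source": "0.0.0.0/0"},
                                   {"port": 443, "source": "0.0.0.0/0"}]},
}


def broken_setup() -> Dict[str, Any]:
    """Constructed copy of GOOD with all five mistakes introduced."""
    bad = copy.deepcopy(GOOD)
    bad["certificate"]["region"] = "us-west-2"            # #1 wrong region
    bad["certificate"]["status"] = "Pending validation"    # #2 never validated
    bad["certificate"]["names"] = ["yourdomain.com"]       # #3 apex only, no subdomain
    bad["alb"]["listeners"][0]["default_action"] = {"type": "forward", "target_group": "Fargate-TG"}  # #4
    bad["security_group"]["inbound"] = [{"port": 80, "source": "0.0.0.0/0"}]  # #5
    return bad


if __name__ == "__main__":
    print("good setup:", lint_https_setup(GOOD) or "no findings")
    for finding in lint_https_setup(broken_setup()):
        print("broken setup:", finding)
```

To run this against a real account you would fill the same dictionaries from the ALB listener, ACM certificate and security group pages (or their describe calls) and keep the check functions unchanged.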
Troubleshooting
Certificate stuck in "Pending validation"
Possible causes:
- DNS record not created
  - Go to ACM → Click certificate
  - Click "Create records in Route 53"
  - Wait 5-10 minutes
- Wrong hosted zone
  - Verify Route 53 hosted zone matches domain
  - Check nameservers are correct
- DNS propagation
  - Wait up to 30 minutes for DNS propagation
  - Try: nslookup _<validation-string>.yourdomain.com
Browser shows "Your connection is not private"
Possible causes:
- Certificate not attached to ALB
  - Go to ALB → Listeners → HTTPS:443
  - Verify certificate is selected
- Wrong domain in certificate
  - Certificate must match exact domain: ai-caller.yourdomain.com ≠ yourdomain.com
- Certificate expired (rare with ACM)
  - Check certificate status in ACM
  - ACM auto-renews, but verify
HTTPS works, but HTTP doesn't redirect
Check:
- HTTP:80 listener exists
- Default action is "Redirect to HTTPS:443"
- Status code is 301
- Clear browser cache (Ctrl+Shift+R)
Can't select certificate in ALB dropdown
Possible causes:
- Wrong region
  - Certificate must be in SAME region as ALB
  - Check top-right corner of console
- Certificate not issued yet
  - Status must be "Issued" (not "Pending validation")
- Wrong certificate type
  - Must be public certificate
  - Must cover your ALB's domain
Tomorrow's preview
Today: You secured your app with HTTPS
Tomorrow (Day 12): We deploy a simple frontend
What we'll do:
Right now, visiting your domain returns 503 (no targets).
Tomorrow we'll:
- Create a simple HTML/JS frontend
- Upload it to S3
- Configure S3 for static website hosting
- Point a subdomain to S3 (e.g. app.yourdomain.com)
- Add CloudFront for CDN (optional)
This gives users something to interact with:
- Landing page explaining your AI caller
- Button to initiate a call
- Status display
After Day 12, you'll have a working frontend.
Then Days 13-17: We deploy the actual AI containers!
What we learned today
1. What SSL/TLS certificates are
Cryptographic files that encrypt traffic and verify identity
2. How AWS Certificate Manager works
Free, managed SSL certificates for AWS resources
3. DNS validation
Proving domain ownership by adding CNAME record
4. HTTPS listener configuration
Adding port 443 listener with SSL certificate to ALB
5. HTTP → HTTPS redirect
Best practice to force secure connections
The application layer is complete
Days 1-2: Local development (your laptop) ✅
Day 3: VPC (your territory) ✅
Day 4: Subnets (front yards vs back yards) ✅
Day 5: NAT Gateway (back gate) ✅
Day 6: Route Tables (the roads) ✅
Day 7: Security Groups (the bouncers) ✅
Day 8: Test Your Network (validation) ✅
Day 9: Application Load Balancer (front door) ✅
Day 10: Custom Domain (real URLs) ✅
Day 11: SSL Certificate (HTTPS) ✅ ← YOU ARE HERE
Day 12: Deploy Frontend
Days 13-17: Fargate Deployment (THE BIG ONE!)
Days 18-24: Features & Polish
11 days done! 13 to go!
Infrastructure is 95% complete! Time to deploy apps!
Share your progress
HTTPS working? Green padlock? Share it!
Twitter/X:
"Day 11: Added HTTPS! Got a free SSL certificate from ACM, configured HTTPS listener on my ALB, and set up HTTP → HTTPS redirect. My AI app is now secure with that green padlock 🔒 Following @norahsakal's advent calendar"
LinkedIn:
"Day 11 of building AI calling agents: Secured my application with HTTPS using AWS Certificate Manager. Free SSL certificate, automatic renewals, and that green padlock in the browser. Production-ready security!"
Tag me! I want to celebrate your progress!
Tomorrow: Day 12 - Deploy Your Frontend
See you then!
— Norah
