When you have a certificate for your domain issued through AWS Certificate Manager, how do you apply that certificate to an Elastic Beanstalk application.

Yes, the Elastic Beanstalk application is load balanced and does have an ELB associated with it.

I know I can apply it directly to the ELB my self. But I want to apply it through Elastic Beanstalk so the env configuration is saved onto the Cloud Formation template.

I found out, you cannot do it through the elastic beanstalk console (at least not yet). However you can still set it via the eb cli, or aws cli.

Using EB CLI

Basically what we are trying to do is to update the aws:elb:listener setting, you can see the possible settings in the general options docs.

Using the EB CLI is pretty simple. Assuming we already setup the awsebcli tool for our project we can use the eb config command.

It will open up your default terminal editor and allow you to change settings which are written as a YAML file. When you make a change and save it, the eb config cmd will automatically update the settings for your Elastic Beanstalk environment.

You will need to add the following settings to your config file:

aws:elb:listener:443:
  InstancePort: '80'
  InstanceProtocol: HTTP
  ListenerEnabled: 'true'
  ListenerProtocol: HTTPS
  PolicyNames: null
  SSLCertificateId: CERTIFICATE_ARN_HERE

Change the value for CERTIFICATE_ARN_HERE to your AMC Certificates ARN. You can find it in the AWS Certificate Manager console:

IMPORTANT: Your aws:elb:listener:443 setting MUST be placed above the aws:elb:listener:80 setting. Otherwise the environment configuration update will error out.

Using AWS CLI

The same can be accomplished using the general aws cli tools via the update-environment command.

aws elasticbeanstalk update-environment \
--environment-name APPLICATION_ENV --option-settings \
Namespace=aws:elb:listener:443,OptionName=InstancePort,Value=80 \
Namespace=aws:elb:listener:443,OptionName=InstanceProtocol,Value=HTTP \
Namespace=aws:elb:listener:443,OptionName=ListenerProtocol,Value=HTTPS \
Namespace=aws:elb:listener:443,OptionName=SSLCertificateId,Value=CERTIFICATE_ARN_HERE

NOTE: When you update it via either of the methods above, the Elastic Beanstalk console will not show HTTPS as enabled. But the load balancer will, and it will also apply to the Cloudformation template as well get saved into the EB's configuration.

I find the simplest way is change the EB Load Balancer via the user console. Click change and select the new ACM certificate.

When you view the EB configuration, it will not appear, but it will be set

You can do this purely with CloudFormation; however, as seems to be quite common with Elastic Beanstalk the configuration options are much harder to find in the docs than they are for the individual components that comprise Elastic Beanstalk. The info is here:

http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/command-options-general.html#command-options-general-elbloadbalancer

But basically what you need to do is add the creation of the cert to your template and then reference it in OptionSettings in AWS::ElasticBeanstalk::ConfigurationTemplate:

"Certificate" : {
      "Type": "AWS::CertificateManager::Certificate",
      "Properties": {
        "DomainName": "example.com",
      }
    },
// ...
"ElasticbeanstalkTemplate": {
      "Type": "AWS::ElasticBeanstalk::ConfigurationTemplate",
      "Properties": {
        "SolutionStackName": "MyEBStack",
        "ApplicationName": "MyAppName",
        "Description": "",
        "OptionSettings": [{
          "Namespace": "aws:elb:listener:443",
          "OptionName": "InstancePort",
          "Value": "80"
        }, {
          "Namespace": "aws:elb:listener:443",
          "OptionName": "InstanceProtocol",
          "Value": "HTTP"
        }, {
          "Namespace": "aws:elb:listener:443",
          "OptionName": "ListenerProtocol",
          "Value": "HTTPS"
        }, {
          "Namespace": "aws:elb:listener:443",
          "OptionName": "SSLCertificateId",
          "Value": {
            "Ref": "Certificate"
          }
        }, /*More settings*/]

Check in which zone you created the certificate and if it matches the Elastic Beanstalk zone. I had them in different zones so it didn't work.