This post describes how to setup HTTPS using a self-signed certificate for a Python 3.7 webapp deployed to a single-instance AWS Elastic Beanstalk environment without using a custom domain or a load balancer. This is useful in dev/test scenarios where HTTPS is required.
Step 1 — Create Beanstalk App
Create a Beanstalk app as shown below:

Step 2 — Get Application Code
Download & unzip the Python app code from here.
Step 3 — Generate Certificate
Run this at your terminal to generate a self-signed certificate:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes -subj '/CN=*.elasticbeanstalk.com'
openssl rsa -in key.pem -out key.pem
Step 4 — Modify Code
Create .ebextensions/https-instance-single.config
in the app code with these contents:
Resources:
sslSecurityGroupIngress:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
IpProtocol: tcp
ToPort: 443
FromPort: 443
CidrIp: 0.0.0.0/0
Create .ebextensions/https-instance.config
in the app code with these contents:
files:
/opt/python/log/sample-app.log:
mode: "000777"
owner: root
group: root
content: |
sample app log
/etc/pki/tls/certs/server.crt:
mode: "000400"
owner: root
group: root
content: |
-----BEGIN CERTIFICATE-----
# contents of cert.pem
-----END CERTIFICATE-----
/etc/pki/tls/certs/server.key:
mode: "000400"
owner: root
group: root
content: |
-----BEGIN RSA PRIVATE KEY-----
# contents of key.pem
-----END RSA PRIVATE KEY-----
Create .platform/nginx/conf.d/https.conf
in the app code with these contents:
server {
listen 443;
server_name localhost;
ssl on;
ssl_certificate /etc/pki/tls/certs/server.crt;
ssl_certificate_key /etc/pki/tls/certs/server.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
}
Step 5 — Deploy Code
ZIP & upload the code to Beanstalk, open the Beanstalk app URL with https://
prefix & bypass the browser warning about the self-signed certificate to see the app!