
This post describes how to setup HTTPS using a self-signed certificate for a Python 3.7 webapp deployed to a single-instance AWS Elastic Beanstalk environment without using a custom domain or a load balancer. This is useful in dev/test scenarios where HTTPS is required.
Step 1 — Create Beanstalk App
Create a Beanstalk app as shown below:

Step 2 — Get Application Code
Download & unzip the Python app code from here.
Step 3 — Generate Certificate
Run this at your terminal to generate a self-signed certificate:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes -subj '/CN=*.elasticbeanstalk.com' openssl rsa -in key.pem -out key.pem
Step 4 — Modify Code
Create .ebextensions/https-instance-single.config
in the app code with these contents:
Resources: sslSecurityGroupIngress: Type: AWS::EC2::SecurityGroupIngress Properties: GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]} IpProtocol: tcp ToPort: 443 FromPort: 443 CidrIp: 0.0.0.0/0
Create .ebextensions/https-instance.config
in the app code with these contents:
files: /opt/python/log/sample-app.log: mode: "000777" owner: root group: root content: | sample app log /etc/pki/tls/certs/server.crt: mode: "000400" owner: root group: root content: | -----BEGIN CERTIFICATE----- # contents of cert.pem -----END CERTIFICATE----- /etc/pki/tls/certs/server.key: mode: "000400" owner: root group: root content: | -----BEGIN RSA PRIVATE KEY----- # contents of key.pem -----END RSA PRIVATE KEY-----
Create .platform/nginx/conf.d/https.conf
in the app code with these contents:
server { listen 443; server_name localhost; ssl on; ssl_certificate /etc/pki/tls/certs/server.crt; ssl_certificate_key /etc/pki/tls/certs/server.key; ssl_session_timeout 5m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; }
Step 5 — Deploy Code
ZIP & upload the code to Beanstalk, open the Beanstalk app URL with https://
prefix & bypass the browser warning about the self-signed certificate to see the app!