Setting up end-to-end TLS encryption and http-https redirects

This document is OUTDATED.

Need to updated with latest design for setting up HTTPS


Bahmni EKS clusters out of box comes with Kubernetes Ingress Controller Fake Certificate. End-to-end TLS encyprtion is required in order to ensure our channel / data transmission is encrypted and in addition its equally important for regularity requirements like PCI and HIPPA etc.

In this document articulates

  • Setting up end-to-end TLS encryption for EKS using AWS Certificate Manager and CloudFront

  • Redirect http to https

Note: Here is an alternate way to setup end-to-end encryption using aws-pca-issuer.

1️⃣ Issue a new certificate in AWS Certificate Manager

Navigate to AWS Certificate manager in us-east-1 and request for a new certificate for your domain. Two things to remember

  • The certificate should be issues in us-east-1 (Virginia) in order to be used by CloudFront

  • Use wild card to support the same certificate by sub domains or list all your domains with sub domains e.g.* (note that single * would only support single subdomain, if you have multiple subdomains such as, then you would need to add multiple wildcards *.*

Once the certificate is Issued, go inside the certificate and "Create Record in Route 53" under Domains to create CNAME(s) for the issued domain(s) in Route53

2️⃣ Create CloudFront distribution

We will create a new CloudFront distribution to service the application (accessible at the ingress DNS) with certificates issued by ACM and will also perform a http to https redirect

  1. Create a new CloudFront distribution

  2. Origin domain: ingress host where the application is available e.g.

  3. Select “HTTP only” under protocol

  4. Select “Redirect HTTP to HTTPS” under Viewer protocol policy

  5. Select “GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE” under Allowed HTTP methods

  6. Under Alternate domain name (CNAME) - add the domain Alias for this CloudFront e.g. (its important to add the Alternate domain name with matching alias name otherwise the CloudFront distribution would not show up while creating the A record in Route53)

  7. Under Custom SSL certificate - choose the certificate created in step #1

3️⃣ Create Alias for CloudFront Distribution

Finally we will create a Route53 Alias (AAAA record type) for CloudFront Distribution

  1. Record name: e.g. lite or demo or BLANK for www (this should match the alternate domain name we setup in the Cloudfront distribution i.e.

  2. Route Type: AAAA

  3. Route traffic to Alias - select Alias to CloudFront Distribution - and then select the distribution we created in step #2

The Bahmni documentation is licensed under Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0)