S3 static site with SSL and automatic deploys using Travis (laszlo.nu)
56 points by andrelaszlo on Nov 27, 2016 | hide | past | favorite | 15 comments



Why is it using Let's Encrypt when AWS offers its own certificates that are free, auto-renew, take seconds to set up in CloudFront, and as far as I know are just as widely recognized?


Just for fun actually, it will probably turn out to be a PITA :)


I can appreciate that.


Have a look at Netlify, https://www.netlify.com, (disclaimer I'm a cofounder).

You can get all of this in 30 seconds on our free plan + instant cache invalidation, deploy previews (we'll give you a unique preview url for every pull request), atomic deploys and no issues with deleting files :)


Yep, they're great. One major problem for me is that their build logs are in pure black, and don't have any colour output. Also, afaik you can't set up a multi-stage build step, like Travis.


You can set up multi-stage builds like:

    npm run build && npm run test


I second this, I tried it the other day and it really did take 30 seconds, it was great. I'm going to be using them for all my static sites now.


Does the free plan work with multiple custom domains, or a single domain only?


Most of the time it's fine to just use Github pages though.

I do something like this for my site https://oauth2cloud.com though.


Note you'll have to manually create and deploy those Let's Encrypt certificates every 90 days because you didn't automate it (which is what they want/prefer).

https://letsencrypt.org/2015/11/09/why-90-days.html


Yes I should add that to the notes (author here). Thanks for pointing it out. I have been thinking about ways to automate it but haven't come up with anything I like yet. Any ideas? Might switch to ACM otherwise.


If you happen to use DNSimple for DNS, they recently released a Let's Encrypt integration that verifies via DNS record. They have web hooks and also make the certs and private keys available via API, so I imagine you could set something up with Lambda.

But in my experience, Amazon's certs are so easy to set up and use that there is no reason not to.


It may be possible to automate using a scheduled AWS Lambda function - though you would need to host a dynamic path under your CloudFront-hosted domain which triggers a Lambda function as part of the renewal process.


Now just to set up the redirect so your visitors can only view in https.


CloudFront makes adding redirects easy -- set "Viewer Protocol Policy: Redirect HTTP to HTTPS" and it'll return 301s as appropriate. Done.

http://docs.aws.amazon.com/AmazonCloudFront/latest/Developer...

Now let's say you want to use HSTS so that browsers automatically rewrite HTTP to HTTPS. HSTS can protect users from agents that manipulate HTTP traffic, and it is therefore complementary to any redirection strategy.

S3 lets you specify headers with your objects, like Cache-Control and Content-Type and such, but it doesn't support Strict-Transport-Security. (You can get S3 to use custom headers, but they must start with x-amz-meta-, which doesn't help here.) If the S3 origin can't return Strict-Transport-Security, that leaves CloudFront -- but CloudFront has no specific mechanism for HSTS nor any general mechanism for adding a response header.

So... it's trivial to set a policy to redirect HTTP to HTTPS, but it's impossible to get S3->CloudFront to articulate that policy with Strict-Transport-Security headers. Sigh.
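The comment above separates two things: a protocol redirect (which CloudFront can do) and the Strict-Transport-Security header (which, as described, the S3 origin cannot emit). The following check is an added example, not code from the thread or from AWS: given a plain-HTTP response and an HTTPS response (constructed inline here, standing in for a real fetch), it reports whether the redirect is permanent and whether HSTS is present and strong enough. Header names, the `Response` type and the one-year `min_max_age` threshold are assumptions of this example.

```python
"""Assess redirect-plus-HSTS posture for a static site fronted by CloudFront.

Added example: responses are constructed inline so it runs offline.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)  # names matched case-insensitively

    def header(self, name: str) -> Optional[str]:
        return next((v for k, v in self.headers.items() if k.lower() == name.lower()), None)


def parse_hsts(value: str) -> dict:
    """Split a Strict-Transport-Security value into its directives (RFC 6797 syntax)."""
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', val.strip())
            if m:
                out["max_age"] = int(m.group(1))
        elif name == "includesubdomains":
            out["include_subdomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out


def assess(http_resp: Response, https_resp: Response, min_max_age: int = 31536000) -> List[str]:
    """Return findings: is HTTP permanently redirected, and does HTTPS carry usable HSTS?"""
    findings = []
    location = (http_resp.header("Location") or "").lower()
    if http_resp.status in (301, 308) and location.startswith("https://"):
        findings.append("redirect: ok")
    else:
        findings.append("redirect: missing or not permanent")
    hsts = https_resp.header("Strict-Transport-Security")
    if hsts is None:  # the S3 -> CloudFront case described in the thread
        findings.append("hsts: absent (first plain-HTTP request still exposed)")
    else:
        parsed = parse_hsts(hsts)
        if parsed["max_age"] is None:
            findings.append("hsts: invalid (no max-age)")
        elif parsed["max_age"] < min_max_age:
            findings.append(f"hsts: max-age too low ({parsed['max_age']})")
        else:
            findings.append("hsts: ok")
    return findings
```

Run `assess(Response(301, {"Location": "https://example.com/"}), Response(200, {}))` to reproduce the CloudFront-redirect-without-HSTS case the comment describes.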



