When you have a certificate for your domain issued through AWS Certificate Manager, how do you apply that certificate to an Elastic Beanstalk application.
Yes, the Elastic Beanstalk application is load balanced and does have an ELB associated with it.
I know I can apply it directly to the ELB my self. But I want to apply it through Elastic Beanstalk so the env configuration is saved onto the Cloud Formation template.
I found out, you cannot do it through the elastic beanstalk console (at least not yet). However you can still set it via the eb cli, or aws cli.
Using EB CLI
Basically what we are trying to do is to update the aws:elb:listener
setting, you can see the possible settings in the general options docs.
Using the EB CLI is pretty simple. Assuming we already setup the awsebcli
tool for our project we can use the eb config
command.
It will open up your default terminal editor and allow you to change settings which are written as a YAML file. When you make a change and save it, the eb config
cmd will automatically update the settings for your Elastic Beanstalk environment.
You will need to add the following settings to your config file:
aws:elb:listener:443:
InstancePort: '80'
InstanceProtocol: HTTP
ListenerEnabled: 'true'
ListenerProtocol: HTTPS
PolicyNames: null
SSLCertificateId: CERTIFICATE_ARN_HERE
Change the value for CERTIFICATE_ARN_HERE
to your AMC Certificates ARN. You can find it in the AWS Certificate Manager console:
IMPORTANT: Your aws:elb:listener:443
setting MUST be placed above the aws:elb:listener:80
setting. Otherwise the environment configuration update will error out.
Using AWS CLI
The same can be accomplished using the general aws cli
tools via the update-environment command.
aws elasticbeanstalk update-environment \
--environment-name APPLICATION_ENV --option-settings \
Namespace=aws:elb:listener:443,OptionName=InstancePort,Value=80 \
Namespace=aws:elb:listener:443,OptionName=InstanceProtocol,Value=HTTP \
Namespace=aws:elb:listener:443,OptionName=ListenerProtocol,Value=HTTPS \
Namespace=aws:elb:listener:443,OptionName=SSLCertificateId,Value=CERTIFICATE_ARN_HERE
NOTE: When you update it via either of the methods above, the Elastic Beanstalk console will not show HTTPS as enabled. But the load balancer will, and it will also apply to the Cloudformation template as well get saved into the EB's configuration.
I find the simplest way is change the EB Load Balancer via the user console. Click change and select the new ACM certificate.
When you view the EB configuration, it will not appear, but it will be set
You can do this purely with CloudFormation; however, as seems to be quite common with Elastic Beanstalk the configuration options are much harder to find in the docs than they are for the individual components that comprise Elastic Beanstalk. The info is here:
http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/command-options-general.html#command-options-general-elbloadbalancer
But basically what you need to do is add the creation of the cert to your template and then reference it in OptionSettings
in AWS::ElasticBeanstalk::ConfigurationTemplate
:
"Certificate" : {
"Type": "AWS::CertificateManager::Certificate",
"Properties": {
"DomainName": "example.com",
}
},
// ...
"ElasticbeanstalkTemplate": {
"Type": "AWS::ElasticBeanstalk::ConfigurationTemplate",
"Properties": {
"SolutionStackName": "MyEBStack",
"ApplicationName": "MyAppName",
"Description": "",
"OptionSettings": [{
"Namespace": "aws:elb:listener:443",
"OptionName": "InstancePort",
"Value": "80"
}, {
"Namespace": "aws:elb:listener:443",
"OptionName": "InstanceProtocol",
"Value": "HTTP"
}, {
"Namespace": "aws:elb:listener:443",
"OptionName": "ListenerProtocol",
"Value": "HTTPS"
}, {
"Namespace": "aws:elb:listener:443",
"OptionName": "SSLCertificateId",
"Value": {
"Ref": "Certificate"
}
}, /*More settings*/]
Check in which zone you created the certificate and if it matches the Elastic Beanstalk zone. I had them in different zones so it didn't work.