elasticbeanstalk ssl without custom domain

Published 2019-06-14 22:58

Question:

I'm trying to enable SSL on a Token Vending Machine hosted on Amazon Elastic Beanstalk. However, it tells me I need an SSL certificate if I try to enable a port 443 listener.

This would make sense if I had my own domain, but this is a system machine giving out tokens to a mobile app. The URL is of the form mytvm.elasticbeanstalk.com and will never be seen by an end user so there's no need to get a custom domain.

Is it possible to enable SSL without the hassle of setting it up on a custom domain name? Pretty much every host I've used before had a wildcard SSL certificate for stuff you ran on a subdomain of their main host. In other words, I would expect Amazon to have set up a wildcard certificate for *.elasticbeanstalk.com. Is this not the case?

Answer 1:

The name of your app can be your 'custom domain', i.e., mytvm.elasticbeanstalk.com.

If you are using a load balancer with your Elastic Beanstalk application you can make use of the directions here and use openssl to create your own cert. When you've installed openssl and the Elastic Beanstalk command line interface, you can follow the steps, entering your domain name as 'mytvm.elasticbeanstalk.com'.

Using the following commands:

REM Generate the private key. 2048-bit RSA: a 1024-bit modulus is below
REM current minimums and is rejected by current clients and CAs.
C:\>openssl genrsa 2048 > privatekey.pem
Loading 'screen' into random state - done
Generating RSA private key, 2048 bit long modulus....

REM Create a certificate signing request; the Common Name must be the
REM Elastic Beanstalk hostname the app will connect to.
C:\>openssl req -new -key privatekey.pem -out csr.pem
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated....

Country Name (2 letter code) [AU]:us
State or Province Name (full name) [Some-State]:yourstate
Locality Name (eg, city) []:cityname
Organization Name (eg, company) [Internet Widgits Pty Ltd]:yourname
Organizational Unit Name (eg, section) []:your
Common Name (e.g. server FQDN or YOUR name) []:mytvm.elasticbeanstalk.com
...

REM Self-sign the request with the same key; the certificate is valid for one year.
C:\>openssl x509 -req -days 365 -in csr.pem -signkey privatekey.pem -out server.crt

REM Upload the certificate and key to IAM under the name "server" so the
REM load balancer's port 443 listener can select it.
C:\>iam-servercertupload -b server.crt -k privatekey.pem -s server -v

Next, change your setting to use 443.
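A caveat that follows from the approach above: because mytvm.elasticbeanstalk.com lives under a domain AWS controls, no public CA will issue a certificate for it, so the certificate on the load balancer stays self-signed and the mobile app cannot validate it through the platform's trust store. The app therefore has to pin that certificate (or ship it as a trust anchor) rather than turn off verification. The script below is an added example, not part of the original answer or of any AWS tooling: it produces the self-signed certificate in one openssl step, puts the hostname into subjectAltName as well as CN (current TLS stacks match the name against SAN only), and derives the SHA-256 fingerprint a client pins, together with the check the client performs. The hostname, the directory layout and the 365-day validity are assumptions for the example; it requires OpenSSL 1.1.1 or newer for `-addext`.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer): self-signed certificate for an
# Elastic Beanstalk default hostname plus the pin a client uses to trust it.
# Assumptions: OpenSSL 1.1.1 or newer on PATH; the hostname below is made up.
set -eu

HOST="${HOST:-mytvm.elasticbeanstalk.com}"

# make_self_signed_cert <fqdn> <dir>
# Writes <dir>/privatekey.pem and <dir>/server.crt in one step (key generation,
# CSR and self-signing combined). 2048-bit RSA rather than 1024, and the
# hostname goes into subjectAltName as well as CN: current TLS stacks match the
# name against SAN only and treat a CN-only certificate as not matching.
make_self_signed_cert() {
  fqdn="$1"; dir="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=$fqdn" \
    -addext "subjectAltName=DNS:$fqdn" \
    -keyout "$dir/privatekey.pem" -out "$dir/server.crt" 2>/dev/null
}

# cert_has_san <crt> <fqdn>: succeeds if the certificate's SAN lists the name.
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# cert_fingerprint <crt>: SHA-256 over the DER-encoded certificate, printed as
# "AB:CD:...". This is the value a mobile app embeds to pin the certificate.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# verify_pinned <crt> <pinned_fingerprint>
# The client-side check that replaces "disable certificate verification":
# accept the presented certificate only if its fingerprint equals the pin.
# Pinning the leaf means the app must ship a new pin before the certificate
# is rotated (here: before the 365 days run out).
verify_pinned() {
  [ "$(cert_fingerprint "$1")" = "$2" ]
}

# Equivalent of the answer's iam-servercertupload step with the current AWS
# CLI (not run here; needs credentials):
#   aws iam upload-server-certificate --server-certificate-name server \
#     --certificate-body file://server.crt --private-key file://privatekey.pem

workdir="$(mktemp -d)"
make_self_signed_cert "$HOST" "$workdir"
if cert_has_san "$workdir/server.crt" "$HOST"; then
  echo "SAN ok for $HOST"
fi
echo "pin this SHA-256 fingerprint in the client: $(cert_fingerprint "$workdir/server.crt")"
```

Run it once, paste the printed fingerprint into the app, and have the app compare the fingerprint of the certificate presented on port 443 against it, as `verify_pinned` does. A second run produces a different key and fingerprint, which is exactly why the pin and the certificate on the load balancer have to be rotated together.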