how to attach SSL certificate to single instance b

2019-03-09 22:39发布

I have a Java war that I want to host on elastic beanstalk on AWS. I have a certificate but I am not able to figure out how to attach it to my single instance app.

All the howtos describe how to attach the certificate to elastic load balancer but no document on how to do it without load balancer (i.e. single instance).

I don't want to use load balancer because it costs extra (and not needed in testing environment).

Any help will be appreciated.

2条回答
不美不萌又怎样
2楼-- · 2019-03-09 23:00

This solution uses LetsEncrypt free certs, and doesn't require storing your certs in a config file. And its easy to reuse for different domains.

http://bluefletch.com/blog/domain-agnostic-letsencrypt-ssl-config-for-elastic-beanstalk-single-instances/

Summary: a config file with container commands that automates downloading certbot, getting a cert, and pointing nginx to the cert.

查看更多
虎瘦雄心在
3楼-- · 2019-03-09 23:20

Elastic Beanstalk single instance type did not support SSL via Management Console or API. You can find more information in AWS Forums.

But you can use Configuration File to customize your instance to enable SSL. Please see the following example.

  1. Create an .ebextensions directory in the top-level of your source bundle.
  2. Copy SSLCertificateFile.crt, SSLCertificateKeyFile.key, SSLCertificateChainFile.crt and ssl.conf(apache2 ssl module configuration) into .ebextensions
  3. Create a configuration file, /your_app/.ebextensions/01ssl.config. Type the following 01ssl.config inside the configuration file to configure ssl settings
  4. Open 443 port in your security group

01ssl.config

packages:
  yum:
    mod_ssl: []
container_commands:
  add-SSLCertificateFile-label:
    command: cp .ebextensions/SSLCertificateFile.crt /home/ec2-user/SSLCertificateFile.crt

  add-SSLCertificateKeyFile-label:
    command: cp .ebextensions/SSLCertificateKeyFile.key /home/ec2-user/SSLCertificateKeyFile.key

  add-SSLCertificateChainFile-label:
    command: cp .ebextensions/SSLCertificateChainFile.crt /home/ec2-user/SSLCertificateChainFile.crt

  replace-ssl-configuration-label:
    command: cp .ebextensions/ssl.conf /etc/httpd/conf.d/ssl.conf

ssl.conf example

Your WAR structure should look like

web_app.war
          |
          |_.ebextensions
          |   |_ 01ssl.config
          |   |_ SSLCertificateFile.crt
          |   |_ SSLCertificateKeyFile.key
          |   |_ SSLCertificateChainFile.crt
          |   |_ ssl.conf
          |
          |_META-INF
          |
          |_WEB-INF
               |_ classes
               |_ lib
               |_ web.xml

2013/11/14 Updated.

  1. Using configuration file should pay attention to security problems, because the files in the folder .ebextensions are accessible for everyone. This may not happen in usual situation.
  2. AWS also provides an example Configuration File for configuring SSL for Single Instance Type now.
查看更多
登录 后发表回答