How can I configure SSL for my Elastic Beanstalk S

2019-06-27 09:46发布

I am new to AWS and got my Java based RESTAPI working on a Single Instance EBS. Now I am trying to install SSL certificate into above Single Instance EBS so that it can work for https requests.

I am trying to create Self Signed Certificate on my Windows machine for the certificate at this moment. I followed this article to create the certificates.

I have followed AWS Documentation and can see the sample script to create SSL Configuration File (singlessl.config).

I am not sure from where or how do I get <certificate file contents> and <private key contents> for the configuration file. Can you please advise.

EDIT:
Here is the config file that has no issues before I add the Certificate Content

Resources:
  sslSecurityGroupIngress: 
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupName: {"Ref" : "AWSEBSecurityGroup"}
      # GroupId: {"Ref" : "AWSEBSecurityGroup"}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0

packages:
  yum:
    mod_ssl : []

files:
  /etc/httpd/conf.d/ssl.conf:
    mode: "000755"
    owner: root
    group: root
    content: |
      LoadModule ssl_module modules/mod_ssl.so
      Listen 443
      <VirtualHost *:443>
        <Proxy *>
          Order deny,allow
          Allow from all
        </Proxy>

        SSLEngine             on
        SSLCertificateFile    "/etc/pki/tls/certs/server.crt"
        SSLCertificateKeyFile "/etc/pki/tls/certs/server.key"
        SSLCipherSuite        EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
        SSLProtocol           All -SSLv2 -SSLv3
        SSLHonorCipherOrder   On

        Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
        Header always set X-Frame-Options DENY
        Header always set X-Content-Type-Options nosniff

        ProxyPass / http://localhost:8080/ retry=0
        ProxyPassReverse / http://localhost:8080/
        ProxyPreserveHost on

        LogFormat "%h (%{X-Forwarded-For}i) %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
        ErrorLog /var/log/httpd/elasticbeanstalk-error_log
        TransferLog /var/log/httpd/elasticbeanstalk-access_log
      </VirtualHost>

  /etc/pki/tls/certs/server.crt:
    mode: "000400"
    owner: root
    group: root
    content: |
      -----BEGIN CERTIFICATE-----
      <certificate file contents>
      -----END CERTIFICATE-----

  /etc/pki/tls/certs/server.key:
    mode: "000400"
    owner: root
    group: root
    content: |
      -----BEGIN RSA PRIVATE KEY-----
      <private key contents>
      -----END RSA PRIVATE KEY-----

services:
  sysvinit:
    httpd:
      enabled: true
      ensureRunning: true
      files : [/etc/httpd/conf.d/ssl.conf,/etc/pki/tls/certs/server.key,/etc/pki/tls/certs/server.crt]

Again after I add Certificate content the validation failed

Resources:
  sslSecurityGroupIngress: 
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupName: {"Ref" : "AWSEBSecurityGroup"}
      # GroupId: {"Ref" : "AWSEBSecurityGroup"}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0

packages:
  yum:
    mod_ssl : []

files:
  /etc/httpd/conf.d/ssl.conf:
    mode: "000755"
    owner: root
    group: root
    content: |
      LoadModule ssl_module modules/mod_ssl.so
      Listen 443
      <VirtualHost *:443>
        <Proxy *>
          Order deny,allow
          Allow from all
        </Proxy>

        SSLEngine             on
        SSLCertificateFile    "/etc/pki/tls/certs/server.crt"
        SSLCertificateKeyFile "/etc/pki/tls/certs/server.key"
        SSLCipherSuite        EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
        SSLProtocol           All -SSLv2 -SSLv3
        SSLHonorCipherOrder   On

        Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
        Header always set X-Frame-Options DENY
        Header always set X-Content-Type-Options nosniff

        ProxyPass / http://localhost:8080/ retry=0
        ProxyPassReverse / http://localhost:8080/
        ProxyPreserveHost on

        LogFormat "%h (%{X-Forwarded-For}i) %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
        ErrorLog /var/log/httpd/elasticbeanstalk-error_log
        TransferLog /var/log/httpd/elasticbeanstalk-access_log
      </VirtualHost>

  /etc/pki/tls/certs/server.crt:
    mode: "000400"
    owner: root
    group: root
    content: |
      -----BEGIN CERTIFICATE-----
MIIFrjCCA5agAwIBAgIQnWFbX+HcXIBD15PWJMbowzANBgkqhkiG9w0BAQ0FADBd
MQ4wDAYDVQQGEwVJbmRpYTEMMAoGA1UECxMDREVWMR4wHAYDVQQKExVWNSBCdXNp
bmVzcyBTb2x1dGlvbnMxHTAbBgNVBAMTFE1BU2dlbmllIERldiBSb290IENBMB4X
DTE0MTIzMTE4MzAwMFoXDTE5MDEzMDE4MzAwMFowGzEZMBcGA1UEAxMQZGV2Lm1h
c2dlbmllLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMEHn/iC
9iGQHAKwxscFdnun2Q1qr0M0jBIt4JcwTsT5NjRfII7RBHvCnTWrQUo4QBoIqVdR
OkG4PkAS0Q3wqcuACyCAknx//k9O0DQHbkk2jI0aNrrD0iDFlHX9P/e+zS6VA5Qg
2Wrzf4nHNDC3ITsGYkNvXXFn6Uhl0o7WHrQ7njHpd26kNFGQPwVbFdjDm2uYDUqz
SnnlxXWVI1bgIoKVrZOqe61XCmgaFP0fIMXw4nZGT1GzfWmrzg9qjglMldxjoHL2
XpOtF6l8jRnVMLQqytlDb3CkQSYdoDqKWhiqNvq1l0ZsLupuPebdjTD11KMybW2k
q/0R5WCrNBBLRwxFq6DZgzyhhHvBhxFA567uafSRDhlpCz8C0Ll3SM1TrU8ySyVN
JgRIH2E3CPJ5wAiIWEuz4LKJ/Pip+j/7iuqsRgX7QBh7kJN3oRghoAKmkoWvBuJ8
n4azmtO+B4WDDwaoV7+JYX79dwpI+dzYAZXG1MhJv0SSIx4F3eCw5tSJqpbtj9om
KluKd8RGHpZW9qUQCcLY3Expx74Ehnm+Lbgov5C1ba7JYab+JRyM1tz5k/Z+sy2m
3PUUZz2WxBeysrnjjfCYrLtXGOwG13jO2rf4e9PakRBQd4Ybx2Z45IximaFT38r5
DQZXlLgq+BkekGuV7FVtzPSZH3FV86UIRBeTAgMBAAGjgaswgagwEwYDVR0lBAww
CgYIKwYBBQUHAwEwgZAGA1UdAQSBiDCBhYAQKxykerZGsDqRGnXn8lBmoqFfMF0x
DjAMBgNVBAYTBUluZGlhMQwwCgYDVQQLEwNERVYxHjAcBgNVBAoTFVY1IEJ1c2lu
ZXNzIFNvbHV0aW9uczEdMBsGA1UEAxMUTUFTZ2VuaWUgRGV2IFJvb3QgQ0GCEE/8
C0XD+iW3TMfyC51vkw0wDQYJKoZIhvcNAQENBQADggIBAHggcAILANfMtdSJd9XW
2BsFXORtKrWzrlsYEOkM8sIjqI0QoDI1KE7NwFbzhue5OdxB8uOq1nD/J8HZUovH
Ij4np58yJjp6K43zaxrFjQNO7UyHJmcJ0rPRet7WuCTwqs4DY4/J4foEe1mNE3kL
7HiAAEKHmZ0/sLwu6TKa3QOajWxIV/MCLAuNEvTc4hPAesmyuUlnRWa8Uk/8cOCB
HFgpe/jWN8wxAcj1YS60RBGTeneiutW+/ZZr9YKlTjZgmnbR3LEDdSTsP6eLGocl
KHT0MdTqIm0uphmr8jUeUw2iNOrbm1FRZoTW9hKboIdM0Uksr778WK5A3MlsakZP
2J2G1cvQAC1fEckTS9p39QhLRTes5gCpLROySfWY9ZeMam2AXQyeVHZ6kbqdAdNG
TpOysl8j13m/O5Lh1QM26fJ9P+IIqKOffXxty4C4bZCVoR270QEP42az9G61mQZ9
d0c2yMsCvIhS1UxguF3cjGz3CK90SMo3l5TFDnNU71a0M5DIuuViIB8f40Jp5HL3
hjq+l2vzIxrmFbKyCvL5+dbEy46q9dIjqOFJECsu9khqHNbA7Wn5GBzBNxGLTkh/
2kaeIvUbRPrDFE67J/gHL4NPXSp+NohnQvjFRvGn/+3GKjhdrLDu+rlXrcEkNUv3
c4XR9gJqVsCoSiWRnoZP05FB
      -----END CERTIFICATE-----

  /etc/pki/tls/certs/server.key:
    mode: "000400"
    owner: root
    group: root
    content: |
      -----BEGIN RSA PRIVATE KEY-----
      <private key contents>
      -----END RSA PRIVATE KEY-----

services:
  sysvinit:
    httpd:
      enabled: true
      ensureRunning: true
      files : [/etc/httpd/conf.d/ssl.conf,/etc/pki/tls/certs/server.key,/etc/pki/tls/certs/server.crt]

The Error:

(<unknown>): could not find expected ':' while scanning a simple key at line 56 column 1

1条回答
唯我独甜
2楼-- · 2019-06-27 10:13

The line

MIIFrjCCA5agAwIBAgIQnWFbX+HcXIBD15PWJMbowzANBgkqhkiG9w0BAQ0FADBd

should be at the same indentation level as

-----BEGIN CERTIFICATE-----

that means, your file should look like this:

content: |
  -----BEGIN CERTIFICATE-----
  MIIFrjCCA5agAwIBAgIQnWFbX+HcXIBD15PWJMbowzANBgkqhkiG9w0BAQ0FADBd

So, give spaces before your certificate and key content and it should work.

查看更多
登录 后发表回答