Elastic Beanstalk Security Certificates: Difference between revisions

From Littledamien Wiki
(104 intermediate revisions by the same user not shown)

Earlier revision (Let's Encrypt on a stand-alone EC2 instance)

The diff compares this earlier revision with the latest revision below. The earlier text covers obtaining a Let's Encrypt certificate directly on a single EC2 instance; the latest revision replaces that with a certificate from AWS Certificate Manager attached to the environment's load balancer.

Overview

Instructions on installing and maintaining SSL for AWS Elastic Beanstalk web apps.

AWS Certificate Manager issues certificates that can be attached to a load balancer in front of EC2 instances, but they cannot be installed on a smaller stand-alone instance, so a stand-alone instance needs a certificate from another CA. Let's Encrypt (https://letsencrypt.org/) offers free certificates.

Installation

All these commands are issued after using ssh to get a command prompt on the EC2 instance.

Prerequisites

  • ssh access to the EC2 instance
  • Git, virtualenv, pip

Open port 443 on the EC2 instance

  • AWS Management Console > EC2 > instance > click for details > Security Group > click for details
  • Inbound tab > Edit button
  • Add Rule button
    • Type: HTTPS
    • Protocol: TCP
    • Port Range: 443
    • Source: 0.0.0.0/0, ::/0

Opening 443 to every IPv4 and IPv6 address is what a public website needs; do not reuse that source for the ssh rule on port 22.

Enable SSL on EC2 instance

The Amazon documentation instructs you to install mod_ssl with the following command, which should create the file /etc/httpd/conf.d/ssl.conf when it completes.

  $ sudo yum install mod_ssl

This did not work for me for dbarchowsky.com which was on a t1.micro instance, Amazon Linux AMI version 2018.03. What worked instead was:

  $ sudo yum install mod24_ssl

Installing certificates

Install Let's Encrypt into /opt/letsencrypt with git (the original page's command had the target path misspelled as /opt/letsencript, which would leave the later commands pointing at a directory that does not exist):

  $ sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

The source instructions gave this command:

  $ /opt/letsencrypt/letsencrypt-auto --debug

But that returned the following error:

  PluginError: Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.

This is caused by not having the typical VirtualHost running on port 80 (https://httpd.apache.org/docs/2.4/mod/core.html#virtualhost) in the Apache configuration, so Certbot needs an alternative method for authenticating the domain. It is possible to manually specify the web root of the website, so that Certbot proves control by placing the HTTP-01 challenge file there instead of looking for a port-80 VirtualHost to edit:[1][2]

  $ /opt/letsencrypt/letsencrypt-auto --debug --authenticator webroot --installer apache -w /var/www/webroot -d mydomain.com,www.mydomain.com

The letsencrypt-auto (later certbot-auto) wrapper used above has since been retired by the Certbot project; on a current system install certbot from the distribution package or pip and run certbot with the same --authenticator webroot / --installer apache / -w / -d flags.

References

  1. Error installing Let's Encrypt on AWS Linux (https://community.letsencrypt.org/t/error-installing-lets-encrypt-on-aws-linux/52227/3) - Let's Encrypt community forum
  2. Deploying Let's Encrypt on An Amazon Linux AMI EC2 Instance (https://medium.com/@gnowland/deploying-lets-encrypt-on-an-amazon-linux-ami-ec2-instance-f8e2e8f4fc1f) - Medium.com
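The port-443, VirtualHost and certbot steps of the earlier revision above, turned into one script, as an added example that is not the wiki's own. It assumes hypothetical values (example.com with a www alias, /var/www/webroot, an admin e-mail address, optionally a security-group ID), an Apache 2.4 host laid out like Amazon Linux (/etc/httpd/conf.d, "service httpd"), the AWS CLI for the security-group rule, and certbot on PATH; the letsencrypt-auto wrapper the page used is no longer supported by the Certbot project, so the script calls certbot directly with the same webroot/apache flags.

```shell
#!/usr/bin/env bash
# Added example (not the wiki's own commands): Let's Encrypt on a stand-alone Apache
# instance, done so that it is unattended and renewable.  Hypothetical values:
# domain example.com (+ www), site files under /var/www/webroot, Apache 2.4 on an
# Amazon Linux-style host (/etc/httpd/conf.d, "service httpd"), certbot on PATH
# (the letsencrypt-auto wrapper the page used is no longer supported).
set -eu

# The wiki's PluginError means Apache had no VirtualHost answering on port 80.
# HTTP-01 validation needs one, so add the minimal vhost that the certbot apache
# installer and the webroot authenticator both expect.  The Alias pins the ACME
# challenge path to the webroot even if the app rewrites every other URL.
port80_vhost() {
  local domain=$1 webroot=$2
  cat <<EOF
<VirtualHost *:80>
    ServerName ${domain}
    ServerAlias www.${domain}
    DocumentRoot ${webroot}
    Alias /.well-known/acme-challenge/ ${webroot}/.well-known/acme-challenge/
    <Directory "${webroot}/.well-known/acme-challenge/">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
EOF
}

# The command the wiki arrived at, plus the flags that keep it from prompting and
# make it safe to rerun: --redirect lets the apache installer add the HTTP->HTTPS
# redirect, --keep-until-expiring makes a rerun a no-op while the cert is valid.
certbot_issue_cmd() {
  local domain=$1 webroot=$2 email=$3
  printf '%s' "certbot --non-interactive --agree-tos -m ${email} \
--authenticator webroot --installer apache --redirect --keep-until-expiring \
-w ${webroot} -d ${domain},www.${domain}"
}

# Let's Encrypt certificates last 90 days, so renewal must be automatic.  Distro
# certbot packages usually ship a timer; this cron entry is for hosts without one.
# --deploy-hook runs only when a certificate was actually replaced.
renew_cron_line() {
  echo '17 3,15 * * * root certbot renew --quiet --deploy-hook "service httpd reload"'
}

# Security-group rule for the "Open port 443" step: HTTPS to the world, IPv4 and IPv6.
# Only 443 (and 80, for the ACME challenge) should be open this widely; never 22.
open_https_cmd() {
  local sg=$1
  printf '%s' "aws ec2 authorize-security-group-ingress --group-id ${sg} \
--ip-permissions 'IpProtocol=tcp,FromPort=443,ToPort=443,IpRanges=[{CidrIp=0.0.0.0/0}],Ipv6Ranges=[{CidrIpv6=::/0}]'"
}

main() {
  local domain=${1:?domain} webroot=${2:?webroot} email=${3:?email} sg=${4:-}
  if [ -n "$sg" ]; then eval "$(open_https_cmd "$sg")"; fi
  sudo mkdir -p "${webroot}/.well-known/acme-challenge"
  port80_vhost "$domain" "$webroot" | sudo tee "/etc/httpd/conf.d/${domain}-80.conf" >/dev/null
  sudo apachectl configtest && sudo service httpd reload
  eval "sudo $(certbot_issue_cmd "$domain" "$webroot" "$email")"
  renew_cron_line | sudo tee /etc/cron.d/certbot-renew >/dev/null
  sudo certbot renew --dry-run   # proves the renewal path works before the 90 days are up
}
if [ "${LE_APPLY:-0}" = 1 ]; then main "$@"; fi
```

Set LE_APPLY=1 and pass the domain, webroot and e-mail (plus the security-group ID if the 443 rule is still missing) to run it; without that the script only defines its functions, so the generated vhost and certbot command can be inspected first. The certbot renew --dry-run at the end is the check worth keeping: a certificate that issued once but cannot renew is the usual way a Let's Encrypt site goes dark 90 days later.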

Latest revision as of 20:48, 21 August 2022

Overview

Instructions on how to install security certificates for websites hosted in AWS Elastic Beanstalk environments.

AWS Certificate Manager

  • In the AWS management console, go to AWS Certificate Manager (ACM)
  • Click Request a Certificate
    • Certificate Type: "Request a public certificate"
    • Fully qualified domain name: Enter domain name
    • Click Add another name to this certificate to add any additional subdomains or wildcards to the certificate. A wildcard such as *.example.com covers one label only (www.example.com, but not example.com itself or a.b.example.com), so list the bare domain as well.
    • Select validation method: DNS validation
    • Click Request button
  • The new certificate will be displayed in a list along with its associated domain name, with status "Pending validation" until the next step is done.

Validate the certificate's domains

Each domain listed on the certificate must be validated to prove that whoever requested the certificate controls the domain. With DNS validation, ACM does this by asking for a specific CNAME record in the domain's zone.

  • Click on the certificate in the ACM list.
  • Under Domains, a "Create records in Route 53" button is displayed if Route 53 is used to manage the domain name. If DNS is hosted elsewhere, copy the CNAME name and value shown for each domain into that DNS provider instead.
  • Click that button.
  • Select the domains to validate.
  • Click Create Records.

It can take up to 30 minutes for the status of the domain to change from "pending validation" to "issued." Leave the validation CNAME records in place afterwards: ACM re-checks them to renew the certificate automatically, and removing them breaks managed renewal.

Apply the certificate to load balancers

A certificate is used to add a "listener" to the load balancer associated with an Elastic Beanstalk environment. The load balancer terminates TLS on that listener and forwards the request on to the environment's EC2 instances (by default over plain HTTP on port 80 inside the VPC), so the certificate never has to be copied to the instances themselves.

  • Go to the Elastic Beanstalk management console.
  • Select an Elastic Beanstalk environment.
  • Click Configuration from the menu on the left.
  • Select Load Balancer > Edit
  • Under Listeners, click Add Listener
    • Port: 443
    • Protocol: HTTPS
    • SSL Certificate: Select the certificate created in ACM
    • SSL Policy: (blank). Blank means the load balancer's current default policy; on an application load balancer, choosing an explicit TLS 1.2/1.3-only policy such as ELBSecurityPolicy-TLS13-1-2-2021-06 keeps TLS 1.0 and 1.1 switched off and makes the setting reproducible.
    • Default process: (default)
    • Click Add

Make sure to scroll down to the bottom of the page to click Apply. I didn’t notice this at first and was wondering why the new listener was disappearing.
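The same request, validation and listener procedure driven from the AWS CLI, as an added example that is not part of the wiki page. The domain, hosted-zone ID, environment name and SSL policy are hypothetical placeholders; it assumes an application load balancer (the classic-load-balancer option namespace is noted in a comment), AWS credentials with ACM, Route 53 and Elastic Beanstalk rights, and openssl on the machine running it for the final check.

```shell
#!/usr/bin/env bash
# Added example, not from the wiki: ACM request + DNS validation + Elastic Beanstalk
# HTTPS listener via the AWS CLI.  Hypothetical values: example.com (+www), Route 53
# hosted zone Z0123456789ABCDEFGHIJ, environment my-env behind an application load
# balancer.  Needs AWS credentials with ACM / Route 53 / Elastic Beanstalk rights.
set -eu

# Option settings for the environment's port-443 listener.  aws:elbv2:listener:443 is
# the application-load-balancer namespace; a classic load balancer uses
# aws:elb:listener:443 with ListenerProtocol / SSLCertificateId instead.  Setting
# SSLPolicy explicitly avoids the console's "(blank)", i.e. whatever the default is today.
eb_https_listener_options() {
  local cert_arn=$1 policy=${2:-ELBSecurityPolicy-TLS13-1-2-2021-06}
  cat <<EOF
[
  {"Namespace": "aws:elbv2:listener:443", "OptionName": "ListenerEnabled", "Value": "true"},
  {"Namespace": "aws:elbv2:listener:443", "OptionName": "Protocol", "Value": "HTTPS"},
  {"Namespace": "aws:elbv2:listener:443", "OptionName": "SSLCertificateArns", "Value": "${cert_arn}"},
  {"Namespace": "aws:elbv2:listener:443", "OptionName": "SSLPolicy", "Value": "${policy}"}
]
EOF
}

# Route 53 change batch for one ACM validation record.  Name and value come from
# describe-certificate (DomainValidationOptions[].ResourceRecord); they must stay in
# place after issuance because ACM re-checks them for managed renewal.
validation_change_batch() {
  local name=$1 value=$2
  cat <<EOF
{"Changes": [{"Action": "UPSERT", "ResourceRecordSet": {"Name": "${name}",
  "Type": "CNAME", "TTL": 300, "ResourceRecords": [{"Value": "${value}"}]}}]}
EOF
}

main() {
  local domain=${1:?domain} zone=${2:?hosted-zone-id} env=${3:?environment-name}
  # 1. Request.  Extra names go in as SANs; "*.example.com" would cover one label only.
  local arn
  arn=$(aws acm request-certificate --domain-name "$domain" \
          --subject-alternative-names "www.${domain}" \
          --validation-method DNS --query CertificateArn --output text)
  # 2. Validate.  ACM assigns one CNAME per name; they appear a few seconds after the
  #    request, so poll until describe-certificate returns them.
  local recs=""
  while [ -z "$recs" ]; do
    sleep 5
    recs=$(aws acm describe-certificate --certificate-arn "$arn" --output text \
             --query 'Certificate.DomainValidationOptions[].ResourceRecord.[Name,Value]')
    case "$recs" in *None*) recs="" ;; esac
  done
  echo "$recs" | while read -r name value; do
    aws route53 change-resource-record-sets --hosted-zone-id "$zone" \
      --change-batch "$(validation_change_batch "$name" "$value")"
  done
  aws acm wait certificate-validated --certificate-arn "$arn"   # blocks until ISSUED
  # 3. Apply.  update-environment is the CLI equivalent of the console's Apply button.
  aws elasticbeanstalk update-environment --environment-name "$env" \
    --option-settings "$(eb_https_listener_options "$arn")"
  # 4. Check from outside: the served leaf certificate should name every host you expect.
  openssl s_client -connect "${domain}:443" -servername "$domain" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -ext subjectAltName -dates
}
if [ "${EB_APPLY:-0}" = 1 ]; then main "$@"; fi
```

Run it as EB_APPLY=1 ./script.sh example.com Z0123456789ABCDEFGHIJ my-env once the environment exists; without EB_APPLY the functions only define themselves, so the option-settings JSON can be reviewed or dropped into a .ebextensions config first. The final openssl step is the part the console flow lacks: it shows the certificate that clients actually receive, so a missing SAN or a still-attached old certificate is caught before users are.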

Notes

See Also

  • Legacy page: Installing Lets Encrypt Security Certificates In Elastic Beanstalk Environments