Elastic Beanstalk Security Certificates: Difference between revisions

Overview

Instructions on installing and maintaining SSL for AWS Elastic Beanstalk web apps.

Amazon offers its own security certificates for load balanced EC2 instances, but not for smaller stand-alone instances.

Let's Encrypt offers free security certificates.

Prerequisites

All these commands are issued after using ssh to get a command prompt on the EC2 instance.

• ssh access to the EC2 instance
• Git, virtualenv, pip

Open port 443 on the EC2 instance

• AWS Management Console > EC2 > instance > click for details > Security Group > click for details
• Inbound tab > Edit button
• Add Rule button
  • Type: HTTPS
  • Protocol: TCP
  • Port Range: 443
  • Source: 0.0.0.0/0, ::/0

Enable SSL on EC2 instance

The Amazon documentation instructs you to install mod_ssl with the following command which should create a file /etc/httpd/conf.d/ssl.conf when it completes.

$ sudo yum install mod_ssl

This did not work for me for dbarchowsky.com which was on a t1.micro instance, Amazon Linux AMI version 2018.03. What worked instead was:

$ sudo yum install mod24_ssl

Installing certificates

Install Let's encrypt into /opt/letsencrypt with git

$ sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencript

The source instructions gave this command:

$ /opt/letsencrypt/letsencrypt-auto --debug

But that returned the following error:

PluginError: Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.

This is cause by not having the typical VirtualHost running on port 80 in the Apache configuration, so Certbot needs an alternative method for authenticating the doamin. It's possibel to manually specify the web root of the website: ^[1]

$ /opt/letsencrypt/letsencrypt-auto --debug --authenticator webroot --installer apache -w /var/www/webroot -d mydomain.com,www.mydomain.com

^[2]