Elastic Beanstalk Security Certificates

From Littledamien Wiki

Overview

Instructions on installing and maintaining SSL/TLS certificates for AWS Elastic Beanstalk web apps.

Amazon issues its own certificates (through AWS Certificate Manager), but they are deployed to AWS-managed endpoints such as a load balancer; they cannot be installed on a smaller single-instance environment that has no load balancer in front of it.

Let's Encrypt offers free certificates. They are valid for 90 days, so renewal is part of maintaining the site, not a one-off.

Prerequisites

All these commands are issued after using ssh (or eb ssh from the EB CLI) to get a command prompt on the EC2 instance.

  • ssh access to the EC2 instance
  • Git, virtualenv, pip

Open port 443 on the EC2 instance

  • AWS Management Console > EC2 > instance > click for details > Security Group > click for details
  • Inbound tab > Edit button
  • Add Rule button
    • Type: HTTPS
    • Protocol: TCP
    • Port Range: 443
    • Source: 0.0.0.0/0, ::/0

Leave port 80 open as well: Let's Encrypt validates control of the domain by fetching a challenge file over plain HTTP, so closing port 80 breaks certificate issuance and renewal. Note also that this security group is created and managed by Elastic Beanstalk; a rule added by hand in the console can be lost when the environment is rebuilt, so for anything long-lived put the rule in the environment configuration instead.

Enable SSL on EC2 instance

The Amazon documentation instructs you to install mod_ssl with the following command, which should create the file /etc/httpd/conf.d/ssl.conf when it completes.

$ sudo yum install mod_ssl

This did not work for me for dbarchowsky.com, which was on a t1.micro instance, Amazon Linux AMI version 2018.03. What worked instead was:

$ sudo yum install mod24_ssl

On the Amazon Linux AMI the Apache 2.4 server is packaged as httpd24, and its modules carry the same suffix (mod24_ssl); the plain mod_ssl package belongs to the Apache 2.2 httpd package. Whichever name applies, the install should leave /etc/httpd/conf.d/ssl.conf in place and httpd -M should list ssl_module afterwards.

Installing Let's Encrypt

Install Let's Encrypt into /opt/letsencrypt with git:

$ sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

That repository is now the Certbot repository (github.com/certbot/certbot; the old URL redirects there), and the letsencrypt-auto/certbot-auto wrapper used below has since been deprecated by the Certbot project. The commands on this page are what worked on the 2018.03 AMI; on a current system install certbot by the method the Certbot documentation gives for that OS and substitute certbot for letsencrypt-auto.

Preserving Let's Encrypt configuration

Create a configuration file so the same options are used on every run, including renewals. Certbot reads /etc/letsencrypt/cli.ini automatically; a file with another name, such as /etc/letsencrypt/config.ini used here, is only honoured when it is passed explicitly with --config /etc/letsencrypt/config.ini. The directory may not exist yet on a fresh instance, and sudo does not apply to a shell redirection, so write the file with tee:

$ sudo mkdir -p /etc/letsencrypt
$ echo "rsa-key-size = 4096" | sudo tee -a /etc/letsencrypt/config.ini
$ echo "email = ________@____.com" | sudo tee -a /etc/letsencrypt/config.ini

Installing certificates

Use Let's Encrypt to install security certificates. [1] [2]

The source instructions gave this command:

$ /opt/letsencrypt/letsencrypt-auto --debug

But that returned the following error:

PluginError: Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.

This is caused by the instance's Apache configuration not having the usual VirtualHost on port 80, so Certbot's apache authenticator has nowhere to place the challenge and needs an alternative method for authenticating the domain. The webroot authenticator only needs a directory that Apache serves at the site root; Certbot writes the challenge files under <webroot>/.well-known/acme-challenge/ and the CA fetches them at http://mydomain.com/.well-known/acme-challenge/ over port 80. The apache installer is still used to write the HTTPS VirtualHost. [3] (Set /var/www/webroot to a path appropriate to the environment; --debug is needed because letsencrypt-auto treats Amazon Linux as an experimental platform.)

$ /opt/letsencrypt/letsencrypt-auto --debug --authenticator webroot --installer apache -w /var/www/webroot -d mydomain.com -d www.mydomain.com
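Before running that command it is worth checking that the CA will actually be able to fetch the challenge, because a failed validation counts against Let's Encrypt's rate limits. The script below is an added example and is not part of the wiki page or of Certbot's own tooling: it plants a probe token where the HTTP-01 challenge files go, fetches it over port 80 the way the validation servers will, confirms mod_ssl is loaded (the cause of the "SSLCertificateFile" error in Troubleshooting), and only then issues the command above with the config file from the previous section passed explicitly. The paths, the domain names, the script name preflight.sh and the "issue" argument are assumptions; set the variables to match the environment.

```shell
#!/bin/sh
# preflight.sh: added example, not from the wiki page or from Certbot.
# Hypothetical defaults below mirror the wiki's placeholders; override via environment.
LE_HOME="${LE_HOME:-/opt/letsencrypt}"
LE_CONFIG="${LE_CONFIG:-/etc/letsencrypt/config.ini}"
WEBROOT="${WEBROOT:-/var/www/webroot}"
DOMAINS="${DOMAINS:-mydomain.com www.mydomain.com}"

# Turn a space-separated domain list into the repeated -d flags certbot expects.
# The first name becomes the certificate's subject, so list the bare domain first.
domain_flags() {
    out=""
    for d in $1; do
        out="$out -d $d"
    done
    printf '%s\n' "${out# }"
}

# Write a throw-away token where certbot will place HTTP-01 challenge files and
# print the token name. The directory must be creatable here and readable by httpd.
place_probe_token() {
    webroot="$1"
    dir="$webroot/.well-known/acme-challenge"
    token="probe-$(date +%s)-$$"
    mkdir -p "$dir" || return 1
    printf '%s' "$token" > "$dir/$token" || return 1
    printf '%s\n' "$token"
}

# Fetch the token over plain HTTP exactly as Let's Encrypt's validation servers do.
# Fails if port 80 is closed, Apache does not serve $webroot at /, or the file is unreadable.
probe_served() {
    domain="$1"; webroot="$2"; token="$3"
    expected="$(cat "$webroot/.well-known/acme-challenge/$token")" || return 1
    got="$(curl -fsS --max-time 10 "http://$domain/.well-known/acme-challenge/$token")" || return 1
    [ "$got" = "$expected" ]
}

# Is mod_ssl loaded? Without it the apache installer cannot find an SSLCertificateFile
# directive to work from (see Troubleshooting).
ssl_module_loaded() {
    httpd -M 2>/dev/null | grep -q 'ssl_module'
}

# Restart Apache with whichever service manager the AMI has (2018.03 lacks systemctl).
restart_httpd() {
    if command -v systemctl >/dev/null 2>&1; then
        sudo systemctl restart httpd
    else
        sudo service httpd restart
    fi
}

issue_certificate() {
    ssl_module_loaded || { echo "mod_ssl is not loaded; install mod24_ssl first" >&2; return 1; }
    token="$(place_probe_token "$WEBROOT")" || return 1
    for d in $DOMAINS; do
        if ! probe_served "$d" "$WEBROOT" "$token"; then
            echo "http://$d/.well-known/acme-challenge/$token is not reachable;" \
                 "fix port 80 or the webroot before asking the CA" >&2
            rm -f "$WEBROOT/.well-known/acme-challenge/$token"
            return 1
        fi
    done
    rm -f "$WEBROOT/.well-known/acme-challenge/$token"
    # shellcheck disable=SC2046  # word splitting of the -d flags is intended
    "$LE_HOME/letsencrypt-auto" --debug --config "$LE_CONFIG" \
        --authenticator webroot --installer apache -w "$WEBROOT" \
        $(domain_flags "$DOMAINS") \
        && restart_httpd
}

# Only run the full flow when invoked as "sh preflight.sh issue"; sourcing just defines the functions.
if [ "${1:-}" = "issue" ]; then
    issue_certificate
fi
```

A probe that fails with a connection timeout points at the security group (port 80 not reachable from the Internet); one that fails with 404 points at the wrong -w directory. Because the same config file is passed, a later letsencrypt-auto renew picks up the same key size and contact address.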

Troubleshooting

systemctl command not found

The AWS documentation uses systemctl to restart the Apache server. The Amazon Linux AMI (2018.03) uses SysV init rather than systemd, so systemctl does not exist there; use the service command instead (sudo service httpd restart). Amazon Linux 2 and later do have systemctl.

Cannot find SSLCertificateFile directive

When running letsencrypt-auto or certbot-auto

Cannot find an SSLCertificateFile directive in /files/etc/httpd/conf/httpd-le-ssl.conf/IfModule/VirtualHost. VirtualHost was not modified
Unable to find an SSLCertificateFile directive

This was fixed by successfully installing mod_ssl (mod24_ssl on this AMI, see above). Certbot's apache installer builds the HTTPS VirtualHost from the SSL directives that mod_ssl's configuration provides; without the module there is nothing for it to find.

ERR_CONNECTION_REFUSED in Chrome

Attempting to load the site using https protocol in Chrome results in ERR_CONNECTION_REFUSED error.

This was fixed after the certificate was installed (creating the httpd-le-ssl.conf file with the correct SSL directives) and Apache was restarted, at which point httpd actually listens on port 443. ERR_CONNECTION_REFUSED means the request reached the instance but nothing was listening on 443; if the security group were still blocking the port the browser would time out instead, which is a quick way to tell the two problems apart.
