Elastic Beanstalk Security Certificates Archived November 2020

From Littledamien Wiki
Revision as of 01:18, 17 November 2020 by Video8 (talk | contribs)

Warning about the contents of this page

Note that all the information on this page is DEPRECATED. It is preserved here for archival purposes only.

Prerequisites

Enable SSL on EB environment

Apache server

The Amazon documentation instructs you to install mod_ssl with the command below, which should create the file /etc/httpd/conf.d/ssl.conf when it completes.

Note that this applies only to Apache servers. Confirm that Apache is the server handling web requests with

$ sudo systemctl is-enabled httpd

If the command returns disabled, then another server, most likely nginx, is already serving web requests.

$ sudo yum install mod_ssl

This did not work for me for dbarchowsky.com, which was on a t1.micro instance running Amazon Linux AMI version 2018.03. What worked instead was:

$ sudo yum install mod24_ssl

These commands don't need to be entered manually. Instead, put them into an .ebextensions config file so that the site can be deployed without manual configuration:

packages:
  yum:
    mod_ssl: []

Installing certbot

WARNING! These instructions describe how to install certbot-auto, a wrapper script that automates installing certbot and then runs it to obtain Let's Encrypt security certificates. certbot-auto is not supported on Amazon Linux 2 as of mid-2020.

Certbot Commands documentation

certbot is a command line tool that obtains Let's Encrypt certificates and configures the current web server to use them so that it can serve https requests.

Let's Encrypt certificates are typically stored as .pem files in /etc/letsencrypt/live/mydomain.com.

The server's config file must also be updated to store the location of the certificate files. A typical path for this file is /etc/httpd/conf.d/ssl.conf.

Installing certbot from the command line

$ mkdir -p /opt/certbot 
$ wget https://dl.eff.org/certbot-auto -O /opt/certbot/certbot-auto 
$ chmod a+x /opt/certbot/certbot-auto

Installing certbot in .ebextensions

The above commands would likely require sudo on the command line. The best location for this configuration is a .ebextensions config file, under the commands key, with something like this:

commands:
  20_install_certbot:
    command: "mkdir -p /opt/certbot && wget https://dl.eff.org/certbot-auto -O /opt/certbot/certbot-auto && chmod a+x /opt/certbot/certbot-auto"

Generating LE Certificates

Running certbot-auto

WARNING! The certbot-auto script is not supported on Amazon Linux as of mid-2020.

The following is an example certbot-auto command.

$ sudo /opt/certbot/certbot-auto certonly --standalone --debug --non-interactive --email ${LETSENCRYPT_EMAIL} --agree-tos -d ${LETSENCRYPT_DOMAIN} -d www.${LETSENCRYPT_DOMAIN} --expand --renew-with-new-domains --pre-hook "service nginx stop"

Different authentication methods can be specified. The method above creates a challenge file in the web server directory, then makes an HTTP request for that file to confirm there is legitimate access to the website. This means that the domain name must point to the server where certbot-auto is running.

Installing LE Certificates with nginx

The following instructions originate from Let's Encrypt with AWS Elastic Beanstalk by “PirateFaché”. This installs LE certificates on nginx.

The following directives in the .ebextensions file will NOT change the configuration of the nginx server. See Troubleshooting for details.

Creating /etc/nginx/conf.d/https_custom.conf with the following content allows requests to port 443 to be served with the LE certificates:

# HTTPS server
server {
    listen       443 default ssl;
    server_name  localhost;
    error_page  497 https://$host$request_uri;

    ssl_certificate      /etc/letsencrypt/live/ebcert/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/ebcert/privkey.pem;

    ssl_session_timeout  5m;
    ssl_protocols  TLSv1.1 TLSv1.2;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_prefer_server_ciphers   on;

    # Include the Elastic Beanstalk generated locations
    include conf.d/elasticbeanstalk/*.conf;
}

It's necessary to create a symbolic link from the “ebcert” directory referenced in the file above to the actual directory containing the LE certificates:

$ sudo ln -sf /etc/letsencrypt/live/wiki.dbarchowsky.com /etc/letsencrypt/live/ebcert

Restart nginx

$ sudo systemctl restart nginx

At this point it should be possible to make https requests to the site:

$ curl https://mydomain.com

TLS 1.2

Note that this line in /etc/nginx/conf.d/https_custom.conf

ssl_protocols  TLSv1.1 TLSv1.2;

allows both TLS 1.1 and TLS 1.2. TLS 1.2 is the most current protocol (as of mid-2020) and addresses security issues in TLS 1.1. When checking the certificate with SSL Labs this results in a “B” grade, only because TLS 1.1 is still allowed. If you scroll down in the report, TLS 1.2 is shown as supported, so requests should still be handled if the client is limited to TLS 1.2.
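A small shell check, added here and not part of the original page, that reads the ssl_protocols and ssl_prefer_server_ciphers directives from an nginx server block such as /etc/nginx/conf.d/https_custom.conf and fails when a legacy protocol (SSLv3, TLS 1.0 or TLS 1.1) is still offered. The two sample configs are constructed inline; the first mirrors the block above, the second is the TLS 1.2-only variant that avoids the SSL Labs downgrade.

```shell
#!/bin/sh
# Added example, not part of the original page: audit the TLS settings of an
# nginx server block (e.g. /etc/nginx/conf.d/https_custom.conf from this page).
# audit_nginx_tls CONF: exit 0 when only TLS 1.2 or newer is offered and
# ssl_prefer_server_ciphers is on, 1 when a legacy protocol is still enabled
# or the directive is missing, 2 when the file cannot be read.
audit_nginx_tls() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    # Pull the protocol list out of a line like "ssl_protocols TLSv1.1 TLSv1.2;"
    protos=$(sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*$/\1/p' "$conf")
    if [ -z "$protos" ]; then
        echo "no ssl_protocols directive in $conf (nginx default applies)" >&2
        return 1
    fi
    rc=0
    for p in $protos; do
        case "$p" in
            SSLv2|SSLv3|TLSv1|TLSv1.1)
                echo "legacy protocol still enabled: $p (lowers the SSL Labs grade)" >&2
                rc=1 ;;
        esac
    done
    if ! grep -q '^[[:space:]]*ssl_prefer_server_ciphers[[:space:]]*on;' "$conf"; then
        echo "ssl_prefer_server_ciphers is not on" >&2
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "ok: ssl_protocols $protos"
    return "$rc"
}

# Constructed sample matching the https_custom.conf above (TLS 1.1 still allowed).
LEGACY_CONF=$(mktemp)
cat >"$LEGACY_CONF" <<'EOF'
server {
    listen       443 default ssl;
    ssl_protocols  TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers   on;
}
EOF

# Hardened variant: the same block offering TLS 1.2 only.
HARDENED_CONF=$(mktemp)
sed 's/ssl_protocols  TLSv1.1 TLSv1.2;/ssl_protocols  TLSv1.2;/' "$LEGACY_CONF" >"$HARDENED_CONF"
```

Run `audit_nginx_tls /etc/nginx/conf.d/https_custom.conf` on the instance after editing the file and before restarting nginx.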

Other Reference


Renewing certificates

Cron job

Let's Encrypt certificates expire after 90 days. Create a cron job (in /etc/crontab) that runs once per day to check the certificates and renew them as necessary.

Follow the renewal of the certificate with a restart of the Apache server in order to have the server recognize any renewed certificates.

# Renew SSL Certs
0  1  *  *  *  ec2-user  /opt/certbot/certbot-auto renew --pre-hook "service nginx stop" --post-hook "service nginx start"

Manually

Certificates can be renewed manually with

$ /opt/certbot/certbot-auto renew --pre-hook "service nginx stop" --post-hook "service nginx start"
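An added check, not from the original page, to verify that the daily renewal job above is actually doing its work: it uses the openssl CLI's -checkend option to report whether a certificate is inside the 30-day window in which "certbot-auto renew" replaces it, and walks every live directory so the cron log shows which domains are due. The /etc/letsencrypt/live layout is the one from this page; the openssl CLI is assumed to be installed on the instance.

```shell
#!/bin/sh
# Added example, not part of the original page. Requires the openssl CLI.
# needs_renewal CERT [DAYS]: exit 0 when CERT expires within DAYS days (default 30,
# the window in which "certbot-auto renew" actually renews), 1 when it does not,
# 2 when the file cannot be read.
needs_renewal() {
    cert="$1"
    days="${2:-30}"
    [ -r "$cert" ] || { echo "cannot read $cert" >&2; return 2; }
    enddate=$(openssl x509 -noout -enddate -in "$cert" | sed 's/^notAfter=//')
    # -checkend N exits 0 if the certificate is still valid N seconds from now
    if openssl x509 -noout -in "$cert" -checkend $((days * 86400)); then
        echo "$cert expires $enddate: not due for renewal within $days days"
        return 1
    fi
    echo "$cert expires $enddate: renewal due (within $days days)"
    return 0
}

# Same check for every live certificate; assumed layout is the one from this
# page: /etc/letsencrypt/live/<name>/fullchain.pem (the ebcert symlink included).
check_live_certs() {
    live_dir="${1:-/etc/letsencrypt/live}"
    due=0
    for chain in "$live_dir"/*/fullchain.pem; do
        [ -r "$chain" ] || continue
        needs_renewal "$chain" "${2:-30}" && due=$((due + 1))
    done
    echo "$due certificate(s) due for renewal"
    return 0
}

# Example usage on the instance from this page, e.g. from the cron job's --post-hook:
# check_live_certs /etc/letsencrypt/live 30
```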