Skip to main content

Attaching SSL certificate to AWS Elastic BeanStalk's single instance environment

Attaching SSL certificate to AWS Elastic BeanStalk's single instance environment

Step 1:

Create a ssl certificate

Go to this link to create a free ssl certificate
Create folders .well-known > acme-challenge and put the file which you got while creating a ssl above eg. 2elaFuIeUlvdNUGhnGa3A4NLSPYM21AyK7uHHZNc_s0
The website will need to confirm that you are the legitimate user of the domain for which you are claiming the ssl certificate. To verify, you can go to your node server and add
app.get('/.well-known/acme-challenge/2elaFuIeUlvdNUGhnGa3A4NLSPYM21AyK7uHHZNc_s0', function (req, res) {
    res.sendFile(__dirname + '/.well-known/acme-challenge/2elaFuIeUlvdNUGhnGa3A4NLSPYM21AyK7uHHZNc_s0');
});
Download the certificates

Step 2:

Upload the ssl certificate to EBS environment

Create a folder .ebextensions
Inside this folder, create a file called https-instance.config and put the following contents
Resources:
  sslSecurityGroupIngress: 
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0
      
files:
  /etc/nginx/conf.d/https.conf:
    mode: "000644"
    owner: root
    group: root
    content: |
      # HTTPS server

      server {
          listen       443;
          server_name  localhost;
          
          ssl                  on;
          ssl_certificate      /etc/pki/tls/certs/server.crt;
          ssl_certificate_key  /etc/pki/tls/certs/server.key;
          
          ssl_session_timeout  5m;
          
          ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
          ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
          ssl_prefer_server_ciphers   on;
          
          location / {
              proxy_pass  http://nodejs;
              proxy_set_header   Connection "";
              proxy_http_version 1.1;
              proxy_set_header        Host            $host;
              proxy_set_header        X-Real-IP       $remote_addr;
              proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
          }
      }
  /etc/nginx/conf.d/000_my_config.conf:
    mode: "000755"
    owner: root
    owner: root
    content: |
      server {
          listen 8080;
          return 301 https://$host$request_uri;
      }
  /etc/pki/tls/certs/server.crt:
    mode: "000400"
    owner: root
    group: root
    content: |
      -----BEGIN CERTIFICATE-----
      *your certificate*
      -----END CERTIFICATE-----
      
  /etc/pki/tls/certs/server.key:
    mode: "000400"
    owner: root
    group: root
    content: |
      -----BEGIN RSA PRIVATE KEY-----
      *your private key*
      -----END RSA PRIVATE KEY-----
Replace the certificate and private key in above file and zip the application and upload to beanstalk environment and you are done

Security:

For security reasons you can upload the private key to aws s3 bucket and add the following snippet of code to grant EBS's instance to access the bucket to read the private key.
Resources:
  AWSEBAutoScalingGroup:
    Metadata:
      AWS::CloudFormation::Authentication:
        S3Auth:
          type: "s3"
          buckets: ["elasticbeanstalk-us-east-1-xxxxxxxxxxx"]
          roleName: 
            "Fn::GetOptionSetting": 
              Namespace: "aws:autoscaling:launchconfiguration"
              OptionName: "IamInstanceProfile"
              DefaultValue: "aws-elasticbeanstalk-ec2-role" 
              
  files:
    /etc/pki/tls/certs/server.key:
      mode: "000400"
      owner: root
      group: root
      source: https://s3.amazonaws.com/elasticbeanstalk-us-east-1-xxxxxxxxxx/server.key

Sources:

Comments

Post a Comment

Popular posts from this blog

When to use Azure Virtual Machine Scale Sets?

So it all started with client's requirement to build a Minimum Viable Product (MVP). The backend of the product was written in python and involved processing of images using Computer Vision. We decided to host the backend in Azure. There were lots of advantages of having the backend hosted in cloud instead of having an on-premise setup. The thing that attracted us the most was infrastructure scaling and availability of the system. We now dont have to bother about infrastructure, power consumption, system availability, system failures, etc. We were in need of GPU machines to run the code in backend. We though of using N-Series Azure virtual machines for this purpose. We wanted to scale the machines horizontally to handle multiple requests. We booted up few more machines to handle the load. This is where Azure Load balancer came into picture. Since there were multiple instances of virtual machines, we needed someone to decide for us, which machine the request should go to. We connect...
Post a Comment
Read more

Product review of cloudsploit

Hello People! This article is to share my understanding about cloudsploit and the service they provide to the people. What they do? CloudSploit is a service which analysis your AWS/Azure account for security holes/risks. With people moving to serverless technologies, Azure and AWS are gaining popularity these days at higher rate. Also alot of developers/dev-ops engineers tend to overlook some of the security considerations while setting up services in cloud. CloudSploit is here to address such problems for you! How do they do it? CloudSploit asks you for a access key with read only permissions to your cloud resources. They have a set of plugins, which run using this access key. Each plugin is a javascript function which uses some node cloud SDKs to analyse the services in cloud. Result of what they do When you run CloudSploit, as a final output you get to see different plugins and their test results. The plugins also have recommended actions section which tell...
Post a Comment
Read more

Building Installer for mac using packages (Implementation level details)

So now that you have a code ready, next question is how you are going to ship it as a product to end users. The easiest and user friendly solution, is to build the Installer for your product! Building an installer has many advantages, like: User don't have to be worried about the installation steps (the user has to just follow laymen's instructions to get ready to use the product). It eliminates human errors. Makes the product easy to install and use. So now that we have idea of WHY  we need Installers, let see what  packages  offer us to build installers for mac.  Packages is a tool developed for mac. Packages can be either flat or bundle. As per my observations, flat packages cannot be inspected to view the contents of the package. But there are ways to extract the contents for viewing purpose using  pkgutil  utility. In case of Bundle packages, user can view the contents of the bundle directly. Its like a directory. Packages...
Post a Comment
Read more