1

I have a running Elastic Beanstalk instance in a security group that has HTTP and HTTPS authorized inbound. But HTTPS doesn't seem to work... Why?

Second question: I am currently creating an SSL certificate for my domain name. Where am I supposed to upload it on AWS?

Thank you

John Rotenstein
Marc Delalonde
  • You take a look at [this](http://stackoverflow.com/questions/5309910/https-setup-in-amazon-ec2) yet? – Idris Jul 26 '14 at 17:41
  • @Idris Yes, and according to the comment this should work on the fly when updating the security group. Moreover, Amazon doesn't let me choose a security group when I create a new instance. :/ – Marc Delalonde Jul 26 '14 at 17:44
  • I'm just going through the docs right now. Did you manage to see [this](http://docs.aws.amazon.com/gettingstarted/latest/computebasics/getting-started-security-group.html)? I'm just going through the basic diagnosis. – Idris Jul 26 '14 at 17:53
  • Thank you @Idris, but even if I start a new instance with the right security group, it doesn't seem to work properly. – Marc Delalonde Jul 26 '14 at 18:15

1 Answer

4

You can configure HTTPS for your Elastic Beanstalk environment. Please read the following document: http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https.html

You can upload your SSL certificate to AWS IAM using the console or CLI whichever you prefer. You need not modify the security group of the EC2 instance directly.

More details on Step 3 of the documentation above:

Create a file called 01-ssl.config in a folder named .ebextensions inside your app source. Put the following inside this file.

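```yaml
option_settings:
    # Open an HTTPS listener on the environment's load balancer
    - namespace: aws:elb:loadbalancer
      option_name: LoadBalancerHTTPSPort
      value: 443
    # Certificate the listener presents (ARN of the certificate uploaded to IAM)
    - namespace: aws:elb:loadbalancer
      option_name: SSLCertificateId
      value: <arn of your ssl certificate>
```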

These option settings should automatically modify your security group ingress rules to allow traffic appropriately.

You can read more about customizing your Elastic Beanstalk environment using ebextensions here.

Details about all option settings supported including the ELB ones are available here. Let me know if you run into any issues.

Update

By default, when you create an Elastic Beanstalk environment it creates an EC2 instance and puts it behind an Elastic Load Balancer. If you do not need a load balancer then you can create a Single Instance environment as explained here. Or do you already have a single instance environment? Once you have a single instance environment you can configure SSL for your environment as explained here.

Update on how to not put your certificate in your config file

Since you do not want to put the server.crt file in your ebextensions config file you can upload your file to S3 and then ask Elastic Beanstalk to download that file directly to your EC2 instance. The only thing that changes in the example here is that you use a source instead of content to specify the contents of your file. In the source section you can put the URL from where you want the file to be downloaded.

Your ebextensions will then look like:

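```yaml
files:
    /etc/pki/tls/certs/server.crt:
        # Readable by all, writable only by the owner; a certificate file
        # needs neither execute nor world-write permission.
        mode: "000644"
        owner: ec2-user
        group: ec2-user
        source: <URL>
```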

That way you don't need to put the contents in the repo. Read more about the file directive here.

In case you run into issues double check that your IAM instance profile (the one with which you run your beanstalk environment) has access to your S3 object. If you need more details about IAM instance roles and Elastic Beanstalk read this and this.

Rohit Banga
  • Thank you @Rohit, but I just don't understand why the post is talking about a Load Balancer? I don't have any load balancing needs for the moment. Can you explain please? – Marc Delalonde Jul 26 '14 at 18:28
  • Thank you very much! However, in the example AWS creates a .config file with the content of the certificate directly in it. But I don't want that to be in my repo? Doesn't it? How to proceed? – Marc Delalonde Jul 26 '14 at 23:34
  • Perfect! Last question: do I have to listen to port 80 AND 443 in my nodejs app? And give to expressjs my cert? – Marc Delalonde Jul 29 '14 at 01:17
  • For single instance environment yes, the instance port will be 443. For your second question does this help: http://stackoverflow.com/questions/11804202/how-do-i-setup-a-ssl-certs-for-an-express-js-server? – Rohit Banga Jul 29 '14 at 01:57
  • Works like a charm! Thank you Rohit you are a boss :) – Marc Delalonde Jul 29 '14 at 02:45
  • Are you sure I have to handle SSL on both sides (nginx and nodejs)? Because this post says the opposite: http://stackoverflow.com/questions/10375659/nginx-proxy-pass-node-ssl Thank you! – Marc Delalonde Jul 30 '14 at 13:27
  • Hi @Rohit, my EC2 definitely cannot access my S3 bucket (with the SSL cert) while the IAM user I use belongs to the admin group and has access to all the resources. I am currently forced to make the certificate public during the eb push process to make it work... – Marc Delalonde Nov 12 '14 at 06:42
  • Do you have any idea? Thanks – Marc Delalonde Nov 12 '14 at 06:42
  • Does the .ebextensions dir have to be in the git repo, or does the eb CLI take it automatically? Sorry for the spam... – Marc Delalonde Nov 12 '14 at 06:44
  • I recommend providing access to the IAM user. Is that not possible? – Rohit Banga Nov 12 '14 at 06:45
  • Same result. Maybe because S3 has its own access policy? :/ – Marc Delalonde Nov 12 '14 at 19:08
  • Hi, I'm running on EC2... Is it possible to use SSL (https) just with EC2 or do I need to use ELASTIC BEANSTALK? How does one use SSL (https) with EC2? – preston Sep 25 '15 at 14:30
  • Sure it's possible just with EC2. What web server are you using? You need to configure that server correctly.. – Rohit Banga Sep 25 '15 at 16:55
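
The S3 download from the answer's last update, written out with an authentication block so the instance can fetch a private object through its instance profile instead of the certificate being made public. This is an added example, not part of the original answer; the file name, `<your-bucket>`, `<region>` and the object key are placeholders.

```yaml
# .ebextensions/02-ssl-cert-from-s3.config  (file name is an assumption)
# Added example: <your-bucket>, <region> and the object key are placeholders.

Resources:
  AWSEBAutoScalingGroup:
    Metadata:
      # Makes the instance bootstrap sign its S3 requests for the listed
      # bucket with the instance profile's role, so the object can stay
      # private during deployment.
      AWS::CloudFormation::Authentication:
        S3Auth:
          type: "s3"
          buckets: ["<your-bucket>"]
          roleName:
            # Resolve the role from the environment's own option settings,
            # falling back to the default Elastic Beanstalk instance role.
            "Fn::GetOptionSetting":
              Namespace: "aws:autoscaling:launchconfiguration"
              OptionName: "IamInstanceProfile"
              DefaultValue: "aws-elasticbeanstalk-ec2-role"

files:
  "/etc/pki/tls/certs/server.crt":
    # Owner-writable, world-readable; no execute or world-write bits.
    mode: "000644"
    owner: root
    group: root
    # Refers to the S3Auth entry above; without it the download is anonymous.
    authentication: "S3Auth"
    source: https://<your-bucket>.s3.<region>.amazonaws.com/server.crt
```

The role behind the instance profile needs `s3:GetObject` on that object. The download runs on the instance, so the permissions of the IAM user who runs the deployment do not apply to it.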