12

When you have a certificate for your domain issued through AWS Certificate Manager, how do you apply that certificate to an Elastic Beanstalk application.

Yes, the Elastic Beanstalk application is load balanced and does have an ELB associated with it.

I know I can apply it directly to the ELB my self. But I want to apply it through Elastic Beanstalk so the env configuration is saved onto the Cloud Formation template.

Kirill Fuchs
  • 13,446
  • 4
  • 42
  • 72

4 Answers4

15

I found out, you cannot do it through the elastic beanstalk console (at least not yet). However you can still set it via the eb cli, or aws cli.

Using EB CLI

Basically what we are trying to do is to update the aws:elb:listener setting, you can see the possible settings in the general options docs.

Using the EB CLI is pretty simple. Assuming we already setup the awsebcli tool for our project we can use the eb config command.

It will open up your default terminal editor and allow you to change settings which are written as a YAML file. When you make a change and save it, the eb config cmd will automatically update the settings for your Elastic Beanstalk environment.

You will need to add the following settings to your config file:

aws:elb:listener:443:
  InstancePort: '80'
  InstanceProtocol: HTTP
  ListenerEnabled: 'true'
  ListenerProtocol: HTTPS
  PolicyNames: null
  SSLCertificateId: CERTIFICATE_ARN_HERE

Change the value for CERTIFICATE_ARN_HERE to your AMC Certificates ARN. You can find it in the AWS Certificate Manager console:

enter image description here

IMPORTANT: Your aws:elb:listener:443 setting MUST be placed above the aws:elb:listener:80 setting. Otherwise the environment configuration update will error out.

Using AWS CLI

The same can be accomplished using the general aws cli tools via the update-environment command.

aws elasticbeanstalk update-environment \
--environment-name APPLICATION_ENV --option-settings \
Namespace=aws:elb:listener:443,OptionName=InstancePort,Value=80 \
Namespace=aws:elb:listener:443,OptionName=InstanceProtocol,Value=HTTP \
Namespace=aws:elb:listener:443,OptionName=ListenerProtocol,Value=HTTPS \
Namespace=aws:elb:listener:443,OptionName=SSLCertificateId,Value=CERTIFICATE_ARN_HERE

NOTE: When you update it via either of the methods above, the Elastic Beanstalk console will not show HTTPS as enabled. But the load balancer will, and it will also apply to the Cloudformation template as well get saved into the EB's configuration.

Kirill Fuchs
  • 13,446
  • 4
  • 42
  • 72
  • 1
    I have try it by eb cli and by adding config file under .ebextensions it always says "Server Certificate not found for the key...." http://egscr.com/JpcAa8 – Max Feb 29 '16 at 12:51
  • @Max you do not add the config file in the .ebextensions folder. The eb cli will download the config file and re-upload it back to elastic beanstalk when you create a change. IT is not the same as adding an ebextension. – Kirill Fuchs May 25 '16 at 15:19
  • @KirillFuchs With the AWS CLI option, is it the same syntax for ec2? – Jeboy Dec 05 '16 at 12:10
  • @Jeboy no, the command to add it directly to a load balancer would be different. – Kirill Fuchs Dec 05 '16 at 23:40
  • @KirillFuchs Ok, I was trying that route as I was having problem with certificate from ACM being invalid. I setup AWS classic load balancer with HTTPS Listener using ACM certificate as described in http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-create-https-ssl-load-balancer.html but the browser rejects it http://stackoverflow.com/questions/40929255/aws-acm-certificate-not-valid – Jeboy Dec 06 '16 at 01:00
  • This is great with ebcli `eb config` but regarding your note: "MUST be placed above the `aws:elb:listener:80` setting" --what if we don't have that setting in the existing config, does that need to be set? – Jordan Aug 17 '17 at 02:57
  • 1
    @Jordan if the update didn't error out then you're all good :). But I should note that you can now add an ACM certificate to elastic beanstalk through the console. – Kirill Fuchs Aug 17 '17 at 03:05
2

I find the simplest way is change the EB Load Balancer via the user console. Click change and select the new ACM certificate. enter image description here

When you view the EB configuration, it will not appear, but it will be set

Community
  • 1
  • 1
Jonathan
  • 1,349
  • 1
  • 10
  • 20
0

You can do this purely with CloudFormation; however, as seems to be quite common with Elastic Beanstalk the configuration options are much harder to find in the docs than they are for the individual components that comprise Elastic Beanstalk. The info is here:

http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/command-options-general.html#command-options-general-elbloadbalancer

But basically what you need to do is add the creation of the cert to your template and then reference it in OptionSettings in AWS::ElasticBeanstalk::ConfigurationTemplate:

"Certificate" : {
      "Type": "AWS::CertificateManager::Certificate",
      "Properties": {
        "DomainName": "example.com",
      }
    },
// ...
"ElasticbeanstalkTemplate": {
      "Type": "AWS::ElasticBeanstalk::ConfigurationTemplate",
      "Properties": {
        "SolutionStackName": "MyEBStack",
        "ApplicationName": "MyAppName",
        "Description": "",
        "OptionSettings": [{
          "Namespace": "aws:elb:listener:443",
          "OptionName": "InstancePort",
          "Value": "80"
        }, {
          "Namespace": "aws:elb:listener:443",
          "OptionName": "InstanceProtocol",
          "Value": "HTTP"
        }, {
          "Namespace": "aws:elb:listener:443",
          "OptionName": "ListenerProtocol",
          "Value": "HTTPS"
        }, {
          "Namespace": "aws:elb:listener:443",
          "OptionName": "SSLCertificateId",
          "Value": {
            "Ref": "Certificate"
          }
        }, /*More settings*/]
Stefano
  • 2,056
  • 2
  • 15
  • 13
0

Check in which zone you created the certificate and if it matches the Elastic Beanstalk zone. I had them in different zones so it didn't work.

welter
  • 156
  • 4