
I have a Java WAR that I want to host on Elastic Beanstalk on AWS. I have a certificate, but I am not able to figure out how to attach it to my single-instance app.

All the how-tos describe how to attach the certificate to an Elastic Load Balancer, but there is no document on how to do it without a load balancer (i.e. single instance).

I don't want to use a load balancer because it costs extra (and is not needed in a testing environment).

Jus12
  • You have to read https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-elb.html and https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/https-singleinstance-java.html – Jorge Orpinel Pérez Oct 25 '18 at 20:51

2 Answers


Elastic Beanstalk single instance type did not support SSL via the Management Console or API. You can find more information in the AWS Forums.

But you can use a Configuration File to customize your instance to enable SSL. Please see the following example.

  1. Create an .ebextensions directory in the top level of your source bundle.
  2. Copy SSLCertificateFile.crt, SSLCertificateKeyFile.key, SSLCertificateChainFile.crt and ssl.conf (the apache2 ssl module configuration) into .ebextensions.
  3. Create a configuration file, /your_app/.ebextensions/01ssl.config, and put the following 01ssl.config contents inside it to configure the SSL settings.
  4. Open port 443 in your security group.

01ssl.config

packages:
  yum:
    mod_ssl: []
container_commands:
  add-SSLCertificateFile-label:
    command: cp .ebextensions/SSLCertificateFile.crt /home/ec2-user/SSLCertificateFile.crt

  add-SSLCertificateKeyFile-label:
    command: cp .ebextensions/SSLCertificateKeyFile.key /home/ec2-user/SSLCertificateKeyFile.key

  add-SSLCertificateChainFile-label:
    command: cp .ebextensions/SSLCertificateChainFile.crt /home/ec2-user/SSLCertificateChainFile.crt

  replace-ssl-configuration-label:
    command: cp .ebextensions/ssl.conf /etc/httpd/conf.d/ssl.conf

ssl.conf example

Your WAR structure should look like this:

web_app.war
          |
          |_.ebextensions
          |   |_ 01ssl.config
          |   |_ SSLCertificateFile.crt
          |   |_ SSLCertificateKeyFile.key
          |   |_ SSLCertificateChainFile.crt
          |   |_ ssl.conf
          |
          |_META-INF
          |
          |_WEB-INF
               |_ classes
               |_ lib
               |_ web.xml

2013/11/14 Updated.

  1. When using a configuration file, pay attention to security problems, because the files in the .ebextensions folder are accessible to everyone. This may not happen in the usual situation.
  2. AWS now also provides an example Configuration File for configuring SSL for the Single Instance type.
study
  • See this thread on AWS forums for a solution: https://forums.aws.amazon.com/thread.jspa?messageID=502277 – inder Nov 14 '13 at 08:48
  • @study: You mentioned that the folder .ebextensions is open to everyone - could you elaborate? It looks like it is not accessible once the app is deployed on Tomcat in production. However, it is still part of the WAR file, and if it is moved to a different system, it would be completely exposed, right? – stepanian Nov 22 '13 at 09:22
  • @stepanian, it means that the files in the folder .ebextensions are accessible to everyone. – study Nov 26 '13 at 17:54
  • @stepanian, you are right, the folder is not accessible. But if you know the filename in the .ebextensions folder, you can access the files in .ebextensions directly, no matter what system you use. Some official EB Configuration File examples directly put the AccessKey and SecretKey in context.xml and place the context.xml in the .ebextensions folder. If you know the rule of the configuration file, you can directly access the context.xml. – study Nov 27 '13 at 05:21
  • @study: Thanks for your response. When you say "you can access the files in .ebextensions directly", are you saying that, once the website is deployed on AWS, someone can connect to the website in their browser and download the files inside the .ebextensions folder? I tried that and it seems like the whole folder is blocked. – stepanian Nov 28 '13 at 07:51
  • @stepanian, the Amazon EB example seems to have found this problem; they moved `.ebextensions` into the `WEB-INF` directory. But the AWS SDK for Java tutorial still tells you to place `.ebextensions` in the `WebContent` directory. If you put them in `WebContent`, everyone can access the files in `.ebextensions` directly. AWS SDK for Java tutorial for Manage Tomcat Session State with Amazon DynamoDB: http://docs.aws.amazon.com/AWSSdkDocsJava/latest/DeveloperGuide/java-dg-tomcat-session-manager.html The screenshot: http://postimg.org/image/ldko0qwol – study Nov 28 '13 at 15:01
  • @study: Where have you seen the .ebextensions folder in the WEB-INF directory? Can you provide a link? All the examples I have seen put it in the WebContent directory. If you put it in the WebContent directory, the files are not accessible in the production environment. I have multiple apps set up like that and I tested them. This is a very important security issue, that's why I keep commenting on it. Sorry. – stepanian Nov 28 '13 at 20:23
  • @stepanian, I found an EB HostManager script that will remove .ebextensions in the Tomcat ROOT directory. The path of the script is /opt/elasticbeanstalk/hooks/appdeploy/enact/03deploy.sh. So the security issue may not happen in the usual case. But I am sure that I once directly accessed the files in .ebextensions; I don't know what situation will cause it to happen. About .ebextensions in WEB-INF, you can start an AWS Java Web Project in Eclipse. [The exposed WAR](http://phstudy.s3.amazonaws.com/aws-java-web-project.war) and [the eclipse project](http://phstudy.s3.amazonaws.com/aws-java-web-project.zip). – study Nov 29 '13 at 09:39
  • I ended up using a load balancer which is the simplest. – Jus12 May 15 '14 at 06:36
  • @Jus12, but it is not the answer to this question. – study May 15 '14 at 06:58
  • Can you please give some leads on how you used Load Balancer? @Jus12 – romil gaurav Jun 28 '17 at 11:30
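The comment thread above turns on whether a private key shipped in a top-level .ebextensions/ directory is reachable as a static resource; WEB-INF/ never is, but anything else under the WAR root depends on a deploy hook stripping it. The following pre-upload check is an added example, not code from the answer or from AWS: it builds a WAR in memory with the layout the answer shows (the PEM bodies and values are constructed placeholders) and reports secrets that sit in web-accessible paths.

```python
import io
import re
import zipfile

# Constructed sample bundle mirroring the WAR layout in the answer above;
# PEM bodies and values are placeholders, not real key material.
SAMPLE_FILES = {
    ".ebextensions/01ssl.config": "packages:\n  yum:\n    mod_ssl: []\n",
    ".ebextensions/SSLCertificateFile.crt":
        "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n",
    ".ebextensions/SSLCertificateKeyFile.key":
        "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n",
    ".ebextensions/ssl.conf": "Listen 443\n",
    "WEB-INF/web.xml": "<web-app/>\n",
    "WEB-INF/classes/app.properties": "db.password=PLACEHOLDER\n",
}

PRIVATE_KEY_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
CREDENTIAL_RE = re.compile(r"(?i)(secret|password|accesskey)\s*[=:]")

def build_war(files):
    """Zip a {path: text} mapping into an in-memory WAR (a WAR is just a zip)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()

def is_web_accessible(path):
    """Servlet containers never serve WEB-INF/ or META-INF/; anything else under
    the WAR root is a static resource unless a deploy hook strips it."""
    return path.split("/", 1)[0] not in ("WEB-INF", "META-INF")

def audit_war(war_bytes):
    """Return (path, reason) pairs for secrets sitting in web-accessible paths."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not is_web_accessible(info.filename):
                continue
            text = zf.read(info.filename).decode("utf-8", errors="replace")
            if PRIVATE_KEY_RE.search(text):
                findings.append((info.filename, "private key is web-accessible"))
            elif CREDENTIAL_RE.search(text):
                findings.append((info.filename, "credential-like value is web-accessible"))
    return findings

def move_under_web_inf(files):
    """Relocate .ebextensions/ beneath WEB-INF/, the layout the comments say AWS's example moved to."""
    return {("WEB-INF/" + k if k.startswith(".ebextensions/") else k): v for k, v in files.items()}
```

Run `audit_war(build_war(SAMPLE_FILES))` before uploading a bundle; an empty result means no PEM private key or credential-looking value is stored where a servlet container could serve it.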

This solution uses LetsEncrypt free certs and doesn't require storing your certs in a config file. And it's easy to reuse for different domains.

http://bluefletch.com/blog/domain-agnostic-letsencrypt-ssl-config-for-elastic-beanstalk-single-instances/

Summary: a config file with container commands that automates downloading certbot, getting a cert, and pointing nginx to the cert.

Tony Gutierrez