
I have a Rails application deployed on AWS Opsworks. I recently associated a domain bought AWS SES and I got a certificate in AWS Certificate Manager for that domain.

According to the documentation, the supported services are:

  • Elastic Load Balancing
  • Amazon CloudFront
  • AWS Elastic Beanstalk
  • Amazon API Gateway

The first solution that I came up with is to add an Elastic Load Balancer to my Layer and associate both the domain and the certificate with its Elastic IP.

Did anyone experience the same challenge? Could you suggest any better solution?

E.g. is there a way to obtain the SSL certificate and the SSL certificate key from ACM in order to add them to my App settings in OpsWorks?

mabe02

2 Answers

You cannot get the SSL certificate key generated by ACM; as you said, it is only to be used by the 4 AWS services listed above.

The one solution you can try is to associate the ACM certificate with the ELB and do the SSL offloading at the ELB level, so essentially your listener configuration would be 443 TCP to some non-secure port on the instance (associate the ELB with the layer).

Manish Joshi
  • Thank you for your suggestion. I created in EC2 a Load Balancer and a target group with my Opsworks instance. In Route53 I managed to associate my domain to the ELB alias and I also associated the certificate. – mabe02 May 09 '17 at 12:22
  • However, when I forced `config.force_ssl=true` in Rails 5, I cannot redirect the traffic, since the instance is registered in the target group with port 80 and I cannot enable SSL at the app level without providing the certificate key. Moreover, the health check on my instance in the target group returned unhealthy with error 302 – mabe02 May 09 '17 at 12:28
  • @mabe02 Looks like you are using Application Load Balancers; in ALB you have to register your target group with HTTPS (443) as well and select the SSL certificate from the dropdown, and then route the traffic to your instance. By doing SSL offloading at the ALB level you are making sure that no SSL traffic reaches your instance, and hence you don't need to force SSL at your instance level. – Manish Joshi May 11 '17 at 03:40
  • Thank you for your comment. I actually forgot to close this topic since I found a solution as described in the answer I just posted. I used a classic Load Balancer instead of an ALB, but I guess that the behavior should be pretty much the same – mabe02 Jul 20 '17 at 11:05
Actually, after some tries, I managed to achieve it following these steps:

  • add a Load Balancer in EC2
  • point the LB to the OpsWorks instances
  • add the certificate to the LB
  • set the listener configuration properly in the Security Groups
  • create a new RecordSet in Route53's Hosted Zones
  • add the LB to the RecordSet as Alias Target

I wrote an article on LinkedIn Pulse where I put some screenshots and a detailed explanation.

mabe02
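The comment thread above (health check turning unhealthy after `config.force_ssl = true`) and the listener/security-group step in this answer come down to the same thing: with SSL offloading, the instance only ever sees plain HTTP and learns the client's scheme from the `X-Forwarded-Proto` header the load balancer adds, which an ELB health check does not carry. The following is an added example, not code from the question or either answer: a minimal Rack-style stand-in for Rails' force_ssl logic, with a constructed `/health` path and host name, showing why the health check is redirected and how excluding that path fixes it.

```ruby
# Added example (not from the question or answers): a Rack-style stand-in for
# Rails' force_ssl behind a load balancer that terminates TLS. `app` is any
# object responding to call(env) and returning [status, headers, body].
class ForceSslBehindElb
  def initialize(app, exclude: ->(_env) { false })
    @app = app
    @exclude = exclude
  end

  def call(env)
    return @app.call(env) if https?(env) || @exclude.call(env)

    # Plain-HTTP request: redirect to https. This redirect is what a health
    # check hitting the instance's HTTP port sees instead of the 200 it expects.
    [301, { "Location" => "https://#{env["HTTP_HOST"]}#{env["PATH_INFO"]}" }, []]
  end

  private

  # With SSL offloading the instance only ever receives plain HTTP, so the
  # client's real scheme is known only from the X-Forwarded-Proto header the
  # load balancer adds. ELB health checks carry no such header.
  def https?(env)
    env["rack.url_scheme"] == "https" || env["HTTP_X_FORWARDED_PROTO"] == "https"
  end
end

# Toy downstream app that answers 200 to everything.
OK_APP = ->(_env) { [200, { "Content-Type" => "text/plain" }, ["ok"]] }
HEALTH_PATH = "/health" # assumed health check target; use whatever the ELB is configured with

def build_app(exclude_health_check:)
  exclude = exclude_health_check ? ->(env) { env["PATH_INFO"] == HEALTH_PATH } : ->(_env) { false }
  ForceSslBehindElb.new(OK_APP, exclude: exclude)
end

# Status the instance returns for a GET as forwarded by the load balancer
# (constructed request; the host name is a placeholder).
def status_for(app, path, forwarded_proto: nil)
  env = { "REQUEST_METHOD" => "GET", "PATH_INFO" => path,
          "HTTP_HOST" => "app.example.com", "rack.url_scheme" => "http" }
  env["HTTP_X_FORWARDED_PROTO"] = forwarded_proto if forwarded_proto
  app.call(env).first
end

if $PROGRAM_NAME == __FILE__
  puts "health check, force_ssl as-is: #{status_for(build_app(exclude_health_check: false), HEALTH_PATH)}"
  puts "health check, path excluded:   #{status_for(build_app(exclude_health_check: true), HEALTH_PATH)}"
  puts "browser via ELB (https):       #{status_for(build_app(exclude_health_check: true), '/', forwarded_proto: 'https')}"
end
```

In a real Rails 5 app the exclusion is `config.ssl_options = { redirect: { exclude: ->(request) { request.path == "/health" } } }`, and honouring `X-Forwarded-Proto` is only sound when the instance's security group accepts traffic on the offloaded port from the load balancer alone, since otherwise any client could set that header itself.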