
I have a .NET application using WebSockets, deployed to AWS EB with a load balancer. I have a domain name and ACM certificate set up, and I would like to enable TLS. On my local server it is set up like this:

using System.Security.Cryptography.X509Certificates;
using WebSocketSharp.Server; // WebSocketServer with SslConfiguration comes from websocket-sharp

var certificate = X509Certificate2.CreateFromPemFile("Path/To/Pem", "Path/To/Key"); // replace the local file with an ACM certificate
if (certificate != null)
{
    var socket = new WebSocketServer("wss://example.com:3000");
    socket.SslConfiguration.ServerCertificate = certificate; // certificate must carry its private key for TLS to work

    // other configs
}

How do I do the same setup with ACM? If I use a third-party certificate and upload it to the EC2 instances, those instances will be replaced by EB because of auto scaling. Is it possible to get a path to the ACM certificates?

EDIT: I need my app to get the certificate from Amazon Certificate Manager, and construct an X509Certificate for my custom websocket listener.

SimonJ9

2 Answers


Forget what you're used to; it doesn't work that way in AWS, i.e. putting the certificate on the EC2.

AWS Certificate Manager is used for handling certificates, i.e. either generating them for you, or you can upload your own.

You apply a certificate from AWS Certificate Manager to your Application Load Balancer which offloads the SSL then sends the traffic to the upstream server, i.e. EC2.

I'm assuming the acronym EB means Elastic Beanstalk? If so, AWS Elastic Beanstalk is an abstraction on top of EC2 instances (+ more AWS services). In these setups, you shouldn't be playing around with the EC2 that sits behind it as Elastic Beanstalk is designed to be a simpler way of managing infrastructure. If you're just going to bypass it as/when you feel, don't use Elastic Beanstalk, just use an EC2 instance.

As you say, Elastic Beanstalk will replace these instances if you have auto-scaling turned on so you don't want to do anything to these EC2 instances as they can be binned off and new ones started over time.

Hope that helps

Michael Cropper
  • I should have made it clear. Directly accessing EC2 instances is what I'm trying to avoid. I still need an instance of X509Certificate at application layer, constructed with an ACM certificate, so that the websocket can start listening. But I have no clue how to achieve that. – SimonJ9 Sep 09 '22 at 21:01
  • @SimonJ9 Default Web Socket (ws) is Port 80. The default Secure Web Socket (wss) is Port 443. Application layer listens on whatever port is configured. In this scenario with SSL offloading taking place on the Application Load Balancer, a simple setup is https://websocket.example.com --> ALB --> http --> EB --> EC2 --> App listens on Port 80. I can't comment on your specifics. Perhaps draw a diagram of every hop along the way and add it to the original post to help explain the challenge you're having/which hop isn't working? The above answer conceptually should work in 99% of cases. – Michael Cropper Sep 09 '22 at 21:25
  • Thank you for the reply. The only difference between my setup and the one you mentioned is that I'm using a TCP listener instead of http/https. The SSL is resolved when the request reaches my app. I need my app to be able to get the certificate from ACM (Amazon Certificate Manager). – SimonJ9 Sep 09 '22 at 23:32

So I found the API in this answer: Is it possible in a .NET Core application to retrieve a certificate from AWS Certificate Manager and use it in a HttpClient post?

To construct the certificate, I use

using Amazon.CertificateManager;
using Amazon.CertificateManager.Model;
var acm = new AmazonCertificateManagerClient(); // region and credentials come from the environment / instance role
GetCertificateResponse cert = await acm.GetCertificateAsync(new GetCertificateRequest { CertificateArn = "ARN..." }); // PEM text in cert.Certificate and cert.CertificateChain

One additional step for my case is that I need to add a policy to the Elastic Beanstalk role to allow the use of GetCertificate().

SimonJ9
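GetCertificate returns only the certificate and its chain, not the private key, which a listener that terminates TLS in-process also needs; ACM hands the key out only through ExportCertificate, and only for certificates it treats as exportable (those issued by AWS Private CA, for example). The following is an added example, not code from the original post: it fetches such a certificate with the AWS SDK for .NET and builds the X509Certificate2 a websocket-sharp listener needs. It assumes the AWSSDK.CertificateManager and websocket-sharp packages, .NET 6 or later, a placeholder ARN, and an instance role permitted to call acm:ExportCertificate.

```csharp
// Added example (not from the original post): build an X509Certificate2 with a private key
// from an exportable ACM certificate for an in-process TLS listener.
// Assumptions: AWSSDK.CertificateManager and websocket-sharp packages, .NET 6+, and an
// instance role allowed acm:ExportCertificate on the certificate ARN (placeholder below).
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Threading.Tasks;
using Amazon.CertificateManager;
using Amazon.CertificateManager.Model;
using WebSocketSharp.Server;

public static class AcmListenerCertificate
{
    // Fetches certificate, chain and private key via ExportCertificate; GetCertificate
    // returns only the public parts, which is not enough to terminate TLS in-process.
    public static async Task<X509Certificate2> LoadAsync(string certificateArn)
    {
        // ACM encrypts the exported key with a caller-supplied passphrase. The key is
        // decrypted straight into memory, so a fresh random passphrase per call suffices.
        var passphrase = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));
        using var acm = new AmazonCertificateManagerClient(); // region/credentials from the instance role
        var exported = await acm.ExportCertificateAsync(new ExportCertificateRequest
        {
            CertificateArn = certificateArn,
            Passphrase = new MemoryStream(Encoding.UTF8.GetBytes(passphrase)),
        });
        var cert = X509Certificate2.CreateFromEncryptedPem(exported.Certificate, exported.PrivateKey, passphrase);

        // On Windows a PEM-loaded key is ephemeral and SslStream refuses it; a PKCS#12
        // round trip gives the certificate a key the TLS stack can use.
        if (OperatingSystem.IsWindows())
        {
            cert = new X509Certificate2(cert.Export(X509ContentType.Pkcs12), (string?)null,
                X509KeyStorageFlags.MachineKeySet);
        }
        return cert;
    }

    public static async Task Main()
    {
        var cert = await LoadAsync("arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER");
        var server = new WebSocketServer("wss://0.0.0.0:3000"); // listen on all interfaces
        server.SslConfiguration.ServerCertificate = cert;
        server.Start();
        Console.WriteLine($"Listening with certificate valid until {cert.NotAfter:u}");
    }
}
```

Because ACM renews certificates on its own schedule, a long-running listener should reload the certificate before cert.NotAfter rather than holding one copy for the life of the process.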