How to configure SSL for AWS Elastic Beanstalk | AWS Elastic Beanstalk Survival Guide

Getting the green lock for your production AWS Elastic Beanstalk environment
July 21, 2016

Getting The Green Lock

If your production environment handles anything sensitive, such as transactions, securing it with SSL is the minimum security measure you should take.

Colin Toh

Direct Approach

To do that, you need to purchase an SSL cert. You can purchase one from many places, but my favourite is SSLMate because they made the buying process a breeze.

After your purchase, you will get three files that will be crucial to setting up SSL on your Elastic Beanstalk environment:

[Image: This is what SSLMate gave me after the purchase]

Indirect Approach

Let's say you are not using SSLMate to purchase the SSL cert and the SSL provider asks for a CSR (Certificate Signing Request) file. You will need to create it yourself.

Create a CSR with openssl

  1. Install openssl
  2. Create a private key: openssl genrsa -out [name-your-key].key 2048

    openssl genrsa -out helloeb.com.key 2048
  3. Create the CSR: openssl req -new -sha256 -key [path-to-private-key].key -out [name-of-csr].csr

    openssl req -new -sha256 -key helloeb.com.key -out helloeb.com.csr

For more detailed explanation:
https://support.rackspace.com/how-to/generate-a-csr-with-openssl/

You will get the private key file (helloeb.com.key) and the CSR file (helloeb.com.csr). Submit the CSR to the SSL provider and they should return two important files to you: the Public Key Certificate file and the Certificate Chain file.
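Before attaching anything, it is worth confirming that the certificate you got back belongs to your private key and that the key is an unencrypted PEM file, which is what the IAM upload expects. The script below is an added example, not part of the original post; the function names, the `other.example` name and the self-signed certificate standing in for the provider's one are assumptions made for the demonstration.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): sanity checks to run before
# `aws iam upload-server-certificate`. helloeb.com is the post's sample name.

# SHA-256 of the public key inside a private key, CSR or certificate (all PEM).
pubkey_fingerprint() {
  local pub
  case "$1" in
    key)  pub=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 1 ;;
    csr)  pub=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null)        || return 1 ;;
    cert) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)        || return 1 ;;
    *)    return 2 ;;
  esac
  printf '%s\n' "$pub" | openssl sha256 | awk '{print $NF}'
}

# Succeeds only if the key is unencrypted PEM and the certificate carries its public key.
ready_for_upload() {
  local key="$1" cert="$2" k c
  if grep -q 'ENCRYPTED' "$key"; then
    echo "$key is passphrase-protected; IAM expects an unencrypted key" >&2
    return 1
  fi
  k=$(pubkey_fingerprint key "$key")   || { echo "unreadable key: $key" >&2; return 1; }
  c=$(pubkey_fingerprint cert "$cert") || { echo "unreadable cert: $cert" >&2; return 1; }
  [ "$k" = "$c" ] || { echo "$cert was not issued for $key" >&2; return 1; }
}

# Constructed test material: the post's genrsa/req commands, plus a self-signed
# certificate standing in for the one the SSL provider would return.
make_sample() {
  local dir="$1" name="$2"
  ( umask 077   # private key readable by the owner only
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null )
  openssl req -new -sha256 -key "$dir/$name.key" -subj "/CN=$name" -out "$dir/$name.csr"
  openssl x509 -req -in "$dir/$name.csr" -signkey "$dir/$name.key" -days 1 \
    -out "$dir/$name.crt" 2>/dev/null
}

work=$(mktemp -d)
make_sample "$work" helloeb.com
make_sample "$work" other.example
ready_for_upload "$work/helloeb.com.key" "$work/helloeb.com.crt" && echo "helloeb.com: OK"
ready_for_upload "$work/other.example.key" "$work/helloeb.com.crt" || echo "mismatch caught"
rm -rf "$work"
```

With real files, call `ready_for_upload helloeb.com.key <certificate-from-provider>` and upload only if it succeeds.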

Attaching the SSL cert to a load-balancer

There are two ways to attach an SSL cert to your Elastic Beanstalk environment's load-balancer.

1) Do it through the AWS CLI


    aws iam upload-server-certificate --server-certificate-name sslhelloeb --certificate-body file://publickeycertificatefile --private-key file://helloeb.com.key --certificate-chain file://certificatechain_file

Take note that you must use the file:// prefix to locate your files.

After this is done, go to the Elastic Beanstalk management console, click on the Load Balancing tab and, under SSL certificate ID, select the SSL certificate that you have uploaded. In my case, it will be sslhelloeb.


2) Do it through the management console

  1. Click on Services > Compute > EC2 > Load Balancers
  2. Select your load balancer and click on the Listeners tab
  3. Click on Edit and then Add

  4. Select HTTPS as protocol and click Change under SSL Certificate
  5. Select Upload a new SSL certificate to AWS Identity and Access Management (IAM)
  6. Name your cert and paste the specific file contents

Attaching TWO SSL certs to one environment

So what if you had to attach two SSL certs to one environment? I'm not judging because I ran into the same problem.

One load balancer can only take one SSL cert. The gist of the solution is to create one more load-balancer and point it to the same instances that the original load-balancer is pointing to. Then attach the second SSL cert to the second load-balancer.

Steps:
1. Click on 'Services > Compute > EC2 > Load Balancers'.
2. Click on 'Create Load Balancer'
3. Use the exact same VPC group and security group as the primary load balancer. You can find information under the primary load balancer's Description tab.
4. Click on 'Auto-Scaling Group'
5. Add the newly created load balancer to the same auto-scaling group as the primary load balancer and you are in business!

Relevant: http://stackoverflow.com/questions/21267569/aws-elastic-beanstalk-environment-with-multiple-load-balancers

Conclusion

We have come to the end of this survival guide series. I hope you have learned something or at least become familiar with using Elastic Beanstalk. There is still a lot of unexplored terrain in the AWS landscape, but that's for another time and another series.
