I am in the process of migrating a website for a client to AWS. I have everything configured and working except that the client would like to be able to accept payments on their website. I followed several guides on how to get SSL working using Elastic Beanstalk. Currently I have it set up to use a source bundle, and I created a config file in the .ebextensions directory that looks like this:

```yaml
Resources:
  sslSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupName: {Ref : AWSEBSecurityGroup}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0
packages:
  yum:
    mod24_ssl : []
files:
  /etc/httpd/conf.d/ssl.conf:
    mode: "000755"
    owner: root
    group: root
    content: |
      LoadModule ssl_module modules/mod_ssl.so
      Listen 443
      <VirtualHost *:443>
        <Proxy *>
          Order deny,allow
          Allow from all
        </Proxy>
        SSLEngine on
        SSLProtocol All -SSLv2 -SSLv3
        SSLCertificateFile "/etc/pki/tls/certs/server.crt"
        SSLCertificateKeyFile "/etc/pki/tls/certs/server.key"
        ProxyPass / http://localhost:80/ retry=0
        ProxyPassReverse / http://localhost:80/
        ProxyPreserveHost on
        LogFormat "%h (%{X-Forwarded-For}i) %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
        ErrorLog /var/log/httpd/elasticbeanstalk-error_log
        TransferLog /var/log/httpd/elasticbeanstalk-access_log
      </VirtualHost>
    /etc/pki/tls/certs/server.crt:
      mode: "000400"
      owner: root
      group: root
      source: sourceHere
    /etc/pki/tls/certs/server.key:
      mode: "000400"
      owner: root
      group: root
      source: sourceHere
```
where sourceHere is the link to the file in S3. I have also tried using content directly in place of source, but the result is the same: the application launches without any errors, but any attempts to connect to the IP address or the provided URL just say that the page is unavailable. If I build the same zip file but leave out the config files it builds correctly. This is pretty much exactly what AWS has on their support page and in the documentation for Elastic Beanstalk, so I am not sure what is happening.
There is a problem of indentation in your config file: /etc/pki/tls/certs/server.crt and /etc/pki/tls/certs/server.key should be at the same level as /etc/httpd/conf.d/ssl.conf.

You should correct the indentation so you get:

```yaml
files:
  /etc/httpd/conf.d/ssl.conf:
    mode: "000755"
    owner: root
    group: root
    content: |
      LoadModule ssl_module modules/mod_ssl.so
      Listen 443
      <VirtualHost *:443>
        <Proxy *>
          Order deny,allow
          Allow from all
        </Proxy>
        SSLEngine on
        SSLProtocol All -SSLv2 -SSLv3
        SSLCertificateFile "/etc/pki/tls/certs/server.crt"
        SSLCertificateKeyFile "/etc/pki/tls/certs/server.key"
        ProxyPass / http://localhost:80/ retry=0
        ProxyPassReverse / http://localhost:80/
        ProxyPreserveHost on
        LogFormat "%h (%{X-Forwarded-For}i) %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
        ErrorLog /var/log/httpd/elasticbeanstalk-error_log
        TransferLog /var/log/httpd/elasticbeanstalk-access_log
      </VirtualHost>
  /etc/pki/tls/certs/server.crt:
    mode: "000400"
    owner: root
    group: root
    source: sourceHere
  /etc/pki/tls/certs/server.key:
    mode: "000400"
    owner: root
    group: root
    source: sourceHere
```
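A small lint script for catching this class of mistake before deploying, added here as an example and not part of the question or either answer. It parses the `files:` section of an .ebextensions document with Ruby's standard `yaml` library and flags an entry whose name looks like a path but sits inside another file's mapping (exactly what a one-level-too-deep indent produces), an entry without exactly one of `content`/`source`, an unquoted `mode` (YAML would read `000400` as an octal integer), and a private key whose mode leaves it group- or world-readable. The two embedded configs are constructed samples; the S3 URLs in them are placeholders, not real buckets, and the allowed-key list is taken from the documented `files:` keys.

```ruby
require 'yaml'

# Keys Elastic Beanstalk accepts inside a files: entry (from the .ebextensions
# "files" documentation); anything else is either a typo or a misindented sibling.
FILE_ENTRY_KEYS = %w[content source encoding group owner mode authentication].freeze

# Lint the files: section of an .ebextensions config document and return a list
# of findings (strings). An empty list means nothing was flagged.
def lint_ebextensions(yaml_text)
  findings = []
  config = YAML.safe_load(yaml_text)
  files = config.is_a?(Hash) ? config['files'] : nil
  return ['no files: mapping found'] unless files.is_a?(Hash)

  files.each do |path, entry|
    findings << "#{path}: file keys must be absolute paths" unless path.to_s.start_with?('/')
    unless entry.is_a?(Hash)
      findings << "#{path}: entry is not a mapping"
      next
    end

    # A sibling indented one level too deep lands here as an unexpected key
    # whose name looks like a path: the mistake the accepted answer describes.
    (entry.keys - FILE_ENTRY_KEYS).each do |key|
      findings << if key.to_s.start_with?('/')
                    "#{key}: nested under #{path}; outdent it to the files: level"
                  else
                    "#{path}: unknown key #{key}"
                  end
    end

    # Exactly one of content/source must supply the file body.
    findings << "#{path}: needs exactly one of content/source" unless (entry.keys & %w[content source]).size == 1

    # mode must stay a quoted string: an unquoted 000400 is parsed by YAML as
    # an octal integer and no longer means what the author intended.
    mode = entry['mode']
    unless mode.is_a?(String) && mode.match?(/\A[0-7]{6}\z/)
      findings << "#{path}: mode must be a quoted six-digit octal string, got #{mode.inspect}"
    end

    # Private keys must not be group- or world-readable.
    if path.to_s.end_with?('.key') && !%w[000400 000600].include?(mode)
      findings << "#{path}: private key mode #{mode.inspect} should be 000400 or 000600"
    end
  end
  findings
end

# Constructed sample reproducing the question's mistake: the certificate and key
# entries are indented under the ssl.conf entry instead of beside it.
BROKEN_CONFIG = <<~YAML
  files:
    /etc/httpd/conf.d/ssl.conf:
      mode: "000644"
      owner: root
      group: root
      content: |
        Listen 443
      /etc/pki/tls/certs/server.crt:
        mode: "000400"
        owner: root
        group: root
        source: https://example-bucket.s3.amazonaws.com/server.crt
      /etc/pki/tls/certs/server.key:
        mode: "000400"
        owner: root
        group: root
        source: https://example-bucket.s3.amazonaws.com/server.key
YAML

# The same three entries at the correct level (constructed, placeholder URLs).
FIXED_CONFIG = <<~YAML
  files:
    /etc/httpd/conf.d/ssl.conf:
      mode: "000644"
      owner: root
      group: root
      content: |
        Listen 443
    /etc/pki/tls/certs/server.crt:
      mode: "000400"
      owner: root
      group: root
      source: https://example-bucket.s3.amazonaws.com/server.crt
    /etc/pki/tls/certs/server.key:
      mode: "000400"
      owner: root
      group: root
      source: https://example-bucket.s3.amazonaws.com/server.key
YAML

if __FILE__ == $PROGRAM_NAME
  { 'broken' => BROKEN_CONFIG, 'fixed' => FIXED_CONFIG }.each do |name, text|
    findings = lint_ebextensions(text)
    puts "#{name}: #{findings.empty? ? 'OK' : findings.join("\n  ")}"
  end
end
```

Run it against a real config by replacing the embedded samples with `File.read('.ebextensions/ssl.config')`. The broken sample produces two "nested under /etc/httpd/conf.d/ssl.conf" findings and the fixed one produces none; note that YAML accepts the broken layout without complaint, which is why the deploy in the question succeeded while the cert and key were never written.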
Instead of provisioning SSL via .ebextensions you should look at adding it via the Load Balancer under the Elastic Beanstalk Environment configuration >> Networking Tier >> Load Balancing.

The easiest way, other than using the CLI tools, is to create an EC2 load balancer and add the keys. Once you pass stage 2 (Select Certificate) you can abort, and the certificate will be saved for Elastic Beanstalk usage.

- Create Load Balancer
- Add HTTPS
- Add Private Key, Public Key Certificate, Certificate Chain.
- Continue, then abort.
- The SSL Certificate will now be available in your Elastic Beanstalk Environment.
If you want to use Let's Encrypt you can try this. Here's a way to install certs on single-instance Elastic Beanstalk Node servers: http://bluefletch.com/blog/domain-agnostic-letsencrypt-ssl-config-for-elastic-beanstalk-single-instances/

Basically an automated .ebextension to install certbot, get a cert, and link nginx to it.

Source: https://stackoverflow.com/questions/27177139/issues-trying-to-configure-ssl-on-aws-elastic-beanstalk-webserver-single-instan