Configure SSL Certificates on AWS EBS

Responsive image

Elastic Beanstalk is a fantastic way to deploy and manage web applications. Today, for most web apps, you’ll need SSL certificates to encrypt data between users and your server. For this, we’ll use Let’s Encrypt Certificate Authority which provides free SSL certificates and is supported by a wide array of browsers.

To generate the certificate, we’ll use Certbot, which is the official Let’s Encrypt client, and is also developed by the Electronic Frontier Foundation. Certbot will automatically fetch and deploy SSL/TLS certificates for your server.

First, get Certbot to generate the SSL certificate

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

Then, cut all NGINX or other process using port 80 and request your certificate. Be careful of API calls limit on Let’s Encrypt servers.

./certbot-auto certonly --standalone -d [www.mydomain.com] --debug

Finally, update your NGINX config like so to use the newly generated certificates and also to redirect incoming traffic to the HTTPS server.

# /etc/nginx/sites-enabled/elasticbeanstalk-nginx-docker-proxy.conf
[...]

server {
    listen      80 default;
    server_name [www.mydomain.com]
    access_log  off;
    error_log   off;
    ## redirect http to https ##
    return      301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;

    ssl_certificate /etc/letsencrypt/live/[www.mydomain.com]/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/[www.mydomain.com]/privkey.pem;
[...]
}

Ensure that you have open port 443 (HTTPS) on your security groups attached to the instance and you’re good to go!

Troubleshooting

If you encounter a Python error about cryptographic packages missing, add the following symlinks.

ln -s /opt/eff.org/certbot/venv/local/lib64/python2.7/dist-packages/cryptography /opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/cryptography
ln -s /opt/eff.org/certbot/venv/local/lib64/python2.7/dist-packages/cryptography-2.0.2.dist-info /opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/cryptography-2.0.2.dist-info
ln -s /opt/eff.org/certbot/venv/local/lib64/python2.7/dist-packages/cffi /opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/cffi
ln -s /opt/eff.org/certbot/venv/local/lib64/python2.7/dist-packages/cffi-1.10.0.dist-info /opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/cffi-1.10.0.dist-info
ln -s /opt/eff.org/certbot/venv/local/lib64/python2.7/dist-packages/_cffi_backend.so /opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/_cffi_backend.so
ln -s /opt/eff.org/certbot/venv/local/lib64/python2.7/dist-packages/.libs_cffi_backend /opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/.libs_cffi_backend
ln -s /opt/eff.org/certbot/venv/local/lib64/python2.7/dist-packages/zope.interface-4.1.3-py2.7-nspkg.pth /opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/zope.interface-4.1.3-py2.7-nspkg.pth
ln -s /opt/eff.org/certbot/venv/local/lib64/python2.7/dist-packages/zope.interface-4.1.3-py2.7.egg-info /opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/zope.interface-4.1.3-py2.7.egg-info
ln -s /opt/eff.org/certbot/venv/local/lib64/python2.7/dist-packages/zope/interface /opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/zope/interface

Also add the following package.

sudo /opt/eff.org/certbot/venv/local/bin/pip install cryptography interface

Add Password Authentication

If you have OpenSSL installed on your server, you can create a password file without adding additional packages. We will create a hidden file called .htpasswd in the /etc/nginx configuration directory to store our username and password combinations.

sudo sh -c "echo -n '[USERNAME]:' >> /etc/nginx/.htpasswd"
sudo sh -c "openssl passwd [MyPassword] >> /etc/nginx/.htpasswd"

Then add the following configuration in your NGINX configuration file.

server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;

    root /usr/share/nginx/html;
    index index.html index.htm;

    server_name localhost;

    location / {
        try_files $uri $uri/ =404;
        auth_basic "Restricted Content";
        auth_basic_user_file /etc/nginx/.htpasswd;
    }
}
Written on November 20th, 2017 by Samy Gejzenblozen

Tags:

#AWS #devops

Social networks

You may also enjoy:

Install Docker and docker-compose on Amazon Linux

Install Docker and docker-compose on Amazon Linux

#AWS #Docker

I often have to deploy an AWS instance running on Amazon Linux and using it to deploy Docker containers. As *Amazon Linux* don't come with Docker preinstalled, you have to do it manually. Or even better, through a script in the ***user-data*** section of your launch template. Here's the script you'll need to install the latest version of **Doc... Read more

20 Mar 2020 - less than 1 minute read
Docker tips

Docker tips

#docker #devops

Recently, I started working with Docker on various projects. So here’s just a bunch of commands I’ve found to be quite helpful while troubleshooting errors with Docker. # List all containers docker images REPOSITORY TAG IMAGE ID CREATED SIZE project_web latest f4ef8d25add1 ... Read more

20 Sep 2017 - 1 minute read

Amat Victoria Curam

SM2G | Amat Victoria Curam by Samy Gejzenblozen