Reputation: 5420
I was reading the AWS documentation for Certificate Manager. I can associate an SSL certificate with an ELB. I have already done that, and my application is still residing on an Apache server deployed on an Ubuntu EC2 server.
And the documentation has the following note:
Note Currently, ACM Certificates are associated with Elastic Load Balancing load balancers or Amazon CloudFront distributions. Although you install your website on an Amazon EC2 instance, you do not deploy an ACM Certificate there. Instead, deploy the ACM Certificate on your Elastic Load Balancing load balancer or on your CloudFront distribution.
To my understanding, that means we can just deploy the application on an EC2 instance and add it under a load balancer that has a certificate from ACM.
And that is all you need to have working SSL for your web application.
But when I was not using this approach, I used the following Apache configuration to configure SSL.
<VirtualHost *:80>
    DocumentRoot /var/www/html/
    ServerName example.com
    ServerAlias example.com
    ErrorLog ${APACHE_LOG_DIR}/diyoron-error_log
    CustomLog ${APACHE_LOG_DIR}/diyoron-access_log common
    <Directory /var/www/html/>
        # Send every plain-HTTP request to the HTTPS vhost below (needs mod_rewrite)
        RewriteEngine on
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R]
    </Directory>
</VirtualHost>

<VirtualHost *:443>
    # ServerAdmin [email protected]
    DocumentRoot /var/www/html/
    ServerName example.com
    ServerAlias example.com
    ErrorLog ${APACHE_LOG_DIR}/example-error_log
    CustomLog ${APACHE_LOG_DIR}/example-access_log common
    # TLS is terminated by Apache itself, with a Let's Encrypt key and certificate on the instance
    SSLEngine On
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
    SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
</VirtualHost>
But in my current arrangement I cannot configure SSLCertificateKeyFile, SSLCertificateChainFile and SSLCertificateFile in my Apache configuration.
If anybody can direct me to the right path, that is much appreciated.
AH00016: Configuration Failed
[Fri Apr 21 23:14:01.184314 2017] [ssl:emerg] [pid 1190] AH02572: Failed to configure at least one certificate and key for example.com:443
[Fri Apr 21 23:14:01.184826 2017] [ssl:emerg] [pid 1190] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
[Fri Apr 21 23:14:01.184834 2017] [ssl:emerg] [pid 1190] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/apache2/error.log for more information
Upvotes: 5
Views: 4278
Reputation: 10889
You will terminate SSL on your ELB and configure it to forward both HTTP and HTTPS requests as HTTP (to your instance's port 80).
Therefore, you will not need <VirtualHost *:443> anymore.
Also, in your Apache configuration, in <VirtualHost *:80> you are redirecting users to https:// if the connection is not using SSL/TLS (by the way, that condition was unnecessary: the request would never have reached that point if it was using https, so you could just redirect unconditionally). This will not be possible any more since, from Apache's point of view, all incoming connections use http://.
To determine the protocol used between the client and the load balancer, use the X-Forwarded-Proto request header (Elastic Load Balancing stores the protocol used between the client and the load balancer in the X-Forwarded-Proto request header and passes the header along to your server):
RewriteEngine on
# Redirect only when the client-to-load-balancer leg was not HTTPS
RewriteCond %{HTTP:X-Forwarded-Proto} !https [NC]
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
Upvotes: 6
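The answer above leaves the reader to assemble the port-80 vhost themselves. The following is an added example, written for this page and not code from the asker or the answerer, of the complete Apache 2.4 vhost for an instance that sits behind an ELB terminating TLS. It assumes mod_rewrite, mod_remoteip and mod_headers are enabled (a2enmod rewrite remoteip headers), a health-check path of /healthz, and a load balancer that lives inside the VPC CIDR 10.0.0.0/16; all three are assumptions, not facts from the thread. It also shows two things the answer does not: the health check must be exempted from the redirect (the load balancer expects a 200, and a 301 fails the check), and X-Forwarded-Proto is only trustworthy if the instance's security group allows port 80 from the load balancer alone, because a client that can reach the instance directly can set that header itself and skip the redirect.

```apache
# Added example: Apache 2.4 vhost for an EC2 instance behind an ELB that terminates TLS.
# Assumed: mod_rewrite, mod_remoteip and mod_headers enabled; health-check path /healthz;
# the load balancer's addresses fall inside 10.0.0.0/16 (adjust to your VPC).
# The instance's security group must accept port 80 only from the load balancer;
# otherwise X-Forwarded-Proto is just a header a direct client can forge.

<VirtualHost *:80>
    DocumentRoot /var/www/html/
    ServerName example.com
    ErrorLog ${APACHE_LOG_DIR}/example-error_log

    # Recover the real client address from X-Forwarded-For, and only honour that
    # header when the TCP peer is inside the VPC (i.e. the load balancer).
    RemoteIPHeader X-Forwarded-For
    RemoteIPInternalProxy 10.0.0.0/16

    # With mod_remoteip, %a is the forwarded client address; log the original scheme too.
    LogFormat "%a %l %u %t \"%r\" %>s %b \"%{X-Forwarded-Proto}i\"" elb
    CustomLog ${APACHE_LOG_DIR}/example-access_log elb

    RewriteEngine on
    # The load balancer health check arrives over plain HTTP and must get a 200, not a 301.
    RewriteRule ^/healthz$ - [L]
    # Redirect only when the client reached the load balancer over plain HTTP.
    RewriteCond %{HTTP:X-Forwarded-Proto} !https [NC]
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    # Pin browsers to HTTPS; the header is only meaningful on responses that the
    # client receives over TLS, so emit it only on the forwarded-HTTPS case.
    <If "%{req:X-Forwarded-Proto} == 'https'">
        Header always set Strict-Transport-Security "max-age=31536000"
    </If>

    <Directory /var/www/html/>
        Require all granted
    </Directory>
</VirtualHost>
```

Check the file with apachectl configtest before reloading. To verify the behaviour end to end, send requests through the load balancer rather than to the instance: curl -sI http://example.com/ should return a 301 with a Location of https://example.com/, curl -sI https://example.com/ should return 200 with the Strict-Transport-Security header, and curl -sI http://example.com/healthz should return 200 with no redirect. If a request sent straight to the instance's port 80 with a hand-set X-Forwarded-Proto: https header also returns 200, the security group is too permissive and the redirect can be bypassed.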