Reputation: 39
I created a .ebextensions directory in the root of my project in order to activate SSL, but I don't see the virtual host 443 created in the ssl.conf file.
After the deployment the keys are fine (they are created fine), but the ssl.conf is never created. So I need to manually connect to the instance and modify the conf.d file to add the virtual host.
WAR structure:
    ROOT.war
    |
    |-- WEB-INF
    |-- META-INF
    |-- .ebextensions
        |
        |-- https-instance-single.config
        |-- https-instance.config
        |-- httpd
            |
            |-- conf.d
                |
                |-- ssl.conf
https-instance.config:
    files:
      /etc/pki/tls/certs/server.crt:
        mode: "000400"
        owner: root
        group: root
        content: |
          -----BEGIN CERTIFICATE-----
          XXXXXXXXXXXXXXXXXXXXXX
          -----END CERTIFICATE-----
      /etc/pki/tls/certs/server.key:
        mode: "000400"
        owner: root
        group: root
        content: |
          -----BEGIN RSA PRIVATE KEY-----
          XXXXXXXXXX
          -----END RSA PRIVATE KEY-----
      /etc/pki/tls/certs/gd_bundle.crt:
        mode: "000400"
        owner: root
        group: root
        content: |
          -----BEGIN CERTIFICATE-----
          XXXXXXXXXXXXXXXXXXXXXXXXXXX
          -----END CERTIFICATE-----
          -----BEGIN CERTIFICATE-----
          XXXXXXXXXXXXXXXXXXXXXXXXXXX
          -----END CERTIFICATE-----
          -----BEGIN CERTIFICATE-----
          XXXXXXXXXXXXXXXXXXXXXXXXXXX
          -----END CERTIFICATE-----
https-instance-single.config:
    Resources:
      sslSecurityGroupIngress:
        Type: AWS::EC2::SecurityGroupIngress
        Properties:
          GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
          IpProtocol: tcp
          ToPort: 443
          FromPort: 443
          CidrIp: 0.0.0.0/0
ssl.conf:
    Listen 443
    <VirtualHost *:443>
      ServerName YOUR_SERVER_NAME
      SSLEngine on
      SSLCertificateFile "/etc/pki/tls/certs/server.crt"
      SSLCertificateKeyFile "/etc/pki/tls/certs/server.key"
      SSLCertificateChainFile "/etc/pki/tls/certs/gd_bundle.crt"
      SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
      <Proxy *>
        Require all granted
      </Proxy>
      ProxyPass / http://localhost:8080/ retry=0
      ProxyPassReverse / http://localhost:8080/
      ProxyPreserveHost on
      ErrorLog /var/log/httpd/elasticbeanstalk-ssl-error_log
    </VirtualHost>
Upvotes: 1
Views: 288
Reputation: 39
I solved this.
I don't know why, and it is not documented, but it seems that the proxy files must be inside the .platform folder.
The log shows:
skip legacy configuration under .ebextensions, put under .platform instead
So I tried creating that folder and it works. But AWS never made a document with that step. So AWS PLEASE UPDATE YOUR DOCS! :)
Upvotes: 1
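A pre-deployment check for the behaviour described in the answer, as an added example that is not part of the original posts and not AWS tooling: it scans a source bundle for proxy configuration still under .ebextensions and rewrites the bundle with those files under .platform. The prefixes treated as legacy, the mirrored .platform/httpd/conf.d/ target path, and all function names are assumptions; the sample bundle is constructed.

```python
import io
import zipfile

# Assumption: proxy overrides under these prefixes are the "legacy configuration"
# the log line refers to. The *.config files in .ebextensions are left in place.
LEGACY_PREFIXES = (".ebextensions/httpd/", ".ebextensions/nginx/")


def find_legacy_proxy_files(bundle: bytes) -> dict[str, str]:
    """Map each legacy proxy file in the bundle to its .platform counterpart."""
    moves = {}
    with zipfile.ZipFile(io.BytesIO(bundle)) as zf:
        for name in zf.namelist():
            if name.startswith(LEGACY_PREFIXES) and not name.endswith("/"):
                moves[name] = ".platform/" + name[len(".ebextensions/"):]
    return moves


def migrate_bundle(bundle: bytes) -> bytes:
    """Return a new bundle with legacy proxy files moved under .platform."""
    moves = find_legacy_proxy_files(bundle)
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(bundle)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        existing = set(src.namelist())
        for info in src.infolist():
            target = moves.get(info.filename, info.filename)
            if target != info.filename and target in existing:
                continue  # a .platform copy already exists; keep that one
            dst.writestr(target, src.read(info.filename))
    return out.getvalue()


def sample_bundle() -> bytes:
    """Constructed sample mirroring the WAR layout in the question."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        zf.writestr(".ebextensions/https-instance.config", "files: {}\n")
        zf.writestr(".ebextensions/https-instance-single.config", "Resources: {}\n")
        zf.writestr(".ebextensions/httpd/conf.d/ssl.conf", "Listen 443\n")
    return buf.getvalue()


if __name__ == "__main__":
    for old, new in find_legacy_proxy_files(sample_bundle()).items():
        print(f"{old} -> {new}")
```

Running the check in CI turns a silently skipped ssl.conf, which leaves port 443 open in the security group with no HTTPS virtual host behind it, into a build-time finding.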