I was reading the AWS documentation for Certificate Manager. I can associate an SSL certificate with an ELB. I have already done that, and my application is still residing on an Apache server deployed on an Ubuntu EC2 instance.
And in the documentation it has the following,
Note Currently, ACM Certificates are associated with Elastic Load Balancing load balancers or Amazon CloudFront distributions. Although you install your website on an Amazon EC2 instance, you do not deploy an ACM Certificate there. Instead, deploy the ACM Certificate on your Elastic Load Balancing load balancer or on your CloudFront distribution.
To my understanding, that means we can just deploy the application on an EC2 instance and add it under a load balancer that has a certificate from ACM.
And that is all you need to get SSL working for your web application.
But when I was not using this approach, I used the following Apache configuration to configure SSL.
<VirtualHost *:80>
    DocumentRoot /var/www/html/
    ServerName example.com
    ServerAlias example.com
    ErrorLog ${APACHE_LOG_DIR}/diyoron-error_log
    CustomLog ${APACHE_LOG_DIR}/diyoron-access_log common
    <Directory /var/www/html/>
        RewriteEngine on
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R]
    </Directory>
</VirtualHost>

<VirtualHost *:443>
    # ServerAdmin [email protected]
    DocumentRoot /var/www/html/
    ServerName example.com
    ServerAlias example.com
    ErrorLog ${APACHE_LOG_DIR}/example-error_log
    CustomLog ${APACHE_LOG_DIR}/example-access_log common
    SSLEngine On
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
    SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
</VirtualHost>
But in my current arrangement I cannot configure SSLCertificateKeyFile, SSLCertificateChainFile and SSLCertificateFile in my Apache configuration.
If anybody can direct me to a right path that is much appreciated.
AH00016: Configuration Failed
[Fri Apr 21 23:14:01.184314 2017] [ssl:emerg] [pid 1190] AH02572: Failed to configure at least one certificate and key for example.com:443
[Fri Apr 21 23:14:01.184826 2017] [ssl:emerg] [pid 1190] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
[Fri Apr 21 23:14:01.184834 2017] [ssl:emerg] [pid 1190] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/apache2/error.log for more information
No, you cannot use AWS Certificate Manager for deploying certs on EC2. The Certificate Manager certs can only be deployed against CloudFront and Elastic Load Balancer. In order to use it on EC2, you need to put an ELB on top of EC2, so that the request from the client to the load balancer will be HTTPS protected and from the ELB to the EC2 webserver will be on HTTP.
We recommend that you use AWS Certificate Manager (ACM) to create or import certificates for your load balancer. ACM integrates with Elastic Load Balancing so that you can deploy the certificate on your load balancer. To deploy a certificate on your load balancer, the certificate must be in the same Region as the load balancer.
I want to upload multiple certificates for different domains using Elastic Load Balancing (ELB). As of April 2018, Classic Load Balancer doesn't support adding multiple certificates.
I want to enable an SSL connection between my Amazon Elastic Compute Cloud (Amazon EC2) instance and load balancer. Amazon-issued certificates can’t be installed on an EC2 instance. To enable end-to-end encryption, you must use a third-party SSL certificate. Install the third-party certificate on an EC2 instance.
You will terminate SSL on your ELB and configure it to forward both HTTP and HTTPS requests as HTTP (to your instance's port 80):
Therefore, you will not need <VirtualHost *:443> anymore.
Also, in your Apache configuration, in <VirtualHost *:80> you are redirecting users to https:// if the connection is not using SSL/TLS (btw, that condition was unnecessary; the request would never have reached that point if it was using https - you could just unconditionally redirect it). This will not be possible any more since, from Apache's point of view, all incoming connections use http://.
To determine the protocol used between the client and the load balancer, use the X-Forwarded-Proto request header (Elastic Load Balancing stores the protocol used between the client and the load balancer in the X-Forwarded-Proto request header and passes the header along to your server):
RewriteCond %{HTTP:X-Forwarded-Proto} !https [NC]
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
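Putting the answer above together, here is an added example (not part of the original answer, and not an AWS-supplied configuration) of what the complete Apache virtual host looks like once TLS terminates at the load balancer: a single plain-HTTP vhost, the X-Forwarded-Proto redirect, and nothing from the old 443 vhost. The hostname, document root and log names are the ones from the question; the health check path /health and the Security Group arrangement described in the comments are assumptions.

```apache
# Added example: the only virtual host needed on the instance once the ELB terminates TLS.
# Assumed deployment: the ELB's :80 and :443 listeners both forward to this instance's
# port 80, and the instance Security Group allows port 80 only from the ELB's Security
# Group. That last point matters: X-Forwarded-Proto is a plain request header, so a client
# that could reach the instance directly could set it to "https" and skip the redirect.
<VirtualHost *:80>
    DocumentRoot /var/www/html/
    ServerName example.com
    ErrorLog ${APACHE_LOG_DIR}/example-error_log
    CustomLog ${APACHE_LOG_DIR}/example-access_log common

    RewriteEngine on

    # Exempt the load balancer's health check (path /health is an assumed value).
    # The health checker expects a 200; answering it with a 301 marks the instance
    # unhealthy and the ELB stops sending it traffic.
    RewriteCond %{REQUEST_URI} !^/health$
    # Anything that did not arrive over HTTPS at the ELB gets sent to the HTTPS listener.
    RewriteCond %{HTTP:X-Forwarded-Proto} !https [NC]
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    # Applications that look at the HTTPS environment variable (e.g. PHP's $_SERVER['HTTPS'])
    # otherwise see a plain-HTTP request; mark it secure when the ELB says the client used TLS.
    SetEnvIf X-Forwarded-Proto "^https$" HTTPS=on

    <Directory /var/www/html/>
        Require all granted
    </Directory>
</VirtualHost>
```

The SSLEngine and SSLCertificate* directives, and the whole <VirtualHost *:443>, are gone because Apache never sees TLS; only the ELB holds the ACM certificate. mod_rewrite and mod_setenvif must be enabled (a2enmod rewrite setenvif on Ubuntu), and apachectl configtest should pass before reloading.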