
Issues trying to configure SSL on AWS Elastic Beanstalk Webserver (single instance) PHP

I am in the process of migrating a website for a client to AWS. I have everything configured and working except that the client would like to be able to accept payments on their website. I followed several guides on how to get SSL working using Elastic Beanstalk. Currently I have it set up to use a source bundle and I created a config file in the .ebextensions file that looks like this:

Resources:
 sslSecurityGroupIngress:
   Type: AWS::EC2::SecurityGroupIngress
   Properties:
    GroupName: {Ref : AWSEBSecurityGroup}
    IpProtocol: tcp
    ToPort: 443
    FromPort: 443
    CidrIp: 0.0.0.0/0

packages:
  yum:
    mod24_ssl : []

files:
  /etc/httpd/conf.d/ssl.conf:
    mode: "000755"
    owner: root
    group: root
    content: |
      LoadModule ssl_module modules/mod_ssl.so
      Listen 443
      <VirtualHost *:443>
         <Proxy *>
           Order deny,allow
           Allow from all
         </Proxy>
         SSLEngine on
         SSLProtocol All -SSLv2 -SSLv3
         SSLCertificateFile "/etc/pki/tls/certs/server.crt"
         SSLCertificateKeyFile "/etc/pki/tls/certs/server.key"

         ProxyPass / http://localhost:80/ retry=0
         ProxyPassReverse / http://localhost:80/
         ProxyPreserveHost on

         LogFormat "%h (%{X-Forwarded-For}i) %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
         ErrorLog /var/log/httpd/elasticbeanstalk-error_log
         TransferLog /var/log/httpd/elasticbeanstalk-access_log
       </VirtualHost>

      /etc/pki/tls/certs/server.crt:
         mode: "000400"
         owner: root
         group: root
         source: sourceHere

      /etc/pki/tls/certs/server.key:
        mode: "000400"
        owner: root
        group: root
        source: sourceHere

where sourceHere is the link to the file in S3. I have also tried using content directly in place of source, but the result is the same: the application launches without any errors, but any attempts to connect to the IP address or provided URL just say that the page is unavailable. If I build the same zip file but leave out the config files, it builds correctly. This is pretty much exactly what AWS has on their support page and in the documentation for Elastic Beanstalk, so I am not sure what is happening.

asked Nov 27 '14 18:11 by Gordnfreeman
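A lint check for the nesting in the question's config, as an added example that is not part of the original post: in the file as it appears above, the `server.crt` and `server.key` entries are indented to the depth of the `content: |` body, so a YAML parser reads them as further lines of ssl.conf rather than as separate `files:` entries. The function name `swallowed_entries` and the trimmed sample are assumptions made for this example.

```python
import re

BLOCK_START = re.compile(r"^( *)content:\s*[|>][+-]?\s*$")
PATH_KEY = re.compile(r"^\s*(/[^\s:]+):\s*$")   # e.g. "/etc/pki/.../server.key:"

# Constructed sample: same indentation as the question's config, directives trimmed.
AS_POSTED = """\
files:
  /etc/httpd/conf.d/ssl.conf:
    content: |
      Listen 443
      <VirtualHost *:443>
         SSLEngine on
       </VirtualHost>

      /etc/pki/tls/certs/server.crt:
         source: sourceHere

      /etc/pki/tls/certs/server.key:
        mode: "000400"
        source: sourceHere
"""
# Same text with the two path keys moved to the depth of the ssl.conf key.
DEDENTED = AS_POSTED.replace("      /etc/pki/", "  /etc/pki/")

def indent(line):
    return len(line) - len(line.lstrip(" "))

def swallowed_entries(text):
    """Return (line_no, path) for path-like keys that fall inside a `content: |`
    block scalar, where YAML treats them as file content, not as `files:` keys."""
    found, key_indent, body_indent = [], None, None
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue                              # blank lines never end a block scalar
        if key_indent is not None:
            if body_indent is None and indent(line) > key_indent:
                body_indent = indent(line)        # first body line sets the block's indent
            if body_indent is not None and indent(line) >= body_indent:
                if (m := PATH_KEY.match(line)):
                    found.append((no, m.group(1)))
                continue
            key_indent = body_indent = None       # dedented line: block is over
        if (m := BLOCK_START.match(line)):
            key_indent = len(m.group(1))
    return found

if __name__ == "__main__":
    print(swallowed_entries(AS_POSTED))
```

Run it over each `.config` file in `.ebextensions` before building the source bundle; an empty list means no path-like key is buried in a `content` block.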




1 Answer

Instead of provisioning SSL via .ebextensions you should look at adding it via the Load Balancer under the Elastic Beanstalk Environment configuration >> Networking Tier >> Load Balancing.


The easiest way, other than using the CLI tools, is to create an EC2 load balancer and add the keys. Once you pass stage 2 (Select Certificate) then you can abort and the certificate will be saved for Elastic Beanstalk usage.

  1. Create Load Balancer
  2. Add HTTPS
  3. Add Private Key, Public Key Certificate, Certificate Chain.
  4. Continue, then abort.
  5. The SSL Certificate will now be available in your Elastic Beanstalk Environment.


answered Sep 19 '22 02:09 by George Rushby