Issues trying to configure SSL on AWS Elastic Beanstalk Webserver (single instance) PHP

Question

I am in the process of migrating a website for a client to AWS. I have everything configured and working except that the client would like to be able to accept payments on there website. I followed several guides on how to get SSL working using elastic beanstalk. Currently I have it set up to use a source bundle and I created a config file in the .ebextensions file that looks like this:

Resources:
 sslSecurityGroupIngress:
   Type: AWS::EC2::SecurityGroupIngress
   Properties:
    GroupName: {Ref : AWSEBSecurityGroup}
    IpProtocol: tcp
    ToPort: 443
    FromPort: 443
    CidrIp: 0.0.0.0/0

packages:
  yum:
    mod24_ssl : []

files:
  /etc/httpd/conf.d/ssl.conf:
    mode: "000755"
    owner: root
    group: root
    content: |
      LoadModule ssl_module modules/mod_ssl.so
      Listen 443
      <VirtualHost *:443>
         <Proxy *>
           Order deny,allow
           Allow from all
         </Proxy>
         SSLEngine on
         SSLProtocol All -SSLv2 -SSLv3
         SSLCertificateFile "/etc/pki/tls/certs/server.crt"
         SSLCertificateKeyFile "/etc/pki/tls/certs/server.key"

         ProxyPass / http://localhost:80/ retry=0
         ProxyPassReverse / http://localhost:80/
         ProxyPreserveHost on

         LogFormat "%h (%{X-Forwarded-For}i) %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
         ErrorLog /var/log/httpd/elasticbeanstalk-error_log
         TransferLog /var/log/httpd/elasticbeanstalk-access_log
       </VirtualHost>

      /etc/pki/tls/certs/server.crt:
         mode: "000400"
         owner: root
         group: root
         source: sourceHere

      /etc/pki/tls/certs/server.key:
        mode: "000400"
        owner: root
        group: root
        source: sourceHere

where sourceHere is the link to the file in S3, I have also tried using content directly in place of source but the result is the same, the application launches without any errors but any attempts to connect to the IP address or provided URL just say that the page is unavailable. If i build the same zip file but leave out the config files it builds correctly. This is pretty much exactly what AWS has on there support page and in the documentation for Elastic Beanstalk so I am not sure what is happening.

Answer 1

Instead of provisioning SSL via .ebextensions you should look at adding it via the Load Balancer under the Elastic Beanstalk Environment configuration >> Networking Tier >> Load Balancing.

The easiest way, other than using the CLI tools, is to create a EC2 load balancer and add the keys. Once you pass stage 2 (Select Certificate) then you can abort and the certificate will be save for Elastic Beanstalk usage.

1. Create Load Balancer
2. Add HTTPS

3. Add Private Key, Public Key Certificate, Certificate Chain.
4. Continue, then abort.
5. The SSL Certificate will now be available in your Elastic Beanstalk Environment.