Install Wildcard SSL Certificate on AWS Elastic Beanstalk - ssl

I'm not the most advanced AWS user there is, and have come across a bit of a roadblock.
I've got 2 Elastic Beanstalk Environments, each with a Load Balancer, 2 EC2 instances and they share a RDS instance. One environment is for Development and the other for Production.
I have purchased a wildcard SSL certificate from Thawte, and would like to install it on both the Development and Production environments. I've gone through other threads about adding SSL certificates in AWS, but the admin interface has changed since they were written so I've been going round in circles trying to figure it out.
Also, do I install the same SSL certificate on both Load Balancers? Or is it a case of only having one load balancer and redirecting traffic depending on the domain?
Thanks

You will need two load balancers, one for each environment. For uploading the certificate, it sounds like you are creating your Beanstalk environment through the console. In that case, after you create the environment, go to the EC2 tab, then 'Load Balancers', then 'Listeners'. Edit that, change the protocol to https. You'll see there is a place to change the certificate:
That will give you a place to upload the certificate:
Now that the cert is there, you can use the Elastic Beanstalk configuration to change future environments to use that cert:

Related

1 SSL Cert for Multiple Dynamic Elastic Beanstalk Environments

I'm basically trying to setup review apps where our CI spins up a review app such as review-app-<tag>.review.ourdomain.com based on push to a git branch.
Our CI spins up a new elastic beanstalk environment per review app. I currently have a wildcard SSL cert hooked up to our domain, which works properly.
Now, I need to figure out how to get https to work for our review apps. One solution would be to leverage Cloudflare's API to add DNS records that point review-app-<tag>.review to the appropriate elastic beanstalk instance's load balancer. However, DNS takes a while to propagate sometimes so it's not a great solution especially for CI workflows.
How can I get this to work without modifying DNS records? Is there a hack that could be put in place by modifying our Nginx config or using a Shared Application Load Balancer?

Elastic Beanstalk Add more than one ssl certificate

I have a Docker, Django api application that can be called from multiple domains abc.xyx.com or def.lmn.com. I have added successfully the ssl certificate for abc.xyz.com from the configuration console in elastic beanstalk. That allows only one certificate to be added for 443 port.
How do i add the def.lmn.com certificate after creating it from aws certificate manager?
Multiple SSL secured applications can be hosted in aws with each having their own SSL certificates with the help of SNI (Server Name Indication).
In order to achieve this you need to use an Application Load Balancer for your application.
Hence, for using SNI you need to bind multiple certificates to the same listener on your Application Load Balancer.
If you have not configured Application Load Balancer while creating your environment, then you need to create a new environment and configure it.
Configuring Application Load Balancer: https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/environments-cfg-alb.html
Steps to be followed for adding multiple certificates, if you have configured Application Load Balancer while creating your Elastic Beanstalk Environment :
Step 1: Import/Upload all the certificates you require through “AWS Certificate Manager” service.
Step 2: Open your Load Balancer in the console.
Step 3: Go to the listeners tab, and select “view/edit certificates” .
Step 4: Now, use the “+” button in the top left corner and select the certificates you require. Then click the “Add” button.
That's it. In this way you can add multiple certificates to your application.
This can also done with the help of CLI using the following command:
aws elbv2 add-listener-certificates --listener-arn [listener-arn] --certificates CertificateArn=[cert-arn]
Hope this helps :)
You need to use an application load balancer instead of an elastic for your application. If you have an environment that already exists and you are not using an application load balancer then you need to create a new environment and while configuring the new environment specify the capacity as load balanced and select an application load balancer in the load balancer configuration. Once this is done then add a new listener for https. For now, select one certificate and launch your environment. Once your environment is launched, open the EC2 console and go to the loadbalancer in the sidebar. From there select your application loadbalancer, select your listener and click on view certificates. You can add multiple certificates, there.

Multi-tenant SSL with Cloudflare and Heroku

Im currently building an application that will reside at app.mydomain.com which is running on Heroku. All users will have their own entry points, like app.mydomain.com/client1, app.mydomain.com/client2, etc. I want clients to be able to setup their own domain (www.clientdomain.com) and cname it to their entry point. I understand this is pretty straight forward up until now.
All my DNS is handled by Cloudflare and I believe I can configure Cloudlfare into Full (Strict) mode, all I need to do is install their Origin Cert onto my Heroku dyno. This will ensure that all direct connects to my domain will be secure (going to app.mydomain.com/client1).
Question is, how does a client go about getting an SSL'ed connection for their domain; do I need to get a multidomain cert and start adding domains to it as I get clients, or am i supposed to install their cert onto Heroku (I believe I can only install 1 so thats a no go) or is it supposed to live on Cloudflare somewhere, or are there additional options I'm not seeing (I hope there are!).
Im not wondering what to do for my own domains, but rather, how do clients setup an SSL connection with their domains that resolve onto my servers.
This is rather perplexing!
The flow would be (I think):
User Browser -> Clients DNS -> (cname to) My Cloudflare -> Heroku
Hmm, it looks like this might be a pretty solid solution to this issue...
https://blog.cloudflare.com/introducing-ssl-for-saas/
Edit - after clarification
I'm currently building an application that will reside at
app.mydomain.com which is running on Heroku. All users will have their
own entry points, like app.mydomain.com/client1,
app.mydomain.com/client2, etc. Question is, how does a client go about
getting an SSL'ed connection for their domain; do I need to get a
multidomain cert and start adding domains to it as I get clients?
If you are going to use the same Heroku app for all of your clients (I think this is a bad idea by the way, but you might be required to) - then yes - you should get a multi-domain certificate and keep adding domains to it as your list of clients expand.
Original answer - which explains SSL + Load Balancing on Heroku.
Im currently building an application that will reside at
app.mydomain.com which is running on Heroku. I was clients to be able
to setup their own domain www.clientdomain.com and cname it to mine.
You will need a wildcard certificate to cover your subdomain (for the app.mydomain.com). You'll have use that cert in heroku.
...all I need to do is install their Origin Cert onto my Heroku dyno.
You are correct - except it's not on your Heroku dyno, it's on your Heroku app endpoint. There's a good read here: https://serverfault.com/questions/68753/does-each-server-behind-a-load-balancer-need-their-own-ssl-certificate
If you do your load balancing on the TCP or IP layer (OSI layer 4/3,
a.k.a L4, L3), then yes, all HTTP servers will need to have the SSL
certificate installed.
If you load balance on the HTTPS layer (L7), then you'd commonly
install the certificate on the load balancer alone, and use plain
un-encrypted HTTP over the local network between the load balancer and
the webservers (for best performance on the web servers).
So you should install your SSL certificate to your Heroku endpoint and let Heroku handle the rest.
Question is, how does a client go about getting an SSL'ed connection;
do I need to get a multidomain cert and start adding domains to it as
I get clients, am i supposed to install their cert onto Heroku (I
believe I can only install 1 so thats a no go) or is it supposed to
live on Cloudflare somewhere?
If you're referring to adding servers to your service from heroku, all you need to do is increase the number of web-dynos. Heroku will handle the load balancing in between these dynos. Your SSL certificate should be resolved in the load balancer so your dynos will be serving requests for the same endpoint. You shouldn't need another SSL certificate for the endpoint you've defined - as long as you're serving traffic from multiple dynos attached to it.

Removing Rogue SSL Certs on AWS

I have a client site set up on AWS with multiple servers running HTPPS behind an Elastic Load Balancer. At some point, someone from the client's team attempted to update the SSL Cert by installing a new one directly on one of the servers (instead of in the ELB).
I was able to upload a new cert to the ELB, but when traffic is directed towards the server with the improperly installed cert, it triggers a security warning.
No one can seem to answer who attempted this install, how they went about, or where they installed it.
What's the best way to go about finding and removing it?
Thanks,
ty
If it's installed on the server, it has very little to do with AWS. I see you tagged the question with apache so I assume the server is running Apache Web Server. You will have to connect into that server and remove the SSL settings from the Apache Web Server configuration, just like you would with an Apache Web Server install anywhere else.

Do I need more than one SSL certificate for my AWS EBS/EC2 application

My application domain was bought on GoDaddy, the NS servers point to Route 53. Route53 has A records to Elastic Load Balancers for different urls which manage traffic to my Elastic Beanstalk.
Do I require more than one SSL certificate? Will a wildcard certificate be fine for this scenario (I assume it will be).
The reason I'm confused is because of the setup of the system and a lack of understanding how SSL certificates work with A records and Load Balancers.
A wildcard certificate should be sufficient, but you'll need to use CNAME records to map your subdomains to your various ELBs. A records are a recipe for disaster, because the ELBs change IP frequently.
You'll also need to load your certificate into AWS and create an HTTPS listener for each ELB, which is a lot of fun. See the ELB developer's guide.
This question is a little old, and I wanted to point out that today there is a free way to do this (rather than a wildcard cert which is typically expensive.)
Using Amazon certificate manager, you can request a cert for free, and assign a number of domains and subdomains to it. I have a cert running that has a total of six subdomains across two different domains. Four of the subdomains all point to the same application, with the load balancer on elastic beanstalk application pointing to the one cert.