Following the instructions at https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/https-singleinstance-php.html I've been trying to add my SSL certificate to allow for https for my single instance environment.
I've spent a ridiculous amount of time on this and it's driving me crazy.
My important findings are:
I was testing by SSHing onto the EC2 instance after redeploying and checking /etc/httpd/conf.d/.
I'm running on the platform: PHP 7.4 running on 64bit Amazon Linux 2/3.1.2
This is the first time I am working with SSL certificates as well as AWS so any help would be much appreciated.
https-instance.config:
packages:
yum:
mod_ssl: []
files:
/etc/pki/tls/certs/server.crt:
mode: "000400"
owner: root
group: root
content: |
-----BEGIN CERTIFICATE-----
1
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
2
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
3
-----END CERTIFICATE-----
/etc/pki/tls/certs/server.key:
mode: "000400"
owner: root
group: root
content: |
-----BEGIN RSA PRIVATE KEY-----
1
-----END RSA PRIVATE KEY-----
"/etc/httpd/conf.d/ssl.conf":
mode: "000644"
owner: root
group: root
content: |
LoadModule ssl_module modules/mod_ssl.so
Listen 443
<VirtualHost *:443>
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
SSLEngine on
SSLCertificateFile "/etc/pki/tls/certs/server.crt"
SSLCertificateKeyFile "/etc/pki/tls/certs/server.key"
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLSessionTickets Off
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
ProxyPass / http://localhost:80/ retry=0
ProxyPassReverse / http://localhost:80/
ProxyPreserveHost on
RequestHeader set X-Forwarded-Proto "https" early
</VirtualHost>
https-instance-single.config (not important for this issue)
Resources:
sslSecurityGroupIngress:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
IpProtocol: tcp
ToPort: 443
FromPort: 443
CidrIp: 0.0.0.0/0
To create / modify any file or execute any script post deployment, do the following (I already answered a similar question about modifying nginx configuration on deployment here). Same applies for your apache configuration.
You need to create files in /tmp then mv them to their final location using a script.
The following applies for an Amazon Linux 2 environment:
Source: https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/platforms-linux-extend.html
Scripts are executed from subfolders in .platform that you have to place at the root of your project, like so:
~/your-app/
|-- Procfile
|-- readme.md
|-- .ebextensions/
| |-- 01_write_some_files.config
`-- .platform/
|-- hooks
`-- postdeploy
`-- 01_move_some_files.sh # Executed post deployment
01_write_some_files.config
Create a .config file at the root of .ebextensions.
files:
/tmp/someFolder/server.crt:
mode: "000644"
owner: root
group: root
content: |
# your file content
/tmp/someFolder/server.key:
mode: "000644"
owner: root
group: root
content: |
# your file content
# Do the same for all your files
01_move_some_files.sh
Create a small script in .platform/hooks/postdeploy and change permissions to 755.
#!/usr/bin/bash
# Move the files you created in /tmp into the desired directories.
sudo mv /tmp/someFolder/server.crt /etc/pki/tls/certs/server.crt
# other bash commands