
Installing godaddy ssl to aws

Uploading your SSL certificate to AWS Elastic Beanstalk is actually quite easy. Here are the steps for running a Java application behind HTTPS on Elastic Beanstalk. In this article I use AWS Elastic Beanstalk, GoDaddy and Tomcat; if your configuration or environment is different, the steps still work as general guidance.

1- Buy an SSL certificate: I bought the certificate from GoDaddy; follow the link and pick the product that fits your needs. GoDaddy offers three types: Protect One Website, Protect Multiple Websites and Protect All Subdomains. A Protect One Website certificate cannot cover more than one name, so if you want to protect *.yourwebsite.com you have to buy Protect All Subdomains (a wildcard certificate).

2- Create the private key and the CSR: A CSR, or Certificate Signing Request, is a block of base64-encoded (not encrypted) text, signed with your private key, that carries the information the CA will put into your certificate: organization name, common name (domain name), locality and country. You generate it wherever you keep the private key; with Elastic Beanstalk that is your own machine, because the key is later pasted into the AWS console rather than copied to a server. We will send the CSR to GoDaddy and GoDaddy will return the certificate. We will use OpenSSL to create it; here you can find steps to install OpenSSL. Once it is installed, first create the private key for your website: openssl genrsa 2048 > yourwebsite.pem

Keep this file private: owner-only file permissions, outside the webapp directory, never in version control. Anyone holding it can impersonate your site for as long as the certificate is valid.

And simply run this command to create CSR file:
openssl req -new -key yourwebsite.pem -out csr.pem

This command will prompt information about your organization:

  • Country Name: The two-letter ISO 3166 code for the country where your organization is located. For example US, IN, or GB for the United Kingdom (CAs reject UK, which is not an ISO code)
  • State or Province: The state/region where your organization is located. This shouldn't be abbreviated. For example Washington
  • Locality Name: The city where your organization is located. For example Seattle
  • Organization Name: The legal name of your organization. This should not be abbreviated and should include suffixes such as Inc, Corp, or LLC. For example Example Corporation
  • Organizational Unit: The division of your organization handling the certificate. For example Marketing
  • Common Name: The fully qualified domain name (FQDN) of your server. This must match exactly what users type in the browser or they will get a name-mismatch error. For example www.yourwebsite.com, rest.yourwebsite.com or *.yourwebsite.com (a wildcard covers exactly one label: it matches rest.yourwebsite.com, but not the bare yourwebsite.com and not a.b.yourwebsite.com)
  • Email address: An email address used to contact your organization. For example someone@yourwebsite.com

After you enter this information the CSR is written to csr.pem in the directory where you ran the command. Double-check the Common Name before you upload it: a certificate issued for the wrong name cannot be fixed afterwards, only reissued. You are now ready to request your SSL certificate from GoDaddy.
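The same key and CSR generation as above, done non-interactively and followed by the checks I run before pasting a CSR into the GoDaddy form. This is an added example, not code from the original post; the subject fields, the domain www.yourwebsite.com and the file names are assumptions, so substitute your own.

```shell
#!/bin/sh
# Added example (not from the original post): generate the private key and CSR
# non-interactively and verify them before pasting the CSR into GoDaddy.
# The subject fields and domain are assumptions taken from the prompt above;
# replace them with your organization's real details.
set -eu

DOMAIN="${DOMAIN:-www.yourwebsite.com}"
WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/yourwebsite.pem"   # private key: never leaves this machine except to AWS
CSR="$WORKDIR/csr.pem"           # this is what gets pasted into the GoDaddy form

# 2048-bit RSA key, written with owner-only permissions from the start
# (umask 077 means the file is created 0600 rather than 0644).
make_key() {
    umask 077
    openssl genrsa -out "$KEY" 2048 2>/dev/null
}

# The CSR is signed with the private key; -subj fixes the subject so the
# Common Name cannot be mistyped at the interactive prompt.
make_csr() {
    openssl req -new -key "$KEY" -out "$CSR" \
        -subj "/C=US/ST=Washington/L=Seattle/O=Example Corporation/OU=Marketing/CN=$DOMAIN/emailAddress=someone@yourwebsite.com"
}

# Check the CSR's self-signature and print its subject for a last look at the
# Common Name before uploading (a wrong CN means a wasted issuance).
check_csr() {
    openssl req -in "$CSR" -noout -verify >/dev/null 2>&1 || return 1
    openssl req -in "$CSR" -noout -subject
}

# Confirm the CSR really carries the public half of $KEY by comparing the
# two PEM public keys; GoDaddy's certificate will only work with this key.
key_matches_csr() {
    k=$(openssl rsa -in "$KEY" -pubout 2>/dev/null)
    c=$(openssl req -in "$CSR" -pubkey -noout)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage: make_key && make_csr && check_csr && key_matches_csr && cat "$CSR"
```

The key-versus-CSR comparison matters because a CSR generated against a different key (an old one lying around, or a second genrsa run) looks perfectly valid to GoDaddy; you only discover the mismatch when AWS rejects the certificate and key pair in step 5.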

3- Upload the CSR to GoDaddy and download the SSL certificate: After creating the CSR, log in to GoDaddy and go to Your Products. Click your SSL certificate and click Manage, then click Manage again on the SSL Certificate page. Open the CSR with your favorite text editor, or simply print it from the terminal (vi csr.pem or cat csr.pem). It should look like this: -----BEGIN CERTIFICATE REQUEST-----{your base64-encoded content}-----END CERTIFICATE REQUEST----- Select the whole thing, including the BEGIN and END lines, and copy it. Now paste it into the Certificate Signing Request (CSR) text area and submit the changes.

Godaddy CSR upload form

If the Common Name in the CSR is correct, GoDaddy shows your domain name automatically. GoDaddy then verifies domain ownership; you don't need to do anything unless GoDaddy asks you to. Within about five minutes the certificate is issued and ready to install.

4- Download the certificate: After validation you will see a Download button on the SSL management page, as shown below, together with the details of your certificate.

SSL Certificate Download page

Press Download. GoDaddy asks for the server type of your application; select it and press Download again. You get a zip file containing the certificate itself (the Public Key Certificate, in AWS's wording) and the certificate chain. Now we are ready to upload the certificate to AWS.

5- Upload your certificate to AWS: Log in to AWS and go to Load Balancers under EC2. Select the load balancer you want to attach the certificate to and open the Listeners tab. If there is no HTTPS listener yet, add one by clicking Add, as shown below:

Adding https listener to AWS Load Balancer

Now press Change in the SSL Certificate column, and the console will ask for:

  • Certificate Type: Existing or New. Select New to upload the certificate now. Certificates you have already uploaded (to IAM, or imported into AWS Certificate Manager) can be reused later by choosing "Choose an existing certificate from AWS Identity and Access Management (IAM)"
  • Certificate Name: The unique name of the certificate on AWS. I use camel case in the form website+certificate, for example "fisiltiAppCertificate" for my website fisiltiapp.
  • Private Key: Paste the private key created in step 2, yourwebsite.pem, as the whole PEM block including the BEGIN and END lines
  • Public Key Certificate: Paste the certificate GoDaddy issued for your CSR. Unzip the file downloaded in step 4; the certificate is the .crt file named with a random hex string, something like c2f7a6977b5dxd14.crt
  • Certificate Chain: Paste gdig2.crt, GoDaddy's intermediate CA certificate, into the Certificate Chain area and press Save. Without the intermediate, browsers that don't already have it cached show a trust error even though the certificate itself is fine.

AWS ssl certificate upload page

If the contents are accepted, the certificate is attached to the load balancer's HTTPS listener. Visit https://yourwebsite.com and check that it works.
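Before pasting the three files into the console (or when the console rejects them), it is worth checking locally that they belong together: that the certificate was issued for the key you are uploading, that it chains through gdig2.crt to a trusted root, that it covers the host name browsers will ask for, and that it is not about to expire. This is an added example, not code from the original post; the file names are assumptions, and the make_toy_chain function builds a throwaway root/intermediate/leaf so the checks can be exercised offline without GoDaddy's real files.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the three files you
# are about to paste into the AWS console. File names are assumptions: the
# private key from step 2, the .crt GoDaddy issued for it, and gdig2.crt, the
# intermediate CA certificate from the downloaded zip.
set -eu

KEY="${KEY:-yourwebsite.pem}"
CERT="${CERT:-yourwebsite.crt}"
CHAIN="${CHAIN:-gdig2.crt}"

# SHA-256 of the PEM public key extracted from a private key or a certificate,
# so "same key?" becomes a string comparison.
pubkey_fp() {  # $1 = key|cert, $2 = file
    if [ "$1" = key ]; then pem=$(openssl rsa -in "$2" -pubout 2>/dev/null)
    else pem=$(openssl x509 -in "$2" -pubkey -noout); fi
    printf '%s\n' "$pem" | openssl sha256 | sed 's/^.*= *//'
}

# 1. The certificate must have been issued for the key you will upload;
#    a mismatch is the most common reason the console rejects the upload.
key_matches_cert() {
    [ "$(pubkey_fp key "$KEY")" = "$(pubkey_fp cert "$CERT")" ]
}

# 2. Leaf -> intermediate -> trusted root must verify. -untrusted supplies the
#    intermediate; the root comes from the system store unless ROOT_CA is set.
chain_verifies() {
    if [ -n "${ROOT_CA:-}" ]; then
        openssl verify -CAfile "$ROOT_CA" -untrusted "$CHAIN" "$CERT" >/dev/null 2>&1
    else
        openssl verify -untrusted "$CHAIN" "$CERT" >/dev/null 2>&1
    fi
}

# 3. The certificate's SAN (or CN, if there is no SAN) must cover the host the
#    browser will ask for; -checkhost applies the one-label wildcard rule.
cert_covers_host() {  # $1 = hostname
    openssl x509 -in "$CERT" -noout -checkhost "$1" | grep -q 'does match'
}

# 4. Do not upload something that is about to expire (default: one day).
not_expiring_soon() {  # $1 = seconds, optional
    openssl x509 -in "$CERT" -noout -checkend "${1:-86400}" >/dev/null
}

# Constructed fixture, NOT GoDaddy's real chain: a throwaway root, an
# intermediate and a leaf for www.yourwebsite.com, so the checks can be
# exercised offline. $1 is an empty directory to write into.
make_toy_chain() {
    d="$1"
    printf 'basicConstraints=CA:TRUE\n' > "$d/ca.ext"
    openssl genrsa -out "$d/root.key" 2048 2>/dev/null
    openssl req -new -key "$d/root.key" -subj "/CN=Toy Root CA" -out "$d/root.csr"
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
    openssl genrsa -out "$d/int.key" 2048 2>/dev/null
    openssl req -new -key "$d/int.key" -subj "/CN=Toy Intermediate CA" -out "$d/int.csr"
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
    openssl genrsa -out "$d/leaf.key" 2048 2>/dev/null
    openssl req -new -key "$d/leaf.key" -subj "/CN=www.yourwebsite.com" -out "$d/leaf.csr"
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/leaf.crt" 2>/dev/null
}

# Run all four checks against the files named by KEY/CERT/CHAIN.
preupload_check() {  # $1 = hostname
    key_matches_cert      || { echo "private key does not match certificate"; return 1; }
    chain_verifies        || { echo "chain does not verify (wrong or missing intermediate?)"; return 1; }
    cert_covers_host "$1" || { echo "certificate does not cover $1"; return 1; }
    not_expiring_soon     || { echo "certificate expires within a day"; return 1; }
    echo "ok: $CERT matches $KEY, chains via $CHAIN, covers $1"
}
```

For the real files, run preupload_check www.yourwebsite.com in the directory where you unzipped GoDaddy's download (set KEY, CERT and CHAIN first if your names differ). The chain check against the system trust store is the same check a browser performs, so a failure here predicts the trust error users would see after the upload.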

If it doesn't work, keep on reading next steps :)

6- Open the HTTPS port: Port 443 is not open by default; you have to allow inbound TCP 443 in the load balancer's security group. Until it is, nothing can reach the HTTPS listener, however correct the certificate is.

To test whether the port is reachable, run telnet yourwebsite.com 443 (host name only, not a URL) and see if you get a connection. openssl s_client -connect yourwebsite.com:443 -servername yourwebsite.com goes one step further and also prints the certificate chain and the verification result that browsers will see.

Select the load balancer, open the Security tab and click the security group; the Security Group details open automatically. On the Inbound tab add a rule with these fields:

  • Type: HTTPS
  • Protocol: TCP
  • Port Range: 443
  • Source: Anywhere, i.e. 0.0.0.0/0, if the site is public. If you need to restrict who can reach it, check this url for detailed information about Security Groups

Now run telnet yourwebsite.com 443 again and see if it connects. If it does, open https://yourwebsite.com in your browser. If everything is set up correctly, the page loads over HTTPS with your certificate.

If it doesn't work, keep on reading next step :)

7- Configure Tomcat for the proxy: Behind Elastic Beanstalk the load balancer terminates TLS and forwards plain HTTP to the instance, so Tomcat itself never sees HTTPS. Out of the box it therefore builds redirects and absolute URLs with http:// and the instance's own host name, which is why a site can answer on https://yourwebsite.com and still bounce users back to http. The fix is to tell Tomcat's connector that it sits behind a proxy. Here is detailed information about SSL configuration on Tomcat; these are the steps I follow.

  • Download server.xml from the EC2 instance with scp: I always edit Elastic Beanstalk's own server.xml rather than writing one from scratch. Connect to the EC2 instance with ssh, check that the file is at /etc/tomcat8/server.xml, and copy it to your machine with scp.
  • Configure server.xml: Make sure the HTTP connector has protocol="HTTP/1.1" proxyPort="443" scheme="https" secure="true" proxyName="yourwebsite.com" redirectPort="8443". proxyName and proxyPort make generated URLs read https://yourwebsite.com; scheme and secure make request.isSecure() true, so secure cookies and HTTPS-only security constraints behave. redirectPort is only consulted when a request on a non-secure connector hits an HTTPS-only constraint, so with secure="true" it is never used. Note that hard-coding secure="true" also marks plain-HTTP requests arriving through the load balancer as secure; if you keep an HTTP listener as well, Tomcat's RemoteIpValve with protocolHeader set to X-Forwarded-Proto (which the load balancer sends) lets Tomcat decide per request instead.
  • Create a directory .ebextensions at the root of your web application (the root of the WAR) and put the modified server.xml in it. Also create server-update.config in .ebextensions with this content (it is YAML, so the keys must be spelled and indented exactly like this):
    container_commands:
      replace_server_xml:
        command: "cp .ebextensions/server.xml /etc/tomcat8/server.xml"
    This replaces /etc/tomcat8/server.xml with your file on every deployment, before Tomcat is started with the new application. (For detailed information about container commands refer here.)
  • Redeploy the application

And voila!

If https://yourwebsite.com still does not respond, I will be happy to help you! Just send me a note. But if all steps are followed, I am sure your SSL certificate will be uploaded and work as expected!


Soner ALTIN
TAGGED IN cloud computing, tech, Java