Setup an SSL certificate on an EC2 instance

20
votes

I'm having hard time trying to setup an SSL certificate (it's a Comodo PositiveSSL purshased from NameCheap) on my EC2 micro instance (I'm using Amazon Linux AMI 2012.3, which is based on CentOS if I'm not mistaken).

Here's what I did:

  1. I installed mod_ssl & OpenSSL

  2. I enabled port 443 on my EC2's instance security group

  3. I CHMODed the *.key & *.crt files to 777 as Comodo suggested

  4. I'm certain the IP address & files path are correct (put a bunch of 0s in the example but it is correct in my ssl.conf)

  5. I added this VirtualHost entry to ssl.conf

<VirtualHost 00.000.000.00:443>
   ############# I tried both with & without this section ##############
   ServerName www.mydomain.com:443

   ServerAlias www.mydomain.com
   DocumentRoot /var/www
   ServerAdmin [email protected]
   ######################################################################

   SSLEngine on
   SSLCertificateKeyFile /etc/ssl/mydomain_com.key
   SSLCertificateFile /etc/ssl/mydomain_com.crt
   SSLCertificateChainFile /etc/ssl/mydomain_com.ca-bundle
</VirtualHost>

Then I restarted apache...but I stil cannot access https://www.mydomain.com/ !!!

I checked with ssltool.com, it says

The Common Name on the certificate is: ip-00-00-00-000

The certificate chain consists of:
SomeOrganization, ip-00-00-00-000. Expires on: Apr 10 13:39:41 2013 GMT - that's 363 days from today.
The site tested mydomain.com is NOT the same as the Subject CN ip-00-00-00-000!.

I even went & copied the VistualHost to httpd.conf instead of ssl.conf & restarted apache, all in vain.

I've been banging my head against the wall for days now. I'm pretty sure I'm missing a tiny something to make this work, I just don't know what exactly.

I'd be infinitely grateful if someone can suggest something to make this work!

3
linuxsslamazon-ec2amazon-web-servicesssl-certificate

3 Answers

23
votes

Sometimes this section

<VirtualHost _default_:443>

prevents your real SSL certificate from being used. If this is the case either comment VirtualHost default or move the SSLCertificate* attributes to it, ie.

<VirtualHost _default_:443>
  SSLCertificateKeyFile /etc/ssl/mydomain_com.key
  SSLCertificateFile /etc/ssl/mydomain_com.crt
  SSLCertificateChainFile /etc/ssl/mydomain_com.ca-bundle
</VirtualHost>

Make sure you restart apache after that.

3
votes

Amazon now provide a certificate manager! (for free)

If you use Elastic Beanstalk this is the new way to do: It's free, You avoids errors due to the configuration and it's a better choice on a performance point of vue:

Because ELB supports SSL offload, deploying a certificate to a load balancer (rather than to the EC2 instances behind it) will reduce the amount of encryption and decryption work that the instances need to handle.

from the doc:

The new AWS Certificate Manager (ACM) is designed to simplify and automate many of the tasks traditionally associated with management of SSL/TLS certificates. ACM takes care of the complexity surrounding the provisioning, deployment, and renewal of digital certificates! Certificates provided by ACM are verified by Amazon’s certificate authority (CA), Amazon Trust Services (ATS).

Even better, you can do all of this at no extra cost. SSL/TLS certificates provisioned through AWS Certificate Manager are free!

ACM will allow you to start using SSL in a matter of minutes. After your request a certificate, you can deploy it to your Elastic Load Balancers and your Amazon CloudFront distributions with a couple of clicks. After that, ACM can take care of the periodic renewals without any action on your part.

the doc:

https://aws.amazon.com/fr/blogs/aws/new-aws-certificate-manager-deploy-ssltls-based-apps-on-aws/

0
votes

Looking at your list, it happens that you forget to enable your configuration with your Virtual host.

sudo a2enmod ssl
sudo a2ensite default-ssl
sudo /etc/init.d/apache2 restart

There is a complete guide on how to install an SSL certificate on your EC2 here https://medium.com/@adnanxteam/how-to-add-ssl-certificate-to-laravel-on-ec2-aws-18104cc036d1