1
votes

I am trying to install a Go Daddy SSL certificate into my Tomcat running in an AWS instance, but it is not clear which of the three cert files I downloaded from Go Daddy should be imported into my Java keystore. The Go Daddy documentation is not clear about which files need to be used.

I have these files:

  • c4c170b79c58acc3.crt (one certificate)
  • gd_bundle-g2-g1.crt (bundle of three certificates)
  • gdig2.crt.pem (one certificate)

The Go Daddy instructions are to install the root and intermediate, followed by the issued certificate. My previous attempt failed, and the keystore resulted in a broken chain of authority.

Here is a link to Go Daddy's SSL certificate repository. It isn't even clear whether I might have to take something from here, but I thought I would also include this.


2 Answers

1
votes

The easiest solution is to put your tomcat application behind a load balancer. You would then upload your GoDaddy cert to IAM, and from there you can use it to enable SSL on the load balancer.

The second easiest solution would be to put apache in front of tomcat, and terminate SSL on apache.

You would need to provide more information on versions (tomcat and java) for details of how to enable that, but it would be my last choice - the above two would be far simpler.

(and actually the easiest solution of all would be to use ACM to get a free cert, and deploy it to a load balancer)

Edit:

From the documentation you link to, you have either the bundle (which includes the root) or just the root cert (the gdig2.crt.pem). So you need to add your cert to the end of the bundle.

You can verify the format (I have seen certs get messed up in transit - for example, some editors may mess up the line endings, which can result in an invalid cert) by using openssl - take a look at some of the options here.
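As an added example (not part of the original answer), the shell below assembles the chain file from the issued certificate and the GoDaddy bundle, sanity-checks its shape (leaf block first, every bundle certificate present), and shows the openssl and keytool calls for the real files. The certificate bodies in the demo are constructed placeholders, the keystore path and alias are assumptions, and the leaf-first order is the conventional PEM chain order that openssl and Apache expect; keytool reorders the reply by issuer on import, so that order works for Tomcat too.

```shell
#!/bin/sh
# Added example: build, check and import a certificate chain for Tomcat.
# Not code from the original post; file names follow the question.

# Emit one PEM block. The body is a constructed placeholder, not a real cert.
fake_cert() {
  printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' "$1" '-----END CERTIFICATE-----'
}

# assemble_chain LEAF BUNDLE OUT
# Leaf (issued) certificate first, then intermediates and root from the bundle.
assemble_chain() {
  cat "$1" "$2" > "$3"
}

# count_certs FILE -> number of PEM certificate blocks in FILE
count_certs() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# first_block FILE -> only the first PEM block of FILE
first_block() {
  sed -n '1,/END CERTIFICATE/p' "$1"
}

# check_chain_shape LEAF BUNDLE CHAIN
# Returns 0 when CHAIN starts with LEAF and holds exactly the certificates of
# LEAF plus BUNDLE; catches a cert lost to a bad editor or a mangled paste.
check_chain_shape() {
  leaf=$1; bundle=$2; chain=$3
  expected=$(( $(count_certs "$leaf") + $(count_certs "$bundle") ))
  [ "$(count_certs "$chain")" -eq "$expected" ] || return 1
  [ "$(first_block "$chain")" = "$(cat "$leaf")" ] || return 1
  return 0
}

# verify_with_openssl LEAF BUNDLE
# For the real files only: checks the leaf chains through the bundle to a root
# (assumes the bundle carries the root, as the answer states).
verify_with_openssl() {
  openssl verify -CAfile "$2" "$1"
}

# import_chain CHAIN KEYSTORE ALIAS
# Import the chain as the certificate reply for the alias that already holds
# the private key; keystore path and alias are assumptions.
import_chain() {
  keytool -importcert -trustcacerts -alias "$3" -keystore "$2" -file "$1"
}

# Offline demonstration on constructed placeholder files; prints the number
# of certificates in the assembled chain and returns the shape-check result.
demo() {
  dir=$(mktemp -d)
  fake_cert 'LEAF-PLACEHOLDER' > "$dir/c4c170b79c58acc3.crt"
  {
    fake_cert 'INTERMEDIATE-1-PLACEHOLDER'
    fake_cert 'INTERMEDIATE-2-PLACEHOLDER'
    fake_cert 'ROOT-PLACEHOLDER'
  } > "$dir/gd_bundle-g2-g1.crt"
  assemble_chain "$dir/c4c170b79c58acc3.crt" "$dir/gd_bundle-g2-g1.crt" "$dir/chain.crt"
  if check_chain_shape "$dir/c4c170b79c58acc3.crt" "$dir/gd_bundle-g2-g1.crt" "$dir/chain.crt"; then
    rc=0
  else
    rc=1
  fi
  count_certs "$dir/chain.crt"
  rm -rf "$dir"
  return $rc
}
```

With the real downloads, run `assemble_chain c4c170b79c58acc3.crt gd_bundle-g2-g1.crt chain.crt`, then `verify_with_openssl c4c170b79c58acc3.crt gd_bundle-g2-g1.crt` before touching the keystore; a chain that fails there will also fail in Tomcat, and openssl's error message names the missing or mismatched issuer.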

0
votes

What operating system is your server running? I can't comment yet, so I had to ask, here. Yell at me if you must.

From my understanding Route 53 can do a few different things, but to your point, you manage your certificates through GoDaddy.com, so I don't believe you will need to use AWS's Route 53 service for this. You will need to, however, make sure that your URL resolves to the AWS EC2 IP through GoDaddy.com.

I've found that certbot simplifies the process quite a bit and there is a guide on Digital Ocean for CentOS (pretty much the free version of RHEL) here: https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-centos-7

The basic steps are: install epel, then the required repos (you may already have httpd and mod_ssl installed, I presume):

sudo yum install epel-release
sudo yum install httpd mod_ssl python-certbot-apache

Make sure your firewall rules are in order and allow for HTTPS, usually 443 or 8443 depending on your setup... Now run certbot and replace example.com with your URLs:

sudo certbot --apache -d example.com -d www.example.com

You will get some prompts to answer. If your virtual hosts file doesn't specify your domain then you will be asked to choose a file, ssl.conf should work fine. Choose HTTPS (and HTTP to HTTPS redirect if you desire). Your certs will be installed at /etc/letsencrypt/live

That's really it: certbot should have done some checks to make sure you're in control of the domain name and modified your apache configuration to use the certs it installed. There are some other security hardening techniques that link goes through, but that is out of the scope of the question.

This of course assumes you're not using a load balancer in AWS. If that is the case, then you will need to install your certificate into the HTTPS listener on the load balancer. More here: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/ssl-server-cert.html

Hopefully that helps.