1
votes

I am trying my hand at ACM for SSL certificates.

I have requested a public certificate for a domain 'prod.yp-uae.waveaxis.space' which is attached to a load balancer. I have also added the HTTPS listener to the load balancer.

The ACM dashboard shows the certificate to be in use.

But when I use the domain name in the browser it shows the normal non-secure link http://prod.yp-uae.waveaxis.space/

I assume it is because of the virtual host that I have set on apache2. Below is the code for my virtual host:

<VirtualHost *:80>
        ServerName prod.yp-uae.waveaxis.space
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # Reverse-proxy every request to the application listening locally on 8380
        ProxyPreserveHost On
        ProxyPass / http://127.0.0.1:8380/
        ProxyPassReverse / http://127.0.0.1:8380/
</VirtualHost>

#<VirtualHost *:443>
#</VirtualHost>

I am aware of configuring port 443 as below (just an example):

SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLCertificateFile "/var/www/www.foo.com/ssl/server.crt"
SSLCertificateKeyFile "/var/www/www.foo.com/ssl/server.key"

The thing I am wondering about is how I can get my ACM SSL certificate onto my EC2 machine for the variables 'SSLCertificateFile' and 'SSLCertificateKeyFile'?

OR

Am I missing some other part as well?

Here is my ALB's security group:

[screenshot]

[screenshot]


2 Answers

1
votes

Generally you don't need an SSL cert on your EC2 instances if you have deployed an SSL cert on your ALB. The reason is that the ALB is going to terminate your SSL/HTTPS connection, and then it will forward it to your instances as a regular HTTP (non-SSL) connection. In this scenario, the traffic flow is:

client---(HTTPS)-->ALB----(HTTP)--->EC2 instances

This design saves a lot of the work of manually setting up SSL certificates and off-loads their processing to the ALB.

Therefore, if it's not really a requirement to have HTTPS between the ALB and the instance, it's just easier to have your Apache serve regular HTTP traffic on port 80.

The thing I am wondering on is how can I get my ACM SSL certificate

Sadly you can't access ACM certificates, as they can only be used on load balancers, CloudFront distributions and API Gateway. This means that you can't use them on instances.

However, if you really require end-to-end HTTPS, then you should generate and deploy your own self-signed SSL certificate on the instances. This will require a bit of setup, but your connection will be:

client---(HTTPS)-->ALB----(HTTPS)--->EC2 instances

However, this is not normally done and in most cases the first scenario with HTTP between ALB and the instance is sufficient.
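The practical consequence of the HTTP-between-ALB-and-instance design above is that Apache and the application behind it only ever see plain HTTP, so anything that depends on the browser's scheme (redirecting http:// to https://, marking cookies Secure, logging the real client address) has to be derived from the headers the ALB adds. The following is an added example, not code from the question or either answer. It assumes the standard X-Forwarded-Proto and X-Forwarded-For headers that an ALB puts on the forwarded request; the TRUSTED_PROXIES CIDR is an assumed VPC range, not one from the post. The point it demonstrates is that those headers must be honoured only when the TCP peer is actually the load balancer, otherwise anyone who can reach port 80 on the instance directly can claim to be on HTTPS.

```python
"""Working out the client-facing scheme on the instance side of a TLS-terminating ALB.

Added example, not code from the question or the answers. Assumes the topology
client --HTTPS--> ALB --HTTP--> EC2 and the X-Forwarded-* headers an ALB adds.
TRUSTED_PROXIES is an assumed VPC CIDR, not a real address range.
"""
import ipaddress
from typing import Dict, Iterable, Optional

# Assumption: the ALB nodes live in these subnets. Anything else that reaches
# port 80 on the instance is treated as an untrusted direct client.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/16")]


def _from_trusted_proxy(peer_ip: str, trusted: Iterable) -> bool:
    peer = ipaddress.ip_address(peer_ip)
    return any(peer in net for net in trusted)


def effective_scheme(headers: Dict[str, str], peer_ip: str,
                     trusted: Iterable = TRUSTED_PROXIES) -> str:
    """Return the scheme the *browser* used, 'https' or 'http'.

    The instance only ever sees plain HTTP from the ALB, so the original scheme
    can only be learned from X-Forwarded-Proto. The header is honoured only when
    the TCP peer is a trusted ALB address; a direct client (or a spoofed header)
    is treated as plain http.
    """
    if not _from_trusted_proxy(peer_ip, trusted):
        return "http"
    # An ALB sends a single value; a chain of proxies may yield "https, http".
    first = headers.get("X-Forwarded-Proto", "").split(",")[0].strip().lower()
    return "https" if first == "https" else "http"


def client_ip(headers: Dict[str, str], peer_ip: str,
              trusted: Iterable = TRUSTED_PROXIES) -> str:
    """Real client address for access logs: the first X-Forwarded-For entry,
    but only when the peer is a trusted proxy; otherwise the TCP peer itself."""
    if _from_trusted_proxy(peer_ip, trusted):
        xff = headers.get("X-Forwarded-For", "")
        if xff:
            return xff.split(",")[0].strip()
    return peer_ip


def redirect_location(headers: Dict[str, str], peer_ip: str,
                      host: str, path_qs: str) -> Optional[str]:
    """Location for an HTTP->HTTPS redirect, or None if the client is already on
    HTTPS. With Apache's ProxyPreserveHost On the Host header is the public name
    the browser typed, not 127.0.0.1:8380, so it is safe to redirect to."""
    if effective_scheme(headers, peer_ip) == "https":
        return None
    return f"https://{host}{path_qs}"


def cookie_header(name: str, value: str, headers: Dict[str, str],
                  peer_ip: str) -> str:
    """Set-Cookie value with the Secure flag only when the client really came in
    over HTTPS; a browser ignores a Secure cookie delivered over plain http."""
    flags = ["HttpOnly", "SameSite=Lax"]
    if effective_scheme(headers, peer_ip) == "https":
        flags.append("Secure")
    return f"{name}={value}; " + "; ".join(flags)
```

In Apache terms the same idea is usually expressed as a RewriteCond on %{HTTP:X-Forwarded-Proto} in the port 80 vhost; the Python above makes the trust decision explicit so it can be unit-tested.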

1
votes

To add to @Marcin's answer, based on our discussion, you need to ensure that you serve assets and reference domains in your JavaScript using the HTTPS protocol and not HTTP (as is currently being used).

If the user is accessing the site over HTTPS, any requests using HTTP may be blocked due to "Mixed Content", which would then stop your site from loading these resources. This would have worked when the site was also loaded over plain text (HTTP).

If these also load over HTTPS, then Marcin's solution will work for you. In addition, you are referencing an IP address rather than a domain that can serve the HTTPS request; this should be adjusted, as I am assuming this is the IP of an EC2 host rather than the load balancer.
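A quick way to find the references this answer is talking about is to scan the served HTML for sub-resources loaded from http:// URLs and for hosts written as IP literals (no certificate can ever match a bare IP, so even https://203.0.113.10/... would fail). The following is an added example, not code from the question or the answers. The sample page is constructed for the demo; the domain is the one from the question and 203.0.113.10 is a documentation-range placeholder standing in for the EC2 address the answer mentions. Browsers block active mixed content (scripts, stylesheets, iframes) outright and only warn about or auto-upgrade passive content (images, media), so the scanner reports which kind each finding is.

```python
"""Find mixed-content and IP-literal sub-resource references in an HTML page.

Added example, not code from the question or the answers. SAMPLE_HTML is
constructed; 203.0.113.10 is a placeholder, not the poster's EC2 address.
"""
import ipaddress
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlsplit, urlunsplit

SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://prod.yp-uae.waveaxis.space/static/app.css">
<link rel="canonical" href="http://prod.yp-uae.waveaxis.space/">
<script src="http://203.0.113.10:8380/static/app.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
</head><body>
<img src="http://prod.yp-uae.waveaxis.space/logo.png">
<img src="//prod.yp-uae.waveaxis.space/banner.png">
<img src="/relative.png">
</body></html>
"""

# (tag, attribute) pairs that fetch a sub-resource, split by how browsers treat
# them when the page itself is https: active content is blocked, passive warned.
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


class MixedContentScanner(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Dict[str, str]] = []

    def handle_starttag(self, tag, attrs) -> None:
        attrd = {k: (v or "") for k, v in attrs}
        for (t, a) in ACTIVE | PASSIVE:
            if t != tag or a not in attrd:
                continue
            # <link> only fetches a sub-resource when it is a stylesheet;
            # rel="canonical" and friends are metadata, not fetches.
            if tag == "link" and "stylesheet" not in attrd.get("rel", "").lower():
                continue
            self._check(tag, attrd[a], "blocked" if (t, a) in ACTIVE else "warned")

    def _check(self, tag: str, url: str, severity: str) -> None:
        parts = urlsplit(url)
        if parts.scheme != "http":
            return  # https, protocol-relative (//host/...) and relative URLs inherit https
        problems = ["plain http"]
        if _is_ip_literal(parts.hostname or ""):
            problems.append("ip-literal host (no certificate can match it)")
        self.findings.append({"tag": tag, "url": url, "severity": severity,
                              "problem": "; ".join(problems)})


def scan(html: str) -> List[Dict[str, str]]:
    """Return one finding per http:// sub-resource, in document order."""
    p = MixedContentScanner()
    p.feed(html)
    p.close()
    return p.findings


def upgrade(url: str, canonical_host: str) -> str:
    """Rewrite an http:// reference to https, and replace an IP-literal host
    (plus its port) with the public domain the ALB serves. Other URLs are
    returned unchanged."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    netloc = canonical_host if _is_ip_literal(parts.hostname or "") else parts.netloc
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    for f in scan(SAMPLE_HTML):
        print(f["severity"], f["tag"], f["url"], "->", upgrade(f["url"], "prod.yp-uae.waveaxis.space"))
```

Protocol-relative (//host/path) and root-relative (/path) references are left alone because they pick up the page's own scheme, which is usually the simplest fix for in-house assets; third-party assets should be written with an explicit https:// URL.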