...

For EC2 deployments that use a load balancer, you can leave Tomcat running in plain HTTP and terminate the SSL connection at the load balancer instead; this requires an additional set of steps, described in the next two sections. This is preferable because it reduces the load on the Tomcat API nodes and centralizes sensitive material such as the private key. Note that traffic between the load balancer and the instances is then unencrypted, so the instance security group should only accept the HTTP ports from the load balancer.

Installing SSL certificates into Amazon AWS account

...

Alternatively, you can upload the certificate separately (the links below also cover creating Amazon-compatible keys and certificates from the downloaded SSL artifacts):

  • This link (search for "You can extract a private key from a keystore with Java6 and OpenSSL"; or this one) explains how to get the private key generated from the

...

  • keystore 
    • (It can be ignored if you stored the private key differently when making the original certificate request)
  • This link explains how to load the SSL cert into Tomcat.
    • The IAM stage is no longer necessary: you can paste the certificates directly into the load balancer configuration in the Amazon console.
      • (though I am not sure what SSLCertificateIds that results in, e.g. if being used as part of a CloudFormation template)

 

Info

Note that when trying to import the domain and intermediate certificates directly from GoDaddy into AWS, I encountered "Invalid Public Certificate" errors. I had to perform the following steps to get it to work:

Code Block
# Re-encode the domain certificate as plain PEM (writes to stdout; this drops any
# extra text around the certificate that the AWS console rejects)
openssl x509 -inform PEM -in /path/to/domain.crt -outform PEM
#...Copy the output into the "public certificate" field in the AWS console
# Same for the intermediate certificate (eg gdig2.crt)
openssl x509 -inform PEM -in /path/to/intermediate.crt -outform PEM
#...Copy the output into the "intermediate certificate" field in the AWS console
# Re-encode the private key as unencrypted PEM (the console does not accept an encrypted key)
openssl rsa -in /path/to/private.key -outform PEM
#...Copy the output into the "private key" field in the AWS console
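The whole certificate-preparation procedure from the sections above (pulling the key out of a Java keystore, re-encoding the GoDaddy artifacts as plain PEM, and checking the key/certificate pair and chain before pasting anything into the console), as an added example script; this is not Infinit.e's own tooling, and all file paths, the keystore alias and the hostnames are placeholders:

```shell
#!/bin/sh
# Added example, not part of the Infinit.e project. Paths such as domain.crt,
# intermediate.crt (eg gdig2.crt), private.key and the Java keystore are placeholders.
set -u

# Optional first step if the key lives in a Java keystore: keytool (from the JDK)
# converts the JKS to PKCS12, which OpenSSL can read. Needs a real keystore, so it is
# not exercised by the checks below.
keystore_to_pem() {
    jks="$1"; alias="$2"; storepass="$3"; outdir="$4"
    keytool -importkeystore -srckeystore "$jks" -srcstorepass "$storepass" -srcalias "$alias" \
        -destkeystore "$outdir/keystore.p12" -deststoretype PKCS12 -deststorepass "$storepass" -noprompt
    openssl pkcs12 -in "$outdir/keystore.p12" -passin "pass:$storepass" -nocerts -nodes -out "$outdir/private.key"
    openssl pkcs12 -in "$outdir/keystore.p12" -passin "pass:$storepass" -nokeys -clcerts -out "$outdir/domain.crt"
}

# Re-encode a certificate as plain PEM on stdout: drops the human-readable preamble and
# any "Bag Attributes" lines that make the AWS console report "Invalid Public Certificate".
normalize_cert() {
    openssl x509 -inform PEM -in "$1" -outform PEM
}

# Re-encode the key as unencrypted PEM on stdout; $2 is an optional passphrase for an
# encrypted input key (the console field does not accept encrypted keys).
normalize_key() {
    if [ $# -ge 2 ]; then
        openssl rsa -in "$1" -passin "pass:$2" -outform PEM
    else
        openssl rsa -in "$1" -outform PEM
    fi
}

# Succeeds only if the private key belongs to the certificate (identical RSA modulus).
# RSA only, which is what a Tomcat/GoDaddy keystore of this era holds.
key_matches_cert() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null)
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Succeeds only if the domain certificate chains to the supplied intermediate.
# -partial_chain (OpenSSL 1.0.2+) lets the intermediate act as the trust anchor, so the
# GoDaddy root does not have to be in the local trust store for the check to pass.
verify_chain() {
    openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1
}

# Write the three normalized files that map onto the three console fields, refusing to
# do so if the key does not match the certificate or the chain is broken.
prepare_elb_bundle() {
    domain="$1"; intermediate="$2"; key="$3"; outdir="$4"
    key_matches_cert "$domain" "$key" || { echo "private key does not match $domain" >&2; return 1; }
    verify_chain "$domain" "$intermediate" || { echo "$domain does not chain to $intermediate" >&2; return 1; }
    mkdir -p "$outdir"
    normalize_cert "$domain"       > "$outdir/public_certificate.pem"
    normalize_cert "$intermediate" > "$outdir/intermediate_certificate.pem"
    normalize_key  "$key"          > "$outdir/private_key.pem"
    chmod 600 "$outdir/private_key.pem"
    echo "bundle written to $outdir"
}

# Typical use (placeholder paths):
#   keystore_to_pem /path/to/keystore.jks tomcat changeit /tmp/ssl   # only if the key is in a JKS
#   prepare_elb_bundle /tmp/ssl/domain.crt /path/to/gdig2.crt /tmp/ssl/private.key /tmp/ssl/elb
```

The order of the checks matters: a key that does not match the certificate or a certificate that does not chain to the intermediate is exactly what produces a working-looking upload and a browser error later, so the script refuses to emit the bundle rather than leaving that for the console to discover.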

Applying the SSL certificate to a load balancer

...

Code Block
"Listeners" : [ {
  "LoadBalancerPort" : "443",
  "InstancePort" : "443",
  "InstanceProtocol" : "HTTPS",
  "Protocol" : "HTTPS",
  "SSLCertificateId": "arn:aws:iam::XXX"
} ],

Additional load balancer configuration

One downside of using an AWS load balancer is that (unlike Tomcat) it does not automatically redirect HTTP (port 80) to HTTPS (port 443). This can confuse users, e.g. when http:// is typed into the browser by mistake.

Infinit.e is configured with a "dummy" connector on 8081 that performs the redirection, so the following load balancer listener configuration gives the desired automatic redirect:

  • HTTP on port 80 goes to HTTP on port 8081
  • HTTPS on port 443 goes to HTTP on port 80

(Unfortunately this is not possible for the enterprise configuration, which always runs HTTPS on port 8090, because a single port cannot serve HTTP and redirect it to HTTPS.)
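The two listeners above, created with the AWS CLI on a classic load balancer, plus a check run from outside that port 80 really does answer with a redirect to an https:// URL for the right host. This is an added example, not Infinit.e's own deployment scripts; the load balancer name, certificate ARN and hostname are placeholders, and the response headers in the usage note are constructed:

```shell
#!/bin/sh
# Added example, not part of the Infinit.e project. Load balancer name, certificate ARN
# and hostname are placeholders.
set -u

# Listener specs in the shorthand `aws elb create-load-balancer-listeners` expects:
# 80 -> 8081 (Tomcat's redirect-only connector), 443 -> 80 (TLS terminated at the ELB).
elb_listener_specs() {
    cert_arn="$1"
    echo "Protocol=HTTP,LoadBalancerPort=80,InstanceProtocol=HTTP,InstancePort=8081"
    echo "Protocol=HTTPS,LoadBalancerPort=443,InstanceProtocol=HTTP,InstancePort=80,SSLCertificateId=$cert_arn"
}

# Apply both listeners to an existing classic ELB (needs AWS credentials; not run offline).
apply_listeners() {
    lb_name="$1"; cert_arn="$2"
    # shellcheck disable=SC2046  # word splitting on the two spec lines is intended
    aws elb create-load-balancer-listeners --load-balancer-name "$lb_name" \
        --listeners $(elb_listener_specs "$cert_arn")
}

# Read HTTP response headers on stdin. Succeeds, printing the Location, only if the
# response is a redirect whose Location is an https:// URL for the expected host;
# a 200 on port 80, or a redirect back to http://, is reported as a failure.
is_https_redirect() {
    expected_host="$1"
    status=""; location=""
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')
        case "$line" in
            HTTP/*)        status=$(printf '%s' "$line" | cut -d' ' -f2) ;;
            [Ll]ocation:*) location=$(printf '%s' "$line" | cut -d' ' -f2-) ;;
        esac
    done
    case "$status" in 301|302|307|308) ;; *) return 1 ;; esac
    case "$location" in
        "https://$expected_host"|"https://$expected_host/"*|"https://$expected_host:443"*)
            printf '%s\n' "$location"; return 0 ;;
        *) return 1 ;;
    esac
}

# Live check against the deployed load balancer: fetch the headers from port 80 and
# validate them. Exit status is the result, so it can gate a deployment pipeline.
check_redirect() {
    host="$1"
    curl -sS -I --max-time 10 "http://$host/" | is_https_redirect "$host"
}
```

Usage: `apply_listeners my-api-elb arn:aws:iam::XXX` followed by `check_redirect api.example.test`; a constructed response such as `HTTP/1.1 302 Found` with `Location: https://api.example.test/` passes, while a `200 OK` on port 80 (the symptom of a missing 8081 listener) fails.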