EC2 - Using SSL in conjunction with a load balancer

Overview

As described here, it is possible to encrypt all communications between Infinit.e and its clients using TLS (called "SSL" throughout this page and in the Tomcat configuration; SSLv3 itself is obsolete and should not be enabled).

For EC2 deployments that use a load balancer, you can leave Tomcat running plain HTTP and terminate the SSL/TLS connection at the load balancer instead. This is preferable because it reduces the load on the Tomcat API nodes and keeps sensitive material such as the private key in one place. Two things to keep in mind: traffic between the load balancer and the Tomcat nodes is then unencrypted, so the instances' security group should only accept those ports from the load balancer; and Tomcat sees plain HTTP requests, so anything that builds absolute URLs or checks the request scheme needs to read the X-Forwarded-Proto header the load balancer adds (Tomcat's RemoteIpValve with protocolHeader="X-Forwarded-Proto" does this).

Installing SSL certificates into Amazon AWS account

You can upload the certificate to AWS separately from the Tomcat setup (the steps below also cover creating Amazon-compatible keys and certificates from the downloaded SSL artifacts):

  • The linked page (search for "You can extract a private key from a keystore with Java6 and OpenSSL"; or the alternative link) explains how to extract the private key from the Java keystore that was used to generate the certificate request
    • (This can be skipped if you stored the private key differently when making the original certificate request)
  • The linked page explains how to load the SSL cert into Tomcat.
    • The IAM stage is no longer necessary; you can paste the certificates directly into the load balancer configuration in the Amazon console.
      • (though I am not sure what SSLCertificateId that results in, e.g. if being used as part of a CloudFormation template)


Note that when trying to import the domain and intermediate certificates directly from GoDaddy into AWS I encountered "Invalid Public Certificate" errors. I had to perform the following steps to get it to work:

# Re-serialize each artifact as plain PEM (LF line endings, nothing outside the BEGIN/END lines)
openssl x509 -inform PEM -in /path/to/domain.crt
#...Copy the output into the "public certificate" field in AWS console
openssl x509 -inform PEM -in /path/to/intermediate.crt   # eg gdig2.crt
#...Copy into the "intermediate certificate" field in AWS console
# Writes the key unencrypted to stdout in traditional "RSA PRIVATE KEY" PEM form
# (prompts for the passphrase if the key has one; treat the output as a secret)
openssl rsa -in /path/to/private.key -outform PEM
#...Copy into the "private key" field in AWS console
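The openssl round-trip above works because it discards everything except the base64 body of each block and re-emits a clean PEM block. The following Python script is an added example for this page, not code from the Infinit.e project: using only the standard library it performs the same normalisation and runs a pre-flight check over the three console fields, catching the usual causes of a rejected upload (text outside the BEGIN/END lines, CRLF endings, a non-base64 body, several certificates pasted into the single-certificate field, a key that is not in "RSA PRIVATE KEY" form or is still passphrase-protected). It does not parse X.509; the function names are mine, and the sample input in the main block is constructed, with a placeholder DER payload rather than a real certificate.

```python
"""Pre-flight checks for PEM material pasted into the AWS console or uploaded to IAM.

Added example, not part of the Infinit.e project. Standard library only, so no
X.509 parsing: it checks the shape of the PEM text, which is what the console
rejects before any certificate parsing happens.
"""
import base64
import binascii
import re

# One PEM block; tolerant of CRLF endings and of text outside the markers
# (e.g. "Bag Attributes" lines or human-readable dumps in a downloaded bundle).
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)


def split_pem(text):
    """Return [(label, der_bytes), ...] for every PEM block found in text.

    Raises ValueError when a block body is not valid base64.
    """
    blocks = []
    for match in _PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        compact = re.sub(r"\s+", "", body)  # drop CR/LF and any stray whitespace
        try:
            der = base64.b64decode(compact, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"bad base64 in {label} block: {exc}") from exc
        blocks.append((label, der))
    return blocks


def to_pem(label, der):
    """Re-emit DER as canonical PEM: 64-column base64, LF endings, nothing else.

    This is the form the openssl x509 / openssl rsa round-trip produces.
    """
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def normalize_pem(text):
    """Canonical PEM for every block in text, concatenated in the original order."""
    return "".join(to_pem(label, der) for label, der in split_pem(text))


def preflight(cert_text, chain_text, key_text):
    """Return a list of problems with the three console fields (empty list == OK)."""
    # Covers both "BEGIN ENCRYPTED PRIVATE KEY" (PKCS#8) and the
    # "Proc-Type: 4,ENCRYPTED" header of a passphrase-protected PKCS#1 key.
    if "ENCRYPTED" in key_text:
        return ["private key is passphrase-protected; remove the passphrase with "
                "'openssl rsa -in key -outform PEM' first and handle the output as a secret"]
    try:
        certs = split_pem(cert_text)
        chain = split_pem(chain_text)
        keys = split_pem(key_text)
    except ValueError as exc:
        return [str(exc)]

    problems = []
    if [label for label, _ in certs] != ["CERTIFICATE"]:
        problems.append("public certificate field must hold exactly one CERTIFICATE block")
    if not chain or any(label != "CERTIFICATE" for label, _ in chain):
        problems.append("intermediate field must hold one or more CERTIFICATE blocks")
    if len(keys) != 1:
        problems.append("private key field must hold exactly one key block")
    elif keys[0][0] != "RSA PRIVATE KEY":
        problems.append(f"private key is '{keys[0][0]}'; convert with "
                        "'openssl rsa -in key -outform PEM' to RSA PRIVATE KEY form")
    return problems


if __name__ == "__main__":
    # Constructed sample: a GoDaddy-style download with Windows line endings and
    # leading "Bag Attributes" text. The DER payload is a placeholder, not a certificate.
    fake_der = b"\x30\x03\x02\x01\x05"
    body = base64.b64encode(fake_der).decode("ascii")
    messy = ("Bag Attributes\r\n    friendlyName: example\r\n"
             "-----BEGIN CERTIFICATE-----\r\n" + body + "\r\n-----END CERTIFICATE-----\r\n")
    pkcs8_key = "-----BEGIN PRIVATE KEY-----\n" + body + "\n-----END PRIVATE KEY-----\n"
    print(normalize_pem(messy), end="")
    for problem in preflight(messy, messy, pkcs8_key):
        print("problem:", problem)
```

An empty list from preflight() means the material is in the shape the console accepts; each entry in a non-empty list names the openssl command from the page that fixes it. The script cannot tell you whether the intermediate actually links to your certificate; `openssl verify -CAfile intermediate.crt domain.crt` does that.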

Applying the SSL certificate to a load balancer

Follow the Amazon guide to using the SSL cert in a load balancer (console), or, in a CloudFormation template, change the load balancer's listener to:

        "Listeners" : [ {
          "LoadBalancerPort" : "443",
          "InstancePort" : "443",
          "InstanceProtocol" : "HTTPS",
          "Protocol" : "HTTPS",
          "SSLCertificateId": "arn:aws:iam::XXX"
        } ],

SSLCertificateId is the ARN of the server certificate as stored in IAM, of the form arn:aws:iam::<account-id>:server-certificate/<name> (it is returned by "aws iam upload-server-certificate" and "aws iam get-server-certificate"). The listener above re-encrypts to Tomcat on 443; for the setup recommended in the overview, where Tomcat stays on plain HTTP, set "InstancePort" to "80" and "InstanceProtocol" to "HTTP".

Additional load balancer configuration

One downside of using an AWS load balancer is that (unlike Tomcat) it does not automatically redirect HTTP (on port 80) to HTTPS (on port 443): a classic ELB listener only forwards to a backend port and cannot answer a request itself. This can result in user confusion, e.g. when http is accidentally typed in the browser URL or a plain http:// link is bookmarked.

Infinit.e is configured with a "dummy" Tomcat connector on port 8081 whose only job is to redirect to HTTPS, so the following load balancer listener configuration gives the desired automatic redirection:

  • HTTP on port 80 goes to HTTP on port 8081 (Tomcat answers with a redirect to the https:// URL)
  • HTTPS on port 443 goes to HTTP on port 80 (TLS terminated at the load balancer, plain HTTP to the API node)

(Unfortunately this is not possible for the enterprise configuration that always runs HTTPS on port 8090: a listener speaks one protocol per port, so port 8090 on the load balancer must be HTTPS and a plain-HTTP request to that port has nowhere to be redirected from.)
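The two listeners written out as a CloudFormation fragment. This is an added example for this page, not a template shipped with Infinit.e; the resource name, account id, certificate name and health-check target are placeholders:

```json
{
  "InfiniteLoadBalancer" : {
    "Type" : "AWS::ElasticLoadBalancing::LoadBalancer",
    "Properties" : {
      "AvailabilityZones" : { "Fn::GetAZs" : "" },
      "Listeners" : [
        {
          "LoadBalancerPort" : "80",
          "Protocol" : "HTTP",
          "InstancePort" : "8081",
          "InstanceProtocol" : "HTTP"
        },
        {
          "LoadBalancerPort" : "443",
          "Protocol" : "HTTPS",
          "InstancePort" : "80",
          "InstanceProtocol" : "HTTP",
          "SSLCertificateId" : "arn:aws:iam::123456789012:server-certificate/infinite-example"
        }
      ],
      "HealthCheck" : {
        "Target" : "HTTP:80/",
        "HealthyThreshold" : "2",
        "UnhealthyThreshold" : "5",
        "Interval" : "30",
        "Timeout" : "5"
      }
    }
  }
}
```

Point the health check at the real backend port (80 here), not at 8081: that connector answers everything with a redirect, and an ELB HTTP health check only counts a 200 response as healthy, so a check against 8081 would mark every node unhealthy. With TLS terminated at the load balancer, the instance security group only needs to allow ports 80 and 8081 from the load balancer's security group.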


Copyright © 2012 IKANOW, All Rights Reserved | Licensed under Creative Commons