如何为我的 Elastic Beanstalk 单实例配置 SSL

Posted 2023-03-04

技术标签:

【中文标题】如何为我的 Elastic Beanstalk 单实例配置 SSL【英文标题】：How can I configure SSL for my Elastic Beanstalk Single Instance 【发布时间】：2016-02-03 15:49:11 【问题描述】：

我是 AWS 新手，我的基于 Java 的 RESTAPI 在单实例 EBS 上工作。现在我正在尝试将 SSL 证书安装到上面的单实例 EBS 中，以便它可以用于 https 请求。

我正在尝试在我的 Windows 机器上为证书创建 自签名证书。我按照this article 创建证书。

我已关注AWS Documentation，可以看到示例脚本来创建 SSL 配置文件 (singlessl.config)。

我不确定从哪里或如何获得配置文件的<certificate file contents> 和<private key contents>。你能给些建议么。

编辑： 这是我添加证书内容之前没有问题的配置文件

Resources:
  sslSecurityGroupIngress: 
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupName: "Ref" : "AWSEBSecurityGroup"
      # GroupId: "Ref" : "AWSEBSecurityGroup"
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0

packages:
  yum:
    mod_ssl : []

files:
  /etc/httpd/conf.d/ssl.conf:
    mode: "000755"
    owner: root
    group: root
    content: |
      LoadModule ssl_module modules/mod_ssl.so
      Listen 443
      <VirtualHost *:443>
        <Proxy *>
          Order deny,allow
          Allow from all
        </Proxy>

        SSLEngine             on
        SSLCertificateFile    "/etc/pki/tls/certs/server.crt"
        SSLCertificateKeyFile "/etc/pki/tls/certs/server.key"
        SSLCipherSuite        EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
        SSLProtocol           All -SSLv2 -SSLv3
        SSLHonorCipherOrder   On

        Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
        Header always set X-Frame-Options DENY
        Header always set X-Content-Type-Options nosniff

        ProxyPass / http://localhost:8080/ retry=0
        ProxyPassReverse / http://localhost:8080/
        ProxyPreserveHost on

        LogFormat "%h (%X-Forwarded-Fori) %l %u %t \"%r\" %>s %b \"%Refereri\" \"%User-Agenti\""
        ErrorLog /var/log/httpd/elasticbeanstalk-error_log
        TransferLog /var/log/httpd/elasticbeanstalk-access_log
      </VirtualHost>

  /etc/pki/tls/certs/server.crt:
    mode: "000400"
    owner: root
    group: root
    content: |
      -----BEGIN CERTIFICATE-----
      <certificate file contents>
      -----END CERTIFICATE-----

  /etc/pki/tls/certs/server.key:
    mode: "000400"
    owner: root
    group: root
    content: |
      -----BEGIN RSA PRIVATE KEY-----
      <private key contents>
      -----END RSA PRIVATE KEY-----

services:
  sysvinit:
    httpd:
      enabled: true
      ensureRunning: true
      files : [/etc/httpd/conf.d/ssl.conf,/etc/pki/tls/certs/server.key,/etc/pki/tls/certs/server.crt]

再次添加证书内容后验证失败

Resources:
  sslSecurityGroupIngress: 
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupName: "Ref" : "AWSEBSecurityGroup"
      # GroupId: "Ref" : "AWSEBSecurityGroup"
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0

packages:
  yum:
    mod_ssl : []

files:
  /etc/httpd/conf.d/ssl.conf:
    mode: "000755"
    owner: root
    group: root
    content: |
      LoadModule ssl_module modules/mod_ssl.so
      Listen 443
      <VirtualHost *:443>
        <Proxy *>
          Order deny,allow
          Allow from all
        </Proxy>

        SSLEngine             on
        SSLCertificateFile    "/etc/pki/tls/certs/server.crt"
        SSLCertificateKeyFile "/etc/pki/tls/certs/server.key"
        SSLCipherSuite        EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
        SSLProtocol           All -SSLv2 -SSLv3
        SSLHonorCipherOrder   On

        Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
        Header always set X-Frame-Options DENY
        Header always set X-Content-Type-Options nosniff

        ProxyPass / http://localhost:8080/ retry=0
        ProxyPassReverse / http://localhost:8080/
        ProxyPreserveHost on

        LogFormat "%h (%X-Forwarded-Fori) %l %u %t \"%r\" %>s %b \"%Refereri\" \"%User-Agenti\""
        ErrorLog /var/log/httpd/elasticbeanstalk-error_log
        TransferLog /var/log/httpd/elasticbeanstalk-access_log
      </VirtualHost>

  /etc/pki/tls/certs/server.crt:
    mode: "000400"
    owner: root
    group: root
    content: |
      -----BEGIN CERTIFICATE-----
MIIFrjCCA5agAwIBAgIQnWFbX+HcXIBD15PWJMbowzANBgkqhkiG9w0BAQ0FADBd
MQ4wDAYDVQQGEwVJbmRpYTEMMAoGA1UECxMDREVWMR4wHAYDVQQKExVWNSBCdXNp
bmVzcyBTb2x1dGlvbnMxHTAbBgNVBAMTFE1BU2dlbmllIERldiBSb290IENBMB4X
DTE0MTIzMTE4MzAwMFoXDTE5MDEzMDE4MzAwMFowGzEZMBcGA1UEAxMQZGV2Lm1h
c2dlbmllLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMEHn/iC
9iGQHAKwxscFdnun2Q1qr0M0jBIt4JcwTsT5NjRfII7RBHvCnTWrQUo4QBoIqVdR
OkG4PkAS0Q3wqcuACyCAknx//k9O0DQHbkk2jI0aNrrD0iDFlHX9P/e+zS6VA5Qg
2Wrzf4nHNDC3ITsGYkNvXXFn6Uhl0o7WHrQ7njHpd26kNFGQPwVbFdjDm2uYDUqz
SnnlxXWVI1bgIoKVrZOqe61XCmgaFP0fIMXw4nZGT1GzfWmrzg9qjglMldxjoHL2
XpOtF6l8jRnVMLQqytlDb3CkQSYdoDqKWhiqNvq1l0ZsLupuPebdjTD11KMybW2k
q/0R5WCrNBBLRwxFq6DZgzyhhHvBhxFA567uafSRDhlpCz8C0Ll3SM1TrU8ySyVN
JgRIH2E3CPJ5wAiIWEuz4LKJ/Pip+j/7iuqsRgX7QBh7kJN3oRghoAKmkoWvBuJ8
n4azmtO+B4WDDwaoV7+JYX79dwpI+dzYAZXG1MhJv0SSIx4F3eCw5tSJqpbtj9om
KluKd8RGHpZW9qUQCcLY3Expx74Ehnm+Lbgov5C1ba7JYab+JRyM1tz5k/Z+sy2m
3PUUZz2WxBeysrnjjfCYrLtXGOwG13jO2rf4e9PakRBQd4Ybx2Z45IximaFT38r5
DQZXlLgq+BkekGuV7FVtzPSZH3FV86UIRBeTAgMBAAGjgaswgagwEwYDVR0lBAww
CgYIKwYBBQUHAwEwgZAGA1UdAQSBiDCBhYAQKxykerZGsDqRGnXn8lBmoqFfMF0x
DjAMBgNVBAYTBUluZGlhMQwwCgYDVQQLEwNERVYxHjAcBgNVBAoTFVY1IEJ1c2lu
ZXNzIFNvbHV0aW9uczEdMBsGA1UEAxMUTUFTZ2VuaWUgRGV2IFJvb3QgQ0GCEE/8
C0XD+iW3TMfyC51vkw0wDQYJKoZIhvcNAQENBQADggIBAHggcAILANfMtdSJd9XW
2BsFXORtKrWzrlsYEOkM8sIjqI0QoDI1KE7NwFbzhue5OdxB8uOq1nD/J8HZUovH
Ij4np58yJjp6K43zaxrFjQNO7UyHJmcJ0rPRet7WuCTwqs4DY4/J4foEe1mNE3kL
7HiAAEKHmZ0/sLwu6TKa3QOajWxIV/MCLAuNEvTc4hPAesmyuUlnRWa8Uk/8cOCB
HFgpe/jWN8wxAcj1YS60RBGTeneiutW+/ZZr9YKlTjZgmnbR3LEDdSTsP6eLGocl
KHT0MdTqIm0uphmr8jUeUw2iNOrbm1FRZoTW9hKboIdM0Uksr778WK5A3MlsakZP
2J2G1cvQAC1fEckTS9p39QhLRTes5gCpLROySfWY9ZeMam2AXQyeVHZ6kbqdAdNG
TpOysl8j13m/O5Lh1QM26fJ9P+IIqKOffXxty4C4bZCVoR270QEP42az9G61mQZ9
d0c2yMsCvIhS1UxguF3cjGz3CK90SMo3l5TFDnNU71a0M5DIuuViIB8f40Jp5HL3
hjq+l2vzIxrmFbKyCvL5+dbEy46q9dIjqOFJECsu9khqHNbA7Wn5GBzBNxGLTkh/
2kaeIvUbRPrDFE67J/gHL4NPXSp+NohnQvjFRvGn/+3GKjhdrLDu+rlXrcEkNUv3
c4XR9gJqVsCoSiWRnoZP05FB
      -----END CERTIFICATE-----

  /etc/pki/tls/certs/server.key:
    mode: "000400"
    owner: root
    group: root
    content: |
      -----BEGIN RSA PRIVATE KEY-----
      <private key contents>
      -----END RSA PRIVATE KEY-----

services:
  sysvinit:
    httpd:
      enabled: true
      ensureRunning: true
      files : [/etc/httpd/conf.d/ssl.conf,/etc/pki/tls/certs/server.key,/etc/pki/tls/certs/server.crt]

错误：

(<unknown>): could not find expected ':' while scanning a simple key at line 56 column 1

【问题讨论】：

您可以通过在文本编辑器中打开文件并复制内容来获取文件内容。感谢@mbaird 的建议。您能否告知我将使用哪个证书文件（.cer 或 .pfx），证书文件应该来自服务器证书或客户端证书。很抱歉提出这个基本问题。您好 @mbaird，当我验证我的 singlessl.config 文件时，在我粘贴证书内容之前，使用 YAML 解析器它说有效。然后我在 notepad++ 中打开了服务器证书并将内容复制到占位符中，然后 YAML 验证失败。如果我们从notepad++编辑器获取，这是否意味着证书内容无效？ 【参考方案1】：

线

MIIFrjCCA5agAwIBAgIQnWFbX+HcXIBD15PWJMbowzANBgkqhkiG9w0BAQ0FADBd

应该与

处于相同的缩进级别

-----开始证书-----

也就是说，您的文件应该如下所示：

content: |
  -----BEGIN CERTIFICATE-----
  MIIFrjCCA5agAwIBAgIQnWFbX+HcXIBD15PWJMbowzANBgkqhkiG9w0BAQ0FADBd

所以，在您的证书和密钥内容之前留出空格，它应该可以工作。

【讨论】：

以上是关于如何为我的 Elastic Beanstalk 单实例配置 SSL的主要内容，如果未能解决你的问题，请参考以下文章

如何为 RDS 配置 Elastic Beanstalk

如何为 Elastic Beanstalk 配置 Laravel？

如何为 Elastic Beanstalk 应用程序正确配置 Spring Datasource？

如何为在 64 位 Amazon Linux 2 上运行的 Elastic Beanstalk Python 3.7 项目安装节点包？

如何为 Elastic Beanstalk DOCKER 环境设置永久 DNS 名称？

如何为 Elastic Beanstalk 的 Tomcat 实例提供自定义日志附加程序？