AWS Certificate Manager for ELB pointing to an Apache server running on EC2

I was reading the AWS documentation for the certificate manager. I can bind an SSL certificate to an ELB. I have already done that, and my application is still on an Apache server installed on an Ubuntu EC2 server.


And the documentation has the following:

Note. ACM certificates are currently associated with Elastic Load Balancing or Amazon CloudFront distributions. Even though you are installing your website on an Amazon EC2 instance, you are not deploying an ACM certificate there. Instead, deploy the ACM certificate to your Elastic Load Balancing load balancer or your CloudFront distribution.

As I understand it, this means that we can simply deploy the application to EC2 and add it under a load balancer that is certified by ACM.

And that's all you need for SSL to work for your web application.

But when I wasn't using this approach, I used the following Apache config to set up SSL.

<VirtualHost *:80>
        DocumentRoot /var/www/html/
        ServerName example.com
        ServerAlias example.com
        ErrorLog ${APACHE_LOG_DIR}/diyoron-error_log
        CustomLog ${APACHE_LOG_DIR}/diyoron-access_log common


        <Directory /var/www/html/>
                RewriteEngine on
                RewriteCond %{HTTPS} off
                RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R]
        </Directory>

</VirtualHost>

<VirtualHost *:443>
        # ServerAdmin webmaster@example.com
        DocumentRoot /var/www/html/

        ServerName example.com
        ServerAlias example.com
        ErrorLog ${APACHE_LOG_DIR}/example-error_log
        CustomLog ${APACHE_LOG_DIR}/example-access_log common
        SSLEngine On

        SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
        SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
        SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem

</VirtualHost>

      

But in my current location, I cannot configure SSLCertificateKeyFile, SSLCertificateChainFile, SSLCertificateFile in my Apache config.

If anyone can guide me on the right path, that is much appreciated.

AH00016: Configuration Failed
[Fri Apr 21 23:14:01.184314 2017] [ssl:emerg] [pid 1190] AH02572: Failed to configure at least one certificate and key for example.com:443
[Fri Apr 21 23:14:01.184826 2017] [ssl:emerg] [pid 1190] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
[Fri Apr 21 23:14:01.184834 2017] [ssl:emerg] [pid 1190] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/apache2/error.log for more information

      

+3




1 answer


You will stop using SSL on your ELB and configure it to forward both HTTP and HTTPS requests as HTTP (to your instance port 80):


So you won't need <VirtualHost *:443> anymore.



Also, in your Apache configuration, in <VirtualHost *:80>, you redirect users to https:// if the connection does not use SSL/TLS (by the way, this condition was not necessary: the request will never reach this point if it uses https, so you can simply redirect it unconditionally). This will not be possible since, from Apache's point of view, all incoming connections are using http://.

To determine the protocol used between the client and the load balancer, use the request header X-Forwarded-Proto (Elastic Load Balancing stores the protocol used between the client and the load balancer in the request header X-Forwarded-Proto and passes the header along to your server):

RewriteCond %{HTTP:X-Forwarded-Proto} !https [NC]
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

      

+4
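
The setup from the answer above, put together as a single port-80 virtual host. This is an added example, not part of the original answer. The health-check exemption and its ELB-HealthChecker user-agent match are assumptions added here, since load balancer health checks reach the instance without an X-Forwarded-Proto header and would otherwise receive the 301.

```apache
# Added example (constructed): instance sits behind an ELB that holds the
# ACM certificate. No <VirtualHost *:443> and no SSLCertificate* directives
# are configured on the instance; mod_ssl is not involved at all.
<VirtualHost *:80>
        DocumentRoot /var/www/html/
        ServerName example.com
        ErrorLog ${APACHE_LOG_DIR}/example-error_log
        CustomLog ${APACHE_LOG_DIR}/example-access_log common

        RewriteEngine On

        # Assumption: health checks come straight from the load balancer
        # over plain HTTP with a User-Agent starting "ELB-HealthChecker"
        # and no X-Forwarded-Proto header. Exempt them so the check sees
        # the real response instead of a redirect.
        RewriteCond %{HTTP_USER_AGENT} !^ELB-HealthChecker

        # Redirect only when the client-to-load-balancer hop was not HTTPS.
        # %{HTTPS} is always "off" here, so it cannot be used for this test.
        RewriteCond %{HTTP:X-Forwarded-Proto} !https [NC]
        RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
```

X-Forwarded-Proto can be set by any client that reaches the instance directly, so the instance's security group should accept port 80 only from the load balancer.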

