I have an Elastic Beanstalk instance running in a security group that has HTTP and HTTPS authorized inbound. But HTTPS doesn't seem to work... Why?
Second question:
I am currently creating an SSL certificate for my domain name. Where am I supposed to upload it on AWS?
Thank you
You can configure HTTPS for your Elastic Beanstalk environment.
Please read the following document:
http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https.html
You can upload your SSL certificate to AWS IAM using the console or the CLI, whichever you prefer.
You need not modify the security group of the EC2 instance directly.
More details on Step 3 of the documentation above:
Create a file called 01-ssl.config in a folder named .ebextensions inside your app source.
Put the following inside this file.
option_settings:
  - namespace: aws:elb:loadbalancer
    option_name: LoadBalancerHTTPSPort
    value: 443
  - namespace: aws:elb:loadbalancer
    option_name: SSLCertificateId
    value: <arn of your ssl certificate>
These option settings should automatically modify your security group ingress rules to allow traffic appropriately.
You can read more about customizing your Elastic Beanstalk environment using ebextensions here.
Details about all option settings supported including the ELB ones are available here.
Let me know if you run into any issues.
Update
By default, when you create an Elastic Beanstalk environment it creates an EC2 instance and puts it behind an Elastic Load Balancer. If you do not need a load balancer then you can create a Single Instance environment as explained here. Or do you already have a single instance environment?
Once you have a single instance environment you can configure SSL for your environment as explained here.
Update on how to not put your certificate in your config file
Since you do not want to put the server.crt file in your ebextensions config file, you can upload your file to S3 and then ask Elastic Beanstalk to download that file directly to your EC2 instance. The only thing that changes in the example here is that you use a source instead of content to specify the contents of your file. In the source section you can put the URL from where you want the file to be downloaded.
Your ebextensions will then look like:
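files:
  /etc/pki/tls/certs/server.crt:
    # Readable by everyone, writable only by the owner: a world-writable
    # certificate (mode 000777) could be replaced by any local user.
    mode: "000644"
    owner: ec2-user
    group: ec2-user
    source: <URL>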
That way you don't need to put the contents in the repo. Read more about the file directive here.
In case you run into issues double check that your IAM instance profile (the one with which you run your beanstalk environment) has access to your S3 object.
If you need more details about IAM instance roles and Elastic Beanstalk read this and this.
Related
I have a number of node apis that run on elastic beanstalk.
We are configuring the load balancer and a number of other things using .config files in the ebextensions folder.
Is it possible to get the security id from the newly created security group when eb create is run and the api is pushed to Elastic Beanstalk and started, then add it to an inbound rule on another security group that already exists?
Would like to be able to have it all scripted so when we terminate and re-create, the rules will be re-created.
For my nodejs application in Elastic BeanStalk, without Beanstalk Load Balancer, I want to set up a Letsencrypt certificate and keep the classic domain provided by AWS: xxx.xxxx.elasticbeanstalk.com
After several searches I found two possible solutions:
1 - Using an .ebextensions file => to install Certbot, get a Letsencrypt certificate and config Nginx.
great post about that => https://bluefletch.com/blog/domain-agnostic-letsencrypt-ssl-config-for-elastic-beanstalk-single-instances/
2 - From an ssh connection, install Certbot, generate a certificate and Upload it to IAM AWS.
Docs AWS : https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-ssl-upload.html
For both solutions I have the same error message during domain verification by Certbot.
I think that the directory generated by certbot for the verification isn't accessible.
Error :
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
So, my question is: What's the best way to set up an SSL certificate to get the green lock for a Node Js Elastic BeanStalk application without Beanstalk Load Balancer?
Thank you for your help.
I finally found the solution :
I took inspiration from this script and created one using WEBROOT MODE.
I created a git to share this solution :
https://github.com/SammyHam/LetsEncrypt-SSL-config-for-Elastic-Beanstalk
TLDR:
Generate an SSL certificate (you can use a free one at https://www.sslforfree.com/), download it, paste the public certificate (certificate.crt) and private key (private.key) in ./ebsextensions/certs.config and deploy to Elastic Beanstalk.
Step by step tutorial on how to enable https on single instance elastic beanstalk environment, with http to https redirection.
This tutorial uses Node.js as platform, but it includes instructions for other platforms too.
elastic-beanstalk-&-nginx-conf
Explanation
AWS - EB - configuration docs
Troubleshooting
Make sure port 443 is listed in the security group.
I have deployed node.js code on AWS Elastic Beanstalk, creating a new environment. The app is successfully deployed. I want to access the files. I used ssh to the remote machine but I can't find the code.
Elastic Beanstalk places the deployed code in /var/app/current
Note that you shouldn't be making changes on the Elastic Beanstalk server directly.
Adding to the last answer, remember that you need to select enable SSH to your instances when launching application. Else, you won't be able to SSH into any AWS Elastic Beanstalk instance.
If you found this question but you're not using ssh, you could download the zip after clicking on a version in the console.
I have an AWS EC2 instance with Ubuntu. I successfully set up ssh access and I am able to log in via the ssh console. I installed NodeJS and one simple NodeJS application. I successfully start it with node server.js, and when executing curl http://localhost:8080 I can confirm the application is up and running. My only issue is that I am not able to access it using the public IP provided by AWS.
I can see my public IP from the AWS console, and I thought it should be enough to type:
http://aws-public-ip:8080 and it should load the application. It seems I am wrong since I don't obtain access to my app.
Any hints would be appreciated.
Actually I found the answer by myself - I had to edit the security group rules and just add a rule for the corresponding port. By default, the security group created when you create your instance has only one incoming rule, for port 22.
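The check behind the security group answers on this page (port 443 for HTTPS, port 8080 for the Node app, port 22 present by default), as an added example that is not part of the original posts. It reads JSON in the shape printed by `aws ec2 describe-security-groups --output json`; the group IDs, rules and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample in the shape returned by `aws ec2 describe-security-groups`
# (group IDs and rules are invented for illustration).
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0example1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0example2", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 8100,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
]}

def sources_for_port(group, port, protocol="tcp"):
    """CIDRs allowed inbound to `port`; rules that reference other groups are ignored."""
    cidrs = []
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        in_range = perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)
        # IpProtocol "-1" means all protocols and all ports
        if proto == "-1" or (proto == protocol and in_range):
            cidrs += [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return cidrs

def client_allowed(group, port, client_ip):
    """True if `client_ip` falls inside a CIDR that may reach `port`."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(c) for c in sources_for_port(group, port))

def audit(groups, app_ports=(443, 8080)):
    """Per group: which app ports have no inbound rule, and whether SSH is world-open."""
    report = {}
    for g in groups:
        closed = [p for p in app_ports if not sources_for_port(g, p)]
        world_ssh = any(ipaddress.ip_network(c).prefixlen == 0
                        for c in sources_for_port(g, 22))
        report[g["GroupId"]] = {"closed": closed, "ssh_open_to_world": world_ssh}
    return report

if __name__ == "__main__":
    for gid, finding in audit(SAMPLE["SecurityGroups"]).items():
        print(gid, finding)
```

The first sample group mirrors the default described above: only port 22 is open, so 443 and 8080 are reported closed and SSH is flagged as reachable from any address.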
I am using Amazon EC2 with the Elastic Beanstalk deployment process through Visual Studio. All is working well, except that when the application is deployed it does not have write permission by default, so I had to manually Remote Desktop into the individual machine and give it write permission through the IIS site, under permissions.
How can I automate this process, since Amazon adds servers to the load balancer using auto-scaling etc.?
Or if I change one, will the others that follow copy the exact same thing that I did manually?
I am a little confused, this is my first time deploying, please help?
Thanks
Yes, you can use ebextensions config to set permissions on the directory after the instance spins up. Here is an example of someone creating a directory and setting the permissions on the new directory, you should be able to adapt to your circumstances:
AWS Beanstalk ebextensions on windows