We have a project and we are working on creating bulk Ec2 t2.micro instances on demand. The automation process would be
Creating an instance
update the DNS zone with Correct public IP
Get Lets encrypt latest certificate.
We are using Jenkins and Ansible for this task. do you guys think if there is any better or easy approach then this.
The issues of an automated creation and management of instance and a static public IP can be solved by means of Elastic Beanststalk (EB).
EB also gives you a DNS name for free, but this is AWS DNS. If you want to use your custom domain for DNS, you can use Route53 for that as explained here.
SSL certificate depends on your EB environment. If you choose to use EB with load-balancer, then you can easly get free public SSL cert using ACM. If you don't want load balancer, you can install free public certificate from LetsEncrypt. But you have to manually set it up on your EB instance.
Related
I am using AWS and I created an Instance in EC2 and created a SSL Certificate in Certificate Manager, I have a domain from whois.com which I was able to connect to my instance using Route 53.
I am now trying to install the SSL Certificate to my EC2 instance and have googled a bunch on tutorials on the subject, but they all are super confusing and don't seem to work, must of them say I need to use a Load Balancer, but either I am missing a step or something I am doing is wrong because the SSL certificate is not working, http works like a charm, https is not working at all.
Is someone able to point me in the right direction?
AWS do not allow the certificates to be downloaded for ACM public CA so you are limited with where it can be attached.
You cannot use a public ACM certificate directly in your EC2 instance. The following resources support attachment for HTTPS of your application:
Elastic Load Balancer (ALB, CLB or Network Load Balancer with a TLS target group)
CloudFront Distribution
API Gateway
If you do not want to use one of these resources then the following 3 options are available for you:
Use a free SSL CA to generate the SSL for your EC2 instance such as certbot
Purchase a SSL from another CA and install on your host
Use AWS ACM Private CA (Although this can be expensive)
I am running a Spring Boot Application (as a RESTful Webservice) dockerized in an EC2 Instance. If I start the container, everything is working fine, but only with HTTP. e.g. http://ec2-54-93-55.eu-central...com
I already tried setting up the Security Groups of my EC2 Instance, where I enabled HTTPS, but it still does not work.
Now I want to add a SSL Certificate to my Instance with the AWS Certificate Manager. The problem is now, that I need a hosted domain for this and I can not use the Domain of my EC2 Instance.
I tried setting it up as api.mydomain.com and it is verified now. How can I now connect my EC2 Instance with this domain?
I tried creating an Alias in Route 53 by routing api.mydomain.com to the EC2 public DNS. But this did not work too.
You will not be able to attach an ACM public certificate to your EC2 instance as they are required to be attached to either one of these resources:
CloudFront
Elastic Load Balancer.
Once these are configured you will need to update the DNS record on your hosting provider to target the CNAME of whichever of these resources they use.
If you were using Route 53 as your hosting provider you would add your record to the public hosted zone for that domain, however this process is slightly different for each DNS provider.
I have a EC2 instance running in my account, now I need to add an SSL certificate to my web server running inside that EC2 instance.
Can I create a new cloudfront and attach my existing EC2 instance to it? Would that solve my purpose?
Yes, you make CloudFront point to an EC2 instance or any server really. Check out Requiring HTTPS for Communication Between Viewers and CloudFront for more information on how to do this.
Another option for free SSL certificates is Let’s Encrypt. Super easy to setup and works with Apache and Nginx.
I am spinning a new EC2 instance on demand using AMI by script using Java SDK from here at http://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/welcome.html
I am hosting rest API's on the newly spun EC2 instance from AMI on port 8000. I want to access instance from IP only as I will spinning many instances from base AMI when needed and will be destroying when not needed.
I want to call this API's from another web application which is hosted under HTTPS. I know it will not allow me to hit HTTP from HTTPS due to Mixed Content.
After some research, I found AWS provides ACM-Server Certificates service which can be applied to EC2. Ref http://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/examples-iam-server-certificates.html
But it works with services integrated with ACM as per document saying at below link
http://docs.aws.amazon.com/acm/latest/userguide/acm-services.html >>
You cannot install an ACM Certificate directly on your website or
application. You must install your certificate by using one of the
services integrated with ACM. For more information about these
services, see Services Integrated with AWS Certificate Manager.
Elastic Load Balancing
Amazon CloudFront
AWS Elastic Beanstalk
Amazon API Gateway AWS
CloudFormation
But I am not using any of above-mentioned services. Is there any way to achieve this and install SSSL on EC2 ip using script ?
This is a common question, because AWS ACS certificates are free.
Thus, to avoid using such certificates with other services than AWS ones, AWS never discloses the associated private keys to its customers.
To let the https server on your EC2 instance use such a certificate, AWS should give you the private key, for you to configure the https server itself.
This is why you can not use an ACS certificate with your EC2 instance. You need to configure an Elastic Load Balancing instance in front of it, so that AWS provides this ELB with your certificate and private key (or provide an HSM with this private key and connect this HSM to the ELB front-end).
Note that using an ELB instance in front of your EC2 instance, in order to be able to use a free certificate from the AWS ACS service, is probably a bad idea: certificates are often cheaper (depending on their type and duration, of course) than the ELB cost overhead.
Note that Let'sEncrypt (https://letsencrypt.org/) can provide your EC2 instance with free DV (domain validated) certificates. You just need to install the Certbot ACME client, since you have shell access to your EC2 instance.
AWS has come up with a new service AWS Certificate Manager. One thing I got from the description is that if we are using this service we don't have to pay for the certificate anymore.
They are providing certificates for Elastic Load Balancer (ELB) and CloudFront, but I didn't find EC2 anywhere.
Is there any way to use the certificate with EC2?
Q: Can I use certificates on Amazon EC2 instances or on my own servers?
No. At this time, certificates provided by ACM can only be used with specific AWS services.
Q: With which AWS services can I use certificates provided by ACM?
You can use ACM with the following AWS services:
• Elastic Load Balancing
• Amazon CloudFront
• AWS Elastic Beanstalk
• Amazon API Gateway
https://aws.amazon.com/certificate-manager/faqs/
You can't install the certificates created by Amazon Certificate Manager (ACM) on resources you have direct low-level access to, like EC2 or servers outside of AWS, because you aren't provided with access to the private keys. These certs can only be deployed on resources managed by the AWS infrastructure -- ELB and CloudFront -- because the AWS infrastructure holds the only copies of the private keys for the certificates that it generates, and maintains them under tight security with auditable internal access controls.
You'd have to have your EC2 machines listening behind CloudFront or ELB (or both, cascaded, would also work) in order to use these certs for content coming from EC2... because you can't install these certs directly on EC2 machines.
No, you cannot use aws certificate manager for deploying certs on EC2. The certificate manager certs can only be deployed against cloudfront and elastic load balancer. Inoredr to use it on ec2, you need to put elb on top of ec2, so that request from client to load balancer will be https protected and from elb to ec2 webserver will be on http.
If you are using AWS ACM Cert for internal purpose only then you could probably use AWS ACM Private CA to issue the certs.(I think you can use it for public/external traffic purpose as well if your root CA is publicly trusted CA).
https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaGetStarted.html
During Application/EC2/Container startup, set a step to export your ACM Private CA issued Cert/Private Key to your destination and start referring that for serving the traffic.
https://docs.aws.amazon.com/cli/latest/reference/acm/export-certificate.html
One good thing is, you can control who can call export cert feature using IAM Role so not everyone can download private key of the cert.
One downside with this is, private CA is expensive AWS service($400/month).
https://aws.amazon.com/certificate-manager/pricing/
Adding to the comments above, you can't use the AWS Certificate Manager for this, but you can add a Let's Encrypt certificate to ec2 on a Windows server running IIS and it's pretty easy:
Associate an elastic ip with your ec2 instance.
Make sure you have a registered domain. You can't use ec2----------.us-east-1.compute.amazonaws.com type names that come with your instance.
Through your domain provider's DNS settings have your domain point to your Elastic IP.
Connect to your ec2 instance and add your domain name to the site bindings.
Go to https://github.com/PKISharp/win-acme/releases
Look under assets, and use the latest version (win-acme.v2.0.10.444.zip for example). This is the only assets folder that you need.
Unzip the folder, open the terminal as administrator, and cd into the unzipped folder.
Run wacs.exe and follow the prompts.
Make sure the security group assigned to your instance allows traffic (at the very least your own IP) through the HTTPS port you chose in IIS; this is port 443 by default.
I found the links below helpful when I was figuring this out. Here is a video using an earlier release if you need more help, but it's the same idea.
https://www.youtube.com/watch?v=fq5OUOjumuM
Also this article might be helpful:
https://weblog.west-wind.com/posts/2016/feb/22/using-lets-encrypt-with-iis-on-windows