Setting up SSL with Amazon Elastic Beanstalk
Setting up a service using Amazon’s EBS is very easy. The documentation is clear and to the point.
However, when you try to turn on SSL, you might run into problems, as the many forum questions suggest.
Most issues revolve around two main points:
1. SSL certificate. Getting a certificate uploaded to Amazon is not as easy as it sounds, you need to install amazon’s CLI and make sure your certificates are in the right format. Sometimes you even need to make changes (change order of entries within the certificate, remove parts, etc.). If you use Godaddy as a certificate source, just download an Apache compatible certificate and you can upload it as is.
2. Setting up the environment. You can find the instructions here, and they’re all good until you get to step 3. That’s where Amazon tells you that IF you are using VPC with your instances, you need to setup rules to allow https. What they fail to say is that even if you don’t use VPC you still need to setup rules!
The following are instructions I got from Amazon support, after struggling with this for a couple of weeks (did not have business level support when I started working on this issue):
You need to update two security groups, one for your ELB and one for your instance, both must allow https (443)
- Go to your ec2 web console and click on “security groups” on the left
- Find the group with the following description: “ELB created security group used when no security group is specified during ELB creation – modifications could impact traffic to future ELBs”
- Add a rule for that group to allow https protocol port 443 from source 0.0.0.0/0
- Find the security group for your environment in that same list, and add https port 443 with the source being the default security group from step (2)
This should allow https connectivity between your load balancer and your instance.