Setting up a service using Amazon’s EBS is very easy. The documentation is clear and to the point.
However, when you try to turn on SSL, you might run into problems, as the many forum questions suggest.
Most issues revolve around two main points:
1. SSL certificate. Getting a certificate uploaded to Amazon is not as easy as it sounds: you need to install Amazon's CLI and make sure your certificates are in the right format. Sometimes you even need to make changes (change the order of entries within the certificate, remove parts, etc.). If you use Godaddy as a certificate source, just download an Apache-compatible certificate and you can upload it as is.
2. Setting up the environment. You can find the instructions here, and they're all good until you get to step 3. That's where Amazon tells you that IF you are using VPC with your instances, you need to set up rules to allow HTTPS. What they fail to say is that even if you don't use VPC you still need to set up rules!
The following are instructions I got from Amazon support, after struggling with this for a couple of weeks (did not have business level support when I started working on this issue):
You need to update two security groups, one for your ELB and one for your instance, both must allow https (443)
- Go to your ec2 web console and click on “security groups” on the left
- Find the group with the following description: “ELB created security group used when no security group is specified during ELB creation – modifications could impact traffic to future ELBs”
- Add a rule for that group to allow https protocol port 443 from source 0.0.0.0/0
- Find the security group for your environment in that same list, and add https port 443 with the source being the default security group from step (2)
This should allow https connectivity between your load balancer and your instance.
You can follow this blog to set it all up; the problems I've encountered and their solutions are detailed below:
Q: What's the command I have to run (under Windows)?
A: aws iam upload-server-certificate --server-certificate-name mycompanyname --certificate-body file://mycert.crt --private-key file://mykeyfile.key --certificate-chain file://customizedcertfromgodaddy.crt --path /cloudfront/justanameIchose/
Q: How do I customize my Godaddy certificate to be compatible with AWS?
A: AWS requires a subset of what's included in your certificate authority's certificate. The certificate I got from Godaddy (that's THEIR certificate, not the one they issued for my company, i.e. the one named gd_bundle-g2-g1.crt) had 3 sections in it; I had to remove the first two.
Q: Got an error: A client error (AccessDenied) occurred when calling the UploadServerCertificate operation: User: arn:aws:iam::xxxxxxxxx:user/yyyyyyyy is not authorized to perform: iam:UploadServerCertificate on resource: arn:aws:iam::xxxxxxxxx:server-certificate/cloudfront/zzzzzzz/qqqqqqqq
A: This happens because the user whose credentials you supplied does not have enough permissions to perform this action. You should give it all permissions as explained in the blog post I referred to.
Q: Got an error: A client error (MalformedCertificate) occurred when calling the UploadServerCertificate operation: Unable to parse certificate. Please ensure the certificate is in PEM format.
A: In my case, this had nothing to do with the certificate format; it just happened because I removed the file:// prefix in the aws command, and it is required. Would have been much clearer if Amazon had bothered to specify this error instead of a general "your format is wrong", which has nothing to do with the real problem, but c'est la vie.
Q: Got an error: A client error (MalformedCertificate) occurred when calling the UploadServerCertificate operation: Unable to validate certificate chain. The certificate chain must start with the immediate signing certificate, followed by any intermediaries in order. The index within the chain of the invalid certificate is: 3
A: This happened because I did not remove the unneeded parts of the Godaddy certificate. See the question above.
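To find out which certificate breaks the order before uploading, here is an added example (not from this post, Godaddy or AWS) that applies the rule the error message states: the first chain certificate must be the leaf's issuer, and each later one must be the issuer of the one before it. It reads issuer and subject Names straight out of the DER with a minimal parser, so it works on real PEM files via pem_to_der_list(leaf) and pem_to_der_list(bundle); it checks name linkage only, not signatures, and the index it returns is its own 0-based position in the chain list, which need not match the number AWS prints. fake_cert builds constructed, unsigned stand-in certificates for a self-contained run.

```python
import base64, re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der_list(text):
    # Split a PEM bundle (e.g. gd_bundle-g2-g1.crt) into DER certificates, in file order.
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(text)]

def _tlv(buf, pos):
    # Read one DER tag-length-value starting at pos; return (tag, value_start, value_end).
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits say how many bytes hold the real length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(der):
    # Return the raw DER encodings of one certificate's issuer and subject Names.
    _, cs, _ = _tlv(der, 0)       # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, signature }
    _, pos, end = _tlv(der, cs)   # tbsCertificate ::= SEQUENCE { [0] version?, serial, sigAlg, issuer, validity, subject, ... }
    fields = []
    while pos < end:
        tag, _, vend = _tlv(der, pos)
        if tag != 0xA0:           # drop the optional [0] EXPLICIT version so field indexes are stable
            fields.append(der[pos:vend])
        pos = vend
    return fields[2], fields[4]   # issuer, subject; DER Names can be compared byte-for-byte

def first_invalid_index(leaf_der, chain_ders):
    # The rule stated in the AWS error: chain[0] must be the leaf's issuer and every later
    # certificate must be the issuer of the one before it. Returns the 0-based position of the
    # first certificate that breaks the rule, or None when the chain is in order.
    expected_subject = issuer_and_subject(leaf_der)[0]
    for i, der in enumerate(chain_ders):
        issuer, subject = issuer_and_subject(der)
        if subject != expected_subject:
            return i
        expected_subject = issuer
    return None

def _der(tag, content):
    # Minimal DER encoder (short and two-byte long length forms) for the constructed demo certs.
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")) + content

def fake_cert(subject, issuer):
    # Constructed stand-in: a 'certificate' carrying only the fields the parser reads, unsigned.
    name = lambda s: _der(0x30, _der(0x0C, s.encode()))
    tbs = _der(0x02, b"\x01") + _der(0x30, b"") + name(issuer) + _der(0x30, b"") + name(subject)
    return _der(0x30, _der(0x30, tbs))
```

Running first_invalid_index on a bundle shipped root-first reports position 0 (the root is not the leaf's issuer), which is the kind of ordering problem the upload rejects.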
Q: Got an error: argument --server-certificate-name is required, but I look at my command and it's there.
A: The problem might be with the source from which you copied the command string: sometimes the "--" gets replaced by a similar-looking character (such as an en dash) that is not the same ASCII code. Just delete all the "-" signs and retype them yourself.
Once this is all sorted out, you can continue to follow the blog post and all should work.