HTTPS not working on AWS Elastic BeanStalk single instance Java platform

0

I configured my AWS Elastic BeanStalk single instance to use the HTTPS protocol for my custom domain attached to it, using the official documentation provided by AWS for the JAVA SE platform (https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/https-singleinstance-java.html). However, when I access the custom domain the browser still says it's not secure.

In order to make it HTTPS I created a new .ebextensions folder inside the root directory of my project and added the following files:

.ebextensions/nginx/conf.d/https.conf:

# HTTPS server

server {
    listen       443;
    server_name  localhost;

    ssl                  on;
    ssl_certificate      /etc/pki/tls/certs/server.crt;
    ssl_certificate_key  /etc/pki/tls/certs/server.key;

    ssl_session_timeout  5m;

    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers   on;

    location / {
        proxy_pass  http://localhost:5000;
        proxy_set_header   Connection "";
        proxy_http_version 1.1;
        proxy_set_header        Host            $host;
        proxy_set_header        X-Real-IP       $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto https;
    }
}

with the proxy_pass being set to localhost:5000 as I configured it on my instance using the SERVER_PORT 5000 parameter.

.ebextensions/https-instance.config:

files:
  /etc/pki/tls/certs/server.crt:
    content: |
      -----BEGIN CERTIFICATE-----
      certificate file contents (certificate.crt)
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      intermediate certificate (ca_bundle.crt)
      -----END CERTIFICATE-----
      
  /etc/pki/tls/certs/server.key:
    content: |
      -----BEGIN RSA PRIVATE KEY-----
      private key contents (private.key)
      -----END RSA PRIVATE KEY-----

container_commands:
  01restart_nginx:
    command: "service nginx restart"

where I generated a 90 days period certificate for my custom domain (www.my-custom-domain.com) using ZeroSSL which generated the following files: ca_bundle.crt, certificate.crt and private.key.

.ebextensions/https-instance-single.config:

Resources:
  sslSecurityGroupIngress: 
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0

I created these files in IntelliJ using spaces as indentation just like the AWS documentation says and also added the .ebextensions folder on the root of my .war archive which I deployed to my Elastic BeanStalk instance.

Do you have any idea why it's not working? I also checked the browser for any info related to why it's not secure, but apart from the 'The page is not secure' message I don't get anything else in the Security tab inside the DevTools.
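
As an added example (not part of the original post and not AWS's code), the checks below read the question's https.conf for settings a reviewer would flag before debugging the browser warning further. The finding ids, function names and corrected block are assumptions of this example, and the thread does not confirm any of these findings as the cause.

```python
import re

# Constructed input: the question's server block, reduced to the directives read here.
PATH = ".ebextensions/nginx/conf.d/https.conf"
DOMAIN = "www.my-custom-domain.com"  # placeholder name used in the question
QUESTION_CONF = """
server {
    listen 443;
    server_name localhost;
    ssl on;
    ssl_certificate /etc/pki/tls/certs/server.crt;
    ssl_certificate_key /etc/pki/tls/certs/server.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
"""
# Corrected form of the same block: an assumption of this example, not a fix from the thread.
FIXED_CONF = (QUESTION_CONF.replace("listen 443;", "listen 443 ssl;")
              .replace("ssl on;", "")
              .replace("server_name localhost;", "server_name " + DOMAIN + ";")
              .replace("TLSv1 TLSv1.1 TLSv1.2", "TLSv1.2 TLSv1.3"))

def directives(conf):
    """Map directive name -> list of argument lists for simple 'name args;' lines."""
    found = {}
    body = re.sub(r"#[^\n]*", "", conf)  # strip comments
    for name, args in re.findall(r"^\s*([a-z_]+)\s+([^;{}]+);", body, re.M):
        found.setdefault(name, []).append(args.split())
    return found

def audit(path, conf, domain):
    """Return finding ids (hypothetical names) for one HTTPS server block."""
    d, out = directives(conf), []
    def flat(key):
        return {tok for args in d.get(key, []) for tok in args}
    if "ssl" not in flat("listen"):  # 'ssl on;' was removed in nginx 1.25.1
        out.append("ssl-on-directive" if "on" in flat("ssl") else "no-tls-listener")
    legacy = flat("ssl_protocols") & {"TLSv1", "TLSv1.1"}  # deprecated by RFC 8996
    if legacy:
        out.append("legacy-protocols:" + ",".join(sorted(legacy)))
    if domain not in flat("server_name"):
        out.append("server-name-mismatch")  # informational: a sole 443 block is the default
    out += ["missing:" + k for k in ("ssl_certificate", "ssl_certificate_key") if k not in d]
    if path.startswith(".ebextensions/nginx/"):  # AL2 platforms read .platform/nginx/
        out.append("verify-proxy-config-dir")
    return out

if __name__ == "__main__":
    print("question:", audit(PATH, QUESTION_CONF, DOMAIN))
    print("corrected:", audit(".platform/nginx/conf.d/https.conf", FIXED_CONF, DOMAIN))
```
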

2 answers
0
Accepted answer

I managed to fix it by actually switching to a load-balanced instance. From there the process was much easier. These are the steps I did:

  • create a new load-balanced instance
  • create a new SSL certificate for the custom domain from the AWS Certificate Manager (used both with and without the www prefix)
  • create two A-records aliases for the custom domain using both with and without the www prefix
  • create a HTTPS inbound rule on the instance's security group
  • added a new HTTPS listener using the new certificate
  • changed the HTTP listener to redirect to HTTPS

Since the process of creating a load-balanced instance is as easy as a single instance one, it is worth doing it this way rather than going the hard way of overwriting the server config files.

Daniel
answered 12 days ago
0

Hello.

Is it possible that the certificate is not reflected due to a problem with the browser's cache?
By the way, I think you could check whether the certificate was reflected by accessing the website at "https://www.my-custom-domain.com" and checking the lock mark in the upper left of the browser.

As mentioned in the documentation, please restart Nginx after completing the configuration.
https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/https-singleinstance-java.html

The container_commands key restarts the nginx server after everything is configured so that the server loads the nginx configuration file.

EXPERT
answered a month ago
  • I'm not sure if it can be a browser caching issue since it's not working in any of the browsers I have (Chrome, Firefox and Edge - which I'm not using at all). Besides this, I don't have the lock mark on the upper left of the browser's URL address like I should; it just says "Not secure". Also, shouldn't the command "service nginx restart" that you are talking about automatically restart the nginx server itself after it's deployed?
