
Applying Certs to EC2 Instance running webapp

Hello. I stood up a Wekan board using Docker and Snap installer. I have the IP address for the public facing site that is hosting the app here in AWS. I have a website hosted at another host and I created an A Record to point the vanity URL to this AWS instance. I have certificates on the webhost for all the .com pages, but the WeKan app gets routed to the EC2 instance and I can't figure out how or where to apply a certificate.

Do I purchase the cert and apply it to the IP address, so the vanity URL gets resolved from the call to DNS, or do I need to apply a cert at the web host? But I can't add an A Record to the domain list at that host. Thanks.

asked 20 days ago, 39 views
2 Answers

Hello.

As the re:Post Agent answered, if an ALB can be used, I think it is easy to issue an SSL certificate from ACM and set up an HTTPS listener.

However, if there are cost restrictions, it should be possible to switch to HTTPS by placing an SSL certificate directly on EC2 and referencing it in the web server settings.
I think the Apache settings discussed in the GitHub issue below will be helpful.
https://github.com/wekan/wekan/issues/916

https://docs.kanboard.org/v1/admin/docker/
Please create a directory called "kanboard_ssl" in the same directory as "docker-compose.yml" and place the SSL certificate.
Also, create "nginx.conf" to reference the SSL certificate.
I tried mounting the SSL certificate issued by Let's Encrypt inside the Docker container.
docker-compose.yml

version: '2'
services:
  kanboard:
    image: kanboard/kanboard:latest
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - kanboard_data:/var/www/app/data
      - kanboard_plugins:/var/www/app/plugins
      # fullchain.pem and privkey.pem from ./kanboard_ssl, mounted read-only
      # so nothing inside the container can alter the key material
      - ./kanboard_ssl:/etc/nginx/ssl:ro
      - ./nginx.conf:/etc/nginx/nginx.conf:ro
    environment:
      # placeholder credentials; change them together with MYSQL_PASSWORD below
      DATABASE_URL: mysql://kanboard:kanboard-secret@db/kanboard
  db:
    image: mariadb:latest
    # MySQL 8 option carried over from the Kanboard docs; drop this line if
    # MariaDB refuses to start with "unknown variable default-authentication-plugin"
    command: --default-authentication-plugin=mysql_native_password
    environment:
      MYSQL_ROOT_PASSWORD: secret
      MYSQL_DATABASE: kanboard
      MYSQL_USER: kanboard
      MYSQL_PASSWORD: kanboard-secret
    volumes:
      - db:/var/lib/mysql
volumes:
  kanboard_data:
  kanboard_plugins:
  db:

Change the domain name of "server_name" to the domain you are using.
nginx.conf

user nginx;
worker_processes 1;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    sendfile           on;
    tcp_nopush         on;
    tcp_nodelay        on;
    keepalive_timeout  65;
    server_tokens      off;    # do not advertise the nginx version
    access_log         off;
    error_log          /dev/stderr;

    fastcgi_buffers 16 16k;
    fastcgi_buffer_size 32k;

    server {
        # With both listeners in one server block, port 80 still serves the
        # app in plaintext; to force TLS, move "listen 80" into its own server
        # block that returns 301 to the https:// URL.
        listen                    80;
        listen                    443 ssl;
        http2                     on;    # directive requires nginx 1.25.1 or later
        server_name               example.com;
        index                     index.php;
        root                      /var/www/app;
        client_max_body_size      32M;

        # https://ssl-config.mozilla.org/#server=nginx&version=1.18.0&config=intermediate&openssl=1.1.1i&hsts=false&ocsp=false&guideline=5.6
        # "ssl on;" removed: "listen 443 ssl" already enables TLS on that port,
        # the directive would also force TLS on the port-80 listener, and nginx
        # 1.25.1+ (the release that added "http2 on") rejects it as unknown.
        ssl_certificate           /etc/nginx/ssl/fullchain.pem;    # mounted from ./kanboard_ssl
        ssl_certificate_key       /etc/nginx/ssl/privkey.pem;
        ssl_protocols             TLSv1.2 TLSv1.3;
        ssl_ciphers               ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
        ssl_prefer_server_ciphers off;
        ssl_session_timeout       1d;
        ssl_session_cache         shared:MozSSL:10m;
        ssl_session_tickets       off;

        location / {
            try_files $uri $uri/ /index.php$is_args$args;
        }

        location ~ \.php$ {
            try_files $uri =404;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass unix:/var/run/php-fpm.sock;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_index index.php;
            include fastcgi_params;
            fastcgi_param SERVER_NAME $host;
        }

        # never expose the data directory, logs, SQLite files or .ht* files
        location ~ /data {
            return 404;
        }

        location ~* ^.+\.(log|sqlite)$ {
            return 404;
        }

        location ~ /\.ht {
            return 404;
        }

        location ~* ^.+\.(ico|jpg|gif|png|css|js|svg|eot|ttf|woff|woff2|otf)$ {
            log_not_found off;
            expires 7d;
            etag on;
        }

        gzip on;
        gzip_comp_level 3;
        gzip_disable "msie6";
        gzip_vary on;
        gzip_types
            text/javascript
            application/javascript
            application/json
            text/xml
            application/xml
            application/rss+xml
            text/css
            text/plain;
    }
}

After creating the above file, try starting the container.

docker-compose up -d

If it starts normally, you can connect using HTTPS as shown below.

[screenshot of the HTTPS connection omitted]

EXPERT, answered 20 days ago
EXPERT, reviewed 20 days ago
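Before running docker-compose up with a certificate mounted as in the answer above, the following pre-flight script (added here; it is not part of the answer, of Kanboard or of Wekan) catches the mistakes that most often produce a failed nginx start or a browser warning: a privkey.pem that does not belong to fullchain.pem, a certificate whose Subject Alternative Name does not cover the nginx server_name, a certificate close to expiry, and a key file readable by other users. The directory name kanboard_ssl, the hostname wekan.example.com and the self-signed test material are assumptions; it needs OpenSSL 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Added example, not from the re:Post answer. Pre-flight checks for the
# fullchain.pem / privkey.pem pair before it is mounted into the container.
# Assumes OpenSSL 1.1.1+ on PATH; paths and domain below are hypothetical.

# The public key inside the leaf certificate must equal the public half of
# the private key, otherwise nginx refuses to start ("key values mismatch").
# Comparing public keys works for both RSA and EC keys.
cert_matches_key() {
    cert="$1"; key="$2"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Browsers match the hostname against the SAN list, not the CN, so the
# server_name must appear there as an exact DNS entry (wildcards not handled).
cert_covers_domain() {
    cert="$1"; domain="$2"
    openssl x509 -in "$cert" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' \
        | grep -qE "DNS:$domain"'(,|$)'
}

# Fail if the certificate expires within the given number of seconds
# (default 30 days) so renewal happens before the outage.
cert_not_expiring() {
    cert="$1"; within="${2:-2592000}"
    openssl x509 -in "$cert" -noout -checkend "$within" >/dev/null 2>&1
}

# The private key on the host should be readable by its owner only.
key_perms_ok() {
    key="$1"
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# Run every check and report all failures, not just the first one.
preflight() {
    dir="$1"; domain="$2"; rc=0
    cert_matches_key   "$dir/fullchain.pem" "$dir/privkey.pem" || { echo "FAIL: privkey.pem does not match fullchain.pem"; rc=1; }
    cert_covers_domain "$dir/fullchain.pem" "$domain"          || { echo "FAIL: certificate SAN does not include $domain"; rc=1; }
    cert_not_expiring  "$dir/fullchain.pem"                    || { echo "FAIL: certificate expires within 30 days"; rc=1; }
    key_perms_ok       "$dir/privkey.pem"                      || { echo "FAIL: privkey.pem must be mode 600"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $dir is ready for $domain"
    return $rc
}

# Constructed self-signed test material so the script can be exercised
# without a CA. Real deployments use the CA-issued fullchain.pem instead.
make_test_cert() {
    dir="$1"; domain="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
        -keyout "$dir/privkey.pem" -out "$dir/fullchain.pem" \
        -subj "/CN=$domain" -addext "subjectAltName=DNS:$domain" >/dev/null 2>&1
    chmod 600 "$dir/privkey.pem"
}

# Usage: sh tls_preflight.sh ./kanboard_ssl wekan.example.com
# With no arguments it self-tests against constructed material.
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
else
    tmp=$(mktemp -d)
    make_test_cert "$tmp" wekan.example.com
    preflight "$tmp" wekan.example.com
    rm -rf "$tmp"
fi
```

Chain it in front of the start command, for example `sh tls_preflight.sh ./kanboard_ssl wekan.example.com && docker-compose up -d`, so a bad bundle never reaches nginx. Only the first certificate in fullchain.pem (the leaf) is inspected, which is the right one for all three certificate checks.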

To secure your Wekan board running on an EC2 instance with HTTPS, you have a few options:

  1. AWS Certificate Manager (ACM):

    • Request a free public SSL/TLS certificate from ACM for your custom domain.
    • This is the recommended approach for AWS services.
    • You'll need to validate domain ownership by adding a CNAME record to your DNS.
  2. Use an Application Load Balancer (ALB):

    • Create an ALB in front of your EC2 instance.
    • Associate the ACM certificate with the ALB.
    • Configure the ALB to forward traffic to your EC2 instance.
  3. Install the certificate directly on the EC2 instance:

    • If you prefer to manage the certificate yourself, you can install it directly on the EC2 instance.
    • You'll need to configure your web server (e.g., Nginx) to use the certificate.
  4. AWS Amplify Hosting (if applicable):

    • If you're using AWS Amplify to host your web app, you can use their custom SSL certificate feature.
    • You can bring your own SSL certificate from ACM.

Regarding your specific setup:

  • You don't apply the certificate to the IP address, but to the domain name.
  • The A record should point your vanity URL (custom domain) to the EC2 instance's public IP.
  • You need to obtain a certificate for the custom domain you're using for the Wekan board.
  • If using ACM, ensure the certificate is in the same region as your EC2 instance or ALB.

Remember to configure your security groups to allow HTTPS traffic (port 443) to your EC2 instance or ALB. Also, make sure your Wekan application is configured to use HTTPS.

For the most seamless integration with AWS services, using ACM with an ALB is often the simplest and most manageable approach for applying SSL/TLS certificates to EC2-hosted applications.
Sources
Options for AWS customers who use Entrust-issued certificates | AWS Security Blog
Bring your own SSL certificate to AWS Amplify Hosting | Front-End Web & Mobile

answered 20 days ago
EXPERT, reviewed 20 days ago
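For the ACM plus ALB route in the answer above, the following CloudFormation template is an added example (not from the answer and not AWS-published code) of the pieces that have to fit together: an internet-facing ALB that terminates TLS with the ACM certificate, an HTTP listener that only redirects to HTTPS, and security groups arranged so the instance's plaintext port is reachable from the ALB alone. It assumes the certificate was already requested in the same region and validated (the validation CNAME goes into the zone at the external DNS host, just like the A record) and is passed in by ARN; all parameter values, the logical names and the port are hypothetical.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example (not from the re:Post answer): put an existing Wekan EC2
  instance behind an ALB with an ACM certificate. Parameter values are hypothetical.

Parameters:
  CertificateArn:
    Type: String
    Description: ARN of an ISSUED ACM certificate for the vanity hostname, same region as the ALB
  VpcId:
    Type: AWS::EC2::VPC::Id
  PublicSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
    Description: At least two public subnets in different AZs (ALB requirement)
  InstanceId:
    Type: AWS::EC2::Instance::Id
  InstanceSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id
    Description: Existing security group of the Wekan instance
  AppPort:
    Type: Number
    Default: 80
    Description: Port the Wekan container publishes on the instance (assumed 80)

Resources:
  # Only 443 is meant to carry traffic; 80 exists solely for the redirect.
  AlbSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Internet-facing ALB for Wekan (443, plus 80 for redirect only)
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - { IpProtocol: tcp, FromPort: 443, ToPort: 443, CidrIp: 0.0.0.0/0 }
        - { IpProtocol: tcp, FromPort: 80,  ToPort: 80,  CidrIp: 0.0.0.0/0 }

  # The instance accepts the app port only from the ALB's security group, so
  # the plaintext hop between ALB and instance is never reachable from outside.
  # Remove any existing 0.0.0.0/0 rule for this port from the instance group.
  InstanceIngressFromAlb:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref InstanceSecurityGroupId
      IpProtocol: tcp
      FromPort: !Ref AppPort
      ToPort: !Ref AppPort
      SourceSecurityGroupId: !Ref AlbSecurityGroup

  LoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: application
      Scheme: internet-facing
      Subnets: !Ref PublicSubnetIds
      SecurityGroups:
        - !Ref AlbSecurityGroup

  TargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VpcId
      TargetType: instance
      Protocol: HTTP
      Port: !Ref AppPort
      HealthCheckPath: /
      Matcher:
        HttpCode: 200-399   # accept a redirect to the sign-in page as healthy
      Targets:
        - Id: !Ref InstanceId
          Port: !Ref AppPort

  # TLS terminates here with the ACM certificate; the policy allows TLS 1.2/1.3 only.
  HttpsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref LoadBalancer
      Port: 443
      Protocol: HTTPS
      SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06
      Certificates:
        - CertificateArn: !Ref CertificateArn
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref TargetGroup

  # Port 80 never serves the app; every request is redirected to HTTPS.
  HttpRedirectListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref LoadBalancer
      Port: 80
      Protocol: HTTP
      DefaultActions:
        - Type: redirect
          RedirectConfig:
            Protocol: HTTPS
            Port: '443'
            StatusCode: HTTP_301

Outputs:
  AlbDnsName:
    Description: Target for the vanity hostname's DNS record
    Value: !GetAtt LoadBalancer.DNSName
```

Two things change compared with pointing the A record at the instance. An ALB has no fixed IP address, so at the external DNS host the A record becomes a CNAME to the AlbDnsName output. And because TLS now ends at the ALB, Wekan itself keeps listening on plain HTTP but must be started with ROOT_URL set to the https:// vanity URL, otherwise the links and websocket URLs it generates will point at http://.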
