I have a few single instance environments in AWS Elastic Beanstalk. They all have SSL certificates installed via eb extensions, as opposed to using a load balancer.
They are all PHP and were running PHP 7 on Amazon Linux 1.
They are configured more or less with the guide from AWS: https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/https-singleinstance-php.html
I am trying to migrate to instances running Amazon Linux 2023 and PHP 8.2.
I should note, I am using Apache, and not nginx.
So far I have changed mod24_ssl : [] to mod_ssl : [] and was able to get the environment to load. Regular HTTP works fine, HTTPS receives "cannot connect to server" and "connection refused" depending on the client.
My ebextensions files are as follows:
packages:
  yum:
    mod_ssl : []
files:
  /etc/httpd/conf.d/ssl.conf:
    mode: "000644"
    owner: root
    group: root
    content: |
      LoadModule ssl_module modules/mod_ssl.so
      Listen 443
      <VirtualHost *:443>
        <Proxy *>
          Order deny,allow
          Allow from all
        </Proxy>
        SSLEngine on
        SSLCertificateFile "/etc/pki/tls/certs/server.crt"
        SSLCertificateKeyFile "/etc/pki/tls/certs/server.key"
        SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
        SSLProtocol All -SSLv2 -SSLv3
        SSLHonorCipherOrder On
        SSLSessionTickets Off
        Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
        Header always set X-Frame-Options DENY
        Header always set X-Content-Type-Options nosniff
        ProxyPass / http://localhost:80/ retry=0
        ProxyPassReverse / http://localhost:80/
        ProxyPreserveHost on
        RequestHeader set X-Forwarded-Proto "https" early
      </VirtualHost>
  /etc/pki/tls/certs/server.crt:
    mode: "000400"
    owner: root
    group: root
    content: |
      -----BEGIN CERTIFICATE-----
      ~~~~~~~
      -----END CERTIFICATE-----
—
Resources:
  AWSEBAutoScalingGroup:
    Metadata:
      AWS::CloudFormation::Authentication:
        S3Auth:
          type: "s3"
          buckets: ["elasticbeanstalk-us-east-2-xxx"]
          roleName:
            "Fn::GetOptionSetting":
              Namespace: "aws:autoscaling:launchconfiguration"
              OptionName: "IamInstanceProfile"
              DefaultValue: "aws-elasticbeanstalk-ec2-role"
files:
  # Private key
  "/etc/pki/tls/certs/server.key":
    mode: "000400"
    owner: root
    group: root
    authentication: "S3Auth"
    source: https://s3.us-east-2.amazonaws.com/elasticbeanstalk-us-east-2-xxx/xxx.pem
—
Resources:
  sslSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0
I have reissued the certificates, and re-rolled the environments multiple times. I have spent hours searching the web for answers with no luck. I do not see any guides for setting this up targeted at Amazon Linux 2023.
On AL2023/AL2 platforms, you can use configuration files as before, and all sections work the same way. However, specific settings might not work the same as they did on previous Amazon Linux AMI platforms. For example:
- Some software packages that you install using a configuration file might not be available on AL2023/AL2, or their names might have changed.
- Some platform specific configuration options have moved from their platform specific namespaces to different, platform agnostic namespaces.
- Proxy configuration files provided in the .ebextensions/nginx directory should move to the .platform/nginx platform hooks directory. For details, expand the Reverse Proxy Configuration section in Extending Elastic Beanstalk Linux platforms.
Further Discussion here: https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/platforms-linux-extend.html
Solution:
Move the contents of the ssl.conf file created in the eb extension file to .platform/httpd/conf.d/ssl.conf
So the configuration is now:
—
.ebextensions/https-instance.config
packages:
  yum:
    mod_ssl : []
files:
  /etc/pki/tls/certs/server.crt:
    mode: "000400"
    owner: root
    group: root
    content: |
      -----BEGIN CERTIFICATE-----
      ~~~~~~
      -----END CERTIFICATE-----
—
.ebextensions/https-instance-single.config
Resources:
  sslSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0
—
.ebextensions/privatekey.config
Resources:
  AWSEBAutoScalingGroup:
    Metadata:
      AWS::CloudFormation::Authentication:
        S3Auth:
          type: "s3"
          buckets: ["elasticbeanstalk-us-east-2-025310008910"]
          roleName:
            "Fn::GetOptionSetting":
              Namespace: "aws:autoscaling:launchconfiguration"
              OptionName: "IamInstanceProfile"
              DefaultValue: "aws-elasticbeanstalk-ec2-role"
files:
  # Private key
  "/etc/pki/tls/certs/server.key":
    mode: "000400"
    owner: root
    group: root
    authentication: "S3Auth"
    source: https://s3.us-east-2.amazonaws.com/elasticbeanstalk-us-east-2-xxxxx/xxx.pem
—
.platform/httpd/conf.d/ssl.conf
LoadModule ssl_module modules/mod_ssl.so
Listen 443
<VirtualHost *:443>
  <Proxy *>
    Order deny,allow
    Allow from all
  </Proxy>
  SSLEngine on
  SSLCertificateFile "/etc/pki/tls/certs/server.crt"
  SSLCertificateKeyFile "/etc/pki/tls/certs/server.key"
  SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
  SSLProtocol All -SSLv2 -SSLv3
  SSLHonorCipherOrder On
  SSLSessionTickets Off
  Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
  Header always set X-Frame-Options DENY
  Header always set X-Content-Type-Options nosniff
  ProxyPass / http://localhost:80/ retry=0
  ProxyPassReverse / http://localhost:80/
  ProxyPreserveHost on
  RequestHeader set X-Forwarded-Proto "https" early
</VirtualHost>
—
Once everything is working you should also go through and tighten up the security a bit. More here: https://docs.aws.amazon.com/linux/al2023/ug/SSL-on-amazon-linux-2023.html
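As an added pre-deploy check (example code written for this page, not part of the question, the answer or the AWS guide): a small Python audit that parses the .platform/httpd/conf.d/ssl.conf above and flags the settings worth tightening, for instance that SSLProtocol All -SSLv2 -SSLv3 still admits TLSv1 and TLSv1.1. The thresholds (one-year HSTS max-age, loopback-only ProxyPass backend) are the author's assumptions, and the embedded config is trimmed to the directives the audit inspects.

```python
import re

# The answer's ssl.conf, embedded as sample input (trimmed to the directives audited).
SSL_CONF = """\
LoadModule ssl_module modules/mod_ssl.so
<VirtualHost *:443>
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
SSLEngine on
SSLCertificateFile "/etc/pki/tls/certs/server.crt"
SSLCertificateKeyFile "/etc/pki/tls/certs/server.key"
SSLProtocol All -SSLv2 -SSLv3
SSLSessionTickets Off
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
ProxyPass / http://localhost:80/ retry=0
</VirtualHost>
"""

def parse_directives(text):
    """Map lowercase directive name -> list of argument strings; skips comments and <section> tags."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#<":
            continue
        name, _, args = line.partition(" ")
        found.setdefault(name.lower(), []).append(args.strip())
    return found

def audit(text):
    """Return (directive, advice) pairs for settings worth tightening after the migration."""
    d = parse_directives(text)
    findings = []
    tokens = d.get("sslprotocol", [""])[0].lower().split()
    # "All -SSLv2 -SSLv3" still enables TLSv1 and TLSv1.1, both deprecated by RFC 8996.
    if "all" in tokens and ("-tlsv1" not in tokens or "-tlsv1.1" not in tokens):
        findings.append(("SSLProtocol", "TLSv1/TLSv1.1 enabled; use 'SSLProtocol -all +TLSv1.2 +TLSv1.3'"))
    if "order" in d or "allow" in d:  # Apache 2.2 syntax, only honoured via mod_access_compat
        findings.append(("Order/Allow", "use the 2.4 form 'Require all granted' inside <Proxy *>"))
    for args in d.get("header", []):
        if "strict-transport-security" in args.lower():
            age = re.search(r"max-age=(\d+)", args)
            if age is None or int(age.group(1)) < 31536000 or "includesubdomains" not in args.lower():
                findings.append(("Strict-Transport-Security", "preload needs max-age >= 1 year and includeSubDomains"))
    for args in d.get("proxypass", []):  # backend must stay on loopback so plain HTTP never leaves the box
        if not re.search(r"^\S+\s+https?://(localhost|127\.0\.0\.1)[:/]", args):
            findings.append(("ProxyPass", "backend should be the local PHP vhost, not a routable host"))
    return findings
```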