
HTTPS not working on AWS Elastic BeanStalk single instance Java platform


I configured my AWS Elastic BeanStalk single instance to use the HTTPS protocol for my custom domain attached to it, using the official documentation provided by AWS for the JAVA SE platform (Terminating HTTPS on EC2 instances running Java SE). However, when I access the domain the browser still says it's not secure.

In order to make it HTTPS I created a new .ebextensions folder inside the root directory of my project and added the following files:

.ebextensions/nginx/conf.d/https.conf:

# HTTPS server

server {
    listen       443;
    server_name  localhost;

    ssl                  on;
    ssl_certificate      /etc/pki/tls/certs/server.crt;
    ssl_certificate_key  /etc/pki/tls/certs/server.key;

    ssl_session_timeout  5m;

    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers   on;

    location / {
        proxy_pass  http://localhost:5000;
        proxy_set_header   Connection "";
        proxy_http_version 1.1;
        proxy_set_header        Host            $host;
        proxy_set_header        X-Real-IP       $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto https;
    }
}

with the proxy_pass being set to localhost:5000 as I configured it on my instance using the SERVER_PORT 5000 parameter.

.ebextensions/https-instance.config:

files:
  /etc/pki/tls/certs/server.crt:
    content: |
      -----BEGIN CERTIFICATE-----
      certificate file contents (certificate.crt)
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      intermediate certificate (ca_bundle.crt)
      -----END CERTIFICATE-----
      
  /etc/pki/tls/certs/server.key:
    content: |
      -----BEGIN RSA PRIVATE KEY-----
      private key contents (private.key)
      -----END RSA PRIVATE KEY-----

container_commands:
  01restart_nginx:
    command: "service nginx restart"

where I generated a 90-day certificate for my custom domain (www.my-custom-domain.com) using ZeroSSL, which generated the following files: ca_bundle.crt, certificate.crt and private.key.

.ebextensions/https-instance-single.config:

Resources:
  sslSecurityGroupIngress: 
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0

I created these files in IntelliJ using spaces as indentation, just like the AWS documentation says, and also added the .ebextensions folder to the root of my .war archive, which I deployed to my Elastic BeanStalk instance.

Do you have any idea why it's not working?


Solution

  • I managed to fix it by actually switching to a load-balanced instance. From there the process was much easier. These are the steps I did:

    • create a new load-balanced instance
    • create a new SSL certificate for the custom domain from the AWS Certificate Manager (used both with and without the www prefix)
    • create two A-record aliases for the custom domain, both with and without the www prefix
    • create a HTTPS inbound rule on the instance's security group
    • added a new HTTPS listener using the new certificate
    • changed the HTTP listener to redirect to HTTPS

    Since the process of creating a load balanced instance is as easy as a single instance one, it is worth doing it this way rather than going the hard way of overwriting the server config files.
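
For readers who keep the single-instance setup, the following is an added example (not part of the original post or of AWS's documentation): a small Python check of the TLS directives in the question's https.conf, run against that block and against a hardened variant. The finding names and the hardened sample are assumptions made for the example, and the check does not establish why the asker's browser reported the site as not secure.

```python
import re

LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # TLS 1.0/1.1 are deprecated by RFC 8996

# Constructed sample: the TLS directives from the question's https.conf.
QUESTION_CONF = """
# HTTPS server
server {
    listen 443;
    ssl on;
    ssl_certificate /etc/pki/tls/certs/server.crt;
    ssl_certificate_key /etc/pki/tls/certs/server.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
"""

# Constructed sample (assumption): TLS enabled on the listen socket, modern protocols only.
HARDENED_CONF = """
server {
    listen 443 ssl;
    ssl_certificate /etc/pki/tls/certs/server.crt;
    ssl_certificate_key /etc/pki/tls/certs/server.key;
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""

def directives(conf):
    """Yield (name, args) per directive. Simplified: quoted ';' or '#' is not handled."""
    for stmt in re.split(r"[;{}]", re.sub(r"#[^\n]*", "", conf)):
        parts = stmt.split()
        if parts:
            yield parts[0], parts[1:]

def audit(conf):
    """Return sorted finding codes for a file that holds a single TLS server block."""
    seen, findings = {}, set()
    for name, args in directives(conf):
        seen.setdefault(name, []).extend(args)
    if seen.get("ssl") == ["on"]:
        findings.add("ssl-on-directive")    # obsolete since nginx 1.15.0, removed in 1.25.1
    elif "ssl" not in seen.get("listen", []):
        findings.add("listen-without-ssl")  # the port would serve plain HTTP
    for proto in LEGACY & set(seen.get("ssl_protocols", [])):
        findings.add("legacy-protocol:" + proto)
    for required in ("ssl_certificate", "ssl_certificate_key"):
        if required not in seen:
            findings.add("missing:" + required)
    return sorted(findings)
```

Calling `audit(QUESTION_CONF)` reports the `ssl on;` directive and the two legacy protocol versions, while `audit(HARDENED_CONF)` returns an empty list.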