我试图在我的TOMCAT elastic beanstalk EC2实例中安装SSL证书。我还希望我的应用程序监听端口443上的HTTPS请求。作为起点,我基于this link上的解决方案。将SSL证书配置为单个Elastic Beanstalk TOMCAT实例
经过一段时间的大量尝试后,我无法安装证书或使端口443侦听到HTTPS请求。
那些是我遵循以下步骤:
1)I建立与在SRC ROOT一个.ebextensions文件夹中的WAR,如下
ROOT.war
|
WEB-INF
META-INF
.ebextensions
|
https-instance-single.config
https-instance.config
2)HTTPS-instance.config文件内容
packages:
yum:
mod_ssl : []
container_commands:
1killhttpd:
command: "killall httpd"
ignoreErrors: true
2wait:
command: "sleep 3"
files:
# Apache HTTPS configuration
/etc/httpd/conf.d/ssl.conf:
mode: "000644"
owner: root
group: root
content: |
LoadModule ssl_module modules/mod_ssl.so
Listen 443
<VirtualHost *:443>
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
SSLEngine on
SSLCertificateFile "/etc/pki/tls/certs/server.crt"
SSLCertificateKeyFile "/etc/pki/tls/certs/server.key"
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
ProxyPass/http://localhost:8080/ retry=0
ProxyPassReverse/http://localhost:8080/
ProxyPreserveHost on
</VirtualHost>
# Public certificate
/etc/pki/tls/certs/server.crt:
mode: "000400"
owner: root
group: root
content: |
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----
/etc/pki/tls/certs/server.key:
mode: "000400"
owner: root
group: root
content: |
-----BEGIN RSA PRIVATE KEY-----
XXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END RSA PRIVATE KEY-----
/etc/pki/tls/certs/gd_bundle.crt:
mode: "000400"
owner: root
group: root
content: |
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----
3)HTTPS实例-single.config文件内容
Resources:
sslSecurityGroupIngress:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
IpProtocol: tcp
ToPort: 443
FromPort: 443
CidrIp: 0.0.0.0/0
4)然后我使用弹性beanstalk控制台部署我的WAR(在进程中至少在控制台中引发了没有错误消息)。
我的战争如指定,我的web应用程序运行完美,但没有SSL配置和HTTPS请求没有被重定向到端口443.更糟糕的是,应用程序甚至没有收听HTTPS请求。
任何人都有光?我不想使用ELB(弹性负载平衡器),因为我正在迁移一堆小应用程序,这会带来我大幅增加的成本(每个应用程序大约20美元)。
你摸不着头脑? – hgolov
什么都没有!有什么想法吗? –
我有同样的问题,没有解决方案:( –