Subscribe to Email Updates

Discovery Workshop Download

How to Add an SSL Certificate to a Single Instance EBS Server for a Node.js App

Posted by Chester Schofield on May 18, 2017

SSL certificates are a necessary nuisance.

No one really enjoys working with them, and adding them to a project can be as simple as checking a box or a wildly, unexpectedly, difficult task. 

This is an article about the second sort of SSL cert. 

I recently needed to add an SSL certificate to a very specific project: a Node.js app running on a single-instance EBS server using nginx. For some context, we're talking about a child application of a larger project. It used the same DB but was otherwise distinct and on its own server. We chose not to go the route of using a load balancer, as the parent application already held a wild card certification, and - since the EBS server was primarily for a dev instance - scale wasn't really a concern. But of course, we still needed the cert. 

Some quick Googling turned up the following tutorial links:

Terminating HTTPS on EC2 Instances Running Node.js

Storing Private Keys Securely in Amazon S3

And you know what? They're great. They're from the AWS team, and they're fairly comprehensive. Unfortunately, they still leave a couple questions unanswered.

My biggest challenge was figuring out how to allow an elastic beanstalk instance to communicate with an S3 bucket. The solution: create a user allowed to both pull from the bucket and interact with the EC2 instance, connecting EB and the S3 bucket. Need to give EC2 instance information on which user you'll be allowing to interact with the S3 bucket, do so by setting environment variables and giving users a specific IAM Role. 

chester-ssl-add-diagram-1.png

Digging up these solutions on my own was anything but fun, and I'd hate for you to have to repeat the process. So, step-by-step, here's how to get things done the easy way:

Before you use the links above

Add the needed environment variables to the EBS configuration

  1. From the AWS console select your EBS application

  2. Navigate to 'Configuration'

  3. Select the gear icon on 'Software Configuration'

  4. Add the following Environment Variables

    1. AWS_SECRET_ACCESS_KEY

    2. AWS_ACCESS_KEY_ID

Set the necessary Permissions on the IAM user you defined in the environment variables above

  1. Add the following permissions: 

    1. AmazonS3FullAccess

    2. AWSElasticBeanstalkFullAccess

If EBS didn't create an S3 bucket for your environment then you'll need to create one

  1. From the AWS console navigate to the S3 service

  2. Create a new bucket

  3. Create a folder 'ssl'

  4. Attach a Bucket Policy

    1. Use the AWS policy generator to build the policy Policy Generator

      1. Select Type of Policy: S3 Bucket Policy

      2. Effect: Allow

      3. Principal: The ARN of your IAM Role (aws-elasticbeanstalk-ec2-role)

      4. AWS Service: Amazon S3

      5. Actions: GetObject

      6. Amazon Resource Name (ARN): The arn of the S3 bucket followed by '/ssl/*' 

If you're having trouble with the links above:

  1. SSH into the server into the server and check if the cert and private key were uploaded to the server

  2. Check out the logs from the EBS application

  3. Check out these examples:

    https-instance.config 

    https-instance-single.config 

     

If you have any additional questions, feel free to shoot me an email at cschofield (at) lookfar.com.

Tell the story of your startup city
Chester Schofield

Written by Chester Schofield