Steps to Install an SSL Certificate for Tomcat on an AWS EC2 Instance
1) Generate CSR
2) Purchase Your SSL Certificate
3) Activate your SSL Certificate.
   1) Download Certificate File
   2) Convert into required format
4) Create Elastic Load Balancer.
1) Generate CSR
Before we go ahead we need an AWS account and an EC2 instance with Tomcat already installed and running inside it.
Connect to your EC2 instance through PuTTY, or through Terminal on a Mac, by entering the following command (macOS). Note that sudo is not needed for ssh; it is what causes the Password: prompt in the session below. The .pem key file only needs to be readable by your own user (chmod 400).
Last login: Wed Apr 3 08:14:13 on console
Mukeshs-MacBook-Air:~ mukeshchoudhary$ sudo ssh -i Desktop/AWS-2019/touristvisaonine2019.pem ec2-user@ec2-13-234-72-211.ap-south-1.compute.amazonaws.com
Password:
Last login: Sat Mar 30 12:44:15 2019 from 223.190.91.168
__| __|_ )
_| ( / Amazon Linux AMI
___|\___|___|
https://aws.amazon.com/amazon-linux-ami/2018.03-release-notes/
13 package(s) needed for security, out of 20 available
Run "sudo yum update" to apply all updates.
-bash: warning: setlocale: LC_CTYPE: cannot change locale (UTF-8): No such file or directory
[ec2-user@ip-172-31-31-148 ~]$
After a successful connection we generate the CSR by running this command:
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
This generates server.csr and server.key in the current directory. Because of -nodes the private key is written without a passphrase, so restrict it to your user right away (chmod 600 server.key) and delete it from the instance once it has been imported into ACM; from then on the load balancer, not Tomcat, holds the key.
The command prompts for the following information, which we answered as follows.
------------------------------------------------------------------------
[ec2-user@ip-172-31-31-148 ~]$ openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
Generating a 2048 bit RSA private key
..................................+++
......................................................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Uttar Pradesh
Locality Name (eg, city) [Default City]:Noida
Organization Name (eg, company) [Default Company Ltd]:Tourist Visa Online E - Visa Services
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:www.touristvisaonline.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[ec2-user@ip-172-31-31-148 ~]$
This command generates two files: server.csr (the request you send to the CA) and server.key (the private key, which never leaves your side).
Note: AWS Certificate Manager requires the certificate, its private key and the chain to be PEM encoded, and the key must be unencrypted. The key written by openssl req is already PEM; rewriting it with openssl rsa produces the traditional PKCS#1 form that begins with -----BEGIN RSA PRIVATE KEY-----, which ACM accepts. (On OpenSSL 3 this command writes PKCS#8 by default; add -traditional to get the same form.)
openssl rsa -in server.key -outform PEM > server.private.pem
As follows:
[ec2-user@ip-172-31-31-148 ~]$ ls
GeoLite2-Country.mmdb server.csr server.key touristvisaonline.war
[ec2-user@ip-172-31-31-148 ~]$ openssl rsa -in server.key -outform PEM > server.private.pem
writing RSA key
[ec2-user@ip-172-31-31-148 ~]$ ls
GeoLite2-Country.mmdb server.csr server.key server.private.pem touristvisaonline.war
[ec2-user@ip-172-31-31-148 ~]$
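The interactive session above can be made repeatable and checked before the CSR leaves the instance. The script below is an added example, not part of the original post: it writes the same DN non-interactively, adds a subjectAltName for both the www and bare hostnames (an assumption; the CSR above carries only a CN, and browsers match on the SAN), keeps the passphrase-less key owner-only from the moment it is written, rewrites it in the PKCS#1 form the post pastes into ACM, and confirms that the CSR's public key matches the private key. The working directory and the hostnames are the script's own assumptions.

```shell
#!/bin/sh
# Added example: non-interactive key + CSR generation with the checks worth
# running before the CSR goes to the CA. Everything here is an assumption
# except the DN fields, which are the ones typed in the session above.
set -eu

# Write an OpenSSL request config; "prompt = no" makes the run non-interactive.
# A config file (rather than -addext) keeps this working on the OpenSSL 1.0.x
# shipped with the Amazon Linux AMI used in the post.
write_req_config() {              # write_req_config <file> <cn> <alt-name>
  cnf="$1"; cn="$2"; alt="$3"
  cat > "$cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
C  = IN
ST = Uttar Pradesh
L  = Noida
O  = Tourist Visa Online E - Visa Services
OU = IT
CN = $cn
[v3_req]
subjectAltName = DNS:$cn, DNS:$alt
EOF
}

# Generate server.key (unencrypted, because of -nodes) and server.csr in $dir.
# The subshell umask makes the key mode 0600 from the moment it is written,
# instead of leaving it world-readable in the home directory.
make_csr() {                      # make_csr <dir> <cn> <alt-name>
  dir="$1"; cn="$2"; alt="$3"
  write_req_config "$dir/csr.cnf" "$cn" "$alt"
  ( umask 077
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/csr.cnf" \
      -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    # Same step as the post's "openssl rsa -in server.key -outform PEM":
    # emit the traditional PKCS#1 "BEGIN RSA PRIVATE KEY" form. OpenSSL 3
    # writes PKCS#8 unless told -traditional; 1.x does not know that flag
    # and already writes PKCS#1, so fall back to the plain command there.
    openssl rsa -in "$dir/server.key" -out "$dir/server.private.pem" \
      -traditional 2>/dev/null \
    || openssl rsa -in "$dir/server.key" -out "$dir/server.private.pem" 2>/dev/null
  )
}

# Common Name the CA will see, printed in RFC 2253 form so the output is the
# same across OpenSSL versions.
csr_cn() {
  openssl req -in "$1/server.csr" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject= *CN=\([^,]*\).*/\1/p'
}

# Subject alternative names carried by the CSR (what the CA should copy into
# the certificate; browsers ignore the CN).
csr_sans() {
  openssl req -in "$1/server.csr" -noout -text \
    | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

# The check that catches a mixed-up key: the CSR's public key must equal the
# public key derived from the private key that will be pasted into ACM.
csr_matches_key() {
  a=$(openssl req -in "$1/server.csr" -noout -pubkey)
  b=$(openssl rsa -in "$1/server.private.pem" -pubout 2>/dev/null)
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# First line of the converted key: tells you which PEM form you have.
key_pem_header() { head -n 1 "$1/server.private.pem"; }

if [ "${1:-}" = "run" ]; then
  d=$(mktemp -d)
  make_csr "$d" "www.touristvisaonline.com" "touristvisaonline.com"
  echo "CN:  $(csr_cn "$d")"
  echo "SAN: $(csr_sans "$d")"
  echo "Key: $(key_pem_header "$d")"
  csr_matches_key "$d" && echo "CSR and private key match ($d)"
fi
```

Save it under any name and run it with the argument run; send the resulting server.csr to the CA and keep server.private.pem for the ACM private-key field. The key/CSR match check is the one to rerun if the ACM import later complains that the key does not match the certificate.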
Now submit server.csr to the CA from which you bought the certificate; it issues the certificate and you download it.
Then go to AWS Certificate Manager, choose Provision certificates, and click Import a certificate.
The import window has three fields, all PEM encoded, and they must be filled very carefully because each one takes a different thing:
Certificate body: your own (end-entity) certificate, the one issued for www.touristvisaonline.com.
Certificate private key: the PEM-encoded server.private.pem generated in step 1 together with the CSR. The CA never has this file; it comes only from your server.
Certificate chain: the intermediate CA certificates concatenated into one PEM file, starting with the CA that signed your certificate and going upward.
Suppose the Comodo download contains the following files:
1) COMODORSADomainValidationSecureServerCA.crt
2) COMODORSAAddTrustCA.crt
3) AddTrustExternalCARoot.crt
4) ..... one more here
Files 1 and 2 are the intermediates (1 is the CA that signed our certificate) and 3 is the root. Combine them, in that order, into one file called server.chain with this command (no sudo is needed; it only concatenates files):
cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > server.chain
The root is optional in the chain, since browsers trust it from their own store. Note that AddTrust External CA Root expired on 30 May 2020; bundles issued since then use a different root, so include only the intermediate files your CA currently ships.
Note: these are the steps for a Comodo certificate.
If you download the certificate from GoDaddy instead, you get three files:
1) bc3c2b1562fc680f.crt -- your certificate (goes in Certificate body)
2) gd_bundle-g2-g1.crt -- the certificate chain, already concatenated in the right order
3) gdig2.crt.pem -- the GoDaddy issuing intermediate CA certificate, not a private key. No CA can provide your private key, which is why pasting this file into the private key field fails with an error; that field takes server.private.pem from step 1.
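What the chain field must contain, and how to check it before importing, as an added example (these are not the post's commands). Real CA bundles cannot be embedded here, so the script builds a throwaway three-level PKI (root, issuing intermediate, leaf) with openssl, assembles the chain in the order ACM expects, verifies the leaf against it the way a browser would, and checks that the first certificate in the chain is the leaf's issuer. The names and one-day lifetimes are assumptions; with a real download, leaf.pem is your own certificate and chain.pem is the concatenated intermediates.

```shell
#!/bin/sh
# Added example: assemble and verify a certificate chain the way ACM wants it.
# Uses a constructed root -> intermediate -> leaf PKI; substitute the files
# from your CA for the leaf and intermediate(s) in practice.
set -eu

# Minimal request config so every openssl call runs non-interactively and
# works on OpenSSL 1.0.x as well as 3.x (no -addext). The extension sections
# are selected by name when signing.
req_cnf() {                       # req_cnf <file> <cn>
  cat > "$1" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $2
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
EOF
}

# Build the toy PKI in $1: root.pem, int.pem, leaf.pem (plus their keys).
build_toy_pki() {
  d="$1"
  req_cnf "$d/root.cnf" "Example Root CA"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/root.cnf" \
    -extensions ca_ext -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  req_cnf "$d/int.cnf" "Example Issuing CA"
  openssl req -new -newkey rsa:2048 -nodes -config "$d/int.cnf" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 1 -extfile "$d/int.cnf" -extensions ca_ext \
    -out "$d/int.pem" 2>/dev/null
  req_cnf "$d/leaf.cnf" "www.touristvisaonline.com"
  openssl req -new -newkey rsa:2048 -nodes -config "$d/leaf.cnf" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 1 -extfile "$d/leaf.cnf" -extensions leaf_ext \
    -out "$d/leaf.pem" 2>/dev/null
}

# ACM's "Certificate chain" field: intermediates only, issuer of the leaf
# first. No sudo is needed; it is plain concatenation.
build_chain() {                   # build_chain <out.pem> <issuing.pem> [<next-up.pem> ...]
  out="$1"; shift
  cat "$@" > "$out"
}

# Subject or issuer in RFC 2253 form with the "subject=" prefix stripped, so
# values compare equal across OpenSSL versions. openssl x509 reads only the
# FIRST PEM block of a file, which is exactly "head of chain" here.
x509_name() {                     # x509_name -subject|-issuer <file>
  openssl x509 -in "$2" -noout "$1" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
}

# Check 1: the first certificate in the chain must be the leaf's issuer.
chain_starts_with_issuer() {      # chain_starts_with_issuer <leaf> <chain>
  [ "$(x509_name -issuer "$1")" = "$(x509_name -subject "$2")" ]
}

# Check 2: the leaf must validate up to the root using only the chain as
# untrusted intermediates, which is how a browser sees it.
chain_verifies() {                # chain_verifies <leaf> <chain> <root>
  openssl verify -CAfile "$3" -untrusted "$2" "$1" 2>&1 | grep -q ': OK$'
}

if [ "${1:-}" = "run" ]; then
  d=$(mktemp -d); build_toy_pki "$d"
  build_chain "$d/chain.pem" "$d/int.pem"
  chain_starts_with_issuer "$d/leaf.pem" "$d/chain.pem" && echo "chain order OK"
  chain_verifies "$d/leaf.pem" "$d/chain.pem" "$d/root.pem" && echo "leaf verifies OK"
  # Pasting the root where the intermediate belongs is the common mistake:
  chain_starts_with_issuer "$d/leaf.pem" "$d/root.pem" || echo "root-first chain rejected"
fi
```

With a real bundle, run chain_starts_with_issuer against your certificate and the file you intend to paste as the chain, and chain_verifies with the CA's root file; both must pass before the import. openssl verify treats -untrusted as an unordered pool, which is why the first check exists: order is not validated by openssl but is what ACM and TLS clients expect.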
After the certificate is imported into ACM we are ready to use it on our AWS load balancer, as follows.
Use Your Certificate with an Amazon Elastic Load Balancer
The easiest way to provide HTTPS access to web resources running in your AWS instance is to set up an Elastic Load Balancer and configure it with your new SSL certificate. The load balancer terminates TLS, so you do not have to configure Tomcat itself (no keystore, no HTTPS connector) to support HTTPS; only the hop from the load balancer to the instance stays plain HTTP inside the VPC.
Follow the AWS Console Elastic Load Balancer setup wizard to create a new load balancer. On the first screen, add a listener for HTTPS (port 443). You can keep HTTP (port 80) as well if you want to accept unencrypted requests, which you normally do only in order to redirect them to HTTPS.
Select the security group for your load balancer. An internet-facing load balancer needs inbound 443 (and 80, if kept) from 0.0.0.0/0; the default VPC security group only allows inbound traffic from members of the same group, so on its own it is not enough. The instance's own security group should allow port 80 from the load balancer's security group only, so that Tomcat cannot be reached directly.
The third screen is the one to get right. This is where the certificate is attached for the first time. Once done, the same certificate can be reused on other listeners and, if it is a wildcard certificate (or lists the names as SANs), on other subdomains you create later.
The easiest way to install an SSL certificate in AWS is on an Amazon Elastic Load Balancer.
There are 3 types of load balancer:
1) Application Load Balancer
2) Network Load Balancer
3) Classic Load Balancer
All three can terminate TLS with a certificate from ACM; this guide uses the Classic Load Balancer.
Select Classic Load Balancer, then click Create.
Now we define the load balancer name, then the load balancer protocol and port and the instance protocol and port. The load balancer port and the instance port may differ. Here both listeners (HTTP 80 and HTTPS 443) forward to the instance on HTTP port 80, and on the instance an iptables NAT rule redirects port 80 to 8080 so that Tomcat can keep running as an unprivileged user. TLS ends at the load balancer; the request reaches Tomcat as plain HTTP with X-Forwarded-Proto set to https or http. Once done, click Next: Assign Security Groups.
Now choose the security group very carefully; we selected an already-created group. It must allow inbound 443 (and 80) from the internet, and the instance's group should accept port 80 only from this group.
Step 3: Configure Security Settings (SSL).
If the certificate is already imported into ACM, pick Choose a certificate from ACM among the three options. Leave the predefined security policy at the current default (ELBSecurityPolicy-2016-08 at the time of writing) rather than enabling older protocols.
Step 4: Configure Health Check.
Here we define the ping path (the page the load balancer requests), and we can also customize the response timeout, the interval, and the thresholds.
The unhealthy threshold is the number of consecutive failed checks after which the instance is marked OutOfService: with a 30-second interval and an unhealthy threshold of 2, an instance that fails two checks in a row (about a minute) stops receiving traffic. The healthy threshold is the number of consecutive successes needed to bring it back InService.
Step 5: Add the EC2 instances that we want to attach to the load balancer.
Here we select the instance from the table of available instances and attach it.
Step 6: Add tags.
Finally, review and create the Classic Load Balancer.
Now we are done with the Classic Load Balancer.
Once the Classic Load Balancer is created, send traffic to it from Route 53: instead of an A record pointing at the instance IP, create an A record for the www name, tick the Alias checkbox, and from Alias Target choose the load balancer's DNS name, as shown here.
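Tomcat only ever sees plain HTTP from the load balancer, so two things on the instance decide whether the HTTPS setup is actually correct: the port redirect mentioned above, and telling Tomcat that requests arriving with X-Forwarded-Proto: https are secure (otherwise request.isSecure() is false, the session cookie is not marked Secure, and any redirect Tomcat generates points back at http://). The script below is an added example, not the post's configuration: it carries the iptables rule (80 to 8080, plus the OUTPUT-chain rule needed for local curl checks), the stock Tomcat connector beside the corrected connector and RemoteIpValve for server.xml, the web.xml constraint that redirects http://www to https when the application rather than the Classic Load Balancer must do so, and a check that greps a server.xml for those settings. The VPC range (172.31.0.0/16, the default-VPC range seen in the session above) and all paths are assumptions.

```shell
#!/bin/sh
# Added example: the EC2/Tomcat side of "TLS ends at the Classic Load
# Balancer, Tomcat gets plain HTTP on port 80". The internalProxies range
# and the file locations are assumptions.
set -eu

# 1) The port redirect the post mentions: Tomcat stays unprivileged on 8080
#    and the kernel maps :80 to it. PREROUTING handles the load balancer's
#    traffic; the OUTPUT rule makes "curl http://localhost/" on the instance
#    behave the same, which helps when reproducing health-check failures.
#    Checking with -C first makes the function safe to re-run. Needs root.
install_port_redirect() {
  rule="-p tcp --dport 80 -j REDIRECT --to-ports 8080"
  iptables -t nat -C PREROUTING $rule 2>/dev/null || iptables -t nat -A PREROUTING $rule
  iptables -t nat -C OUTPUT -o lo $rule 2>/dev/null || iptables -t nat -A OUTPUT -o lo $rule
}

# 2) server.xml, stock form: what the Tomcat package ships with, and what
#    makes HTTPS-behind-a-load-balancer subtly wrong: every request looks
#    like plain HTTP to the application and redirects go to :8443.
stock_server_xml_fragment() {
  cat <<'EOF'
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
           redirectPort="8443" />
EOF
}

# 3) server.xml, corrected: RemoteIpValve trusts X-Forwarded-For and
#    X-Forwarded-Proto only when the hop came from inside the VPC (the LB),
#    so request.isSecure() and getRemoteAddr() reflect the real client and
#    the JSESSIONID cookie is issued with the Secure flag. redirectPort="443"
#    sends any http->https redirect to the LB's HTTPS listener.
server_xml_fragment() {
  cat <<'EOF'
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
           redirectPort="443" />
<!-- inside <Host>: -->
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       internalProxies="172\.31\.\d{1,3}\.\d{1,3}"
       remoteIpHeader="X-Forwarded-For"
       protocolHeader="X-Forwarded-Proto"
       httpsServerPort="443" />
EOF
}

# 4) web.xml: with the valve in place, a request that reached Tomcat via the
#    LB's port-80 listener (X-Forwarded-Proto: http) is answered with a
#    redirect to https. The Classic Load Balancer cannot do this itself.
#    Keep the LB's health-check path outside this url-pattern (or use a
#    TCP:80 health check): the checker sends plain HTTP with no forwarded
#    header and treats the resulting 302 as a failure.
web_xml_fragment() {
  cat <<'EOF'
<security-constraint>
  <web-resource-collection>
    <web-resource-name>application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
EOF
}

# 5) Check an existing server.xml for the three settings above; returns 0 if
#    all are present. Run against $CATALINA_HOME/conf/server.xml after editing.
tomcat_trusts_lb() {
  grep -q 'className="org.apache.catalina.valves.RemoteIpValve"' "$1" \
  && grep -q 'protocolHeader="X-Forwarded-Proto"' "$1" \
  && grep -q 'redirectPort="443"' "$1"
}
```

After editing server.xml, restart Tomcat and confirm with tomcat_trusts_lb; a request through the load balancer should then produce a Secure session cookie, and the Tomcat access log (with the valve) records the client's address instead of the load balancer's.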
HOW TO REDIRECT FROM HTTP TO HTTPS IN AWS.
Step 1: Create a bucket named exactly after the apex domain, like boolment.com or touristvisaonline.com, with the default configuration. Once created, it looks like this.
Step 2: Select the bucket, go to Properties > Static website hosting, choose Redirect requests, and enter the target host (www.touristvisaonline.com) with protocol https.
Step 3: In Route 53 create an alias record set for the apex name pointing at the bucket's S3 website endpoint; in the image below, on the right-hand side, we have created this record set.
This covers http://touristvisaonline.com only. The S3 website endpoint does not serve HTTPS, and http://www.touristvisaonline.com arrives at Tomcat through the load balancer's port 80 listener, so the application must redirect that case itself.
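The bucket-redirect method above in CLI form, as an added example rather than the post's own commands: the bucket must be named exactly like the apex hostname for the Route 53 alias to an S3 website endpoint to work, the website configuration is a plain RedirectAllRequestsTo with Protocol https, and a helper rejects the two mistakes that produce a loop or a dead record. The region and hostnames are assumptions.

```shell
#!/bin/sh
# Added example: apex -> https://www redirect through an S3 website bucket,
# in CLI form. Bucket name, hostnames and region are assumptions.
set -eu

# Validate before touching AWS. Route 53 can alias an S3 *website* endpoint
# only when the bucket is named exactly like the record (the apex host), and
# a bucket that redirects to its own name loops forever.
check_redirect_pair() {           # check_redirect_pair <bucket> <target-host>
  bucket="$1"; target="$2"
  case "$bucket" in
    *.*) ;;
    *) echo "bucket '$bucket' must be the apex hostname" >&2; return 1 ;;
  esac
  case "$target" in
    */*|*:*) echo "target '$target' must be a bare hostname" >&2; return 1 ;;
  esac
  if [ "$bucket" = "$target" ]; then
    echo "redirect loop: $bucket -> $target" >&2; return 1
  fi
  return 0
}

# Website configuration: every request, whatever the path, gets a 301 to the
# same path on https://<target>. No objects are ever stored in this bucket.
website_config_json() {           # website_config_json <target-host>
  printf '{"RedirectAllRequestsTo":{"HostName":"%s","Protocol":"https"}}' "$1"
}

# Create the bucket and apply the redirect. (For us-east-1 omit the
# --create-bucket-configuration argument.) The website endpoint shown under
# Properties > Static website hosting is what the Route 53 alias points at.
apply_apex_redirect() {           # apply_apex_redirect <bucket> <target-host> <region>
  bucket="$1"; target="$2"; region="$3"
  check_redirect_pair "$bucket" "$target"
  aws s3api create-bucket --bucket "$bucket" --region "$region" \
    --create-bucket-configuration "LocationConstraint=$region"
  aws s3api put-bucket-website --bucket "$bucket" \
    --website-configuration "$(website_config_json "$target")"
}

# Once DNS is live: an http:// request to the apex must answer with a
# Location that is https:// on the www host, path preserved. An https://
# request to the apex will NOT work with this method; that needs CloudFront
# (with a certificate covering the apex) in front of the bucket.
check_live_redirect() {           # check_live_redirect <apex-host> <target-host>
  curl -sI "http://$1/some/path" | tr -d '\r' \
    | grep -i "^location: https://$2/some/path\$"
}
```

Example use: apply_apex_redirect touristvisaonline.com www.touristvisaonline.com ap-south-1, then, after the Route 53 alias resolves, check_live_redirect touristvisaonline.com www.touristvisaonline.com.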
HOW TO SERVE YOUR STATIC RESOURCES THROUGH CLOUDFRONT WITH A CUSTOM CNAME.
Steps to be followed to achieve this:
1) Create an S3 bucket with any name; we created assets.touristvisaonline.com.
2) Create a CloudFront distribution by clicking Create Distribution.
3) Select the type of distribution (here we select Web, then click Get Started).
4) Enter the information as shown in the pictures: the bucket as the origin, and assets.touristvisaonline.com under Alternate Domain Names (CNAMEs).
Now we have created our web distribution.
Step 5) To access this web distribution through the Alternate Domain Name (CNAME) we create a record set in Route 53 as follows: a CNAME (or an alias A record) for assets.touristvisaonline.com pointing at the distribution's *.cloudfront.net domain name.
Step 6) We can also use an AWS-issued ACM certificate for the S3 static assets.
A. In ACM choose Request a certificate.
Here we enter our domain, like *.touristvisaonline.com (or *.your_domain_name.com), and then click Next, as shown in the picture below. CloudFront only accepts certificates from the us-east-1 (N. Virginia) region, so request this certificate there even though the rest of the stack is in ap-south-1.
Now we validate the certificate with DNS validation by creating the CNAME record ACM shows in Route 53. You can create it by just clicking Create record in Route 53, then click Continue.
Once the record exists it takes some time (around 15-30 minutes) and the status changes to Issued.
Once the certificate is issued we select it as the Custom SSL Certificate in the CloudFront distribution.
Note: SOME COMMON ISSUES WE FACED WITH TOMCAT AS THE BACKEND SERVER AND A CLASSIC LOAD BALANCER IN FRONT HANDLING REQUESTS.
Sometimes, after deploying a WAR file and restarting the server, the Classic Load Balancer marks the instance OutOfService. Tomcat can take longer to start than the health check allows, so consecutive checks fail and the unhealthy threshold is reached. To resolve this, relax the health check timing as shown (a longer interval or a higher unhealthy threshold); the instance returns InService once the healthy-threshold number of checks succeed.
NOTE: SOMETIMES WHEN WE ACCESS STATIC ASSETS FROM CLOUDFRONT THE BROWSER REPORTS A CROSS-ORIGIN (CORS) ERROR. HOW TO SOLVE THIS PROBLEM:
A) Two things are needed: a CORS configuration on the assets bucket that allows the site's origin, and, in the CloudFront cache behavior, whitelisting the Origin header (Cache Based on Selected Request Headers > Whitelist > Origin) so that the header is forwarded to S3 and CloudFront caches responses per origin. Without the whitelisted header S3 never sees the Origin, returns no Access-Control-Allow-Origin, and that response gets cached,
as shown in the picture.
Everything is well explained in this article. But I have got a question: where can I download this certificate? I haven't found any links here.