
How to install an SSL certificate on Tomcat on an AWS EC2 instance

Steps to install an SSL certificate for Tomcat on an AWS EC2 instance

1) Generate CSR
2) Purchase your SSL certificate
3) Activate your SSL certificate
    1) Download the certificate file
    2) Convert it into the required format
4) Create an Elastic Load Balancer


1) Generate CSR

Before we go ahead we need an AWS account and an EC2 instance with Tomcat already installed and running inside it.

Connect to your EC2 instance through PuTTY, or through Terminal on a Mac,

by entering the following command in Terminal (macOS):


Last login: Wed Apr  3 08:14:13 on console
Mukeshs-MacBook-Air:~ mukeshchoudhary$ sudo ssh -i Desktop/AWS-2019/touristvisaonine2019.pem ec2-user@ec2-13-234-72-211.ap-south-1.compute.amazonaws.com
Password:
Last login: Sat Mar 30 12:44:15 2019 from 223.190.91.168

       __|  __|_  )
       _|  (     /   Amazon Linux AMI
      ___|\___|___|

https://aws.amazon.com/amazon-linux-ami/2018.03-release-notes/
13 package(s) needed for security, out of 20 available
Run "sudo yum update" to apply all updates.
-bash: warning: setlocale: LC_CTYPE: cannot change locale (UTF-8): No such file or directory
[ec2-user@ip-172-31-31-148 ~]$ 





After a successful connection we have to generate the CSR by running this command:

openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

This command generates the CSR (server.csr) and the private key (server.key) in the current directory.

While it runs we have to enter the following information, as shown:
------------------------------------------------------------------------
[ec2-user@ip-172-31-31-148 ~]$ openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
Generating a 2048 bit RSA private key
..................................+++
......................................................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Uttar Pradesh
Locality Name (eg, city) [Default City]:Noida
Organization Name (eg, company) [Default Company Ltd]:Tourist Visa Online E - Visa Services
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:www.touristvisaonline.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

[ec2-user@ip-172-31-31-148 ~]$ 



Note: do not enter an email address, challenge password or optional company name; simply press Enter to skip these fields.

This command generates two files: server.csr (the certificate signing request) and server.key (the private key).


Note: when importing the certificate into AWS Certificate Manager (for use with the Elastic Load Balancer), ACM requires all files to be PEM encoded, so we need our server.key file in PEM format. We can convert it with this command:

openssl rsa -in server.key -outform PEM > server.private.pem


As follows:
[ec2-user@ip-172-31-31-148 ~]$ ls
GeoLite2-Country.mmdb  server.csr  server.key  touristvisaonline.war
[ec2-user@ip-172-31-31-148 ~]$ openssl rsa -in server.key -outform PEM > server.private.pem
writing RSA key
[ec2-user@ip-172-31-31-148 ~]$ ls
GeoLite2-Country.mmdb  server.csr  server.key  server.private.pem  touristvisaonline.war

[ec2-user@ip-172-31-31-148 ~]$ 



Now we have to submit this CSR to the certificate authority (CA) from which we bought the SSL certificate; the CA will issue the certificate.



After downloading the certificate, go to AWS Certificate Manager, choose Provision certificates, then click Import a certificate.


After clicking Import a certificate you will get a window like this, in which we have to enter the details very carefully.

In the first section, "Certificate body", we have to enter the original certificate itself, PEM encoded.

Under "Certificate private key" we have to enter the PEM encoded server.key that was generated in the first step along with the CSR.

In the last field, "Certificate chain", we have to combine all the intermediate certificates into one chain, make sure it is PEM encoded, and enter it here.

For example, suppose our certificate bundle contains the following files:

1) COMODORSADomainValidationSecureServerCA.crt
2) COMODORSAAddTrustCA.crt
3) AddTrustExternalCARoot.crt
4) ..... one more here


Files 1, 2 and 3 are the intermediate certificates; we can combine them into one file, server.chain,

with this command:

sudo cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt  > server.chain

Note: these are the steps for a Comodo SSL certificate.

But if you download the certificate from GoDaddy, then your certificate bundle contains only 3 files:
1) bc3c2b1562fc680f.crt -- the original certificate file
2) gd_bundle-g2-g1.crt -- this is the certificate chain
3) gdig2.crt.pem -- certificate private key, but this should be PEM encoded, so when I pasted it at AWS I got an error, so I copied server.private.pem that was generated in the 1st step.
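The CSR step above and the ACM import step together come down to three PEM inputs: the certificate body, the private key and the ordered chain. The script below is an added example and not code from the original post: it produces those inputs the same way the post does (the openssl req and openssl rsa commands, non-interactively) and then runs the checks worth doing before pasting anything into the ACM form: the key matches the certificate, the chain is in issuer order, the signatures verify, and the key is unencrypted PEM. Because it has to run offline, a throwaway root and intermediate CA stand in for the purchased CA; with a real certificate, server.crt and the chain members come from the CA's download instead. All file names, the DN, the hostname www.example.com and the working directory are assumptions.

```shell
#!/bin/sh
# Added example (not code from the original post): produce the three PEM
# inputs of the ACM "Import a certificate" form and check them before
# pasting.  A throwaway root + intermediate CA stands in for the purchased
# CA so the script runs offline; with a real certificate, server.crt and the
# chain members come from the CA's download instead.  All file names, the
# DN and the hostname are assumptions.
set -eu

# Step 1 of the post, non-interactive: private key + CSR.  umask 077 makes
# server.key owner-readable only; -nodes leaves it unencrypted, as ACM needs.
make_key_and_csr() {
  dir=$1; cn=$2
  mkdir -p "$dir"
  ( umask 077
    openssl req -new -newkey rsa:2048 -nodes \
      -keyout "$dir/server.key" -out "$dir/server.csr" \
      -subj "/C=IN/ST=Uttar Pradesh/L=Noida/O=Example Org/OU=IT/CN=$cn" \
      >/dev/null 2>&1
    # the post's conversion step: a PEM copy of the key for the ACM form
    openssl rsa -in "$dir/server.key" -outform PEM \
      -out "$dir/server.private.pem" 2>/dev/null )
}

# Stand-in CA (constructed only so the example runs): a self-signed root
# signs an intermediate, and the intermediate signs our CSR.
make_test_ca_and_sign() {
  dir=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$dir/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/root.key" \
    -out "$dir/root.csr" -subj "/CN=Test Root CA" >/dev/null 2>&1
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 2 \
    -extfile "$dir/ca.ext" -out "$dir/root.crt" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/int.key" \
    -out "$dir/int.csr" -subj "/CN=Test Intermediate CA" >/dev/null 2>&1
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
    -CAcreateserial -days 2 -extfile "$dir/ca.ext" -out "$dir/intermediate.crt" >/dev/null 2>&1
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/intermediate.crt" -CAkey "$dir/int.key" \
    -CAcreateserial -days 2 -out "$dir/server.crt" >/dev/null 2>&1
}

# The post's chain step: the leaf's issuer first, then whoever signed that,
# and so on.  Usage: build_chain OUT CERT...
build_chain() { out=$1; shift; cat "$@" > "$out"; }

# Check 1: the key must belong to the certificate (same RSA modulus);
# ACM refuses the import otherwise.
key_matches_cert() {
  a=$(openssl x509 -in "$1" -noout -modulus)
  b=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)
  [ "$a" = "$b" ]
}

# Check 2: the chain must be in order, i.e. issuer(N) == subject(N+1)
# starting from the leaf.  The chain is split into one file per certificate.
chain_is_ordered() {
  leaf=$1; chain=$2; tmp=$(mktemp -d)
  awk -v p="$tmp/part." '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (p n)}' "$chain"
  prev=$leaf
  for part in "$tmp"/part.*; do
    issuer=$(openssl x509 -in "$prev" -noout -issuer | sed 's/^issuer=//')
    subject=$(openssl x509 -in "$part" -noout -subject | sed 's/^subject=//')
    [ "$issuer" = "$subject" ] || { rm -rf "$tmp"; return 1; }
    prev=$part
  done
  rm -rf "$tmp"
}

# Check 3: the signatures actually verify up to the root.
chain_verifies() { openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; }

# Check 4: PEM markers present and the key is not password protected.
key_is_unencrypted_pem() { grep -q -- '-----BEGIN' "$1" && ! grep -q ENCRYPTED "$1"; }

# All four checks on the files in DIR; 0 means ready for the ACM form.
acm_inputs_ok() {
  dir=$1
  key_is_unencrypted_pem "$dir/server.private.pem" &&
    key_matches_cert "$dir/server.crt" "$dir/server.private.pem" &&
    chain_is_ordered "$dir/server.crt" "$dir/server.chain" &&
    chain_verifies "$dir/root.crt" "$dir/server.chain" "$dir/server.crt"
}

# Demo run.  With real files the import itself is (AWS CLI syntax):
#   aws acm import-certificate --certificate fileb://server.crt \
#     --private-key fileb://server.private.pem --certificate-chain fileb://server.chain
if command -v openssl >/dev/null 2>&1; then
  work=$(mktemp -d)
  make_key_and_csr "$work" www.example.com
  make_test_ca_and_sign "$work"
  build_chain "$work/server.chain" "$work/intermediate.crt" "$work/root.crt"
  if acm_inputs_ok "$work"; then echo "ready to import: $work"; else echo "NOT ready: $work"; fi
fi
```

The ordering check is the one that catches the chain being pasted upside down, which `openssl verify` alone does not notice because it rebuilds the chain itself; the modulus check catches pasting a bundle file where the private key belongs.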





After importing the certificate into ACM we are ready to use it with our AWS load balancer, as follows.


Use Your Certificate with an Amazon Elastic Load Balancer

The easiest way to provide HTTPS access to web resources running in your AWS instance is to set up an Elastic Load Balancer and configure it with your new SSL certificate. This lets Amazon handle the certificate configuration for you so you don’t have to worry about making sure your specific web server is configured properly to support HTTPS.
Follow the AWS Console Elastic Load Balancer Setup Wizard to begin creating a new Elastic Load Balancer. On the first screen, make sure you add Protocols for HTTPS. You can have HTTP as well if you want to provide non-encrypted access to your resources.
Select the Security Group for your Elastic Load Balancer. If you are creating your ELB inside a VPC, you should probably select the default security group which will allow inbound traffic from all other instances in the security group and outbound traffic to anywhere.
The third screen is the tricky one. This is where we set up our SSL Certificate for the first time. The good news is that once you complete this process, you can just keep using the same certificate for other subdomains you might create in the future. You need the wildcard certificate in order to do this, of course.


The easy way to install an SSL certificate in AWS is through an Amazon Elastic Load Balancer.
There are 3 types of load balancer:
1) Application Load Balancer
2) Network Load Balancer
3) Classic Load Balancer

For SSL we have to choose the Classic Load Balancer.


Select Classic Load Balancer, then click Create.


Now we have to define the load balancer name, then the load balancer protocol and port and the instance protocol and port. (Keep in mind that we can use different ports for the load balancer and the instance, but since we already redirect ports internally in Tomcat we keep it like this: a request from an end user may reach the load balancer on HTTP port 80 or HTTPS port 443, but internally it is forwarded to port 80 on the Tomcat instance, which we redirect with the IP routing table to port 8080.) Once done, click Next: Assign Security Groups.



Now choose the security group very carefully; we selected an already created security group.

Step 3: in this step we have to configure the security settings, i.e. SSL.

If we have already imported the certificate into ACM, then from the three options below we can choose the option to use a certificate from ACM.



Step 4: Configure Health Check.



Here we can define the health check page (ping path). We can also customize options like the response timeout.
The unhealthy threshold is the number of consecutive failed checks, spaced by the interval, after which the instance is marked unhealthy; for example, with a 30 second interval and a threshold of 2, the load balancer will try twice, and if the server does not respond to either check the instance is considered unhealthy.

Step 5: add the EC2 instances that we want to attach to our load balancer.

Here we select the available instance from this table and attach it.

Step 6: add tags.



Finally we review and create our Classic Load Balancer.


Now we are done with the Classic Load Balancer.


Once our Classic Load Balancer is created, to send traffic through it we use its DNS name in Route 53 instead of a plain A record pointing at the instance: for the www record, as shown here, we tick the Alias checkbox and then, under Alias Target, choose our Classic Load Balancer's DNS name as the A record.






To redirect from HTTP to HTTPS we have to create a bucket first with the domain name, like touristvisaonline.com, and then we have to change from static ...

HOW TO REDIRECT FROM HTTP TO HTTPS IN AWS.
Step 1: first create a bucket named after the domain, like boolment.com or touristvisaonline.com,
with the default configuration. Once you have created the bucket it looks like this.



Now we have to select the bucket and go to "Properties" > Static website hosting.




Step 3: now we have to go to "Route 53", where we create an alias record set; you can see on the right-hand side of the image below that we have created this record set.





HOW TO SERVE YOUR STATIC RESOURCES THROUGH CLOUDFRONT WITH A CUSTOM CNAME.

Steps to follow to achieve this:
1) Create an S3 bucket with any name; we created one named assets.touristvisaonline.com.

2) Create a CloudFront distribution by clicking Create Distribution.


3) Select the type of distribution (here we select Web and then click Get Started).


4) Enter the following information as shown in the pictures.





Now we have created our web distribution.

Step 5) To access this web distribution through Alternate Domain Names (CNAMEs), we have to create a record set in Route 53 as follows:


Step 6) We can also use an AWS-provided SSL certificate for S3 (static assets).

A. First, in ACM, choose Request a certificate.

Here we have to enter our domain, like *.touristvisaonline.com (i.e. *.your_domain_name.com), then click Next,

as shown in the picture below.


Now we have to validate our subdomain SSL certificate by creating a CNAME record in Route 53. You can create the record set by simply clicking Create record in Route 53, then click Continue.
Once you have created the record set it takes some time (around 15-30 minutes) and you will get the status as verified.

Once this certificate is issued we can use it in CloudFront.



Note: SOME COMMON ISSUES THAT WE FACED WITH TOMCAT AS THE BACKEND SERVER AND A CLASSIC LOAD BALANCER AS THE FRONT END FOR REQUEST HANDLING.

Sometimes when we restart the server after deploying a WAR file, the Classic Load Balancer marks the instance "OutOfService". To resolve this we have to change the health check timing in the Classic Load Balancer: when we restart, Tomcat may take longer to come up than the health check normally allows, and if the health check keeps failing the instance goes out of service. So we change the health check timing as shown.


NOTE: SOMETIMES WHEN WE TRY TO ACCESS STATIC ASSETS FROM CLOUDFRONT WE MAY GET A CROSS-ORIGIN ERROR. HOW TO SOLVE THIS PROBLEM:

A) To solve the CORS problem we have to change the CloudFront distribution by whitelisting the relevant headers (Whitelist Headers),

as shown in the picture.

