As anyone who has moved their web server from 1&1 to the EC2
infrastructure will know, one of the downsides of using EC2 for a
web server is that you can only have a single IP address per
instance. This poses a somewhat tricky problem when you need to
host multiple SSL-driven sites, all with different domains, on one
instance! This post sets out to outline and answer most of the
problems and questions I had during our ongoing transition from
two 1&1 cloud servers onto a couple of Win2008 EC2 instances.
After quite a substantial amount of time reading blog posts and
forums, I came to a little conclusion… If you are using a Windows
instance and want to use the AWS management console, then online
tutorials are very hard to come by (they are all Apache based, and
most are driven by the EC2 API command line tools).
Through speaking with friends and spending countless hours
(I actually spent weeks on this) refining search terms,
I managed to collate a lot of useful information and links, so I
thought I would share them here for future reference and to
hopefully help out someone else looking to do the same thing.
Solution
In short, the only way to have multiple SSL certificates on a single
instance with EC2 is to use their Elastic Load Balancers
(ELB) and install the SSL certificate directly on the ELB -
then route all normal (80) and secure (443) traffic
to the ELB and let it do the rest.
http://aws.amazon.com/elasticloadbalancing/
What You'll Need To Start
Before you start trying to get this implemented, you will need the
following tools/applications installed on your computer.
You will need to install OpenSSL, as it is used to generate
the key/pem files you need in order to install the certificate on
the ELB. When installing, make sure you save the binaries to the
'\bin' and NOT the Windows directory during the installation.
Ylastic
We use Ylastic to manage our instances, snapshots, Route 53
domains and volumes… I can't speak highly enough of it!
For some tasks we still use the AWS console, but 90% of the time we
use Ylastic, as it's just easier to use and it has very
useful features that (at the time of writing this) the AWS console
does not have. In addition, again at the time of writing
this… there is currently no way of updating an SSL certificate via
the AWS console, so once your SSL certificate expires you will have
no choice but to use the command line tools or do a whole
load of changing and moving things about.
But Ylastic have said this is now going to be added, hopefully
in the next 2 to 4 weeks - a nice, easy to use UI for updating SSL
certificates when they expire! That's exactly what we like…
One of the big features of Ylastic is that you can set up
scheduled snapshots of your volumes, so you can easily swap out a
volume with a historic snapshot - this alone is worth the Ylastic
subscription! But of course it's not 100% necessary for what we are
trying to achieve.
http://ylastic.com/
SSL/PFX File
Because we use 1&1 to manage our domains and servers, all
our SSL certificates came as PFX files, so the next step is to
convert them using the OpenSSL install above - I tinkered with this
for AGES, until I found this BRILLIANT blog post from John Mendez,
which walks you through the entire process.
http://www.xdevsoftware.com/blog/post/Upload-IIS-SSL-Certificate-into-Amazon-Elastic-Load-Balancer.aspx
After you have followed the above, you'll have all the files
needed to move to the next section.
Setting Up The ELB
This is where I tripped up initially! Make sure you do the
following:
- Set port 80 on the load balancer to forward to port 80 on the
instance
- Set port 443 (SSL) on the load balancer to forward to
port 80 on the instance (yes, you read that correctly:
SSL termination is handled on the ELB, so the instance itself
only ever sees plain HTTP)
Once you have your PEM and key files, you need to copy and paste
the body of these files (open them in Notepad) into the correct
textboxes in the ELB setup wizard - John explains which key goes
where at the bottom of the post linked above:
- Open the file server.key that was created above with
openssl and paste its contents into the Private Key textbox
- Open the file cert.pem that was created above with
openssl, copy the text from ----BEGIN until the end of the file
and paste that into the Public Key Certificate textbox
Then follow the wizard until the end - once you have completed
it, you have to assign the ELB to the instance you want to use it
with. This can take a couple of hours to go through.
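As an added example (not code from the original post or from John's post), here is a small script that takes the text printed by `openssl pkcs12 -in yourcert.pfx -nodes` and separates it into the private key, the site certificate and the chain, stripping the Bag Attributes lines so only the ----BEGIN to ----END blocks remain, which is what the wizard's textboxes expect. It assumes openssl's localKeyID labelling to pair the key with its certificate; the sample text is constructed dummy data, not a real key or certificate.

```python
# Added example (not from the original post): split the text printed by
# "openssl pkcs12 -in site.pfx -nodes" into the three PEM strings the ELB
# wizard asks for. Assumes openssl's localKeyID labelling; sample data is fake.
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----.*?-----END (?P=label)-----", re.S)

# Constructed sample of the openssl output layout (base64 bodies are dummies).
SAMPLE = """Bag Attributes
    localKeyID: 01 00 00 00
subject=/CN=example.com
issuer=/CN=Example CA
-----BEGIN CERTIFICATE-----
TElFQUZDRVJU
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=/CN=Example CA
issuer=/CN=Example CA
-----BEGIN CERTIFICATE-----
Q0FDRVJU
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: 01 00 00 00
-----BEGIN PRIVATE KEY-----
UFJJVkFURUtFWQ==
-----END PRIVATE KEY-----
"""

def split_pkcs12_output(text):
    """Return {'private_key', 'certificate', 'chain'}, bag attributes stripped."""
    items, pos = [], 0
    for m in PEM_BLOCK.finditer(text):
        kid = re.search(r"localKeyID:\s*([0-9A-Fa-f ]+)", text[pos:m.start()])
        items.append((kid.group(1).strip() if kid else None, m.group("label"), m.group(0)))
        pos = m.end()
    keys = [i for i in items if "PRIVATE KEY" in i[1]]
    if len(keys) != 1:
        raise ValueError("expected exactly one private key, found %d" % len(keys))
    key_id, key_label, key_pem = keys[0]
    if "ENCRYPTED" in key_label:  # the ELB takes no passphrase: re-dump with -nodes
        raise ValueError("private key is encrypted; re-run openssl pkcs12 with -nodes")
    certs = [(kid, pem) for kid, lbl, pem in items if lbl == "CERTIFICATE"]
    # The site certificate carries the same localKeyID as the key; the rest are chain.
    leaf = [pem for kid, pem in certs if key_id is not None and kid == key_id]
    if len(leaf) != 1:
        raise ValueError("could not match a certificate to the private key")
    chain = [pem for kid, pem in certs if pem != leaf[0]]
    return {"private_key": key_pem, "certificate": leaf[0], "chain": "\n".join(chain)}
```

Run it over the real dump instead of SAMPLE and paste the three values into the Private Key, Public Key Certificate and Certificate Chain textboxes respectively.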
Domain Names
Now you have your ELB set up with your SSL certificate installed on
it, you just need to point your domain at the ELB. We now use Amazon
Route 53 for all domains that need SSL, as it's just easier to manage
with ELBs, and also we could not use the URL which Amazon provided
for a CNAME, as 1&1 limit the characters allowed in their control
panel for CNAMEs!! So our only option was to use Route 53 (some more
info on using Route 53 with Ylastic).
Here is Amazon's official page on using domain names with
ELBs:
http://docs.amazonwebservices.com/ElasticLoadBalancing/latest/DeveloperGuide/index.html?using-domain-names-with-elb.html
SSL Redirect Issues On Websites
After you have all the above set up, you may notice a little
gotcha on some sites that force SSL in code. One example is
nopCommerce: when you enable 'useSSL' in the web.config of the
store software it tries to redirect the user to HTTPS, but because
SSL is terminated on the ELB and the request reaches the instance
on port 80, the store still sees plain HTTP and redirects again.
This ends up in an endless loop, and in the post below I explain
how to change nopCommerce to get round this.
/blog/2011/9/8/running-nopcommerce-with-ssl-through-ec2-elb/
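The redirect loop described above, modelled as an added example (not code from the original post or from nopCommerce): requests are plain dicts, the ELB hop is simulated, and the header name X-Forwarded-Proto is the one ELB adds to forwarded requests. The socket-only check loops forever; the header-aware check redirects exactly once.

```python
# Added example, not from the original post or nopCommerce: why a "force SSL"
# redirect loops behind an SSL-terminating ELB, and the check that stops it.
# Requests are plain dicts and the ELB hop is simulated; nothing touches the network.

def naive_is_secure(req):
    """What a store does by default: look only at the socket it received."""
    return req["socket_https"]

def elb_aware_is_secure(req):
    """Behind the ELB the socket is always plain HTTP (443 forwards to 80), so
    the client's real scheme is read from the X-Forwarded-Proto header ELB adds.
    Only trust it when the instance's security group admits port 80 from the ELB
    alone; otherwise a client reaching the instance directly could set it."""
    proto = req["headers"].get("X-Forwarded-Proto", "").lower()
    return proto == "https" or req["socket_https"]

def force_ssl_redirect(req, is_secure):
    """Return the Location for a redirect to HTTPS, or None to serve the page."""
    if is_secure(req):
        return None
    return "https://" + req["host"] + req["path"]

def elb_forward(url, host):
    """Model the ELB: whatever scheme the client used, the instance sees the
    request on port 80 with the original scheme in X-Forwarded-Proto."""
    scheme, rest = url.split("://", 1)
    return {"host": host, "path": rest[len(host):], "socket_https": False,
            "headers": {"X-Forwarded-Proto": scheme}}

def count_redirects(is_secure, host="shop.example", path="/checkout", max_hops=10):
    """Follow the store's redirects through the ELB and return how many it
    issued before serving the page, or max_hops if it never does."""
    req = elb_forward("http://" + host + path, host)
    for hop in range(max_hops):
        location = force_ssl_redirect(req, is_secure)
        if location is None:
            return hop
        req = elb_forward(location, host)
    return max_hops

if __name__ == "__main__":
    print("socket-only check:", count_redirects(naive_is_secure), "redirects (loop)")
    print("X-Forwarded-Proto check:", count_redirects(elb_aware_is_secure), "redirect")
```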
Using EC2 API Command Line Tool for Windows
As I have mentioned a few times above, the most common way
(so it seems, anyway) for most system admins is to use the
API command line tools, and most of the online tutorials you find
will use these. Another post from John Mendez, linked below, walks
you through how to get started with the command line tools.
http://www.xdevsoftware.com/blog/post/How-to-Install-the-EC2-API-Command-Line-Tool-for-Windows.aspx
Useful Links
I collated some useful links / references along the way,
although all of the below refer to using the API command line tools
(see above).
Creating and Uploading Server Certificates
http://docs.amazonwebservices.com/IAM/latest/UserGuide/index.html?InstallCert.html
Setting Up An ELB With SSL
http://docs.amazonwebservices.com/ElasticLoadBalancing/latest/DeveloperGuide/index.html?US_SettingUpLoadBalancerHTTPSIntegrated.html
Amazon EC2 AMI Tools
http://aws.amazon.com/developertools/368?_encoding=UTF8&jiveRedirect=1