Installing an SSL certificate on an AWS EBS single instance (Tomcat)

Time: 2016-11-04 10:52:33

Tags: apache tomcat ssl amazon-ec2 elastic-beanstalk

While installing an SSL certificate (obtained from a CA) on my AWS EBS single instance - Tomcat (following the instructions at http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/https-singleinstance-tomcat.html), I ran into the following error during deployment.


Command failed on instance. Return code: 1 Output: httpd: no process found. container_command killhttpd in .ebextensions/https-instance.config failed.

I created the ssl.config file (shown below), which is picked up during deployment. Unfortunately, the deployment fails with the error above.

Resources:
  sslSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0

packages:
  yum:
    mod_ssl: []

files:
  /etc/httpd/conf.d/ssl.conf:
    mode: "000644"
    owner: root
    group: root
    content: |
      LoadModule ssl_module modules/mod_ssl.so
      Listen 443
      <VirtualHost *:443>
        <Proxy *>
          Order deny,allow
          Allow from all
        </Proxy>
        ServerName            www.mydomain.com
        SSLEngine             on
        SSLCertificateFile    "/etc/pki/tls/certs/server.crt"
        SSLCertificateKeyFile "/etc/pki/tls/certs/server.key"
        SSLCipherSuite        EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
        SSLProtocol           All -SSLv2 -SSLv3
        SSLHonorCipherOrder   On

        Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
        Header always set X-Frame-Options DENY
        Header always set X-Content-Type-Options nosniff

        LogFormat "%h (%{X-Forwarded-For}i) %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
        ErrorLog /var/log/httpd/elasticbeanstalk-error_log
        TransferLog /var/log/httpd/elasticbeanstalk-access_log
      </VirtualHost>

  /etc/pki/tls/certs/server.crt:
    mode: "000400"
    owner: root
    group: root
    content: |
      -----BEGIN CERTIFICATE-----
      ....
      -----END CERTIFICATE-----

  /etc/pki/tls/certs/server.key:
    mode: "000400"
    owner: root
    group: root
    content: |
      -----BEGIN RSA PRIVATE KEY-----
      ....
      -----END RSA PRIVATE KEY-----

container_commands:
  killhttpd:
    command: "killall httpd"
  waitforhttpddeath:
    command: "sleep 3"

If I remove the container_commands from the file, the deployment completes successfully, but it has no effect in the end and HTTPS is not enabled. I made sure port 443 is open in the associated security group.

Help me understand what is missing from the process.

1 answer:

Answer 0 (score: 1)

After poking around on the deployed server, AWS has configured its worker process as httpd.worker rather than httpd. This can be found in /etc/sysconfig/httpd on the server. Instead of changing the killall command in the YAML file, I switched to this approach:

container_commands:
  killhttpd:
    command: "/sbin/service httpd stop"
  waitforhttpddeath:
    command: "sleep 3"

I haven't tested full HTTPS functionality yet, but at least this resolves the error described in this post.
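The answer's root cause, as an added example that is not code from the question, the answer or the AWS docs: the init script works because it reads the binary name from /etc/sysconfig/httpd itself, while `killall httpd` matches only the literal process name. The two functions below, `httpd_process_name` and `httpd_stop_command`, are hypothetical helpers written for this thread; they resolve the name from a sysconfig file (parsed rather than sourced, so a deployment step running as root never executes whatever that file contains) and emit the stop command a container_command should use, preferring the init script and falling back to `killall` with the resolved name. The paths /etc/sysconfig/httpd and /etc/init.d/httpd are Amazon Linux conventions assumed here; the demo runs on a constructed copy of the sysconfig file.

```shell
#!/bin/sh
# Added example for this thread (hypothetical helpers, not from the question,
# the answer or the AWS docs). Resolves the name httpd actually runs under
# (Amazon Linux sets HTTPD=/usr/sbin/httpd.worker in /etc/sysconfig/httpd when
# the worker MPM is selected) so a container_command stops the right process
# instead of failing with "httpd: no process found".
set -eu

# Print the basename of the httpd binary configured in a sysconfig file.
# Falls back to "httpd" when the file is missing or sets no HTTPD= line.
# The file is parsed with grep/cut rather than sourced, so a stray command
# in it cannot run as root during deployment. Quotes, spaces and trailing
# "# comments" on the HTTPD= line are stripped.
httpd_process_name() {
    sysconfig="$1"
    name="httpd"
    if [ -r "$sysconfig" ]; then
        value=$(grep -E '^[[:space:]]*HTTPD=' "$sysconfig" | tail -n 1 \
                | cut -d= -f2- | cut -d'#' -f1 | tr -d "\"' ")
        if [ -n "$value" ]; then
            name=$(basename "$value")
        fi
    fi
    printf '%s\n' "$name"
}

# Print the command a .ebextensions container_command should run to stop
# httpd. The init script is preferred because it already knows the binary
# name and pid file; killall with the resolved name is only the fallback
# for hosts without one. The init script path is an argument for testing.
httpd_stop_command() {
    sysconfig="$1"
    initscript="$2"
    if [ -x "$initscript" ]; then
        printf '%s stop\n' "$initscript"
    else
        printf 'killall %s\n' "$(httpd_process_name "$sysconfig")"
    fi
}

# Demo on a constructed sysconfig file (the real one is /etc/sysconfig/httpd;
# "/sbin/service httpd stop" in the answer ends up running /etc/init.d/httpd).
demo_dir=$(mktemp -d)
printf '# constructed copy of /etc/sysconfig/httpd\nHTTPD=/usr/sbin/httpd.worker\n' \
    > "$demo_dir/httpd"
echo "process name: $(httpd_process_name "$demo_dir/httpd")"   # httpd.worker
echo "stop command: $(httpd_stop_command "$demo_dir/httpd" /etc/init.d/httpd)"
rm -rf "$demo_dir"
```

On the instance itself this reduces to what the answer already does: `/sbin/service httpd stop` in the container_command, with `killall httpd.worker` only as a fallback when no init script is present.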