Uploading SSL Certificate to AWS Elastic Load Balancer

My SSL Certificate on my AWS Elastic Load Balancer is going to expire very soon and I need to replace it with a new one.

I've got the new certificate / bundle / key, uploaded to IAM but it won't show in the drop down in the Load Balancer settings that should let me choose the certificate to apply.

Here is the output when I put aws iam list-server-certificates

[image: enter image description here]

To my mind this shows that I have uploaded the new certificate to IAM ok. The top certificate in the list is the one which is due to expire any moment now and the other two are ones I have recently uploaded with the intention of replacing it (They are actually two attempts to upload using the same pem files).

The image below shows that only one certificate is available to choose to apply to the load balancer. Unfortunately it is the one that is about to expire.

[image: enter image description here]

The one thing that does strike me as a little odd is that the certificate name in the dropdown - ptdsslcert - is different to the names in the aws iam list-server-certificates output, even though it is the same certificate that expires imminently.

I'm really stuck here and if I don't figure this out soon I'm going to have an expired certificate on my domain so I would be really appreciative of any help on this.

The AWS CLI uses a provider chain to look for AWS credentials in a number of different places, including system or user environment variables and local AWS configuration files.

http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html

Although it's hard to guess the specific local machine configuration issue that resulted in the behavior observed, as noted in the comments, this appeared to be an issue where aws cli was using two different sets of credentials to access two different services, and these two sets of credentials were actually from two different AWS accounts.

The ServerCertificateName returned by the API (accessed through the CLI) should have matched the certificate name shown in the console drop-down for Elastic Load Balancer certificate selection.

The composition of ARNs (Amazon Resource Names) varies by service, but often includes the AWS account number. In this case, the account number shown in the CLI output did not match what was visible in the AWS console... leading to the conclusion that the issue was that an AWS account other than the intended one was being accessed by aws cli.

As cross-confirmed by the differing display names, the "existing" certificate, uploaded a year ago, may have had the same content but was in fact a different IAM entity than the one seen in the dropdown, as the two certificates were associated with entirely different accounts.
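The account check described in the answer above, as an added example that is not part of the original post: it extracts the account ID from each server certificate ARN and compares it with the account ID shown in the console. The function names, certificate names and account IDs are constructed for illustration.

```shell
#!/bin/sh
# Added example: constructed data, hypothetical function names.

# Print the account ID embedded in an IAM ARN, e.g.
# arn:aws:iam::111111111111:server-certificate/x -> 111111111111
arn_account() {
    printf '%s\n' "$1" |
        awk -F: '$1 == "arn" && $5 ~ /^[0-9]+$/ { print $5; ok = 1 }
                 END { exit !ok }'
}

# Read "name<TAB>arn" rows on stdin; flag certificates whose ARN is not in
# the expected account. Returns 1 if any row mismatches.
check_cert_accounts() {
    expected=$1
    status=0
    while IFS="$(printf '\t')" read -r name arn; do
        [ -n "$name" ] || continue
        acct=$(arn_account "$arn") || acct="unparseable"
        if [ "$acct" = "$expected" ]; then
            echo "OK        $name ($acct)"
        else
            echo "MISMATCH  $name is in account $acct, expected $expected"
            status=1
        fi
    done
    return "$status"
}

# Constructed sample rows, shaped like the output of:
#   aws iam list-server-certificates --output text \
#     --query 'ServerCertificateMetadataList[].[ServerCertificateName,Arn]'
sample_rows() {
    printf 'old-cert\tarn:aws:iam::222222222222:server-certificate/old-cert\n'
    printf 'new-cert\tarn:aws:iam::222222222222:server-certificate/new-cert\n'
}

# Console shows account 111111111111 (constructed); the CLI rows do not match.
sample_rows | check_cert_accounts 111111111111 || true

# Live use: compare the account the CLI is actually signed in to with the
# account ID shown in the console, then pipe the real listing through the check:
#   aws sts get-caller-identity --query Account --output text
```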
