Using AWS Certificate Manager (ACM Certificate) with Elastic Beanstalk
When you have a certificate for your domain issued through AWS Certificate Manager, how do you apply that certificate to an Elastic Beanstalk application?
Yes, the Elastic Beanstalk application is load balanced and does have an ELB associated with it.
I know I can apply it directly to the ELB myself. But I want to apply it through Elastic Beanstalk so the env configuration is saved onto the CloudFormation template.
I found out, you cannot do it through the Elastic Beanstalk console (at least not yet). However, you can still set it via the eb cli or aws cli.
Basically what we are trying to do is to update the aws:elb:listener setting; you can see the possible settings in the general options docs.
Using the EB CLI is pretty simple. Assuming we already set up the awsebcli tool for our project, we can use the eb config command.
It will open up your default terminal editor and allow you to change settings which are written as a YAML file. When you make a change and save it, the eb config cmd will automatically update the settings for your Elastic Beanstalk environment.
You will need to add the following settings to your config file:
    aws:elb:listener:443:
      InstancePort: '80'
      InstanceProtocol: HTTP
      ListenerEnabled: 'true'
      ListenerProtocol: HTTPS
      PolicyNames: null
      SSLCertificateId: CERTIFICATE_ARN_HERE
Change the value for CERTIFICATE_ARN_HERE to your ACM Certificate's ARN. You can find it in the AWS Certificate Manager console.
IMPORTANT: Your aws:elb:listener:443 setting MUST be placed above the aws:elb:listener:80 setting. Otherwise the environment configuration update will error out.
The same can be accomplished using the general aws cli tools via the update-environment command.
    aws elasticbeanstalk update-environment \
      --environment-name APPLICATION_ENV --option-settings \
      Namespace=aws:elb:listener:443,OptionName=InstancePort,Value=80 \
      Namespace=aws:elb:listener:443,OptionName=InstanceProtocol,Value=HTTP \
      Namespace=aws:elb:listener:443,OptionName=ListenerProtocol,Value=HTTPS \
      Namespace=aws:elb:listener:443,OptionName=SSLCertificateId,Value=CERTIFICATE_ARN_HERE
NOTE: When you update it via either of the methods above, the Elastic Beanstalk console will not show HTTPS as enabled. But the load balancer will, and it will also apply to the CloudFormation template as well as get saved into the EB's configuration.
You can do this purely with CloudFormation; however, as seems to be quite common with Elastic Beanstalk, the configuration options are much harder to find in the docs than they are for the individual components that comprise Elastic Beanstalk. The info is here:
http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/command-options-general.html#command-options-general-elbloadbalancer
But basically what you need to do is add the creation of the cert to your template and then reference it in OptionSettings in AWS::ElasticBeanstalk::ConfigurationTemplate:
    "Certificate": {
      "Type": "AWS::CertificateManager::Certificate",
      "Properties": {
        "DomainName": "example.com"
      }
    },
    // ...
    "ElasticbeanstalkTemplate": {
      "Type": "AWS::ElasticBeanstalk::ConfigurationTemplate",
      "Properties": {
        "SolutionStackName": "MyEBStack",
        "ApplicationName": "MyAppName",
        "Description": "",
        "OptionSettings": [{
          "Namespace": "aws:elb:listener:443",
          "OptionName": "InstancePort",
          "Value": "80"
        }, {
          "Namespace": "aws:elb:listener:443",
          "OptionName": "InstanceProtocol",
          "Value": "HTTP"
        }, {
          "Namespace": "aws:elb:listener:443",
          "OptionName": "ListenerProtocol",
          "Value": "HTTPS"
        }, {
          "Namespace": "aws:elb:listener:443",
          "OptionName": "SSLCertificateId",
          "Value": {
            "Ref": "Certificate"
          }
        }, /*More settings*/]
      }
    }
Check in which zone you created the certificate and if it matches the Elastic Beanstalk zone. I had them in different zones so it didn't work.
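Because the console does not show HTTPS as enabled after a CLI update, the 443 listener settings from the first answer and the region match from the last one can be checked against the environment's saved option settings (the Namespace/OptionName/Value list that `aws elasticbeanstalk describe-configuration-settings` returns). This is an added example, not code from the original posts; the function name, the sample ARN, the account ID and the regions are constructed for illustration.

```python
import re

# ACM certificate ARN shape: arn:PARTITION:acm:REGION:ACCOUNT:certificate/ID
ACM_ARN = re.compile(r"^arn:aws[a-z-]*:acm:([a-z0-9-]+):\d{12}:certificate/\S+$")
NS = "aws:elb:listener:443"


def check_https_listener(option_settings, env_region):
    """Return a list of problems with the 443 listener; empty list means OK.

    option_settings: resolved Namespace/OptionName/Value entries, as found in
    describe-configuration-settings output (not unresolved template Refs).
    """
    opts = {s["OptionName"]: s.get("Value") for s in option_settings
            if s.get("Namespace") == NS}
    if not opts:
        return [f"no {NS} settings present"]
    problems = []
    if str(opts.get("ListenerEnabled", "true")).lower() != "true":
        problems.append("ListenerEnabled is not 'true'")
    proto = opts.get("ListenerProtocol")
    if proto != "HTTPS":
        problems.append(f"ListenerProtocol is {proto!r}, expected 'HTTPS'")
    cert = opts.get("SSLCertificateId")
    if not isinstance(cert, str) or not cert:
        return problems + ["SSLCertificateId is missing or unresolved"]
    m = ACM_ARN.match(cert)
    if m is None:
        problems.append("SSLCertificateId is not an ACM certificate ARN")
    elif m.group(1) != env_region:  # the mismatch described in the last answer
        problems.append(f"certificate is in {m.group(1)} but the environment is in {env_region}")
    return problems


# Constructed sample data: account ID, certificate ID and regions are made up.
ARN_EU = "arn:aws:acm:eu-west-1:123456789012:certificate/00000000-0000-0000-0000-000000000000"
SAMPLE = [
    {"Namespace": NS, "OptionName": "InstancePort", "Value": "80"},
    {"Namespace": NS, "OptionName": "InstanceProtocol", "Value": "HTTP"},
    {"Namespace": NS, "OptionName": "ListenerEnabled", "Value": "true"},
    {"Namespace": NS, "OptionName": "ListenerProtocol", "Value": "HTTPS"},
    {"Namespace": NS, "OptionName": "SSLCertificateId", "Value": ARN_EU},
]

if __name__ == "__main__":
    for region in ("eu-west-1", "us-east-1"):
        print(region, check_https_listener(SAMPLE, region) or "OK")
```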
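Statement: The technical posts on this site follow the CC BY-SA 4.0 license. If you need to repost, please credit this site's URL or the original address. For any questions, contact: yoyou2525@163.com.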