使用自动 SSL 证书在 AWS Elastic Beanstalk 上部署 Spring Boot 应用程序

Question

Let's say I have a Spring Boot project that produces a JAR file www.example.com.jar which using its embedded HTTP server shows a example page showing the word "Example".

• I want to deploy this bare JAR file on AWS Elastic Beanstalk.
• I want SSL/TLS support for my custom domain, ie https://www.example.com/ .
• I want to use Amazon's own Amazon Certificate Manager.
• I want Amazon Certificate Manager to automatically renew the certificate as needed.
• I am happy to use Amazon's Route 53 if necessary for DNS.
• I am willing to use load balancer(s) if necessary.
• I am willing to use Amazon's CloudFront if necessary.
• I do not want a solution that makes me manually renew a certificate and copy it somewhere from time to time.
• I do not want a solution that requires me to create an EC2 instance; I want to deploy a bare JAR.

What are the options to meet all these requirements? (Most of the tutorials I've seen skip the SSL part altogether, even though SSL is mandatory on today's web).

Lastly if this is simply not possible with a bare JAR file, but would be possible with a bare Docker image, I would be interested in meeting these same requirements using a bare Docker image.

Answer 1

• I want to deploy this bare JAR file on AWS Elastic Beanstalk.

• I do not want a solution that requires me to create an EC2 instance; I want to deploy a bare JAR.

These two statements don't make sense to me. You want to use Elastic Beanstalk, but you don't want to use EC2 instances? Elastic Beanstalk is nothing more than a service that manages EC2 instances for you. When you deploy your application with Elastic Beanstalk it is going to create one or more EC2 instances and deploy your application on those.

To deploy your Spring Boot application to Elastic Beanstalk, follow this official guide .

To meet your SSL requirements, you need to create an SSL certificate in AWS ACM for the domain you own ( www.example.com ), and pick DNS validation. Then create the DNS record it tells you to, to validate your ownership of the domain.

Next, deploy your Java application to Elastic Beanstalk with a load balancer. Then attach the AWS ACM certificate to the load balancer. Finally, create a DNS CNAME record for www.example.com that points to the DNS name of the load balancer. You don't need to use Route53 for this unless you are trying to point a root domain ( example.com instead of www.example.com ) to your load balancer.

Answer 2

Might have stumbled through to satisfaction of all of these requirements except for potentially the automatic renewal / re-installation of the certificate:

• yes, bare Spring Boot JAR file on AWS Elastic Beanstalk.
• yes, SSL/TLS support for my custom domain, ie https://www.example.com/ .
• yes, did use Amazon's own Amazon Certificate Manager.
• I don't know, but I'm hopeful that Amazon Certificate Manager will automatically renew the certificate as needed.
• yes, Amazon's Route 53 is something I'm using for DNS.
• yes, I broke down and became willing to use load balancer(s) and used one
• I don't know about CloudFront yet.
• didn't have to set up an EC2 instance directly

One of the most difficult parts was arranging for the redirection of HTTP traffic to HTTPS. The documentation was leading me to an.ebextensions config solution -- but that seemed problematic because it seemed to be setting up a chicken-and-egg problem for testing the configuration. I felt relieved when I found some documentation about how to configure load balancer rules that actually led me to functionality I needed to set up the redirection in the load balancer itself: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-update-rules.html#edit-rule

Prior to redirecting to HTTPS, I had to set up HTTPS on the load balancer. The doc I used for that was https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-elb.html

To get the public certificate set up for my custom domain, I used ACM: https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-public.html

And originally, I got going with a hosted zone for my custom domain with Route 53. And I had to go to my domain registrar, godaddy, to set up the DNS entries to utilize Route 53. Once DNS was pointed to the AWS Hosted Zone DNS hosts, I didn't really have to go back to godaddy any more.

I'm about 4 or 5 days into this effort, so my head is still spinning a bit. The directions I followed to get the application launched initially were the ones at https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/java-se-platform.html .