Linux 在 EC2 实例上设置 SSL 证书
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/10115322/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Setup an SSL certificate on an EC2 instance
提问by style-sheets
I'm having hard time trying to setup an SSL certificate (it's a Comodo PositiveSSL purshased from NameCheap) on my EC2 micro instance (I'm using Amazon Linux AMI 2012.3, which is based on CentOS if I'm not mistaken).
我很难在我的 EC2 微型实例上设置 SSL 证书(它是从 NameCheap 购买的 Comodo PositiveSSL)(我使用的是 Amazon Linux AMI 2012.3,如果我没记错的话,它基于 CentOS)。
Here's what I did:
这是我所做的:
I installed mod_ssl & OpenSSL
I enabled port 443 on my EC2's instance security group
I CHMODed the *.key & *.crt files to 777 as Comodo suggested
I'm certain the IP address & files path are correct (put a bunch of 0s in the example but it iscorrect in my ssl.conf)
I added this VirtualHost entry to ssl.conf
我安装了 mod_ssl 和 OpenSSL
我在 EC2 的实例安全组上启用了端口 443
我按照 Comodo 的建议将 *.key 和 *.crt 文件修改为 777
我确定 IP 地址和文件路径是正确的(在示例中放了一堆 0,但在我的 ssl.conf 中是正确的)
我将此 VirtualHost 条目添加到 ssl.conf
<VirtualHost 00.000.000.00:443>
############# I tried both with & without this section ##############
ServerName www.mydomain.com:443
ServerAlias www.mydomain.com
DocumentRoot /var/www
ServerAdmin [email protected]
######################################################################
SSLEngine on
SSLCertificateKeyFile /etc/ssl/mydomain_com.key
SSLCertificateFile /etc/ssl/mydomain_com.crt
SSLCertificateChainFile /etc/ssl/mydomain_com.ca-bundle
</VirtualHost>
Then I restarted apache...but I stil cannot accesshttps://www.mydomain.com/!!!
然后我重新启动了 apache...但我仍然无法访问https://www.mydomain.com/!!!
I checked with ssltool.com, it says
我检查了ssltool.com,它说
The Common Name on the certificate is: ip-00-00-00-000
The certificate chain consists of:
SomeOrganization, ip-00-00-00-000. Expires on: Apr 10 13:39:41 2013 GMT - that's 363 days from today.
The site tested mydomain.com is NOT the same as the Subject CN ip-00-00-00-000!.
I even went & copied the VistualHost to httpd.conf instead of ssl.conf & restarted apache, all in vain.
我什至将 VistualHost 复制到 httpd.conf 而不是 ssl.conf 并重新启动了 apache,但都是徒劳的。
I've been banging my head against the wall for days now. I'm pretty sure I'm missing a tiny something to make this work, I just don't know what exactly.
这几天我一直在用头撞墙。我很确定我错过了一个小东西来完成这项工作,我只是不知道究竟是什么。
I'd be infinitely grateful if someone can suggest something to make this work!
如果有人能提出一些建议来完成这项工作,我将不胜感激!
采纳答案by TheDude
Sometimes this section
有时这部分
<VirtualHost _default_:443>
preventsyour real SSL certificate from being used. If this is the case either comment VirtualHost defaultor move the SSLCertificate* attributes to it, ie.
防止您的真实 SSL 证书被使用。如果是这种情况,请注释VirtualHost default或将 SSLCertificate* 属性移动到它,即。
<VirtualHost _default_:443>
SSLCertificateKeyFile /etc/ssl/mydomain_com.key
SSLCertificateFile /etc/ssl/mydomain_com.crt
SSLCertificateChainFile /etc/ssl/mydomain_com.ca-bundle
</VirtualHost>
Make sure you restart apache after that.
确保在那之后重新启动apache。
回答by Sebastien Horin
Amazonnow provide a certificate manager! (for free)
亚马逊现在提供证书管理器!(免费)
If you use Elastic Beanstalk this is the new way to do: It's free, You avoids errors due to the configuration and it's a better choice on a performance point of vue:
如果您使用 Elastic Beanstalk,这是一种新的方式:它是免费的,您可以避免由于配置而导致的错误,并且在 vue 的性能点上是更好的选择:
Because ELB supports SSL offload, deploying a certificate to a load balancer (rather than to the EC2 instances behind it) will reduce the amount of encryption and decryption work that the instances need to handle.
由于 ELB 支持 SSL 卸载,将证书部署到负载均衡器(而不是其后面的 EC2 实例)将减少实例需要处理的加密和解密工作量。
from the doc:
从文档:
The new AWS Certificate Manager (ACM) is designed to simplify and automate many of the tasks traditionally associated with management of SSL/TLS certificates. ACM takes care of the complexity surrounding the provisioning, deployment, and renewal of digital certificates! Certificates provided by ACM are verified by Amazon's certificate authority (CA), Amazon Trust Services (ATS).
Even better, you can do all of this at no extra cost. SSL/TLS certificates provisioned through AWS Certificate Manager are free!
ACM will allow you to start using SSL in a matter of minutes. After your request a certificate, you can deploy it to your Elastic Load Balancers and your Amazon CloudFront distributions with a couple of clicks. After that, ACM can take care of the periodic renewals without any action on your part.
新的 AWS Certificate Manager (ACM) 旨在简化和自动化许多传统上与 SSL/TLS 证书管理相关的任务。ACM 负责处理数字证书配置、部署和更新的复杂性!ACM 提供的证书由 Amazon 的证书颁发机构 (CA)、Amazon Trust Services (ATS) 验证。
更好的是,您无需额外付费即可完成所有这些工作。通过 AWS Certificate Manager 配置的 SSL/TLS 证书是免费的!
ACM 将允许您在几分钟内开始使用 SSL。在您请求证书后,您只需单击几下即可将其部署到您的弹性负载均衡器和您的 Amazon CloudFront 分配中。之后,ACM 可以处理定期续订,而您无需采取任何行动。
the doc:
文档:
https://aws.amazon.com/fr/blogs/aws/new-aws-certificate-manager-deploy-ssltls-based-apps-on-aws/
https://aws.amazon.com/fr/blogs/aws/new-aws-certificate-manager-deploy-ssltls-based-apps-on-aws/
回答by shabany
Looking at your list, it happens that you forget to enable your configuration with your Virtual host.
查看您的列表,碰巧您忘记使用虚拟主机启用配置。
sudo a2enmod ssl
sudo a2ensite default-ssl
sudo /etc/init.d/apache2 restart
There is a complete guide on how to install an SSL certificate on your EC2 here https://medium.com/@adnanxteam/how-to-add-ssl-certificate-to-laravel-on-ec2-aws-18104cc036d1
这里有关于如何在 EC2 上安装 SSL 证书的完整指南https://medium.com/@adnanxteam/how-to-add-ssl-certificate-to-laravel-on-ec2-aws-18104cc036d1
