Change / Update SSL certificate for Amazon Elastic Load Balancer

This is a continuation of the Amazon ELB SSL Termination HowTo. Earlier we saw how to set up an Elastic Load Balancer with SSL termination on Amazon. Now we will see how to change the SSL certificate once it has been renewed, or revoked for some reason.

To change the certificate used by an Elastic Load Balancer (ELB) we need to install the ELB and IAM command line tools. To install these tools, do as follows.

  1. Download and install Java JDK or JRE (minimum 1.6) from here.
  2. Set JAVA_HOME environment variable.
  3. Download and install IAM Client tool from here.
  4. Download and install ELB Client tool from here.

Installing IAM tool

Once you have downloaded the IAMCli.zip file, extract its contents and do the following:

  1. Create an environment variable AWS_IAM_HOME pointing to the IAM client folder: 'AWS_IAM_HOME=/path/to/iam/folder'.
  2. Add $AWS_IAM_HOME/bin to your path (in Windows: %AWS_IAM_HOME%\bin).
  3. Edit $AWS_IAM_HOME/aws-credential.template and set AWSAccessKeyId and AWSSecretKey to your own values.
  4. Create an environment variable AWS_CREDENTIAL_FILE pointing to the aws-credential.template file: 'AWS_CREDENTIAL_FILE=$AWS_IAM_HOME/aws-credential.template' (in Windows: 'AWS_CREDENTIAL_FILE=%AWS_IAM_HOME%/aws-credential.template').
  5. If you are behind a proxy, edit $AWS_IAM_HOME/client-config.template (this is self explanatory).
  6. Create an environment variable CLIENT_CONFIG_FILE pointing to the client-config.template file: 'CLIENT_CONFIG_FILE=$AWS_IAM_HOME/client-config.template' (in Windows: 'CLIENT_CONFIG_FILE=%AWS_IAM_HOME%/client-config.template').

Installing ELB tool

Once you have downloaded the ElasticLoadBalancing.zip file, extract its contents and do the following:

  1. Create an environment variable AWS_ELB_HOME pointing to the ELB client folder: 'AWS_ELB_HOME=/path/to/elb/folder'.
  2. Add $AWS_ELB_HOME/bin to your path (in Windows: %AWS_ELB_HOME%\bin).
  3. Now log in to your AWS web console and create the private key. You will be prompted to download the private key file; save it as my-pk.pem.
  4. Now go to the X.509 Certificate tab, create your X.509 certificate, download it and save it as my-cert.pem.
  5. Now create an environment variable named EC2_CERT pointing to my-cert.pem: 'EC2_CERT=/path/to/my-cert.pem'.
  6. Now create an environment variable named EC2_PRIVATE_KEY pointing to my-pk.pem: 'EC2_PRIVATE_KEY=/path/to/my-pk.pem'.
  7. If you are behind a proxy, create an environment variable named SERVICE_JVM_ARGS to pass the proxy settings to the JVM: 'SERVICE_JVM_ARGS="-Dhttp.proxyHost=my.pro.xy.ip -Dhttp.proxyPort=8080 -Dhttps.proxyHost=my.pro.xy.ip -Dhttps.proxyPort=8080"'.

Now we are set to upload the new certificate to Amazon and apply it to the ELB. To upload a new certificate we need the following:

  1. New certificate (PEM encoded).
  2. Private key used to generate the CSR (PEM encoded).
  3. Chain certificate (optional).

Uploading the Certificate

To upload the certificate to Amazon, issue the command below on the command line.

iam-servercertupload -b domain_com.crt -c chain_cert.pem -k private.key -s NewCertificateName

To verify that your certificate has been uploaded successfully, issue the following command on the command line.

iam-servercertlistbypath

This will give output like the following:

arn:aws:iam::accountnumber:server-certificate/CertLB
arn:aws:iam::accountnumber:server-certificate/CertLBNEW
arn:aws:iam::accountnumber:server-certificate/UATCert
IsTruncated: false

Now it is time to apply the new certificate to the ELB. To do this, issue the following command on the command line.

elb-set-lb-listener-ssl-cert --region eu-west-1 --lb mylb --lb-port 443 --cert-id arn:aws:iam::accountnumber:server-certificate/CertLBNEW

Now open your browser, go to https://domain.com (your own domain) and verify that the latest certificate is being served.
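The browser check above can be scripted. The following is an added example, not code from the original post or from the AWS tools: it connects to the listener with Python's standard ssl module, pulls the served certificate in the form returned by getpeercert(), and checks that it covers the hostname, is inside its validity window and, optionally, carries the serial number of the certificate you just uploaded (readable from the PEM file with openssl x509 -noout -serial). The SAMPLE_CERT dictionary, its dates and the serial are constructed placeholders so the checks can run without a network connection. Note that connecting by IP address instead of hostname fails the name check by design, which is the same mismatch wget reports in the comments below.

```python
"""Check that an ELB HTTPS listener serves the renewed certificate.

Added example (not from the original post). Standard library only: the
certificate is handled as the dict produced by SSLSocket.getpeercert().
"""
import socket
import ssl
import sys
from datetime import datetime, timezone


def fetch_served_cert(hostname, port=443, timeout=10):
    """Open a verified TLS connection (SNI = hostname) and return the peer
    certificate as a getpeercert() dict. A chain that does not verify against
    the system trust store raises ssl.SSLCertVerificationError, which is
    itself a finding worth seeing right after a certificate change."""
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def cert_dns_names(cert):
    """DNS names the certificate is valid for: SAN entries first, then the
    subject commonName for legacy certificates without a SAN extension."""
    names = [value.lower() for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value.lower())
    return names


def hostname_matches(hostname, names):
    """Exact match or a single-label wildcard (*.example.com covers
    www.example.com but not example.com or a.b.example.com). An IP address
    never matches a DNS name, so connecting by address fails here."""
    host = hostname.lower()
    for name in names:
        if name == host:
            return True
        if name.startswith("*.") and host.count(".") == name.count("."):
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False


def evaluate_cert(cert, hostname, expected_serial=None, min_days_left=14, now=None):
    """Return a list of problems; an empty list means the listener serves the
    certificate we expect for this hostname."""
    now = now or datetime.now(timezone.utc)
    problems = []
    names = cert_dns_names(cert)
    if not hostname_matches(hostname, names):
        problems.append(f"{hostname} is not covered by certificate names {names}")
    not_before = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if now < not_before:
        problems.append(f"certificate is not valid before {cert['notBefore']}")
    days_left = (not_after - now).days
    if days_left < min_days_left:
        problems.append(f"certificate expires in {days_left} days ({cert['notAfter']})")
    if expected_serial is not None:
        # getpeercert() gives the serial as upper-case hex without colons;
        # 'openssl x509 -noout -serial' prints serial=HEX. Normalise both.
        served = cert.get("serialNumber", "").upper().lstrip("0")
        wanted = expected_serial.replace(":", "").upper().lstrip("0")
        if served != wanted:
            problems.append(f"served serial {cert.get('serialNumber')} != expected {expected_serial}")
    return problems


# Constructed sample shaped like getpeercert() output, so the checks can be
# exercised offline. Hostnames, dates and the serial are placeholders.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.mydomain.in"),),),
    "issuer": ((("organizationName", "Example CA"),),),
    "serialNumber": "0A1B2C3D",
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "www.mydomain.in"), ("DNS", "mydomain.in")),
}
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


if __name__ == "__main__":
    if len(sys.argv) < 2:  # no host given: run the checks against the sample
        print(evaluate_cert(SAMPLE_CERT, "www.mydomain.in", "0A1B2C3D", now=SAMPLE_NOW))
        print(evaluate_cert(SAMPLE_CERT, "10.10.10.10", now=SAMPLE_NOW))
        sys.exit(0)
    host = sys.argv[1]
    serial = sys.argv[2] if len(sys.argv) > 2 else None
    issues = evaluate_cert(fetch_served_cert(host), host, serial)
    for issue in issues:
        print("PROBLEM:", issue)
    print("OK: listener serves the expected certificate" if not issues else f"{len(issues)} problem(s)")
    sys.exit(1 if issues else 0)
```

Run it as `python3 check_elb_cert.py domain.com 0A1B2C3D` right after elb-set-lb-listener-ssl-cert; a non-zero exit means the listener is still serving the old certificate or the new one does not fit the hostname. Because ELB may keep existing connections on the old listener configuration for a short time, repeat the check after a minute before concluding the change failed.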

4 Comments

  1. Nice guide, worked perfectly up until the last command. It’s missing the --lb switch, so it should be:

    elb-set-lb-listener-ssl-cert --region eu-west-1 --lb mylb --lb-port 443 --cert-id arn:aws:iam::accountnumber:server-certificate/CertLBNEW

  2. Hello, I am getting this error when I do wget for a server IP which is under ELB.

    #wget http://10.10.10.10/
    --20:28:07-- https://10.10.10.10/
    Connecting to 10.10.10.10:443... connected.
    ERROR: certificate common name `www.mydomain.in' doesn't match requested host name `10.10.10.10'.
    To connect to 10.10.10.10 insecurely, use `--no-check-certificate'.
    Unable to establish SSL connection.

    where 10.10.10.10 is my server’s elastic IP.

    I need this to work; what should I do?

    My ELB port configuration is:
    1. ELB port 80 to instance port 80
    2. ELB port 443 to instance port 443

    What changes do I need to make in this?

    Please help me on this.

    Thanks,
    Mahesh

    • Mahesh,

      First you need to change the mapping of 443 on the ELB: it should be mapped to port 80 of your Apache. Once that is done, in your httpd.conf make sure that the "LoadModule headers_module modules/mod_headers.so" line is uncommented.

      After that, in your vhost entry for port 80 add the following entry: RequestHeader set X-Forwarded-Proto "http". Restart your Apache server and try again. This should work.

      Regards,

      Mohan
