Dynamically generated SSL sites
I am building a system on AWS for my client. The client's customers will be able to access a login page and create their own EC2 instance. This EC2 instance will be pre configured with Tomcat and my client's war file auto deployed. The users will be able to access the web application from the ip address. For e.g. Lets say User A logs onto a portal. Clicks on create instance. An instance gets auto provisioned with a URL (like http://18.xx.xx.xx/MyApplication). User A will be able to do a whole bunch of activities on this web site.
Now, is there any way that I can dynamically enable SSL on these. I would need to generate SSL certificates on the fly and attach it to the URL. Ideally UserA should be able to access https://18.xx.xx.xx/MyApplication. Self signed certificates will not cut the ice. This might be rudimentary, but I have limited knowledge on SSL. Any help/tips/links to URLs would be greatly appreciated.
For additional clarity - these instances will not be clustered. User A will have his own instance and his own application. User B will have his own instance and his own application. User A and User B's instances will not be clustered. I need to ensure that User A's instance when created has SSL enabled automatically.
Cheers!
VJ
java amazon-web-services tomcat ssl amazon-route53
asked Nov 13 at 8:28
Knerdist
1613
add a comment |
I am building a system on AWS for my client. The client's customers will be able to access a login page and create their own EC2 instance. This EC2 instance will be pre configured with Tomcat and my client's war file auto deployed. The users will be able to access the web application from the ip address. For e.g. Lets say User A logs onto a portal. Clicks on create instance. An instance gets auto provisioned with a URL (like http://18.xx.xx.xx/MyApplication). User A will be able to do a whole bunch of activities on this web site.
Now, is there any way that I can dynamically enable SSL on these. I would need to generate SSL certificates on the fly and attach it to the URL. Ideally UserA should be able to access https://18.xx.xx.xx/MyApplication. Self signed certificates will not cut the ice. This might be rudimentary, but I have limited knowledge on SSL. Any help/tips/links to URLs would be greatly appreciated.
For additional clarity - these instances will not be clustered. User A will have his own instance and his own application. User B will have his own instance and his own application. User A and User B's instances will not be clustered. I need to ensure that User A's instance when created has SSL enabled automatically.
Cheers!
VJ
java amazon-web-services tomcat ssl amazon-route53
asked Nov 13 at 8:28
Knerdist
1613
add a comment |
I am building a system on AWS for my client. The client's customers will be able to access a login page and create their own EC2 instance. This EC2 instance will be pre configured with Tomcat and my client's war file auto deployed. The users will be able to access the web application from the ip address. For e.g. Lets say User A logs onto a portal. Clicks on create instance. An instance gets auto provisioned with a URL (like http://18.xx.xx.xx/MyApplication). User A will be able to do a whole bunch of activities on this web site.
Now, is there any way that I can dynamically enable SSL on these. I would need to generate SSL certificates on the fly and attach it to the URL. Ideally UserA should be able to access https://18.xx.xx.xx/MyApplication. Self signed certificates will not cut the ice. This might be rudimentary, but I have limited knowledge on SSL. Any help/tips/links to URLs would be greatly appreciated.
For additional clarity - these instances will not be clustered. User A will have his own instance and his own application. User B will have his own instance and his own application. User A and User B's instances will not be clustered. I need to ensure that User A's instance when created has SSL enabled automatically.
Cheers!
VJ
java amazon-web-services tomcat ssl amazon-route53
asked Nov 13 at 8:28
Knerdist
1613
I am building a system on AWS for my client. The client's customers will be able to access a login page and create their own EC2 instance. This EC2 instance will be pre configured with Tomcat and my client's war file auto deployed. The users will be able to access the web application from the ip address. For e.g. Lets say User A logs onto a portal. Clicks on create instance. An instance gets auto provisioned with a URL (like http://18.xx.xx.xx/MyApplication). User A will be able to do a whole bunch of activities on this web site.
Now, is there any way that I can dynamically enable SSL on these. I would need to generate SSL certificates on the fly and attach it to the URL. Ideally UserA should be able to access https://18.xx.xx.xx/MyApplication. Self signed certificates will not cut the ice. This might be rudimentary, but I have limited knowledge on SSL. Any help/tips/links to URLs would be greatly appreciated.
For additional clarity - these instances will not be clustered. User A will have his own instance and his own application. User B will have his own instance and his own application. User A and User B's instances will not be clustered. I need to ensure that User A's instance when created has SSL enabled automatically.
Cheers!
VJ
java amazon-web-services tomcat ssl amazon-route53
java amazon-web-services tomcat ssl amazon-route53
asked Nov 13 at 8:28
Knerdist
1613
asked Nov 13 at 8:28
Knerdist
1613
edited Nov 13 at 9:17
asked Nov 13 at 8:28
Knerdist
1613
asked Nov 13 at 8:28
Knerdist
1613
asked Nov 13 at 8:28
Knerdist
1613
1613
add a comment |
add a comment |
2 Answers
2
active
oldest
votes
You may want to setup a DNS with hostnames for each instance. Maybe hostnames like 18-xxx-xxx-xxx.yourdomain.com where "18-xxx-xxx-xxx" is the IP address with - instead of ..
For such hostnames you can generate and renew Let's Encrypt certificates programatically. There exist programs in standard linux repos for generating Let's Encrypt certificates. You cannot generate certificates for IPs. That's why you have to setup hostnames in the first place.
Now you just have to setup the certificate for your Tomcat (programatically).
answered Nov 13 at 8:34
Fabian Barney
10.8k32958
1
"You cannot generate certificates for IPs" using Let's Encrypt or any other public CA is 100% correct.
– Michael - sqlbot
Nov 13 at 13:35
add a comment |
There's several solutions from AWS that can work for this case, revolving around CloudFormation specifically.
For pre-configured Tomcat and WAR file, and even application, you can create a custom AMI.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html
For each deployment, you can use a CloudFormation template to automate provisioning of this AMI.
For SSL, with some CloudFormation templating, you can include an AWS ALB that listens on HTTPS and targets the new server on each deployment. Also, you can provision the new certificate and attach it to the LB.
Here's the useful links:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-certificatemanager-certificate.html
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticloadbalancingv2-listener-certificates.html
answered Nov 13 at 9:00
Bernardo Salazar
487
Thanks. However let me clarify. These instances will not be clustered. For e.g. User A has his own instance and his own Server. User B has his own instance and his own server. Hence when an instance for User A needs to be provisioned, the access will be only for him and needs to be SSL enabled. I already use cloudformation for automatically provisioning tomcat and the war file, I am stuck on the auto generation of ssl certificates.
– Knerdist
Nov 13 at 9:14
Maybe you can abstract SSL from the app server and move it to the load balancer. And use CF + ACM to provision the certificate dynamically. Do you control the DNS routes?
– Bernardo Salazar
Nov 13 at 9:49
add a comment |
Your Answer
StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53276752%2fdynamically-generated-ssl-sites%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
You may want to setup a DNS with hostnames for each instance. Maybe hostnames like 18-xxx-xxx-xxx.yourdomain.com where "18-xxx-xxx-xxx" is the IP address with - instead of ..
For such hostnames you can generate and renew Let's Encrypt certificates programatically. There exist programs in standard linux repos for generating Let's Encrypt certificates. You cannot generate certificates for IPs. That's why you have to setup hostnames in the first place.
Now you just have to setup the certificate for your Tomcat (programatically).
answered Nov 13 at 8:34
Fabian Barney
10.8k32958
1
"You cannot generate certificates for IPs" using Let's Encrypt or any other public CA is 100% correct.
– Michael - sqlbot
Nov 13 at 13:35
add a comment |
You may want to setup a DNS with hostnames for each instance. Maybe hostnames like 18-xxx-xxx-xxx.yourdomain.com where "18-xxx-xxx-xxx" is the IP address with - instead of ..
For such hostnames you can generate and renew Let's Encrypt certificates programatically. There exist programs in standard linux repos for generating Let's Encrypt certificates. You cannot generate certificates for IPs. That's why you have to setup hostnames in the first place.
Now you just have to setup the certificate for your Tomcat (programatically).
answered Nov 13 at 8:34
Fabian Barney
10.8k32958
1
"You cannot generate certificates for IPs" using Let's Encrypt or any other public CA is 100% correct.
– Michael - sqlbot
Nov 13 at 13:35
add a comment |
You may want to setup a DNS with hostnames for each instance. Maybe hostnames like 18-xxx-xxx-xxx.yourdomain.com where "18-xxx-xxx-xxx" is the IP address with - instead of ..
For such hostnames you can generate and renew Let's Encrypt certificates programatically. There exist programs in standard linux repos for generating Let's Encrypt certificates. You cannot generate certificates for IPs. That's why you have to setup hostnames in the first place.
Now you just have to setup the certificate for your Tomcat (programatically).
answered Nov 13 at 8:34
Fabian Barney
10.8k32958
You may want to setup a DNS with hostnames for each instance. Maybe hostnames like 18-xxx-xxx-xxx.yourdomain.com where "18-xxx-xxx-xxx" is the IP address with - instead of ..
For such hostnames you can generate and renew Let's Encrypt certificates programatically. There exist programs in standard linux repos for generating Let's Encrypt certificates. You cannot generate certificates for IPs. That's why you have to setup hostnames in the first place.
Now you just have to setup the certificate for your Tomcat (programatically).
answered Nov 13 at 8:34
Fabian Barney
10.8k32958
edited Nov 13 at 9:01
answered Nov 13 at 8:34
Fabian Barney
10.8k32958
answered Nov 13 at 8:34
Fabian Barney
10.8k32958
answered Nov 13 at 8:34
Fabian Barney
10.8k32958
10.8k32958
1
"You cannot generate certificates for IPs" using Let's Encrypt or any other public CA is 100% correct.
– Michael - sqlbot
Nov 13 at 13:35
add a comment |
1
"You cannot generate certificates for IPs" using Let's Encrypt or any other public CA is 100% correct.
– Michael - sqlbot
Nov 13 at 13:35
1
1
"You cannot generate certificates for IPs" using Let's Encrypt or any other public CA is 100% correct.
– Michael - sqlbot
Nov 13 at 13:35
"You cannot generate certificates for IPs" using Let's Encrypt or any other public CA is 100% correct.
– Michael - sqlbot
Nov 13 at 13:35
add a comment |
There's several solutions from AWS that can work for this case, revolving around CloudFormation specifically.
For pre-configured Tomcat and WAR file, and even application, you can create a custom AMI.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html
For each deployment, you can use a CloudFormation template to automate provisioning of this AMI.
For SSL, with some CloudFormation templating, you can include an AWS ALB that listens on HTTPS and targets the new server on each deployment. Also, you can provision the new certificate and attach it to the LB.
Here's the useful links:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-certificatemanager-certificate.html
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticloadbalancingv2-listener-certificates.html
answered Nov 13 at 9:00
Bernardo Salazar
487
Thanks. However let me clarify. These instances will not be clustered. For e.g. User A has his own instance and his own Server. User B has his own instance and his own server. Hence when an instance for User A needs to be provisioned, the access will be only for him and needs to be SSL enabled. I already use cloudformation for automatically provisioning tomcat and the war file, I am stuck on the auto generation of ssl certificates.
– Knerdist
Nov 13 at 9:14
Maybe you can abstract SSL from the app server and move it to the load balancer. And use CF + ACM to provision the certificate dynamically. Do you control the DNS routes?
– Bernardo Salazar
Nov 13 at 9:49
add a comment |
There's several solutions from AWS that can work for this case, revolving around CloudFormation specifically.
For pre-configured Tomcat and WAR file, and even application, you can create a custom AMI.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html
For each deployment, you can use a CloudFormation template to automate provisioning of this AMI.
For SSL, with some CloudFormation templating, you can include an AWS ALB that listens on HTTPS and targets the new server on each deployment. Also, you can provision the new certificate and attach it to the LB.
Here's the useful links:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-certificatemanager-certificate.html
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticloadbalancingv2-listener-certificates.html
answered Nov 13 at 9:00
Bernardo Salazar
487
Thanks. However let me clarify. These instances will not be clustered. For e.g. User A has his own instance and his own Server. User B has his own instance and his own server. Hence when an instance for User A needs to be provisioned, the access will be only for him and needs to be SSL enabled. I already use cloudformation for automatically provisioning tomcat and the war file, I am stuck on the auto generation of ssl certificates.
– Knerdist
Nov 13 at 9:14
Maybe you can abstract SSL from the app server and move it to the load balancer. And use CF + ACM to provision the certificate dynamically. Do you control the DNS routes?
– Bernardo Salazar
Nov 13 at 9:49
add a comment |
There's several solutions from AWS that can work for this case, revolving around CloudFormation specifically.
For pre-configured Tomcat and WAR file, and even application, you can create a custom AMI.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html
For each deployment, you can use a CloudFormation template to automate provisioning of this AMI.
For SSL, with some CloudFormation templating, you can include an AWS ALB that listens on HTTPS and targets the new server on each deployment. Also, you can provision the new certificate and attach it to the LB.
Here's the useful links:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-certificatemanager-certificate.html
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticloadbalancingv2-listener-certificates.html
answered Nov 13 at 9:00
Bernardo Salazar
487
There's several solutions from AWS that can work for this case, revolving around CloudFormation specifically.
For pre-configured Tomcat and WAR file, and even application, you can create a custom AMI.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html
For each deployment, you can use a CloudFormation template to automate provisioning of this AMI.
For SSL, with some CloudFormation templating, you can include an AWS ALB that listens on HTTPS and targets the new server on each deployment. Also, you can provision the new certificate and attach it to the LB.
Here's the useful links:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-certificatemanager-certificate.html
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticloadbalancingv2-listener-certificates.html
answered Nov 13 at 9:00
Bernardo Salazar
487
answered Nov 13 at 9:00
Bernardo Salazar
487
answered Nov 13 at 9:00
Bernardo Salazar
487
answered Nov 13 at 9:00
Bernardo Salazar
487
487
Thanks. However let me clarify. These instances will not be clustered. For e.g. User A has his own instance and his own Server. User B has his own instance and his own server. Hence when an instance for User A needs to be provisioned, the access will be only for him and needs to be SSL enabled. I already use cloudformation for automatically provisioning tomcat and the war file, I am stuck on the auto generation of ssl certificates.
– Knerdist
Nov 13 at 9:14
Maybe you can abstract SSL from the app server and move it to the load balancer. And use CF + ACM to provision the certificate dynamically. Do you control the DNS routes?
– Bernardo Salazar
Nov 13 at 9:49
add a comment |
Thanks. However let me clarify. These instances will not be clustered. For e.g. User A has his own instance and his own Server. User B has his own instance and his own server. Hence when an instance for User A needs to be provisioned, the access will be only for him and needs to be SSL enabled. I already use cloudformation for automatically provisioning tomcat and the war file, I am stuck on the auto generation of ssl certificates.
– Knerdist
Nov 13 at 9:14
Maybe you can abstract SSL from the app server and move it to the load balancer. And use CF + ACM to provision the certificate dynamically. Do you control the DNS routes?
– Bernardo Salazar
Nov 13 at 9:49
Thanks. However let me clarify. These instances will not be clustered. For e.g. User A has his own instance and his own Server. User B has his own instance and his own server. Hence when an instance for User A needs to be provisioned, the access will be only for him and needs to be SSL enabled. I already use cloudformation for automatically provisioning tomcat and the war file, I am stuck on the auto generation of ssl certificates.
– Knerdist
Nov 13 at 9:14
Thanks. However let me clarify. These instances will not be clustered. For e.g. User A has his own instance and his own Server. User B has his own instance and his own server. Hence when an instance for User A needs to be provisioned, the access will be only for him and needs to be SSL enabled. I already use cloudformation for automatically provisioning tomcat and the war file, I am stuck on the auto generation of ssl certificates.
– Knerdist
Nov 13 at 9:14
Maybe you can abstract SSL from the app server and move it to the load balancer. And use CF + ACM to provision the certificate dynamically. Do you control the DNS routes?
– Bernardo Salazar
Nov 13 at 9:49
Maybe you can abstract SSL from the app server and move it to the load balancer. And use CF + ACM to provision the certificate dynamically. Do you control the DNS routes?
– Bernardo Salazar
Nov 13 at 9:49
add a comment |
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53276752%2fdynamically-generated-ssl-sites%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
