Dynamically generated SSL sites

I am building a system on AWS for my client. The client's customers will be able to access a login page and create their own EC2 instance. This EC2 instance will be preconfigured with Tomcat and my client's WAR file auto-deployed. The users will be able to access the web application from the IP address. For example, let's say User A logs onto a portal and clicks on create instance. An instance gets auto-provisioned with a URL (like http://18.xx.xx.xx/MyApplication). User A will be able to do a whole bunch of activities on this web site.
Now, is there any way that I can dynamically enable SSL on these? I would need to generate SSL certificates on the fly and attach them to the URL. Ideally User A should be able to access https://18.xx.xx.xx/MyApplication. Self-signed certificates will not cut the ice. This might be rudimentary, but I have limited knowledge of SSL. Any help/tips/links to URLs would be greatly appreciated.



For additional clarity - these instances will not be clustered. User A will have his own instance and his own application. User B will have his own instance and his own application. User A and User B's instances will not be clustered. I need to ensure that User A's instance when created has SSL enabled automatically.

Cheers!
VJ

java amazon-web-services tomcat ssl amazon-route53

edited Nov 13 at 9:17
asked Nov 13 at 8:28
Knerdist

2 Answers

You may want to set up a DNS with hostnames for each instance. Maybe hostnames like 18-xxx-xxx-xxx.yourdomain.com where "18-xxx-xxx-xxx" is the IP address with "-" instead of ".".

For such hostnames you can generate and renew Let's Encrypt certificates programmatically. There exist programs in standard Linux repos for generating Let's Encrypt certificates. You cannot generate certificates for IPs. That's why you have to set up hostnames in the first place.

Now you just have to set up the certificate for your Tomcat (programmatically).

edited Nov 13 at 9:01
answered Nov 13 at 8:34
Fabian Barney

• "You cannot generate certificates for IPs" using Let's Encrypt or any other public CA is 100% correct.
  – Michael - sqlbot
  Nov 13 at 13:35
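
The steps in this answer as an added example, not code from the original answer: derive the dashed hostname from the instance's public IP, publish it in Route 53, obtain a Let's Encrypt certificate with certbot, and package it as a PKCS#12 keystore for Tomcat. The function names are hypothetical, and DOMAIN (apps.example.com), ZONE_ID, ACME_EMAIL, KEYSTORE and KEYSTORE_PASS are assumed placeholders.

```shell
#!/bin/sh
# Added example, not code from the answer. DOMAIN, ZONE_ID, ACME_EMAIL,
# KEYSTORE and KEYSTORE_PASS are assumed placeholders set by the caller.
DOMAIN=${DOMAIN:-apps.example.com}
KEYSTORE=${KEYSTORE:-/opt/tomcat/conf/keystore.p12}

# 18.0.2.10 -> 18-0-2-10.apps.example.com. Accepts only four decimal octets
# in 0..255, so nothing else can end up in a DNS name or a command line.
ip_to_hostname() {
    ip=$1; domain=$2
    case $ip in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    printf '%s-%s-%s-%s.%s\n' "$1" "$2" "$3" "$4" "$domain"
}

# Route 53 change batch that creates or updates the A record for the host.
route53_upsert_json() {
    printf '{"Changes":[{"Action":"UPSERT","ResourceRecordSet":{'
    printf '"Name":"%s","Type":"A","TTL":60,' "$1"
    printf '"ResourceRecords":[{"Value":"%s"}]}}]}\n' "$2"
}

# Full procedure for one instance; needs AWS credentials, certbot and openssl.
provision_tls() {
    host=$(ip_to_hostname "$1" "$DOMAIN") || { echo "invalid IP: $1" >&2; return 1; }
    change_id=$(aws route53 change-resource-record-sets \
        --hosted-zone-id "$ZONE_ID" \
        --change-batch "$(route53_upsert_json "$host" "$1")" \
        --query ChangeInfo.Id --output text) || return 1
    # The CA resolves the hostname before validating, so wait for the record.
    aws route53 wait resource-record-sets-changed --id "$change_id" || return 1
    certbot certonly --standalone --non-interactive --agree-tos \
        -m "$ACME_EMAIL" -d "$host" || return 1
    live=/etc/letsencrypt/live/$host
    # Tomcat reads PKCS#12 keystores; KEYSTORE_PASS must be exported.
    ( umask 077
      openssl pkcs12 -export -name tomcat \
        -in "$live/fullchain.pem" -inkey "$live/privkey.pem" \
        -out "$KEYSTORE" -passout env:KEYSTORE_PASS ) || return 1
    echo "https://$host/ ready; point Tomcat's HTTPS connector at $KEYSTORE"
}

# Runs only when asked to, e.g. from EC2 user data: sh script.sh --provision IP
if [ "${1:-}" = "--provision" ]; then provision_tls "$2"; fi
```

Port 80 on the instance must be reachable from the internet while certbot runs in standalone mode, and Let's Encrypt rate-limits issuance per registered domain, which matters when many instances share one parent domain.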














There are several solutions from AWS that can work for this case, revolving around CloudFormation specifically.

For pre-configured Tomcat and WAR file, and even application, you can create a custom AMI.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html

For each deployment, you can use a CloudFormation template to automate provisioning of this AMI.

For SSL, with some CloudFormation templating, you can include an AWS ALB that listens on HTTPS and targets the new server on each deployment. Also, you can provision the new certificate and attach it to the LB.

Here are the useful links:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-certificatemanager-certificate.html

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticloadbalancingv2-listener-certificates.html

answered Nov 13 at 9:00
Bernardo Salazar

• Thanks. However let me clarify. These instances will not be clustered. For e.g. User A has his own instance and his own server. User B has his own instance and his own server. Hence when an instance for User A needs to be provisioned, the access will be only for him and needs to be SSL enabled. I already use CloudFormation for automatically provisioning Tomcat and the WAR file, I am stuck on the auto generation of SSL certificates.
  – Knerdist
  Nov 13 at 9:14

• Maybe you can abstract SSL from the app server and move it to the load balancer. And use CF + ACM to provision the certificate dynamically. Do you control the DNS routes?
  – Bernardo Salazar
  Nov 13 at 9:49
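
A sketch of the ALB + ACM approach from this answer, as an added example rather than the answer author's code: a provisioning script writes a CloudFormation template that requests a DNS-validated ACM certificate for one instance's hostname, terminates HTTPS on an ALB in front of that single Tomcat instance, and aliases the hostname to the ALB. The function and parameter names, Tomcat port 8080, the "tls-" stack prefix and the ZONE_ID, VPC_ID, SUBNET_IDS and ALB_SG variables are assumptions.

```shell
#!/bin/sh
# Added example, not code from the answer; all names here are assumptions.

# Stack names must start with a letter and use only letters, digits, hyphens.
stack_name_for() {
    printf 'tls-%s\n' "$(printf '%s\n' "$1" | sed 's/[^A-Za-z0-9]/-/g')"
}

# Write the per-instance template; the quoted delimiter keeps it literal.
write_tls_template() {
    cat > "$1" <<'YAML'
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  HostName: {Type: String}
  HostedZoneId: {Type: 'AWS::Route53::HostedZone::Id'}
  InstanceId: {Type: 'AWS::EC2::Instance::Id'}
  VpcId: {Type: 'AWS::EC2::VPC::Id'}
  SubnetIds: {Type: 'List<AWS::EC2::Subnet::Id>'}
  AlbSecurityGroup: {Type: 'AWS::EC2::SecurityGroup::Id'}
Resources:
  Certificate:                      # ACM validates via a record in the zone
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: !Ref HostName
      ValidationMethod: DNS
      DomainValidationOptions:
        - DomainName: !Ref HostName
          HostedZoneId: !Ref HostedZoneId
  LoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: application
      Scheme: internet-facing
      Subnets: !Ref SubnetIds
      SecurityGroups:
        - !Ref AlbSecurityGroup
  TomcatTargets:                    # exactly one target: this user's instance
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VpcId
      Protocol: HTTP
      Port: 8080
      TargetType: instance
      Targets:
        - Id: !Ref InstanceId
  HttpsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref LoadBalancer
      Protocol: HTTPS
      Port: 443
      Certificates:
        - CertificateArn: !Ref Certificate
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref TomcatTargets
  DnsAlias:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref HostedZoneId
      Name: !Ref HostName
      Type: A
      AliasTarget:
        DNSName: !GetAtt LoadBalancer.DNSName
        HostedZoneId: !GetAtt LoadBalancer.CanonicalHostedZoneID
YAML
}

# usage: deploy_tls_stack HOSTNAME INSTANCE_ID   (needs AWS credentials)
deploy_tls_stack() {
    tpl=$(mktemp) || return 1
    write_tls_template "$tpl"
    aws cloudformation deploy --template-file "$tpl" \
        --stack-name "$(stack_name_for "$1")" \
        --parameter-overrides "HostName=$1" "InstanceId=$2" \
            "HostedZoneId=$ZONE_ID" "VpcId=$VPC_ID" \
            "SubnetIds=$SUBNET_IDS" "AlbSecurityGroup=$ALB_SG"
    status=$?; rm -f "$tpl"; return $status
}
```

ACM issues public certificates for DNS names only, so this route also depends on controlling a hosted zone for the per-instance hostnames.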

















