(3 of 4) Amazon ELB Multi-domain SSL forwarding to NGINX and Play Servers

Posted on Wednesday, April 10, 2013

(3 of 4 Signed Multi-domain ssl certificate from godaddy)

This guide goes over setting up an ELB with a multi-domain SSL certificate.  The servers attached to the ELB will run multiple Play servers on different ports with an nginx server running in front of them to handle routing based on domain/subdomain names.

I know that is quite a mouthful but here is what I am trying to accomplish….

I want to run more than one Play Server on an ec2 instance.  Each Play Server will run on its own port.   I want to have a domain name to route to a specific Play server.  Ex.  www.example.com routes to the Play server running on port 9000 and  www2.example.com routes to the Play server running on port 8000.   In addition I want all the communication to be secure using ssl certificates.

For an individual server you could simply put an nginx server in front of the Play servers and have nginx handle routing based on domain name.  But, in this case I want to add an AWS ELB (Elastic Load Balancer) in front of several EC2 machines.

Here is what I have found out thus far.   The ELB can handle the ssl certificate, but it can only have one certificate per ELB.  This forces you to use a multi-domain SSL certificate.   Also the ELB cannot port forward based on domain name so you still need an nginx server in front of the Play servers.

I want something like this.  The ELB handles the certificate and the nginx server handles the domain name routing.

Create an SSL certificate

On the Ubuntu 12.10 machine run the following to create a private key and a certificate signing request (CSR).  The signed certificate itself comes from godaddy.com in the next section.

Create a directory to save the ssl files (temporarily)

>  cd
>  mkdir ssl
>  cd ssl

Create the whiteboardcoder server key

>  openssl genrsa -des3 -out whiteboardcoder.key 2048

Enter a passphrase.  For mine I put TEST as I was going to remove it later anyway

Create the certificate signing request

>  openssl req -new -key whiteboardcoder.key -out whiteboardcoder.csr

It will ask for the passphrase here; enter it, then fill in your relevant information.

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Colorado
Locality Name (eg, city) []:Superior
Organization Name (eg, company) [Internet Widgits Pty Ltd]:10x13
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:ssl-test.whiteboardcoder.com
Email Address []: myemail@10x13.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

At this point it's a good idea to remove the passphrase from the key (as every time you restart your server you will have to reenter this phrase).  Once the passphrase is gone the key is protected only by file permissions, so make it readable by root alone (chmod 600) and keep the passphrased .BACK copy somewhere safe rather than on the web server.

> cp whiteboardcoder.key whiteboardcoder.key.BACK
> openssl rsa -in whiteboardcoder.key.BACK -out whiteboardcoder.key
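The whole key-and-CSR step as one script, added here as an example and not part of the original post. It does what the commands above do, but non-interactively, and it asks for both hostnames in the CSR's subjectAltName from the start (ssl-test2.whiteboardcoder.com is assumed as the second name, matching the one this post has to add by hand later). It also creates the key files with owner-only permissions and checks the CSR before it is pasted anywhere. Filenames and DN values are the post's own; TEST is the same throwaway passphrase the post uses. A CA may still require the extra names to be entered and verified in its own portal, as godaddy.com does below, whatever the CSR carries.

```shell
#!/bin/sh
# Added example (not from the original post): the key + CSR step done
# non-interactively, with both hostnames in subjectAltName, the passphrase
# stripped, and the result checked before it goes to the CA.
set -eu

# Post's own primary name; ssl-test2 is assumed as the second UCC name.
PRIMARY=ssl-test.whiteboardcoder.com
ALT=ssl-test2.whiteboardcoder.com

# Generate the key (passphrased copy kept as .BACK, working copy stripped),
# then a CSR that names both hosts. Everything is written into $1.
make_key_and_csr() {
    dir=$1
    mkdir -p "$dir"
    # umask in a subshell so the key files are created 0600 from the start
    # instead of being chmod'ed down after they already exist world-readable.
    ( umask 077
      openssl genrsa -des3 -passout pass:TEST \
          -out "$dir/whiteboardcoder.key.BACK" 2048 2>/dev/null
      openssl rsa -in "$dir/whiteboardcoder.key.BACK" -passin pass:TEST \
          -out "$dir/whiteboardcoder.key" 2>/dev/null )
    # Non-interactive DN (the values typed at the prompts in the post) plus
    # the SAN list; prompt = no makes openssl read the DN from the file.
    cat > "$dir/csr.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions     = san
default_md         = sha256
prompt             = no

[ dn ]
C  = US
ST = Colorado
L  = Superior
O  = 10x13
CN = $PRIMARY

[ san ]
subjectAltName = DNS:$PRIMARY, DNS:$ALT
EOF
    openssl req -new -key "$dir/whiteboardcoder.key" \
        -config "$dir/csr.cnf" -out "$dir/whiteboardcoder.csr"
}

# True if the PEM key file is still passphrase-protected.
key_is_encrypted() {
    grep -q ENCRYPTED "$1"
}

# Print the SAN list of a CSR, comma-separated, no spaces.
csr_sans() {
    openssl req -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' | tr -d ' '
}

# Self-signature check: the CSR really was signed by the key inside it.
csr_verifies() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Run it: ./make-csr.sh ~/ssl
if [ $# -ge 1 ]; then
    make_key_and_csr "$1"
    csr_verifies "$1/whiteboardcoder.csr"
    echo "CSR names: $(csr_sans "$1/whiteboardcoder.csr")"
    if key_is_encrypted "$1/whiteboardcoder.key"; then
        echo "WARNING: working key still has a passphrase" >&2
    fi
    echo "paste the contents of $1/whiteboardcoder.csr into the CA's form"
fi
```

The .BACK file still holds the passphrased key, which is why both files are created under umask 077; after the certificate is issued, move the .BACK copy off the server.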

Now to get a signed certificate from godaddy.com

Signed certificate from godaddy.com

For this example I am going to go buy a multi-domain ssl certificate from godaddy.com


Remember this costs real money!
Here are the steps I followed to purchase my own SSL certificates.

Log into your godaddy.com account then select "All Products" And click on SSL & Security

Scroll down and select the "Multiple Domains UCC"

I selected a 1 yr agreement with up to 5 domains and then clicked "add to cart"

Godaddy is always trying to upsell you on something.  I added nothing and clicked next

I clicked on the promo code option (there is always some kind of promo code for godaddy.com out there)

I found one for 33% off.   Not sure if it will work for you but it was iapwd33m  (used 3/28/2013 successfully)

That reduced my costs down to $60.29 for a 1 year certificate.   I then clicked on checkout

A login screen popped up (probably just to make sure)

I confirmed my billing information and then clicked on "Place Your Order"

After this I got a confirmation page and an email sent to me.

Obtain the SSL certificate

After logging into your godaddy.com account select "All Products" then SSL & Security and finally click on "SSL Certificate Management"

Click on "SSL Certificates" to open the ssl certificate tools.  Then click on the setup button.

I got this notice about when the certificate will expire.  Click Setup.

I then got this SSL certificate added successfully notification.

Close it.

OK, it looks like it disappeared….

Looks like I just had to wait a minute and refresh the page to have it come up.

Click on Launch

This page should come up.

Get Certificate Signing Request 

From my ubuntu server I ran this cat command to get the text of the .csr file

>  cd
>  cd ssl
>  cat whiteboardcoder.csr

Select Third party and paste your csr text into the text box (I am of course blacking mine out).

Click next.

You should see your domain name here.  Click next.

Click on Finished

This new screen will come up and you can see that you have 1 request in the pending state.

Now you have to play the waiting game.  I waited 16 minutes before I realized I was the hold up… It sent me an email asking that I verify this certificate.  It sent an email to the person they found on the whois for the domain.


Clicking the link godaddy.com sent me in my email opened this page, where I clicked on approve.


After this they sent another email out with a link that when clicked on opened the same godaddy ssl tool.  I do not think you need to click on this link to keep the process going.

Now we play the waiting game….
10 minutes….
20 minutes….
30 minutes…

If I click on "what's the hold up?" 
I get this screen.

It talks about 2-24 hrs to check the name.  I guess something about my name looks funny.  I hope you do not run into this, but it looks like I get to wait a bit for approval.

In my case it took almost 4 hours to get the certificate approved.
I hope you do not run into the issue I did :)

Click On Certificates

Check the box of the certificate you want to download then click the Download button.

Select the type of certificate you want to download, in my case I chose Nginx.   Then click Download.

It will download the certificate in a zip file.  

In that zip file there should be two files: gd_bundle.crt (GoDaddy's intermediate CA chain, which the server has to send along with your certificate) and your ssl certificate .crt

Oops, I need to add alternate Names

This certificate, as it stands, is only good for ssl-test.whiteboardcoder.com.  I need to add ssl-test2.whiteboardcoder.com to it.

To fix this do the following

Select the certificate and then click Manage.

Enter the second domain name and click Add.

Click OK

That change has become a Pending Request…

It sent another verification email out I had to click on to approve as the domain owner.

Clicking on the "What's the hold up" Link got me

The same phishing issue again…  I guess it's not a good idea to have ssl in your domain name?
This time it took less than an hour to get approved.

Now if I click on certificate I will see that there are two present

If I click on the first certificate I see this.

I guess they give you a little bit of overlap so you can update your certificates within the next 24 hours.

Select the second (new) certificate and click Download

This time I selected Other and clicked download.

A zip file downloads.

Inside is an ssl-test.whiteboardcoder.com.crt file.  Open it in a text editor.  This text will be used in the ELB later.
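Before that text goes into the ELB it is worth checking what came back. The script below is an added example, not part of the original post or of godaddy.com's tooling: it checks that the issued certificate matches the private key the CSR was made from, that both hostnames (ssl-test2.whiteboardcoder.com assumed as the second UCC name) are in subjectAltName, that the leaf chains to gd_bundle.crt, and that it has not expired. A real download cannot be included here, so the script builds a constructed stand-in (a throwaway CA playing gd_bundle.crt, signing a two-name leaf) to run against offline; point preflight at the directory holding the real files, named as in this post, to check those instead.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks on the
# files the CA hands back before the certificate is pasted into the ELB.
# The "issued" certificate used for the offline run is a constructed
# stand-in signed by a throwaway CA.
set -eu

PRIMARY=ssl-test.whiteboardcoder.com
ALT=ssl-test2.whiteboardcoder.com   # assumed second UCC name

# Build the stand-in download in $1: a self-signed CA standing in for
# gd_bundle.crt, a leaf for both names standing in for the issued .crt,
# plus an unrelated key (other.key) to show the key-match check failing.
make_sample_download() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/ext.cnf" <<EOF
[ req ]
distinguished_name = dn
default_md         = sha256
prompt             = no
[ dn ]
CN = Constructed sample CA
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ leaf_ext ]
subjectAltName = DNS:$PRIMARY, DNS:$ALT
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
        -config "$dir/ext.cnf" -extensions ca_ext -days 1 \
        -out "$dir/gd_bundle.crt" 2>/dev/null
    openssl genrsa -out "$dir/whiteboardcoder.key" 2048 2>/dev/null
    openssl genrsa -out "$dir/other.key" 2048 2>/dev/null
    openssl req -new -key "$dir/whiteboardcoder.key" -config "$dir/ext.cnf" \
        -subj "/CN=$PRIMARY" -out "$dir/request.csr" 2>/dev/null
    openssl x509 -req -in "$dir/request.csr" -CA "$dir/gd_bundle.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 1 \
        -extfile "$dir/ext.cnf" -extensions leaf_ext \
        -out "$dir/$PRIMARY.crt" 2>/dev/null
}

# 1. The certificate must carry the public half of our private key.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
      "$(openssl rsa -in "$2" -pubout 2>/dev/null)" ]
}

# 2. Each name nginx will serve must be in subjectAltName; browsers ignore
#    the CN once SANs are present, so the CN alone is not enough.
cert_covers() {
    crt=$1
    name=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for grep -E
    openssl x509 -in "$crt" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | grep -qE "DNS:$name"'(,|$)'
}

# 3. The leaf must chain to the bundle. The stand-in bundle is a self-signed
#    root, so -CAfile is the right flag here; a real gd_bundle.crt holds
#    intermediates, which you would pass with -untrusted and let the system
#    root store finish the chain.
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 4. Still valid for at least $2 more days (-checkend takes seconds).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# All four checks against a directory laid out like the post's download.
preflight() {
    dir=$1
    crt="$dir/$PRIMARY.crt"
    cert_matches_key "$crt" "$dir/whiteboardcoder.key" \
        || { echo "cert does not match whiteboardcoder.key" >&2; return 1; }
    for n in "$PRIMARY" "$ALT"; do
        cert_covers "$crt" "$n" || { echo "cert does not cover $n" >&2; return 1; }
    done
    chain_verifies "$dir/gd_bundle.crt" "$crt" \
        || { echo "cert does not chain to gd_bundle.crt" >&2; return 1; }
    cert_valid_for_days "$crt" 0 || { echo "cert has expired" >&2; return 1; }
    echo "preflight OK: $crt"
}

# Run it: ./preflight.sh <dir with the downloaded files>
if [ $# -ge 1 ]; then
    preflight "$1"
fi
```

The key-match check is the one that catches the most common mistake at this stage: generating a fresh key on the server while the CSR (and so the issued certificate) belongs to the one in ~/ssl.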

Here is a link to all the guides in this series
1  - http://www.whiteboardcoder.com/2013/04/1-of-4-amazon-elb-multi-domain-ssl.html
2  - http://www.whiteboardcoder.com/2013/04/2-of-4-amazon-elb-multi-domain-ssl.html
3  - http://www.whiteboardcoder.com/2013/04/3-of-4-amazon-elb-multi-domain-ssl.html
4  - http://www.whiteboardcoder.com/2013/04/4-of-4-amazon-elb-multi-domain-ssl.html
