我是AWS新手,让我的基于Java的RESTAPI在单实例EBS上工作。现在我正在尝试将SSL证书安装到上面的单实例EBS中,以便它可以用于https请求。
我正在尝试在我的Windows计算机上创建自签名证书以获取证书。我跟着this article创建了证书。
我已关注AWS Documentation,可以看到示例脚本来创建SSL配置文件(singlessl.config)。
我不确定从哪里或如何获得<certificate file contents>
和<private key contents>
配置文件。你能给些建议么。
修改
这是在添加证书内容
Resources:
sslSecurityGroupIngress:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupName: {"Ref" : "AWSEBSecurityGroup"}
# GroupId: {"Ref" : "AWSEBSecurityGroup"}
IpProtocol: tcp
ToPort: 443
FromPort: 443
CidrIp: 0.0.0.0/0
packages:
yum:
mod_ssl : []
files:
/etc/httpd/conf.d/ssl.conf:
mode: "000755"
owner: root
group: root
content: |
LoadModule ssl_module modules/mod_ssl.so
Listen 443
<VirtualHost *:443>
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
SSLEngine on
SSLCertificateFile "/etc/pki/tls/certs/server.crt"
SSLCertificateKeyFile "/etc/pki/tls/certs/server.key"
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
ProxyPass / http://localhost:8080/ retry=0
ProxyPassReverse / http://localhost:8080/
ProxyPreserveHost on
LogFormat "%h (%{X-Forwarded-For}i) %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
ErrorLog /var/log/httpd/elasticbeanstalk-error_log
TransferLog /var/log/httpd/elasticbeanstalk-access_log
</VirtualHost>
/etc/pki/tls/certs/server.crt:
mode: "000400"
owner: root
group: root
content: |
-----BEGIN CERTIFICATE-----
<certificate file contents>
-----END CERTIFICATE-----
/etc/pki/tls/certs/server.key:
mode: "000400"
owner: root
group: root
content: |
-----BEGIN RSA PRIVATE KEY-----
<private key contents>
-----END RSA PRIVATE KEY-----
services:
sysvinit:
httpd:
enabled: true
ensureRunning: true
files : [/etc/httpd/conf.d/ssl.conf,/etc/pki/tls/certs/server.key,/etc/pki/tls/certs/server.crt]
我添加证书内容后再次验证失败
Resources:
sslSecurityGroupIngress:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupName: {"Ref" : "AWSEBSecurityGroup"}
# GroupId: {"Ref" : "AWSEBSecurityGroup"}
IpProtocol: tcp
ToPort: 443
FromPort: 443
CidrIp: 0.0.0.0/0
packages:
yum:
mod_ssl : []
files:
/etc/httpd/conf.d/ssl.conf:
mode: "000755"
owner: root
group: root
content: |
LoadModule ssl_module modules/mod_ssl.so
Listen 443
<VirtualHost *:443>
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
SSLEngine on
SSLCertificateFile "/etc/pki/tls/certs/server.crt"
SSLCertificateKeyFile "/etc/pki/tls/certs/server.key"
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
ProxyPass / http://localhost:8080/ retry=0
ProxyPassReverse / http://localhost:8080/
ProxyPreserveHost on
LogFormat "%h (%{X-Forwarded-For}i) %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
ErrorLog /var/log/httpd/elasticbeanstalk-error_log
TransferLog /var/log/httpd/elasticbeanstalk-access_log
</VirtualHost>
/etc/pki/tls/certs/server.crt:
mode: "000400"
owner: root
group: root
content: |
-----BEGIN CERTIFICATE-----
MIIFrjCCA5agAwIBAgIQnWFbX+HcXIBD15PWJMbowzANBgkqhkiG9w0BAQ0FADBd
MQ4wDAYDVQQGEwVJbmRpYTEMMAoGA1UECxMDREVWMR4wHAYDVQQKExVWNSBCdXNp
bmVzcyBTb2x1dGlvbnMxHTAbBgNVBAMTFE1BU2dlbmllIERldiBSb290IENBMB4X
DTE0MTIzMTE4MzAwMFoXDTE5MDEzMDE4MzAwMFowGzEZMBcGA1UEAxMQZGV2Lm1h
c2dlbmllLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMEHn/iC
9iGQHAKwxscFdnun2Q1qr0M0jBIt4JcwTsT5NjRfII7RBHvCnTWrQUo4QBoIqVdR
OkG4PkAS0Q3wqcuACyCAknx//k9O0DQHbkk2jI0aNrrD0iDFlHX9P/e+zS6VA5Qg
2Wrzf4nHNDC3ITsGYkNvXXFn6Uhl0o7WHrQ7njHpd26kNFGQPwVbFdjDm2uYDUqz
SnnlxXWVI1bgIoKVrZOqe61XCmgaFP0fIMXw4nZGT1GzfWmrzg9qjglMldxjoHL2
XpOtF6l8jRnVMLQqytlDb3CkQSYdoDqKWhiqNvq1l0ZsLupuPebdjTD11KMybW2k
q/0R5WCrNBBLRwxFq6DZgzyhhHvBhxFA567uafSRDhlpCz8C0Ll3SM1TrU8ySyVN
JgRIH2E3CPJ5wAiIWEuz4LKJ/Pip+j/7iuqsRgX7QBh7kJN3oRghoAKmkoWvBuJ8
n4azmtO+B4WDDwaoV7+JYX79dwpI+dzYAZXG1MhJv0SSIx4F3eCw5tSJqpbtj9om
KluKd8RGHpZW9qUQCcLY3Expx74Ehnm+Lbgov5C1ba7JYab+JRyM1tz5k/Z+sy2m
3PUUZz2WxBeysrnjjfCYrLtXGOwG13jO2rf4e9PakRBQd4Ybx2Z45IximaFT38r5
DQZXlLgq+BkekGuV7FVtzPSZH3FV86UIRBeTAgMBAAGjgaswgagwEwYDVR0lBAww
CgYIKwYBBQUHAwEwgZAGA1UdAQSBiDCBhYAQKxykerZGsDqRGnXn8lBmoqFfMF0x
DjAMBgNVBAYTBUluZGlhMQwwCgYDVQQLEwNERVYxHjAcBgNVBAoTFVY1IEJ1c2lu
ZXNzIFNvbHV0aW9uczEdMBsGA1UEAxMUTUFTZ2VuaWUgRGV2IFJvb3QgQ0GCEE/8
C0XD+iW3TMfyC51vkw0wDQYJKoZIhvcNAQENBQADggIBAHggcAILANfMtdSJd9XW
2BsFXORtKrWzrlsYEOkM8sIjqI0QoDI1KE7NwFbzhue5OdxB8uOq1nD/J8HZUovH
Ij4np58yJjp6K43zaxrFjQNO7UyHJmcJ0rPRet7WuCTwqs4DY4/J4foEe1mNE3kL
7HiAAEKHmZ0/sLwu6TKa3QOajWxIV/MCLAuNEvTc4hPAesmyuUlnRWa8Uk/8cOCB
HFgpe/jWN8wxAcj1YS60RBGTeneiutW+/ZZr9YKlTjZgmnbR3LEDdSTsP6eLGocl
KHT0MdTqIm0uphmr8jUeUw2iNOrbm1FRZoTW9hKboIdM0Uksr778WK5A3MlsakZP
2J2G1cvQAC1fEckTS9p39QhLRTes5gCpLROySfWY9ZeMam2AXQyeVHZ6kbqdAdNG
TpOysl8j13m/O5Lh1QM26fJ9P+IIqKOffXxty4C4bZCVoR270QEP42az9G61mQZ9
d0c2yMsCvIhS1UxguF3cjGz3CK90SMo3l5TFDnNU71a0M5DIuuViIB8f40Jp5HL3
hjq+l2vzIxrmFbKyCvL5+dbEy46q9dIjqOFJECsu9khqHNbA7Wn5GBzBNxGLTkh/
2kaeIvUbRPrDFE67J/gHL4NPXSp+NohnQvjFRvGn/+3GKjhdrLDu+rlXrcEkNUv3
c4XR9gJqVsCoSiWRnoZP05FB
-----END CERTIFICATE-----
/etc/pki/tls/certs/server.key:
mode: "000400"
owner: root
group: root
content: |
-----BEGIN RSA PRIVATE KEY-----
<private key contents>
-----END RSA PRIVATE KEY-----
services:
sysvinit:
httpd:
enabled: true
ensureRunning: true
files : [/etc/httpd/conf.d/ssl.conf,/etc/pki/tls/certs/server.key,/etc/pki/tls/certs/server.crt]
错误:
(<unknown>): could not find expected ':' while scanning a simple key at line 56 column 1
答案 0 :(得分:2)
该行
MIIFrjCCA5agAwIBAgIQnWFbX + HcXIBD15PWJMbowzANBgkqhkiG9w0BAQ0FADBd
应与
处于同一缩进级别----- BEGIN CERTIFICATE -----
这意味着,您的文件应如下所示:
content: |
-----BEGIN CERTIFICATE-----
MIIFrjCCA5agAwIBAgIQnWFbX+HcXIBD15PWJMbowzANBgkqhkiG9w0BAQ0FADBd
因此,在证书和密钥内容之前给出空格,它应该有效。