Ssl – How to create an SSL certificate for an AWS application load balancer without a domain

amazon-cloudformationamazon-web-serviceshttpsload balancingssl

I am trying to create a Cloudformation stack that can be provisioned by anybody (basically I want to share it either in the marketplace, or make it public in GitHub), which includes a set of EC2 instances behind an ALB (no autoscaling, but rather a fixed number of instances).
I want to create a single listener for the ALB listening on a non default port (let's say 9999) that uses HTTPS. In order to do this, ALB forces me to use an SSL certificate. I only care about the encryption, and not about the CA validation (because this is meant for internal traffic.)
What I would like to do, is to have encryption enabled between a client and a load balancer like: https://my-loadbalancer-1234567890.us-west-2.elb.amazonaws.com:9999. This is a rest api, so I don't care about the browser pop up complaining about "Your connection is not private"

I can't rely on having a domain, since I want to share this template, I don't expect everybody to own a domain. I can think of 3 solutions, but I don't like any of these (and I don't even know if they will work):

Generate a self signed cert on the userdata script. Push this cert to ACM. Then use this cert from the ALB.
Downside: This will probably require to remove manually the cert, if the stack is destroyed, as the certificate was not created from cloudformation, but from ec2 bootstrap.
Generate a self signed cert on the userdata script, but instead of pushing to ACM, install it on an ec2 alb (using something like haproxy/nginx).
Downside: We don't get the benefits of aws alb.
Have the end user to create a subdomain (myrestapi.example-domain.com) beforehand, and generate a cert with that domain from the cloudformation stack.
Downside: requires extra step from the user, plus touching their existing infrastructure.

Best Answer

Option 3 is the only valid one. Have the user to create a Route53 domain and ACM cert beforehand and provide the domain name and certificate ARN as parameters for the CloudFormation template.

Provide a README.md your GitHub repo with instructions on how to do that. ACM certs are free, no reason why not to use them.

Hope that helps :)

Create lambda function

Go to lambda home page, and select your favourite region
Select "Blank Function" as template
Click "Next" (don't configure any triggers)
Fill in:
- Name: CloudFormationIdentity
- Description: Returns what it gets, variable support in Cloud Formation
- Runtime: python2.7
- Code Entry Type: Edit Code Inline
- Code: see below
- Handler: index.handler
- Role: Create a Custom Role. At this point a popup opens that allows you to create a new role. Accept everything on this page and click "Allow". It will create a role with permissions to post to cloudwatch logs.
- Memory: 128 (this is the minimum)
- Timeout: 3 seconds (should be plenty)
- VPC: No VPC

Then copy-paste the code below in the code field. The top of the function is the code from the cfn-response python module, that does only get auto-installed if the lambda-function is created through CloudFormation, for some strange reason. The handler function is pretty self-explanatory.

from __future__ import print_function
import json

try:
    from urllib2 import HTTPError, build_opener, HTTPHandler, Request
except ImportError:
    from urllib.error import HTTPError
    from urllib.request import build_opener, HTTPHandler, Request


SUCCESS = "SUCCESS"
FAILED = "FAILED"


def send(event, context, response_status, reason=None, response_data=None, physical_resource_id=None):
    response_data = response_data or {}
    response_body = json.dumps(
        {
            'Status': response_status,
            'Reason': reason or "See the details in CloudWatch Log Stream: " + context.log_stream_name,
            'PhysicalResourceId': physical_resource_id or context.log_stream_name,
            'StackId': event['StackId'],
            'RequestId': event['RequestId'],
            'LogicalResourceId': event['LogicalResourceId'],
            'Data': response_data
        }
    )
    if event["ResponseURL"] == "http://pre-signed-S3-url-for-response":
        print("Would send back the following values to Cloud Formation:")
        print(response_data)
        return

    opener = build_opener(HTTPHandler)
    request = Request(event['ResponseURL'], data=response_body)
    request.add_header('Content-Type', '')
    request.add_header('Content-Length', len(response_body))
    request.get_method = lambda: 'PUT'
    try:
        response = opener.open(request)
        print("Status code: {}".format(response.getcode()))
        print("Status message: {}".format(response.msg))
        return True
    except HTTPError as exc:
        print("Failed executing HTTP request: {}".format(exc.code))
        return False

def handler(event, context):
    responseData = event['ResourceProperties']
    send(event, context, SUCCESS, None, responseData, "CustomResourcePhysicalID")

Click "Next"
Click "Create Function"

You can now test the lambda function by selecting the "Test" button, and select "CloudFormation Create Request" as sample template. You should see in your log that the variables fed to it, are returned.

Use variable in your CloudFormation template

Now that we have this lambda function, we can use it in CloudFormation templates. First make note of the lambda function Arn (go to the lambda home page, click the just created function, the Arn should be in the top right, something like arn:aws:lambda:region:12345:function:CloudFormationIdentity).

Now in your template, in the resource section, specify your variables like:

Identity:
  Type: "Custom::Variable"
  Properties:
    ServiceToken: "arn:aws:lambda:region:12345:function:CloudFormationIdentity"
    Arn: "arn:aws:lambda:region:12345:function:CloudFormationIdentity"

ClientBucketVar:
  Type: "Custom::Variable"
  Properties:
    ServiceToken: !GetAtt [Identity, Arn]
    Name: !Join ["-", [my-client-bucket, !Ref ClientName]]
    Arn: !Join [":", [arn, aws, s3, "", "", !Join ["-", [my-client-bucket, !Ref ClientName]]]]

ClientBackupBucketVar:
  Type: "Custom::Variable"
  Properties:
    ServiceToken: !GetAtt [Identity, Arn]
    Name: !Join ["-", [my-client-bucket, !Ref ClientName, backup]]
    Arn: !Join [":", [arn, aws, s3, "", "", !Join ["-", [my-client-bucket, !Ref ClientName, backup]]]]

First I specify an Identity variable that contains the Arn for the lambda function. Putting this in a variable here, means I only have to specify it once. I make all my variables of type Custom::Variable. CloudFormation allows you to use any type-name starting with Custom:: for custom resources.

Note that the Identity variable contains the Arn for the lambda function twice. Once to specify the lambda function to use. The second time as the value of the variable.

Now that I have the Identity variable, I can define new variables using ServiceToken: !GetAtt [Identity, Arn] (I think JSON code should be something like "ServiceToken": {"Fn::GetAtt": ["Identity", "Arn"]}). I create 2 new variables, each with 2 fields: Name and Arn. In the rest of my template I can use !GetAtt [ClientBucketVar, Name] or !GetAtt [ClientBucketVar, Arn] whenever I need it.

Word of caution

When working with custom resources, if the lambda function crashes, you're stuck for between 1 and 2 hours, because CloudFormation waits for a reply from the (crashed) function for an hour before giving up. Therefore it might be good to specify a short timeout for the stack while developing your lambda function.

Best Answer

Related Solutions

Generate RSA Key Without Passphrase – Apache 2.2 HTTPS OpenSSL

AWS CloudFormation – Custom variables in templates

Create lambda function

Use variable in your CloudFormation template

Word of caution

Related Topic