How to use ACM certificate in a websocket application deployed to EB?

Time:09-13

I have a .net application using websocket, deployed to AWS EB with a load balancer. I have a domain name and ACM certificate set up, and I would like to enable TLS. In my local server, it is set up like this:

using System.Security.Cryptography.X509Certificates;
using WebSocketSharp.Server;

// Local setup: certificate and key are read from PEM files on disk.
// CreateFromPemFile throws on failure rather than returning null.
var certificate = X509Certificate2.CreateFromPemFile("Path/To/Pem", "Path/To/Key"); //replace the local file with an ACM certificate
if (certificate != null)
{
    // websocket-sharp: a wss:// URL makes the server TLS-enabled
    var socket = new WebSocketServer("wss://example.com:3000");
    socket.SslConfiguration.ServerCertificate = certificate;

    //other configs
}

How do I do the same setup with ACM? If I use a third-party certificate and upload it to the EC2 instances, those instances will be replaced by EB because of auto scaling. Is it possible to get a path to the ACM certificates?

EDIT: I need my app to get the certificate from Amazon Certificate Manager, and construct an X509Certificate for my custom websocket listener.

CodePudding user response:

Forget what you're used to, it doesn't work that way in AWS, i.e. putting the certificate on the EC2.

AWS Certificate Manager is used for handling certificates, i.e. either generating them for you, or you can upload your own.

You apply a certificate from AWS Certificate Manager to your Application Load Balancer which offloads the SSL then sends the traffic to the upstream server, i.e. EC2.

I'm assuming the acronym EB means Elastic Beanstalk? If so, AWS Elastic Beanstalk is an abstraction on top of EC2 instances (and more AWS services). In these setups, you shouldn't be playing around with the EC2 instances that sit behind it, as Elastic Beanstalk is designed to be a simpler way of managing infrastructure. If you're just going to bypass it as and when you feel like it, don't use Elastic Beanstalk; just use an EC2 instance.

As you say, Elastic Beanstalk will replace these instances if you have auto-scaling turned on so you don't want to do anything to these EC2 instances as they can be binned off and new ones started over time.

Hope that helps

CodePudding user response:

So I found the API in this answer: Is it possible in a .NET Core application to retrieve a certificate from AWS Certificate Manager and use it in a HttpClient post?

To construct the certificate, I use

using Amazon.CertificateManager;
using Amazon.CertificateManager.Model;

// Region and credentials are resolved from the environment (on EB, the instance role).
var acm = new AmazonCertificateManagerClient();
GetCertificateResponse cert = await acm.GetCertificateAsync(new GetCertificateRequest { CertificateArn = "ARN..." });
// cert.Certificate and cert.CertificateChain hold the PEM text of the public certificate and its chain.

One additional step in my case is that I need to add a policy to the Elastic Beanstalk role to allow the use of GetCertificate().
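
The following is an added example, not code from the original post or from any AWS sample, showing the complete startup path the accepted approach implies: export the certificate and private key from ACM at boot, build an X509Certificate2 in memory, and hand it to the websocket-sharp server, so nothing is written to the EC2 disk that Elastic Beanstalk may replace. It assumes .NET 6+, the AWSSDK.CertificateManager and WebSocketSharp NuGet packages, hypothetical environment variables CERT_ARN and WSS_PORT, and an exportable certificate: GetCertificate returns only the public certificate and chain, so the private key has to come from ExportCertificate, and the EB instance role needs acm:ExportCertificate on the ARN rather than just acm:GetCertificate.

```csharp
// Added example, not code from the original post: load an ACM certificate and
// its private key at startup and serve wss:// with websocket-sharp.
//
// Assumptions (none of these come from the original post):
//   * .NET 6+, NuGet packages AWSSDK.CertificateManager and WebSocketSharp.
//   * The certificate is exportable. acm:GetCertificate only returns the public
//     certificate and chain; the private key comes from acm:ExportCertificate,
//     so the EB instance role needs acm:ExportCertificate on the ARN.
//   * Hypothetical environment variables CERT_ARN and WSS_PORT are set.
using System;
using System.IO;
using System.Security.Authentication;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using Amazon.CertificateManager;
using Amazon.CertificateManager.Model;
using WebSocketSharp;
using WebSocketSharp.Server;

public static class AcmCertificateLoader
{
    // Export the certificate from ACM and build an X509Certificate2 with a
    // usable private key, entirely in memory.
    public static async Task<X509Certificate2> LoadAsync(string certificateArn)
    {
        // ACM encrypts the exported key with a caller-supplied passphrase; a
        // random one-off passphrase is enough because we decrypt immediately.
        var passphrase = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));

        // Region and credentials come from the EB instance profile.
        using var acm = new AmazonCertificateManagerClient();
        var export = await acm.ExportCertificateAsync(new ExportCertificateRequest
        {
            CertificateArn = certificateArn,
            Passphrase = new MemoryStream(Encoding.UTF8.GetBytes(passphrase)),
        });

        // Leaf certificate PEM + passphrase-encrypted PKCS#8 key PEM -> X509Certificate2.
        var cert = X509Certificate2.CreateFromEncryptedPem(
            export.Certificate, export.PrivateKey, passphrase);

        // On Windows, SslStream cannot use the ephemeral key attached by the PEM
        // loader; round-tripping through PKCS#12 gives it a persisted key.
        if (OperatingSystem.IsWindows())
        {
            cert = new X509Certificate2(cert.Export(X509ContentType.Pkcs12),
                                        (string?)null, X509KeyStorageFlags.MachineKeySet);
        }

        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("ACM export did not yield a usable private key");
        return cert;
    }
}

// Minimal behaviour so the server has something to serve.
public class Echo : WebSocketBehavior
{
    protected override void OnMessage(MessageEventArgs e) => Send(e.Data);
}

public static class Program
{
    public static async Task Main()
    {
        var arn  = Environment.GetEnvironmentVariable("CERT_ARN")
                   ?? throw new InvalidOperationException("CERT_ARN is not set");
        var port = int.Parse(Environment.GetEnvironmentVariable("WSS_PORT") ?? "3000");

        var certificate = await AcmCertificateLoader.LoadAsync(arn);
        Console.WriteLine($"Loaded {certificate.Subject}, valid until {certificate.NotAfter:u}");

        // Same shape as the original local setup, with the certificate from ACM.
        var server = new WebSocketServer(port, secure: true);
        server.SslConfiguration.ServerCertificate = certificate;
        server.SslConfiguration.EnabledSslProtocols = SslProtocols.Tls12 | SslProtocols.Tls13;
        server.AddWebSocketService<Echo>("/echo");
        server.Start();
        Console.WriteLine($"Listening on wss://0.0.0.0:{port}/echo");

        // Block until the process is stopped.
        await Task.Delay(Timeout.Infinite);
    }
}
```

Two operational points follow from this design. ACM renews its certificates automatically but the process only reads the key once, so either restart instances or reload on a timer before NotAfter, and have the load balancer in front of the environment pass the TCP stream through untouched (or terminate TLS there with the same ACM certificate, as the first answer describes, and listen on plain ws:// in the app); running the listener on a non-default port such as 3000 also means the EB security group must allow it.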
