Uly.me

cloud engineer

ssl

AWS ELB SSL Listener

Here’s how to update SSL certificates to AWS ELB.

Import SSL certificate

aws acm import-certificate \
--certificate fileb://example.crt \
--private-key fileb://example.key \
--certificate-chain fileb://example-bundle.crt \
--tags Key=Name,Value=mydomain.com_20220107 \
--profile default

Add SSL to a listener.

aws elbv2 add-listener-certificates \
--listener-arn arn:aws:elasticloadbalancing:us-east-1:xxxxxxxxxxxxx:listener/app/elbname/xxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxx \
--certificates CertificateArn=arn:aws:acm:us-east-1:xxxxxxxxxxxx:certificate/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx \
--profile default

Modify listener. Set SSL certificate as default.

aws elbv2 modify-listener \
--listener-arn arn:aws:elasticloadbalancing:us-east-1:xxxxxxxxxxxxx:listener/app/elbname/xxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxx \
--certificates CertificateArn=arn:aws:acm:us-east-1:xxxxxxxxxxxx:certificate/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx \
--profile default

Remove SSL from a listener.

aws elbv2 remove-listener-certificates \
--listener-arn arn:aws:elasticloadbalancing:us-east-1:xxxxxxxxxxxxx:listener/app/elbname/xxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxx \
--certificates CertificateArn=arn:aws:acm:us-east-1:xxxxxxxxxxxx:certificate/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx \
--profile default

SSL PEM Expiration

Find out when SSL expires from a PEM file.

$ openssl x509 -enddate -noout -in your.cert
notAfter=Jan  5 07:08:14 2032 GMT

notAfter date is returned.

AWS ACM List Certificates

How to list SSL certificates in AWS Certificate Manager.

aws acm list-certificates

Result

{
    "CertificateSummaryList": [
        {
            "CertificateArn": "arn:aws:acm:us-east-1:xxxxxxxxxxxx:certificate/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
            "DomainName": "mydomain.com"
        }
    ]
}

Describe details about the certificate.

aws acm describe-certificate \
--certificate-arn arn:aws:acm:us-east-1:xxxxxxxxxxxx:certificate/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \
--region us-east-1 \
--profile my-profile

Wiki SSL Certificate Location

Here’s where the Wiki keeps its SSL certificate keys.

/etc/pki/tls/certs/yourdomain.crt
/etc/pki/tls/private/yourdomain.key

In some cases, SSL needs to be converted so it doesn’t prompt you for a password if you restart Apache.

Conversion

openssl rsa -in /etc/pki/tls/private/yourdomain.key.new -out /etc/pki/tls/private/yourdomain.key.new_no_pass

Check Certificate Expiration

Here’s the openssl command to find out if a cert is expired.

$ openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2> /dev/null | openssl x509 -noout -dates

Result

notBefore=Apr  9 00:00:00 2020 GMT
notAfter=Apr  9 23:59:59 2022 GMT

GCP Create SSL Certificate

gcloud compute ssl-certificates create certificate-name \
--description="ssl cert for domain-name.com" \
--domains=domain-name.com \
--certificate=certificate-file \
--private-key=private-key \
--region=us-central1-c \
--global

Ubuntu 20.04 LTS Lamp Server

Here’s how to install a LAMP server on the latest Ubuntu 20.04 LTS.

Install Apache.

apt install apache2
systemctl status apache2
systemctl is-enabled apache2

Install MariaDB.

apt install mariadb-server mariadb-client
systemctl status mariadb
systemctl is-enabled mariadb
mysql_secure_installation

Install PHP.

apt install php libapache2-mod-php php-mysql
systemctl restart apache2

Enable ssl and mod_rewrite.

a2enmod ssl
a2enmod rewrite
systemctl restart apache2

GCP SSL Certificates

Here’s how to create a regional SSL Certificate.

gcloud compute ssl-certificates create my-ssl-cert \
--description "describe ssl certificate" \
--domains=domain1.com,domain2.com \
--certificate=cert.pem \
--private-key=private.key \
--region=us-central1

List the SSL certificates.

gcloud compute ssl-certificates list --project=project-id

Describe the SSL certificate.

gcloud compute ssl-certificates describe my-ssl-cert \
--region=us-central1 \
--project=project-id

Delete SSL certificate.

gcloud compute ssl-certificates delete my-ssl-cert \
--region=us-central1 \
--project=project-id