Using AWS managed certificate. (acm) #24
Hi Engrun, this is not currently implemented and is something we'd like to implement at some point. However, you can currently do this manually by following these steps:
cheers, Pete
Thanks for the tip. We had been discussing the same approach. However, running And now concourse-up has generated a self-signed certificate.
I have already run with the
oops, yeah. The load balancer can be used with a certificate you will need to manually generate in AWS Certificate Manager.
Yes, I understand I have to generate the certificate and use that with the ELB. However, when running concourse-up, a self-signed certificate is generated (not by AWS). When pointing the ELB to the web node, the web node has a certificate that is not "trusted". My question is whether the ELB will accept this self-signed certificate. I guess I will find out :) My initial thought was to perhaps terminate SSL at the ELB.
Yes you will need to terminate SSL on the ELB and forward unencrypted traffic to the Concourse web node on port 80
On 9 November 2017 at 18:15:40, Rune Engseth (notifications@github.com) wrote:
Yes, I understand I have to generate the certificate and use that with the ELB.
However, when running concourse-up, a self-signed certificate is generated. (not by AWS). When pointing the ELB to the webnode, the webnode has a certificate that is not "trusted". My question is whether the ELB will accept this self-signed certificate. I guess I will find out :)
My initial thought was to perhaps terminate SSL at the ELB
hi. This yields
To sum up.
That's odd — so to clarify, you are accessing the ELB using HTTPS (e.g.
It looks like Concourse always redirects to HTTPS when a cert is provided. So you may have to re-deploy Concourse using BOSH manually with the TLS bind port set to null, or by removing the TLS cert and key from the BOSH manifest:
http://bosh.io/jobs/atc?source=github.com/concourse/concourse&version=3.6.0#p=tls_bind_port
https://github.com/concourse/concourse/blob/master/jobs/atc/templates/atc_ctl.erb#L101-L104
-> https: yes, getting a redirect: yes
This is a path we are not going to take. However
@engrun can you display your ELB configuration? Specifically, I'm curious whether you had to tell it to trust the self-signed cert or if it just ignored SSL errors by default.
Just as an addition to my last note, there is no requirement to give the ELB the self-signed cert. This configuration works like a charm.
That being said, once I had the ELB running I wasn't able to intercept containers. Is anyone else running into this?
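The two pieces of advice in this thread (terminate TLS on the ELB with the ACM certificate and forward plain HTTP to the web node on port 80; remove tls_bind_port / tls_cert / tls_key from the atc job so Concourse stops redirecting to HTTPS) interact: if the ELB forwards plain HTTP but the atc job still has TLS configured, every request is answered with a redirect back to the HTTPS listener. The check below is an added example, not concourse-up's or Concourse's own code. It takes an ELB listener list in the shape of the classic ELB `ListenerDescriptions` output and an `atc` job property dict as it would appear in a BOSH manifest, and reports the mismatches a practitioner would want to catch before deploying. All listener and manifest values are constructed for the example; the certificate ARN is a placeholder.

```python
"""Consistency check for "TLS on the ELB, plain HTTP to the Concourse web node".

Added example (not concourse-up or Concourse project code). The listener dicts
mimic the classic ELB `ListenerDescriptions` API shape (Protocol, LoadBalancerPort,
InstanceProtocol, InstancePort, SSLCertificateId); the atc dict mimics the `atc`
job properties used in this thread (bind_port, tls_bind_port, tls_cert, tls_key).
Every sample value below is constructed for the example.
"""

ACM_ARN_PREFIX = "arn:aws:acm:"          # ACM-issued certs live under this ARN prefix
ATC_TLS_PROPERTIES = ("tls_bind_port", "tls_cert", "tls_key")


def check_tls_termination(listeners, atc_props):
    """Return a list of findings; an empty list means the setup matches the thread's advice.

    listeners: list of listener dicts as above.
    atc_props: dict of atc job properties; `bind_port` is required, TLS keys optional.
    """
    findings = []
    https_listeners = [l for l in listeners if l["Protocol"] == "HTTPS"]
    if not https_listeners:
        findings.append("ELB has no HTTPS listener; clients would never see the ACM certificate")

    for l in https_listeners:
        port = l["LoadBalancerPort"]
        cert = l.get("SSLCertificateId", "")
        # The thread's goal is an AWS-managed (ACM) certificate, not an IAM server
        # certificate uploaded by hand, so require an ACM ARN on the public listener.
        if not cert.startswith(ACM_ARN_PREFIX):
            findings.append(f"listener :{port} certificate is not an ACM certificate ARN: {cert!r}")
        # Forwarding HTTPS to the instance would make the ELB validate the web node's
        # self-signed certificate; forwarding HTTP avoids that entirely.
        if l["InstanceProtocol"] != "HTTP":
            findings.append(
                f"listener :{port} forwards {l['InstanceProtocol']} to the instance; "
                "expected plain HTTP so the ELB never has to trust the self-signed cert")
        elif l["InstancePort"] != atc_props["bind_port"]:
            findings.append(
                f"listener :{port} forwards to instance port {l['InstancePort']} "
                f"but the atc job listens on {atc_props['bind_port']}")

    # Per the thread, Concourse redirects HTTP to HTTPS whenever the atc job has TLS
    # configured; behind an ELB that forwards plain HTTP this becomes a redirect loop.
    tls_set = [k for k in ATC_TLS_PROPERTIES if atc_props.get(k)]
    if tls_set and any(l["InstanceProtocol"] == "HTTP" for l in https_listeners):
        findings.append(
            "atc job still has TLS configured (" + ", ".join(tls_set)
            + "); set tls_bind_port to null and drop tls_cert/tls_key to avoid a redirect loop")
    return findings


# Constructed sample data (placeholder account id and certificate id).
ELB_LISTENERS = [
    {
        "Protocol": "HTTPS",
        "LoadBalancerPort": 443,
        "InstanceProtocol": "HTTP",
        "InstancePort": 80,
        "SSLCertificateId": "arn:aws:acm:eu-west-1:123456789012:certificate/00000000-0000-0000-0000-000000000000",
    },
]

# Manifest as concourse-up left it: self-signed cert still wired into the atc job.
ATC_BEFORE = {
    "bind_port": 80,
    "tls_bind_port": 443,
    "tls_cert": "-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----",
    "tls_key": "-----BEGIN RSA PRIVATE KEY-----\n(constructed)\n-----END RSA PRIVATE KEY-----",
}

# Manifest after following the thread's advice: TLS removed from the atc job.
ATC_AFTER = {"bind_port": 80, "tls_bind_port": None, "tls_cert": None, "tls_key": None}


if __name__ == "__main__":
    for label, props in (("before", ATC_BEFORE), ("after", ATC_AFTER)):
        print(label, check_tls_termination(ELB_LISTENERS, props) or ["ok"])
```

Run with the "before" manifest the only finding is the redirect-loop one; with the "after" manifest it is clean. Swapping the listener's InstanceProtocol to HTTPS, or its certificate to an IAM server-certificate ARN, produces the corresponding finding, which is the quickest way to see why the ELB in this thread needed neither the self-signed certificate nor a backend HTTPS listener.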
@JasonMorgan I'm about to go down this path myself; did you ever get intercept working? I saw this:
Curious if you got there with an ELB; just getting my pre-planning ducks in a row before I start doing all my deployment work.
We want to use an AWS managed SSL certificate (e.g. generated by ACM), and as far as I can tell, there is no way for us to get our hands on this certificate's private key. Do you know if it's possible to run concourse-up with an ACM requested certificate (not imported)? If so, how?