Using AWS managed certificate. (acm)

[engrun]

We want to use an AWS managed SSL certificate (e.g. generated by ACM), and as far as I can tell, there is no way for us to get our hands on this certificate's private key. Do you know if it's possible to run concourse-up with a ACM requested certificate (not imported)? If so, how?

[peterellisjones]

Hi Engrun,

This is not currently implemented and is something we'd like to implement at some point. However you can currently do this manually by following these steps:

• deploy concourse-up using the custom-domain flag
• create your certificate in AWS for that domain
• create an ELB in AWS and attach the certificate
• point the ELB at the Concourse web node
• update the DNS settings in route 53 to point at the ELB rather than directly at the web node

cheers,

Pete

[engrun]

Thanks for the tip. We had been discussing the same approach. However, running concourse-up help deploy no such flag, custom-domain, is listed?

And now concourse-up has generated a self-signed certificate.
We probably need to disable this. I guess the loadbalancer will not accept the self-signed certificate?

[engrun]

I have already run with the domain flag. I guess that's what you meant.

[peterellisjones]

oops yeah domain not custom-domain

The load balancer can be used with a certificate you will need to manually generate in AWS Certificate Manager

[engrun]

Yes, I understand I have to generate the certificate and use that with the ELB.

However, when running concourse-up, a self-signed certificate is generated. (not by AWS). When pointing the ELB to the webnode, the webnode has a certificate that is not "trusted". My question is whether the ELB will accept this self-signed certificate. I guess I will find out :)

My initial thought was to perhaps terminate SSL at the ELB

[peterellisjones]

Yes you will need to terminate SSL on the ELB and forward unencrypted traffic to the Concourse web node on port 80 On 9 November 2017 at 18:15:40, Rune Engseth (notifications@github.com) wrote: Yes, I understand I have to generate the certificate and use that with the ELB. However, when running concourse-up, a self-signed certificate is generated. (not by AWS). When pointing the ELB to the webnode, the webnode has a certificate that is not "trusted". My question is whether the ELB will accept this self-signed certificate. I guess I will find out :) My initial thought was to perhaps terminate SSL at the ELB — You are receiving this because you commented. Reply to this email directly, view it on GitHub, or mute the thread.

[engrun]

hi
We have tried to configure this now.
You say we should forward the ELB for concourse-web on port 80.
This does not work as concourse will redirect to https.
Proved by (request webnode on port 80 directly)
curl -H 'Host: ci.example.com' -H 'X-Forwarded-Proto: https' 54.x.x.x.

This yields

HTTP/1.1 301 Moved Permanently
Location: https://ci.example.com/

[engrun]

To sum up.
I think the problem is that concourse-up enforces a self-signed certificate, and cannot, as of now, be configured to use port 80.

[peterellisjones]

That's odd — so to clarify, you are accessing the ELB using HTTPS (eg https://ci.example.com/), and you are getting a redirect?

[peterellisjones]

It looks like Concourse always redirects to https when a cert is provided

https://github.com/concourse/atc/blob/01e6614e28056eb101fe7340ac27bd97e65badf7/atccmd/command.go#L414-L421

https://github.com/concourse/atc/blob/01e6614e28056eb101fe7340ac27bd97e65badf7/atccmd/command.go#L1124-L1126

So you may have to re-deploy the concourse using BOSH manually with the TLS bind port set to null, or by removing the tls cert and key from the BOSH manifest

http://bosh.io/jobs/atc?source=github.com/concourse/concourse&version=3.6.0#p=tls_bind_port

https://github.com/concourse/concourse/blob/master/jobs/atc/templates/atc_ctl.erb#L101-L104

[engrun]

That's odd — so to clarify, you are accessing the ELB using HTTPS (eg https://ci.example.com/), and you are getting a redirect?

-> https: yes, getting a redirect: yes

So you may have to re-deploy the concourse using BOSH manually

This is a path we are not going to take.
(One of the "weaknesses" of Concourse is failing to provide a detailed install instructions for the most common cloud providers).
And btw, that's why we see concourse-up as a very nice tool!

However
I assumed that, when forwarding the ELB to a HTTPS endpoint (webnode in our case) with a self-signed cert, the ELB would not allow this.
But, we tried, and it works.
That is, without terminating SSL at the ELB
So
Browser -> HTTPS -> ELB -> HTTPS -> webnode

[JasonMorgan]

@engrun can you display your ELB configuration? Specifically I'm curious if you had to tell it to trust the self signed cert or if just ignored SSL errors by default.

[JasonMorgan]

Just as an addition to my last note, there is no requirement to give the ELB the self signed cert. This configuration works like a charm.

[JasonMorgan]

That being said once I had the ELB running I wasn't able to intercept containers. Is anyone else running into this?

[walked]

@JasonMorgan I'm about to go down this path myself; did you ever get intercept working? I saw this:

If you're using an AWS ELB, you have to make sure that the protocol forwarding to concourse:web on port 8080 is ssl and not https.

concourse/concourse#1342

Curious if you got there with an ELB; just getting my pre-planning ducks in a row before I start doing all my deployment work.