Tried out whether AWS ELB can handle wildcards!!
Let's do a wildcard on a Japanese domain with ELB
ELB is short for Elastic Load Balancing, a nice service that load-balances HTTP and the like; when you want HTTPS, you upload a private key and a certificate to AWS and ELB terminates TLS with them. Whether ELB can handle wildcards and Japanese (internationalized) domain names in that certificate is something I wanted to know, so I tried it.
For how to build and use an ELB, see ELB & Auto Scaling & CloudWatch 詳細 -ほぼ週刊AWSマイスターシリーズ第5回-; that should cover it.
Let's make a self-signed certificate
Now, I want to make certificates, and since there should be at least two levels (a CA and an end-entity certificate signed by it), I first make a self-signed CA certificate. This time I'll use GnuTLS. On Debian/Ubuntu,
$ sudo aptitude install gnutls-bin
installs a command called /usr/bin/certtool.
To make a certificate, first make a private key.
$ /usr/bin/certtool -p > ca.key
Use it to make the certificate. Picking the extensions appropriately is surely the better way (for a CA: the CA flag, a path length, and the certificate-signing / CRL-signing key usages).
$ certtool -s --load-privkey ca.key
Generating a self signed certificate...
Please enter the details of the certificate's distinguished name. Just press enter to ignore a field.
Country name (2 chars): JP
Organization name: してみむとて
Organizational unit name: 
Locality name: 熱海
State or province name: 静岡
Common name: してみむとて CA
UID: 
This field should not be used in new certificates.
E-mail: 
Enter the certificate's serial number in decimal (default: 1321717005): 
Activation/Expiration time.
The certificate will expire in (days): 365
Extensions.
Does the certificate belong to an authority? (y/N): y
Path length constraint (decimal, -1 for no constraint): 3
Is this a TLS web client certificate? (y/N): 
Is this also a TLS web server certificate? (y/N): 
Enter the e-mail of the subject of the certificate: 
Will the certificate be used to sign other certificates? (y/N): y
Will the certificate be used to sign CRLs? (y/N): y
Will the certificate be used to sign code? (y/N): y
Will the certificate be used to sign OCSP requests? (y/N): y
Will the certificate be used for time stamping? (y/N): y
Enter the URI of the CRL distribution point: 
X.509 Certificate Information:
    Version: 3
    Serial Number (hex): 4ec7cd0d
    Validity:
        Not Before: Sat Nov 19 15:37:04 UTC 2011
        Not After: Sun Nov 18 15:37:24 UTC 2012
    Subject: C=JP,O=してみむとて,L=熱海,ST=静岡,CN=してみむとて CA
    Subject Public Key Algorithm: RSA
        Modulus (bits 2048):
            a3:b4:d4:1d:3c:17:25:46:1a:88:36:a8:4d:8f:a4:b8
            1f:a8:47:c7:f7:21:aa:97:4e:84:c6:ea:fe:62:65:f9
            37:b6:60:a0:20:50:35:21:6c:ba:2b:14:52:9f:d8:b1
            1a:33:38:67:88:9c:f8:6d:65:9a:d5:c5:40:3c:9c:c6
            9d:74:96:fc:d4:46:6f:c6:02:a9:f3:dc:42:83:ca:57
            6e:ac:81:5b:d6:ec:e0:dd:68:35:67:01:e5:83:5e:35
            63:8c:93:3e:d0:79:ad:77:26:4f:71:df:0b:c9:70:82
            90:84:28:16:00:7c:d8:25:68:5f:f3:23:79:a6:6b:04
            ab:e9:01:f7:fe:ee:ea:15:93:61:51:5f:3b:90:a4:b9
            28:48:8d:5a:d3:12:bc:7c:13:c1:5a:5f:52:e7:c1:b8
            35:84:d9:aa:1c:86:39:10:d4:45:95:6f:31:1f:46:ff
            92:8a:47:23:82:67:03:b9:33:59:f9:60:42:73:70:03
            4c:b8:81:30:b3:a6:fc:ad:cc:84:3c:0f:dc:1d:1b:95
            22:2f:cd:44:45:d0:cf:a5:74:32:b4:2b:28:72:46:d2
            c5:f0:36:a8:06:d3:25:d1:76:ba:93:0c:a7:8a:fb:6e
            e8:49:89:15:e1:60:d5:8c:88:cb:bb:8f:64:1e:bb:bb
        Exponent (bits 24):
            01:00:01
    Extensions:
        Basic Constraints (critical):
            Certificate Authority (CA): TRUE
            Path Length Constraint: 3
        Key Purpose (not critical):
            Code signing.
            OCSP signing.
            Time stamping.
        Key Usage (critical):
            Certificate signing.
            CRL signing.
        Subject Key Identifier (not critical):
            3555beafdc4b66e0c3a65b7637104e01cd0b0602
Other Information:
    Public Key Id:
        3555beafdc4b66e0c3a65b7637104e01cd0b0602

Is the above information ok? (Y/N): y

Signing certificate...
-----BEGIN CERTIFICATE-----
MIIDvzCCAqmgAwIBAgIETsfNDTALBgkqhkiG9w0BAQUwbDELMAkGA1UEBhMCSlAx
GzAZBgNVBAoMEuOBl+OBpuOBv+OCgOOBqOOBpjEPMA0GA1UEBwwG54ax5rW3MQ8w
DQYDVQQIDAbpnZnlsqExHjAcBgNVBAMMFeOBl+OBpuOBv+OCgOOBqOOBpiBDQTAe
Fw0xMTExMTkxNTM3MDRaFw0xMjExMTgxNTM3MjRaMGwxCzAJBgNVBAYTAkpQMRsw
GQYDVQQKDBLjgZfjgabjgb/jgoDjgajjgaYxDzANBgNVBAcMBueGsea1tzEPMA0G
A1UECAwG6Z2Z5bKhMR4wHAYDVQQDDBXjgZfjgabjgb/jgoDjgajjgaYgQ0EwggEg
MAsGCSqGSIb3DQEBAQOCAQ8AMIIBCgKCAQEAo7TUHTwXJUYaiDaoTY+kuB+oR8f3
IaqXToTG6v5iZfk3tmCgIFA1IWy6KxRSn9ixGjM4Z4ic+G1lmtXFQDycxp10lvzU
Rm/GAqnz3EKDyldurIFb1uzg3Wg1ZwHlg141Y4yTPtB5rXcmT3HfC8lwgpCEKBYA
fNglaF/zI3mmawSr6QH3/u7qFZNhUV87kKS5KEiNWtMSvHwTwVpfUufBuDWE2aoc
hjkQ1EWVbzEfRv+SikcjgmcDuTNZ+WBCc3ADTLiBMLOm/K3MhDwP3B0blSIvzURF
0M+ldDK0KyhyRtLF8DaoBtMl0Xa6kwynivtu6EmJFeFg1YyIy7uPZB67uwIDAQAB
o28wbTASBgNVHRMBAf8ECDAGAQH/AgEDMCcGA1UdJQQgMB4GCCsGAQUFBwMDBggr
BgEFBQcDCQYIKwYBBQUHAwgwDwYDVR0PAQH/BAUDAwcGADAdBgNVHQ4EFgQUNVW+
r9xLZuDDplt2NxBOAc0LBgIwCwYJKoZIhvcNAQEFA4IBAQASwu2lHk2TgiorXKbi
NHnAvnU/6cMOy8mGe8+aOcnfVqBkk3pPKiQ23cttsUHE0tnNiFG1BJie0sj6aPAS
is6Ii63+4qM07Jc+Mx5aQhcmvesbuzukFE92V3PZ0hFF+kZ5+19lgosXGu0/SJQV
WiYT5/cmF5ZGrBdzbpCwB1w+CPb/MHY5lKkuQBOoDazH2r6/NHnV3oatgUKbOJAt
ggNgGXhBzJ/Hoi4rTNo3C8GgIWrUAcHRkU1zSz8XZAR35Un1VoYd850wFXJyDjHh
Jr2WPApeEtNaYFM529uk3enmhTq7bha+ejCITJUSD5oXWC8L8ngdDxObcRl2MS88
S+f3
-----END CERTIFICATE-----
Put this into ca.crt or thereabouts.
Let's make the server certificate
Well, it's mostly the same, but the certtool options differ a little: the CA's key and certificate are passed with --load-ca-privkey and --load-ca-certificate (the session below calls them abc.key and abc.crt; they are the ca.key and ca.crt made above). Also, I may have been a bit clever about how I answered the dnsName prompts that come up along the way: the Japanese name *.礼.jp goes in once as typed and once in its Punycode form, *.xn--diz.jp. The certificate it prints at the end goes into end.crt.
$ certtool -p > end.key
$ certtool -c --load-ca-privkey abc.key --load-ca-certificate abc.crt --load-privkey end.key
Generating a signed certificate...
Please enter the details of the certificate's distinguished name. Just press enter to ignore a field.
Country name (2 chars): JP
Organization name: してみむとて
Organizational unit name: 
Locality name: 熱海
State or province name: 静岡
Common name: *.礼.jp
UID: 
This field should not be used in new certificates.
E-mail: 
Enter the certificate's serial number in decimal (default: 1321717353): 
Activation/Expiration time.
The certificate will expire in (days): 365
Extensions.
Does the certificate belong to an authority? (y/N): 
Is this a TLS web client certificate? (y/N): 
Is this also a TLS web server certificate? (y/N): y
Enter a dnsName of the subject of the certificate: *.礼.jp
Enter a dnsName of the subject of the certificate: *.xn--diz.jp
Enter a dnsName of the subject of the certificate: 
Enter the IP address of the subject of the certificate: 
Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N): y
Will the certificate be used for encryption (RSA ciphersuites)? (y/N): y
X.509 Certificate Information:
    Version: 3
    Serial Number (hex): 4ec7ce69
    Validity:
        Not Before: Sat Nov 19 15:42:34 UTC 2011
        Not After: Sun Nov 18 15:42:36 UTC 2012
    Subject: C=JP,O=してみむとて,L=熱海,ST=静岡,CN=*.礼.jp
    Subject Public Key Algorithm: RSA
        Modulus (bits 2048):
            d5:bb:33:15:54:73:31:3f:a2:ac:9a:7e:a2:8d:d8:3e
            1e:a2:f7:5c:d3:63:ee:00:c4:d5:8f:b3:8e:61:d4:a3
            84:48:25:9d:a6:7b:51:db:14:c4:4a:6e:1c:5a:84:49
            2d:0d:85:33:98:19:6e:5a:65:5e:c2:2b:f2:71:98:2b
            98:58:08:a7:5a:b3:11:e4:db:05:6e:8a:2d:3c:18:a7
            f4:c4:90:48:f4:bb:93:03:bd:72:6e:97:5d:71:f5:e9
            7c:4a:6a:e4:e7:e0:47:c1:6a:87:3a:ff:12:72:0d:65
            f7:b9:9c:cf:cb:eb:d2:f0:c6:6f:a3:d9:7f:7d:95:13
            7b:6e:6e:e2:e5:95:1f:14:1f:62:96:82:2f:89:20:26
            92:87:de:a5:ba:34:10:80:db:7e:71:cb:b8:1e:45:a1
            61:0f:83:0d:57:e8:18:5a:00:76:6f:44:b4:28:95:1e
            36:af:08:2b:87:4c:61:63:fe:7c:e1:65:c5:5f:4f:04
            ec:a1:36:f0:23:94:12:47:ae:db:ed:1f:23:e3:e8:20
            f2:fc:98:50:31:96:a4:dc:ec:7e:f9:ff:e2:28:b7:a2
            f5:d3:55:67:81:1a:e2:84:f4:75:74:16:58:17:50:1e
            72:94:a2:3e:4b:12:56:9b:ba:39:b5:7f:da:e1:13:23
        Exponent (bits 24):
            01:00:01
    Extensions:
        Basic Constraints (critical):
            Certificate Authority (CA): FALSE
        Subject Alternative Name (not critical):
            DNSname: *.礼.jp
            DNSname: *.xn--diz.jp
        Key Purpose (not critical):
            TLS WWW Server.
        Key Usage (critical):
            Digital signature.
            Key encipherment.
        Subject Key Identifier (not critical):
            c51a0ac361caa6dcf71feb2b3baada8541159622
        Authority Key Identifier (not critical):
            3555beafdc4b66e0c3a65b7637104e01cd0b0602
Other Information:
    Public Key Id:
        c51a0ac361caa6dcf71feb2b3baada8541159622

Is the above information ok? (Y/N): Y

Signing certificate...
-----BEGIN CERTIFICATE-----
MIID3jCCAsigAwIBAgIETsfOaTALBgkqhkiG9w0BAQUwbDELMAkGA1UEBhMCSlAx
GzAZBgNVBAoMEuOBl+OBpuOBv+OCgOOBqOOBpjEPMA0GA1UEBwwG54ax5rW3MQ8w
DQYDVQQIDAbpnZnlsqExHjAcBgNVBAMMFeOBl+OBpuOBv+OCgOOBqOOBpiBDQTAe
Fw0xMTExMTkxNTQyMzRaFw0xMjExMTgxNTQyMzZaMF8xCzAJBgNVBAYTAkpQMRsw
GQYDVQQKDBLjgZfjgabjgb/jgoDjgajjgaYxDzANBgNVBAcMBueGsea1tzEPMA0G
A1UECAwG6Z2Z5bKhMREwDwYDVQQDDAgqLuekvC5qcDCCASAwCwYJKoZIhvcNAQEB
A4IBDwAwggEKAoIBAQDVuzMVVHMxP6Ksmn6ijdg+HqL3XNNj7gDE1Y+zjmHUo4RI
JZ2me1HbFMRKbhxahEktDYUzmBluWmVewivycZgrmFgIp1qzEeTbBW6KLTwYp/TE
kEj0u5MDvXJul11x9el8Smrk5+BHwWqHOv8Scg1l97mcz8vr0vDGb6PZf32VE3tu
buLllR8UH2KWgi+JICaSh96lujQQgNt+ccu4HkWhYQ+DDVfoGFoAdm9EtCiVHjav
CCuHTGFj/nzhZcVfTwTsoTbwI5QSR67b7R8j4+gg8vyYUDGWpNzsfvn/4ii3ovXT
VWeBGuKE9HV0FlgXUB5ylKI+SxJWm7o5tX/a4RMjAgMBAAGjgZowgZcwDAYDVR0T
AQH/BAIwADAhBgNVHREEGjAYgggqLuekvC5qcIIMKi54bi0tZGl6LmpwMBMGA1Ud
JQQMMAoGCCsGAQUFBwMBMA8GA1UdDwEB/wQFAwMHoAAwHQYDVR0OBBYEFMUaCsNh
yqbc9x/rKzuq2oVBFZYiMB8GA1UdIwQYMBaAFDVVvq/cS2bgw6ZbdjcQTgHNCwYC
MAsGCSqGSIb3DQEBBQOCAQEAK5cYm8osEh9ZSBaXnA/6HYZTTAwwVZEOZxPdgrb+
w016Lalz8+notHsrI4r91yPZFDRs78YCD28+O/CFFOX7Wu9lTz4Ffs3DlXuFEXKX
emftxGkOcaTpxrzyKxgACou4aa8LmZwksERsmfLTc3EDRKJC3zgmwAINnlnYI6Vt
5zJXc2FKvAZ+LZRnzyViEjlD/aA4O1UEYVEMQl67NsP+qOWGtRDrRejWwkrS+LYX
EGWUvG+KuBVMOVECZWANH9tm5tZ9WrpBi06cM85gdvUDNwLELFaoVM88no5ty2q3
GQKvPu6CCuWSopy9XrLK29Omq2ZGPipEAWBzMWfmIBXcrA==
-----END CERTIFICATE-----
Let's load the self-signed certificate into the browser
Import ca.crt into the browser. In Firefox, import it via [Preferences] - [Advanced] - [Encryption] - [View Certificates] - [Authorities]. When importing, tick the option that trusts it for identifying web sites.
Let's set it up on ELB
We use the API tools. Install them however you like. Have both the IAM command line tools and the ELB API tools ready; both are listed under SDKs and Programming Toolkits for AWS.
Upload the private key and certificate to AWS with iam-servercertupload
$ iam-servercertupload -b end.crt -k end.key -s wild-diz
arn:aws:iam::xxxxxxxxxxxx:server-certificate/wild-diz
Then, using the ARN it returned as cert-id, create the ELB listener
$ elb-create-lb-listeners MyELB --listener "lb-port=443,instance-port=80,protocol=https,cert-id=arn:aws:iam::xxxxxxxxxxxx:server-certificate/wild-diz"
OK-Creating LoadBalancer Listener
Let's connect
There is something a little sad about having had to import a self-signed certificate, but
yay, it showed up.