
How to Buy a Basic SSL Certificate

Posted April 6th, 2012 in Development by Greg Bayer

In order to support SSL for a simple Tornado server on EC2, a certificate is required. This process seems harder than it should be, so I thought I’d share the process that recently worked for me.

There are several tradeoffs to consider:

  • Certificate Authority (CA) Reputation (Self-signed – VeriSign)
  • Price (Free – $3000/year)
  • Domain Coverage: (Single, Multi, Wildcard)

After considering these options and reading about other people’s experiences, I concluded that GoDaddy is the least expensive, reasonably well respected CA. At GoDaddy the wildcard option is 15 times as expensive as the standard single domain certificate (with discount), so it’s a better deal to buy single domain certs even if you need a few.

Steps I took:

  1. Search Google for GoDaddy SSL deal.
  2. Login to GoDaddy and buy a single domain certificate for $12.99/year.
  3. Go to ‘My Account’, click SSL Certificates. Activate your purchased token. Wait a few minutes.
  4. Configure your cert. Choose “Third party server”. Provide a Certificate Signing Request (CSR) for your domain (see below).
  5. Download the cert. Use the cert along with the .key file from the CSR generation process to set up SSL on your server(s).

The resulting certificate can be used on any server that is accessible via the domain specified in the common name of the CSR. This means, for example, that you can have a group of web servers, each configured with the same certificate, and use round-robin DNS or a load balancer to decide which server handles any particular request.

How to Generate a CSR

Generating a certificate signing request for sub.yourdomain.com is fairly easy and does not need to be done on the machine(s) that will eventually host the SSL certificate.

1) Generate key file. This requires choosing a temporary password.

>>> openssl genrsa -des3 -out sub.yourdomain.com.key.pw 2048

Generating RSA private key, 2048 bit long modulus
...................+++
......+++
e is 65537 (0x10001)

Enter pass phrase for sub.yourdomain.com.key.pw:
Verifying - Enter pass phrase for sub.yourdomain.com.key.pw:

>>> ls
sub.yourdomain.com.key.pw

2) Create a passwordless key file.

>>> openssl rsa -in sub.yourdomain.com.key.pw -out sub.yourdomain.com.key

Enter pass phrase for sub.yourdomain.com.key.pw:
writing RSA key

>>> ls
sub.yourdomain.com.key sub.yourdomain.com.key.pw

>>> rm sub.yourdomain.com.key.pw

3) Create CSR. This requires your domain information. Follow these guidelines.

>>> openssl req -new -key sub.yourdomain.com.key -out sub.yourdomain.com.csr

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:Palo Alto
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Company's Official Name
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:sub.yourdomain.com
Email Address []:yourname@yourdomain.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

>>> ls
sub.yourdomain.com.csr sub.yourdomain.com.key
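The three steps above run non-interactively, followed by the checks worth doing before uploading the request to the CA, as an added example that is not part of the original post. It assumes openssl is on PATH and uses a made-up domain and DN; it also adds a subjectAltName, which the interactive prompts above do not produce and which current browsers match the hostname against instead of the Common Name.

```shell
# Added example (not from the original post): the post's CSR steps, scripted,
# plus pre-upload checks. Assumes openssl on PATH; DOMAIN and DN are made up.
set -eu
umask 077                    # a passphrase-less .key must not be readable by others
DOMAIN="sub.example.com"     # constructed placeholder, not the post's domain
WORKDIR=$(mktemp -d)

make_key_and_csr() {
    # Step 1: encrypted key; the temporary passphrase is passed in instead of prompted
    openssl genrsa -aes256 -passout pass:temporary -out "$WORKDIR/$DOMAIN.key.pw" 2048 2>/dev/null
    # Step 2: strip the passphrase so the web server can start unattended
    openssl rsa -in "$WORKDIR/$DOMAIN.key.pw" -passin pass:temporary -out "$WORKDIR/$DOMAIN.key" 2>/dev/null
    rm -f "$WORKDIR/$DOMAIN.key.pw"
    # Step 3: CSR from a config file instead of the prompts. The subjectAltName is
    # what browsers check the hostname against; make sure the CA keeps it in the cert.
    cat > "$WORKDIR/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
C = US
ST = California
L = Palo Alto
O = Your Company Name
CN = $DOMAIN
[ext]
subjectAltName = DNS:$DOMAIN
EOF
    openssl req -new -key "$WORKDIR/$DOMAIN.key" -config "$WORKDIR/req.cnf" -out "$WORKDIR/$DOMAIN.csr"
}
# Check 1: the CSR's self-signature verifies, i.e. it was signed by the key we hold
csr_signature_ok() {
    openssl req -in "$WORKDIR/$DOMAIN.csr" -noout -verify >/dev/null 2>&1
}
# Check 2: the public key in the CSR is the one in the .key the server will load
csr_matches_key() {
    k=$(openssl rsa -in "$WORKDIR/$DOMAIN.key" -noout -modulus | openssl sha256)
    c=$(openssl req -in "$WORKDIR/$DOMAIN.csr" -noout -modulus | openssl sha256)
    [ "$k" = "$c" ]
}
# Check 3: the SAN made it into the request
csr_has_san() {
    openssl req -in "$WORKDIR/$DOMAIN.csr" -noout -text | grep -q "DNS:$DOMAIN"
}

make_key_and_csr
csr_signature_ok && csr_matches_key && csr_has_san && echo "CSR ready: $WORKDIR/$DOMAIN.csr"
```

The same modulus comparison is what to run again after the CA returns the .crt (with `openssl x509 -noout -modulus` in place of the req command) to confirm the issued certificate belongs to the key on the server.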

Tornado Handler SSL Example

This is a simple example of how to plug the newly created cert into Tornado.

    import os
    import tornado.httpserver
    import tornado.ioloop
    import tornado.web

    class MainHandler(tornado.web.RequestHandler):
        def get(self):
            self.write("Hello over HTTPS")

    if __name__ == "__main__":
        # Directory holding the downloaded .crt and the .key from the CSR step
        data_dir = os.path.dirname(os.path.abspath(__file__))
        application = tornado.web.Application([
            (r"/", MainHandler),
        ])
        http_server = tornado.httpserver.HTTPServer(application, ssl_options={
            "certfile": os.path.join(data_dir, "sub.mydomain.com.crt"),
            "keyfile": os.path.join(data_dir, "sub.mydomain.com.key")})
        http_server.listen(8888)
        tornado.ioloop.IOLoop.instance().start()

On AWS, SSL can also be easily enabled on an Elastic Load Balancer (ELB) that sits in front of your web server(s). This alternative approach allows your web servers to avoid the overhead associated with SSL requests.

References

  • To add your new SSL certificate to an existing load balancer (ELB) on AWS, you will need to:
    – Add the certificate to Amazon’s system
    – Download the ELB command line interface (cli) and issue a command like this one:

    elb-create-lb-listeners <your elb name> --listener "protocol=HTTPS,lb-port=443,instance-port=80,instance-protocol=HTTP,cert-id=arn:aws:iam::<your aws account id>:server-certificate/<your certificate id>"

  • jawj

    Any reason why startssl.com’s free certificates weren’t appropriate? I’ve found them excellent.

  • From the little bit of research I did, it seemed that GoDaddy was more well known and more widely recognized as a trusted certificate authority, which was an important criterion for me.