I have deployed my .NET Core Web API application to AWS Elastic Beanstalk , then I purchased a domain from hostinger to get a free SSL certification from Amazon ACM .
After I validated the ownership of the domain by DNS , the SSL certification was issued by ACM , after that I headed to my environment , and edited in configuration section Load Balancers .
I added a Listener with Port 443 and HTTPS protocol , then chose the certificate and the SSL policy TLS-1-2-2017...
then saved the changes .
The configuration was successfully carried , but when I access my Elastic Beanstalk url with https it gives certificate not valid like that in the picture below :
enter image description here
can someone please guide , I have been stuck for 2 days and didn't find a solution .
Related
Background of the Application
I have MERN Stack Application running (where frontend reactJS is running inside NodeJS backend server)
The whole application is then wrapped inside Docker Container
Then Deployed in AWS ECS EC2 (using single Service & Task) behind a single Application Load Balancer.
Created a Hosted Zone in AWS Route 53 to Point my domain name to Load Balancer
Now the application is successfully running when I visit my domain name.
Problem Araised Here
The website is "Not Secure"!! — I want to install SSL Certificate
I went to AWS Certificate Manager
Successfully got a certificate by adding CNAME in the AWS Hosted Zone Records
Configured Security Group, Load balancer Listeners to HTTPS
Added that Certificate to Load Balancer listener
Actual Problem
I got the certificate, connected to load balancer,
I can see my certificate in the address bar - "Certificate is Valid"
And still, it shows my the Site is "Not Secure" - Below image is for your reference.
Error in the Console (Edited)
Mixed Content: The page at 'https://example.com/' was loaded over HTTPS, but requested an insecure resource 'http://my-alb-XXXXXXX.us-xxxx-X.elb.amazonaws.com/api/goals'. This request has been blocked; the content must be served over HTTPS.
My Assumption of What Went Wrong
Since AWS ALB has its own DNS Name, which is "Not Secure"
Connecting my new secured domain name TO an unsecured AWS ALB DNS name would be the problem.
Appreciate Your Response
Thank you,
ARUN
I am trying to add HTTPS connection to the server API I have in elastic beanstalk, using CloudFlare as DNS. Steps I have followed:
Go to AWS certificate manager and create a certificate for *.nameofmydomain.com
Verified the certificate
Created a listener in elastic beanstalk loader section, port 443 and the previously created certificate
Created a CNAME record in cloudflare that points api.nameofmydomain.com to the elastic beanstalk (xxxxx.yyyyy.eu-west-1.elasticbeanstalk.com)
When I open the https://xxxxx.yyyyy.eu-west-1.elasticbeanstalk.com I get the following error
And when I open the api.nameofmydomain.com I get this
I found the issue, turns out that wildcard ACM certificates in AWS only work for one level, and I was trying to create a domain in that was xxx.yyy.nameofmydomain.com changing it to just one level made it work
I am trying to map an external sub domain into my Elastic Beanstalk Environment. I know, the common way is to use Route53 but I see no use of using it when my client's domain provider has already provided CPanel and stuff to set the CName and things. So, I am about to follow the below method to set domain to Beanstalk.
Login to your provider website and select your domain
Click on "Advanced DNS"
Create a CNAME record.
host: www
value: {{enter-your-subdomain}}.elasticbeanstalk.com.
Create a URL Redirect record.
host: #
value: http://www.{{your-custom-domain}}.com
By doing the above, I expect to have subdomain.example.com instead of subdomain-region.elasticbeanstalk.com
You can see detailed info in this - https://colintoh.com/blog/map-custom-domain-to-elastic-beanstalk-application
I am going to apply this to 2 things.
The REST API which resides in Beanstalk. (Will be used by few mobile and web apps)
The Web Portal app which resides in Beanstalk.
Now, I can see my client already has couple of subdomains for other purposes with SSL enabled. They have purchased SSL from a CA. Therefor, can we enable SSL in CPanel and point the SSL enabled sub domains to Beanstalk? Or we have to reconfigure everything in Route53 and go through their complex process of setting up the SSL?
Using SSL certificates issued by external vendor
From the side of SSL vendor you would need three files : certificate-chain.pem, https-cert.crt and private-key.pem .
Steps would be as follows:
Import certificate to ACM
aws acm import-certificate –certificate file://https-cert.crt
–private-key file://private-key.pem –certificate-chain
file://certificate-chain.pem
Once the import is complete to edit Load Balancer settings in AWS Elasticbeanstalk from Console to choose the imported certificate. For detailed step by step instruction refer https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-elb.html .
Using SSL certificates from AWS ACM
Steps would be as follows:
Create a Public Hosted Zone in Route 53 with the subdomain in discussion (say app.mydomain.com). AWS will return multiple ns server names.
Create an SOA record in the existing domain registrar for app.mydomain.com pointing to the ns server names returned in step 1.
Go to ACM and create domain validated certificates for app.mydomain.com .
Edit Load Balancer settings in AWS Elasticbeanstalk from Console to choose the new ACM certificates. For detailed step by step instruction refer https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-elb.html .
I am trying to setup HTTPS across my app which consists in a frontend (S3 bucket distributed with CloudFront), and a backend (node.js app inside Elastic Beanstalk).
For the CloudFront part, I created an SSL certificate in N. Virginia (apparently I don't have a choice here) and I made the binding in the CloudFront distribution. It works and my app is served over HTTPS.
For the Elastic Beanstalk part, I created an SSL certificate in Ireland (where my EBS app is hosted) and I bound this certificate to the EBS load balancer using the port 443. It works and I can reach my server with HTTPS using Postman.
However, when my frontend tries to make an API call to the backend I get this error :
I guess I made a mistake while creating the certificates, but I cannot find it. I gave both certificates the same set of CNAMES, I am not sure if I am supposed to do that.
EDIT :
I get the exact same error after updating the frontend so that it points the DName of the load balancer (also mapped to subdomain with Route 53).
CloudFront is attempting to load an HTTPS URL from your load balancer. I assume you have an SSL certification assigned to the load balancer. The domain name of the SSL certificate on the load balancer needs to match the domain name that CloudFront is requesting.
For example if the load balancer's SSL certificate is something like beanstalk.mydomain.com then CloudFront would need to be making requests for https://beanstalk.mydomain.com. The error CloudFront is giving you says that the domain name of the SSL certificate served by the load balancer does not match the domain name djumbo-back-debug.eu-west-1.elasticbeanstalk.co.
You need to setup something like the following:
DNS Name www.mydomain.com points to CloudFront Distribution
Configured to serve www.mydomain.com
Configured with an SSL certificate for the domain www.mydomain.com
Configure to pull from the origin beanstalk.mydomain.com
DNS Name beanstalk.mydomain.com points to Elastic Beanstalk application
With a Load Balancer, with an SSL certificate for beanstalk.mydomain.com
I am trying to host my frontend on AWS using cloudfront and backend on a EC2 behind a classic loadbalancer. I have imported my SSL certificate in ACM. Using ACM the certifcate has been installed on Cloudfront and classic Loadbalancer.
Cloudfront configuration:
Alternate Domain Names (CNAMEs) = mydomain.com
SSL Certificate = mydomain.com (xxx-yyy-zzz............)
Classic loadbalancer Configuration:
The load balancer is hosted on api.mydomain.com and SSL certificate installed using ACM.
Security group inbound rules configuration:
EC2 is running a Nodejs server listening on port 80. I haven't installed SSL certificate on EC2 because it was not mentioned in AWS documentation.
The home page opens up but when I try to login I get an error:
LoginSignUp.js:84 OPTIONS https://api.mydomain.com/user/signin net::ERR_INSECURE_RESPONSE
So the browser is blocking backend response because it is not secure. Do I need to install SSL certificate on EC2 also? Or did I make any configuration mistake?
It appears from your question that your SSL certificate is for mydomain.com and you are trying to request api.mydomain.com
Create a new ACM certificate that includes api.domain.com as either the domain name or as a Subject Alternative Name (SAN).
At a glance, the rest of the build looks correct.