AWS Elastic Beanstalk load balancer not showing SSL certificate - amazon-web-services

I'm running an Express.js application on AWS Elastic Beanstalk, and I recently created an SSL/TLS certificate to implement HTTPS for the web application. When I'm in the process of creating an 'Application Load Balancer Listener', as specified in this set of instructions:
https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-elb.html
the SSL/TLS certificate is not showing up.
I created a certificate using AWS Certificate Manager and have confirmed both were created in the same region: US East (Ohio) us-east-2
Why isn't the certificate showing up when I go to add the listener to the load balancer in my Elastic Beanstalk app?

I found the answer to my question. AWS won't allow you to integrate Amazon Certificate Manager (ACM) created certificates that have "4096-bit RSA keys or EC keys" with a load balancer on AWS Elastic Beanstalk.
https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/ssl-server-cert.html
In other words, if you're creating an SSL/TLS certificate with ACM and given the choice of what encryption algorithm to use, only the RSA 2048 option will allow you to use the certificate with an AWS Elastic Beanstalk load balancer.

Related

how to enable (https) SSL certificate AWS EC2 hosted site

So far I did the configuration below.
I hosted my site on an EC2 AWS machine with a public IP and public DNS.
I can access my website by IP as well as by public DNS.
I purchased a domain name from GoDaddy: www.xxtrasc.com
On AWS I created a Hosted Zone, then mapped www.app.xxtrasc.com successfully.
Now I access my website directly at www.app.xxtrasc.com
Next I want to enable HTTPS.
On AWS Certificate Manager I ordered a certificate with domain name *.xxtrasc.com
I did everything to add the CNAME and all. I can see the green colored status Issued on ACM.
Now how can I attach this certificate to my website so that I can access https://www.app.xxtrasc.com
You cannot use ACM to directly install your ACM Certificate on your AWS based website or application.
https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-install.html
You must use one of the following services:
Elastic Load Balancing
Amazon CloudFront
AWS Elastic Beanstalk
Amazon API Gateway
AWS CloudFormation
Please read the official doc : https://docs.aws.amazon.com/acm/latest/userguide/acm-services.html
So to install the certificate directly under apache2/nginx configuration you need to obtain the certificate from other third parties like Let's Encrypt, GoDaddy etc. You can read about that here - https://in.godaddy.com/help/manually-install-an-ssl-certificate-on-my-apache-server-centos-5238
On AWS I recommend using an ELB and placing your EC2 instances behind this ELB. This will allow you to select your ACM certificate from the ELB itself. Please read the following doc to use a classic load balancer with HTTPS: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/ssl-server-cert.html
If you want to enable SSL on your site, you need to purchase an SSL certificate. You can purchase it with GoDaddy and then set it up on the AWS server. Without an SSL certificate, your https site won't work.

How to get SSL certificate

I have purchased a domain from the GoDaddy provider and I launched an application with the AWS Route 53 service.
My questions:
Where to get an SSL certificate? GoDaddy or AWS?
How to set up an SSL certificate?
Please tell me.
This depends upon your use case, or where you are running your application, like ECS or EC2 or some static website over S3.
If you are using a load balancer on top of your application then the certificate from AWS is best. You don't need to worry about renewal etc. or any other configuration, just create the load balancer with AWS Certificate Manager.
https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-create-https-ssl-load-balancer.html
CloudFront:
Here is the link how you can configure with CloudFront.
If you want to configure it directly on your EC2 instance then it's not possible.
"Although you install your website on an Amazon EC2 instance, you cannot directly deploy an ACM Certificate on that instance" (source: AWS Doc)
Here is the list of services on which you can use an AWS certificate.
Elastic Load Balancing
Amazon CloudFront
AWS Elastic Beanstalk
Amazon API Gateway
AWS CloudFormation
Services Integrated with AWS Certificate Manager
You mention that you launched the application with Route 53, so I want to clear one thing up:
Amazon Route 53 is a highly available and scalable cloud Domain Name
System (DNS) web service.
So Route 53 is DNS and it can be configured with
Amazon Route 53 effectively connects user requests to infrastructure
running in AWS – such as Amazon EC2 instances, Elastic Load Balancing
load balancers, or Amazon S3 buckets – and can also be used to route
users to infrastructure outside of AWS.
Amazon Route 53
As we are using AWS certificate and we feel good with AWS services, far better than any other service provider in our case.
Let me know if you need further details.

AWS Certificate Manager Certificate is not visible to AWS Beanstalk from Console

I am new to AWS and need help to select the AWS Certificate Manager provisioned certificate from the Elastic Beanstalk load balancer using the AWS Console.
Deployed my Java application on a Linux instance using Elastic Beanstalk and that worked fine with HTTP.
Provisioned a new wildcard certificate using AWS Certificate Manager.
Under Elastic Beanstalk Configuration - Network Tier - Load Balancing Settings gear icon, I changed "Secure listener port" = 443 and "Protocol" = HTTPS.
But the "SSL Certificate ID" does not list the certificate to pick.
Please suggest what it is that I am missing here.
I have read many suggestions to do it by CLI but I am not a CLI expert and wanted to use the console feature for simplicity.
EDIT-1:
I can see the certificate under EC2 - Load Balancer - Listener tab if I try to add HTTPS, but not under Beanstalk. I am not sure if I should add this listener under EC2 or not, but I think I need to add SSL to Beanstalk as my application gets deployed using Beanstalk into EC2.
This will happen if you created your SSL certificate in a different region to your Elastic Beanstalk instance. An easy gotcha!
To set up an SSL certificate for your Elastic Beanstalk environment, please see Configuring Your Elastic Beanstalk Environment's Load Balancer to Terminate HTTPS
There is a console setup step as you describe in step 3, so that looks good. Also note you need to update the EB configuration as shown in the above document.
From AWS documentation:
For Classic Load Balancer and Application Load Balancer, if the
drop-down menu doesn't show any certificates, you should create or
upload a certificate for your custom domain name in AWS Certificate
Manager (ACM) (preferred). Alternatively, upload a certificate to IAM
with the AWS CLI.
I guess AWS CLI with IAM must be used as described here

Configure SSL certificate by ACM on single instance tomcat on AWS

I have created a single instance web application on AWS with Elastic Beanstalk. Now I want to add an SSL certificate to enable HTTPS access on it.
I created an SSL certificate using ACM and I was following this link to add it to my web app in Elastic Beanstalk.
But I could not find and anywhere in acm.
How can I find them?
You can only use ACM with CloudFront or Elastic Load Balancers. Since you don't have an Elastic Load Balancer in a single instance Elastic Beanstalk environment, you can't use ACM, unless you want to put CloudFront in front of it.

AWS Certificate Manager (ACM Certificate) with Elastic Beanstalk

I have tried the following solutions but none of them solved my problem:
Using AWS Certificate Manager (ACM Certificate) with Elastic Beanstalk
Set load balancer listener ssl certificate - can not give a link because I don't have 10 reputation
Configuring Your Elastic Beanstalk Environment's Load Balancer to Terminate HTTPS - can not give a link because I don't have 10 reputation
I have issued an SSL certificate in ACM and I have configured it to work correctly for my CloudFront. But when I try to add the same certificate to my load balancer I get: "Updating load balancer named: ... failed Reason: Server Certificate not found for the key: arn:aws:acm:us-east-1:..."
I have also tried to add the SSL certificate manually to the load balancer, but there I'm not able to click on "Choose an existing certificate from AWS Identity and Access Management (IAM)"
Download the certificate from ACM.
Via AWS API
Via CLI
Recommended: uploading your own cert to IAM.
ACM is only available in Virginia, which beta-tests many AWS Services. For this reason, Virginia often has numerous performance and stability issues.
Add the Cert to IAM
Get the AWS CLI Installed and set-up.
Add the cert to IAM via the CLI.
Add it to your EB Load Balancer
Elastic Beanstalk > Application > Environment
Configuration > Load Balancing > config (gear-icon)
Set the SSL-Cert
Apply.
Make sure your public domain is pointed to your environment-domain
yourdomain CNAME environment-name.elasticbeanstalk.com
Ok I have found the solution to my problem. The Amazon Certificate Manager (ACM) is available only for USA East N.Virginia region but my elastic beanstalk was in USA West Oregon and that's why I was not able to see my SSL Certificate from the ACM in the loadbalancer. When I created a new elastic beanstalk in the same region as the Amazon Certificate Manager (N.Virginia) which created a load balancer in the N.Virginia too then I was able to create HTTPS Listener for the load balancer and to assign the SSL Certificate to it.
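
The causes given across the answers on this page (no load balancer in a single-instance environment, certificate and environment in different regions, a key algorithm other than RSA 2048) can be checked together. The following is an added example, not code from any of the posts: it assumes the input is the "Certificate" object printed by `aws acm describe-certificate`, the function names are hypothetical, and the sample ARNs and account id are constructed.

```python
# Added example: checks one certificate against the causes the answers
# above give for it not being selectable. All sample values are constructed.

def arn_region(arn):
    """Region field of an ACM ARN: arn:partition:acm:region:account:resource."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "acm" or not parts[3]:
        raise ValueError("not an ACM certificate ARN: %r" % arn)
    return parts[3]

def missing_cert_reasons(cert, env_region, env_type):
    """cert: the "Certificate" object from `aws acm describe-certificate`.
    env_type: Elastic Beanstalk EnvironmentType, "LoadBalanced" or
    "SingleInstance". Returns the reasons (possibly none) it cannot be picked."""
    reasons = []
    if env_type != "LoadBalanced":
        reasons.append("no-load-balancer: single-instance environment has no listener")
    cert_region = arn_region(cert["CertificateArn"])
    if cert_region != env_region:
        reasons.append("region-mismatch: certificate in %s, environment in %s"
                       % (cert_region, env_region))
    if cert.get("Status") != "ISSUED":
        reasons.append("not-issued: status is %s" % cert.get("Status"))
    # Rule as stated in the first answer on this page: only RSA 2048 works.
    if cert.get("KeyAlgorithm") != "RSA_2048":
        reasons.append("key-algorithm: %s is not RSA_2048" % cert.get("KeyAlgorithm"))
    return reasons

def sample_cert(region, algo, status="ISSUED"):
    # Constructed sample; account id and certificate id are placeholders.
    arn = "arn:aws:acm:%s:111122223333:certificate/EXAMPLE-ID" % region
    return {"CertificateArn": arn, "Status": status, "KeyAlgorithm": algo}

if __name__ == "__main__":
    # Cases modelled on the threads above (regions as the posters describe them).
    cases = [
        ("4096-bit key, Ohio", sample_cert("us-east-2", "RSA_4096"), "us-east-2", "LoadBalanced"),
        ("Virginia cert, Oregon env", sample_cert("us-east-1", "RSA_2048"), "us-west-2", "LoadBalanced"),
        ("single-instance Tomcat", sample_cert("us-east-1", "RSA_2048"), "us-east-1", "SingleInstance"),
        ("matching setup", sample_cert("us-east-2", "RSA_2048"), "us-east-2", "LoadBalanced"),
    ]
    for name, cert, region, env_type in cases:
        print(name, "->", missing_cert_reasons(cert, region, env_type) or "selectable")
```

An empty list means none of the causes named on this page applies to that certificate and environment pair.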