SSL/TLS from Ionic mobile app to AWS load balancer not working - amazon-web-services

I think I misunderstand the concept of adding SSL protection to my AWS EC2 instance with a load balancer!
I have an Ionic app (web, iOS and Android). I want to switch all HTTP requests to HTTPS.
What I did:
Purchasing a URL with Route 53
Getting a certificate with ACM
Setting up a load balancer like this:
https:443 -> EC2 instance (here I applied the certificate)
http:80 -> https:443
http:8080 -> https:443
In Hosted Zones I added an A-type record that points from my URL to the load balancer.
In my Ionic code I changed the endpoint addresses to https://my-backend-api-url.com/ (Yes, I changed my-backend-url.com to the real URL :)
In the web deployment this setup lets me call the backend, but in the iOS and Android deployments it doesn't work and returns a "0 unknown error".
In the load balancer I can see that the requests from mobile deployments produce client TLS negotiation errors.
My attempt to fix this:
If I understand it right (and there is a big if), I need an SSL/TLS certificate that is in my app build in a certificate folder, and I need the same certificate on my load balancer. Since AWS ACM certificates only work for other AWS services, I think I cannot use the certificate I created and applied via ACM.
So I think I need an SSL certificate from a CA and tried to get one with:
sudo certbot certonly --apache
When I enter my URL it says:
"Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80"
It may also be helpful to know that I can access my backend API with the browser, but it shows me that it's insecure and the certificate is not valid.
Am I on the right track with my approach, or did I completely misunderstand something? If my approach is correct, what do I have to do so that certbot can access port 80?
Any hint, link to a good tutorial, or help in any way is highly appreciated.

I think there is no need to get an SSL certificate from an external provider. You are accessing your load balancer without SSL. Your load balancer is doing the decryption for you. So, just check that your load balancer is in a security group with port 443 open.

Related

SSL cert for AWS domain?

I have a backend service I'm running in Fargate. I need this service to have an SSL cert on its load balancer so that it can talk to other HTTPS services. I've created the load balancer and it gives me an AWS domain (my-cool-app.us-east-1.elb.amazonaws.com).
Now, when I try to request a certificate through ACM, it fails and says "Additional verification required". So I'm not sure if it's possible to add an SSL cert to this load balancer without registering a custom domain?
Also, this is a Django app and I haven't done anything other than keep it as runserver, which I know isn't good for production, but I just need to start by making it work as a dev environment. Do I need to change the way Django runs in order for SSL to work? Or is the load balancer sufficient?
To use an SSL certificate for a domain you need to have control over that domain. For the AWS managed certificate service (ACM) you can verify through either DNS validation or email validation, both of which essentially require domain control to validate.
As you're trying to use ACM for an AWS-owned domain, someone from AWS would need to approve the SSL certificate (which they won't).
Regarding your second point, what you're describing is SSL offloading, in which the load balancer will serve HTTPS and then terminate encryption in transit. It will then forward the request to the Fargate container using the protocol and port defined in the target group.
The only thing you want to consider is how you display to the user; for example, ensure that all CSS, JS and links on your site are HTTPS. You can detect whether the incoming request used HTTPS at the load balancer by inspecting the X-Forwarded-Proto header in your application.

AWS Install SSL Certificate from Amazon Certificate Manager to EC2 Ubuntu

I am using AWS and I'm trying to get an SSL certificate up and running. I have done the following:
Created an instance via EC2 and installed Ubuntu on that instance; all my code is on there and is working with HTTP.
Added an A record for my domain via Route 53. All is working there; I am able to go to my domain and see the website that is on Ubuntu.
Created a public SSL certificate via Amazon Certificate Manager. I added the CNAME to where my domain was hosted, but the status never changed to Success, so I added the CNAME via Route 53 where my A record is and I now have a status of Success.
I really don't know what to do next. I tried following the steps here:
https://hackernoon.com/getting-a-free-ssl-certificate-on-aws-a-how-to-guide-6ef29e576d22
But that did not work. Can anyone point me in the right direction on what I am supposed to do next? When I try to go to my website with https I get an error saying the site can't be reached.
You need to add a load balancer listener and target group. You need to create two paths: 80 -> 443 redirection and 443 -> actual target group. The 443 listener can have the certificate (if it's validated in ACM). See the attached image. Add Route 53 -> Load Balancer. When you load the website it will pick the certificate from the load balancer.
Thanks
Ashish

AWS EB Load Balancer SSL Certificate Page Not Loading?

I've created a public SSL certificate through AWS Certificate Manager and installed it on my EB Classic Load Balancer. The certificate was selectable from the load balancer's menu and the Certificate Manager now says it's "in use". So, I assume everything is set up correctly, but when I visit my site using https:// the page won't load. It just says waiting for ... until it ultimately gives up. Is there a time delay for this to enact or is there something more I need to do?
EDIT:
I appreciate the comments thus far, though I'm not sure how to redirect the traffic (kinda new to this). Here is a screenshot of my configuration.
Looks like you need to redirect traffic from 443 (AWS ELB) to your backend service.
The same listener that you have configured for HTTP (port 80) > backend service.
443 (HTTPS) > port
80 (HTTP) > port
Edit:
If you are using security groups, you will have to allow incoming traffic on port 443.

Setup AWS certificate for a web page

I have a web page I would like to work with SSL (HTTPS).
For now it is working, but with a private certificate which alerts the user that the "connection is not secure".
I issued an AWS certificate by following this link:
https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-validate-dns.html#dns-add-cname
And set my Tomcat server to work with the certificate as shown in this link:
http://techtracer.com/2007/09/12/setting-up-ssl-on-tomcat-in-3-easy-steps/
But I cannot seem to get rid of the "connection is not secure" issue.
The blog post is too old, around 11 years; not sure whether it works or not.
But you can generate a new free certificate using AWS Certificate Manager and add it to a load balancer to terminate the SSL connection. Your servers will be behind that load balancer.
With AWS ACM you will need to have a load balancer in front of your web server; you can then terminate the SSL at the load balancer and forward HTTP connections to your Tomcat web server:
https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-create-https-ssl-load-balancer.html
Alternatively, if you don't want to have a load balancer (cost etc.), then you can look at using a free CA, such as Let's Encrypt. I've never used Let's Encrypt with Tomcat before, but a quick Google came up with a few sensible solutions, e.g. https://community.letsencrypt.org/t/configuring-lets-encrypt-with-tomcat-6-x-and-7-x/32416
Once up and running with SSL I suggest you check how strong your SSL config is using https://www.ssllabs.com/

AWS Install SSL from Certificate Manager (Free from AWS) to ELB and apply to EC2 Windows Platform IIS Instance

Greetings,
I have created the certificate through Certificate Manager in AWS, the free one, and successfully verified it as well as put it in the Elastic Load Balancer (ELB). The status of the certificate shows it's issued, and "Is Used?" shows Yes in the Certificate Manager.
Overall, I have completed these two steps without any problem, but the SSL does not work with my domain name. When I type "mydomain.com" with or without the http:// prefix, it works, but when I type "mydomain.com" with the https:// prefix, it does not work.
I have researched to find the solution and a way to install SSL into Microsoft Windows IIS on AWS, but no document describes that.
Can anyone share this experience? I really appreciate it.
Looking forward to the reply, and thanks.
You do not need to set up SSL on your web server when you use a load balancer. Assign the SSL certificate to the load balancer (as you did). Then in your HTTPS listener in the load balancer, listen on HTTPS but connect to your web server over HTTP.
In the Amazon Console for your load balancer under the "Listeners" tab, the "Load Balancer Protocol" will be HTTPS and the "Instance Protocol" will be HTTP.
This has the benefit of offloading SSL to the load balancer, which decreases CPU load on your web server.
If you do want to set up SSL on your web server, then you cannot use the Amazon SSL certificate. You will need to use the standard methods and purchase a certificate from someone else.