How to encrypt traffic in Jupyterhub (TLJH) with AWS Certificate Manager - amazon-web-services

I'm trying to run JupyterHub (TLJH) on AWS EC2 using the steps provided here. The setup works over HTTP. However, I run into trouble when I try to map a subdomain and simultaneously use an SSL certificate and key from AWS Certificate Manager.
The steps outlined in this link describe how to encrypt if we use Let's Encrypt, or if we can download the SSL key and certificate. Unfortunately, it's not simple to download the SSL certificate from AWS Certificate Manager.
So, my question is: how do I use an AWS Certificate Manager certificate for a subdomain to encrypt traffic and connect to JupyterHub?

Related

Installing SSL in Amazon Lightsail

So my team just moved my website from another host to Amazon Lightsail (WordPress). On the previous host it was already secure (HTTPS). My team has also already uploaded my own cert using Certificate Manager, but how do I connect it to Lightsail?
PS: we already asked support there, but they only gave me the documentation on how to use a load balancer, ignoring that we already said we have our own cert.
my own cert using Certificate Manager but how to connect it to the Lightsail ?
You can't use AWS ACM SSL certificates on instances. They can only be used on load balancers, CloudFront distributions and API Gateway. It does not matter whether it is an imported cert or not.
To use your own SSL cert, you have to set up your Lightsail instance yourself, without ACM. Usually this is done by using nginx as a reverse proxy in front of your application and manually configuring it to use your SSL certificate. ACM is not involved in this process. It's a fully manual setup on your behalf.

Amazon certificates with envoy front-proxy

I am trying to use an Amazon SSL certificate for my app. Currently, I have a dockerized application hosted on an AWS server with an Envoy front proxy. I am using Let's Encrypt SSL certificates for a trusted domain certificate. Now I want to switch to Amazon's SSL certificates.
I am exploring this but haven't got any clear idea. This blog shows how to enable traffic encryption between services in AWS App Mesh using AWS Certificate Manager, but they have not mentioned how to do it with the Envoy proxy.
For Envoy, we have to provide cert and key files. But as per this question, we are not able to download these files from Amazon. Is it possible to use the Amazon certificate with the Envoy front proxy? If yes, can you please give me an idea/example of how to do it?
Thanks in advance.
Only AWS services can use AWS SSL certificates. If you want to use an AWS SSL certificate for TLS/HTTP traffic, you would use an Application Load Balancer to handle the certificate and send it to your Envoy proxy hosted on an EC2 box. Ideally you would keep the network traffic encrypted, which would require you to use a Let's Encrypt certificate between the Application Load Balancer and EC2.
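The answers on this page agree that an ACM certificate can only be attached to AWS-managed endpoints, so the practical setup for both the TLJH question at the top and the Envoy question above is an Application Load Balancer that holds the ACM certificate and forwards to the instance over the instance's own (self-signed or Let's Encrypt) certificate. The script below is an added example written for this page; it is not code from any of the posts, nor from the TLJH or Envoy projects. It uses the AWS CLI, and every ID, ARN and hostname in it is a placeholder to replace; the JupyterHub /hub/health health-check path is also an assumption.

```shell
#!/bin/sh
# Added example, not code from the questions or answers above: put an
# Application Load Balancer holding the ACM certificate in front of the
# instance (JupyterHub/TLJH, or the Envoy front proxy), forward to it over
# HTTPS, and only let the ALB's security group reach port 443 on the instance.
# Every ID, ARN and hostname below is a placeholder; set them via environment
# variables. DRY_RUN=1 (default) prints the aws calls instead of running them.
set -eu

DOMAIN="${DOMAIN:-hub.example.com}"            # name the ACM cert was issued for
VPC_ID="${VPC_ID:-vpc-PLACEHOLDER}"
SUBNET_IDS="${SUBNET_IDS:-subnet-PLACEHOLDER-a subnet-PLACEHOLDER-b}"
ALB_SG="${ALB_SG:-sg-PLACEHOLDER-alb}"
INSTANCE_SG="${INSTANCE_SG:-sg-PLACEHOLDER-instance}"
INSTANCE_ID="${INSTANCE_ID:-i-PLACEHOLDER}"
DRY_RUN="${DRY_RUN:-1}"

# run CMD...: print the command when DRY_RUN=1, otherwise execute it
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# acm_cert_arn DOMAIN: the ISSUED certificate for DOMAIN in the current region
# (an ALB can only use certificates from its own region); prints "None" if absent
acm_cert_arn() {
  run aws acm list-certificates --certificate-statuses ISSUED \
    --query "CertificateSummaryList[?DomainName=='$1'].CertificateArn | [0]" \
    --output text
}

# create_alb: internet-facing ALB in the public subnets
create_alb() {
  # SUBNET_IDS is intentionally left unquoted so it word-splits into several IDs
  run aws elbv2 create-load-balancer --name hub-alb --type application \
    --scheme internet-facing --subnets $SUBNET_IDS --security-groups "$ALB_SG" \
    --query 'LoadBalancers[0].LoadBalancerArn' --output text
}

# backend_target_group: HTTPS target group so the ALB re-encrypts to the
# instance; the ALB does not validate the backend certificate, so a
# self-signed or Let's Encrypt certificate on the instance both work
backend_target_group() {
  run aws elbv2 create-target-group --name hub-backend-tls \
    --protocol HTTPS --port 443 --vpc-id "$VPC_ID" --target-type instance \
    --health-check-protocol HTTPS --health-check-path /hub/health \
    --query 'TargetGroups[0].TargetGroupArn' --output text
}

# https_listener ALB_ARN TG_ARN CERT_ARN: TLS terminates here with the ACM
# certificate and a TLS 1.2/1.3-only policy; port 80 only redirects to HTTPS
https_listener() {
  run aws elbv2 create-listener --load-balancer-arn "$1" \
    --protocol HTTPS --port 443 \
    --certificates "CertificateArn=$3" \
    --ssl-policy ELBSecurityPolicy-TLS13-1-2-2021-06 \
    --default-actions "Type=forward,TargetGroupArn=$2"
  run aws elbv2 create-listener --load-balancer-arn "$1" \
    --protocol HTTP --port 80 \
    --default-actions 'Type=redirect,RedirectConfig={Protocol=HTTPS,Port=443,StatusCode=HTTP_301}'
}

# lock_down_instance: instance port 443 reachable only from the ALB's security group
lock_down_instance() {
  run aws ec2 authorize-security-group-ingress --group-id "$INSTANCE_SG" \
    --protocol tcp --port 443 --source-group "$ALB_SG"
}

main() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "# DRY_RUN=1: the calls that would be made, with placeholder ARNs"
    acm_cert_arn "$DOMAIN"; create_alb; backend_target_group
    https_listener arn:alb:PLACEHOLDER arn:tg:PLACEHOLDER arn:cert:PLACEHOLDER
    lock_down_instance
    return 0
  fi
  cert_arn=$(acm_cert_arn "$DOMAIN")
  [ "$cert_arn" != "None" ] || { echo "no ISSUED ACM certificate for $DOMAIN" >&2; exit 1; }
  alb_arn=$(create_alb)
  tg_arn=$(backend_target_group)
  run aws elbv2 register-targets --target-group-arn "$tg_arn" --targets "Id=$INSTANCE_ID"
  https_listener "$alb_arn" "$tg_arn" "$cert_arn"
  lock_down_instance
  echo "point a DNS CNAME/alias for $DOMAIN at the ALB; ACM then renews the certificate in place"
}
main
```

Run it once with `DRY_RUN=1` to review the calls, then with `DRY_RUN=0` and real IDs. The instance still needs to serve HTTPS on 443 with its own certificate (TLJH's built-in TLS settings, or nginx/Envoy in front of the app); if you are willing to accept plaintext on the private VPC leg, change the target group to `--protocol HTTP --port 80`, but the answer above is right that keeping that leg encrypted is the better default.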

Is it possible to implement two-way SSL in AWS Certificate Manager?

Right now I have a server which should only be accessible by clients who have a particular valid certificate installed in their browser. This is called two-way SSL, and it's a way to authenticate clients. I was wondering if it is possible to implement this in AWS Certificate Manager?
I'm asking this because when I do this manually, I have to generate client certificates on my machine individually using the CA's certificate and key. But when I use AWS Certificate Manager I don't think the key is accessible for me to generate the client certificates. Is that right? Does that mean that I cannot use AWS Certificate Manager if I want to implement two-way SSL?
Currently you cannot use AWS ACM-issued certificates as client certificates, since ACM only allows them to be associated with the following AWS services:
AWS API Gateway
AWS CloudFront
AWS ELB/ALB
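The Lightsail answer above says the instance-side setup is nginx as a reverse proxy with your own certificate, and the two-way SSL question asks for client-certificate authentication, which is likewise something the instance's own TLS server does rather than ACM. The script below is an added example for both, not code from any of the posts: it renders an nginx server block for an instance that holds its own certificate, optionally requiring a client certificate signed by a CA you control, and can mint a self-signed certificate for the private load-balancer-to-instance leg. The domain, file paths and the app's upstream address are assumptions.

```shell
#!/bin/sh
# Added example, not code from the answers above: render an nginx reverse-proxy
# TLS configuration for an instance that holds its own certificate (the
# "without ACM" setup), with an optional client-certificate requirement
# (the "two-way SSL" case). Assumptions: nginx on the instance, the app on
# 127.0.0.1:8080, and the paths given as arguments; all names are placeholders.
set -eu

# render_nginx_tls_conf DOMAIN CERT KEY UPSTREAM [CLIENT_CA]
# Prints a server block. When CLIENT_CA is given, nginx verifies the client's
# certificate against that CA bundle and refuses connections without one.
render_nginx_tls_conf() {
  domain="$1"; cert="$2"; key="$3"; upstream="$4"; client_ca="${5:-}"
  cat <<EOF
server {
    listen 80;
    server_name ${domain};
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl http2;
    server_name ${domain};

    ssl_certificate     ${cert};
    ssl_certificate_key ${key};
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
    add_header Strict-Transport-Security "max-age=63072000" always;
EOF
  if [ -n "$client_ca" ]; then
    cat <<EOF

    # two-way SSL: the client must present a certificate issued by this CA
    ssl_client_certificate ${client_ca};
    ssl_verify_client on;
    ssl_verify_depth 2;
EOF
  fi
  cat <<EOF

    location / {
        proxy_pass         ${upstream};
        proxy_set_header   Host              \$host;
        proxy_set_header   X-Real-IP         \$remote_addr;
        proxy_set_header   X-Forwarded-For   \$proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto https;
    }
}
EOF
}

# make_self_signed_cert DOMAIN OUTDIR: a self-signed certificate, suitable only
# for the private load-balancer-to-instance leg; a public site needs a CA-issued
# certificate (e.g. Let's Encrypt). Requires openssl 1.1.1+ for -addext.
make_self_signed_cert() {
  domain="$1"; outdir="$2"
  mkdir -p "$outdir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=${domain}" -addext "subjectAltName=DNS:${domain}" \
    -keyout "${outdir}/${domain}.key" -out "${outdir}/${domain}.crt"
  chmod 600 "${outdir}/${domain}.key"
}

# Usage (then `nginx -t && systemctl reload nginx`):
#   render_nginx_tls_conf www.example.com /etc/ssl/certs/www.example.com.crt \
#     /etc/ssl/private/www.example.com.key http://127.0.0.1:8080 \
#     > /etc/nginx/conf.d/www.example.com.conf
# Add a fifth argument, the path of your client CA bundle, to require client certificates.
```

With the fifth argument set, nginx answers requests that carry no valid client certificate with a 400, so the application behind the proxy never sees them; the CA key used to issue those client certificates stays on your own machine, which is exactly the part ACM does not expose.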

Set up SSL in Elastic Beanstalk using cloudHSM

I'm familiar with creating a CSR (via openssl) on a webserver and submitting it to a CA to purchase an SSL cert.
A site we're building (using Elastic Beanstalk) has a requirement that certificates are managed via an HSM. I think AWS CloudHSM is the correct tool to use here? I have:
Created the EB environment in a VPC with public and private subnets
Requested and assigned an SSL cert to the environment via AWS Certificate Manager (at this point, I have a working site over HTTPS, just no HSM)
Created an HSM cluster in the same VPC, and downloaded its CSR.
At this point, the docs (http://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr) leave me a bit stuck.
It says, "Your CA signs the CSR, which creates a signed certificate. Then you provide the signed certificate and your CA's issuing certificate to initialize the cluster."
Fine. Except if I try to upload this CSR to a CA (e.g., Verisign, GlobalSign) I get "Certificates with internal names are no longer permitted". Which makes sense: I'm not requesting a cert for a site's external domain name; the cert is for the HSM, which, I'm guessing, I'll then use to create an openssl cert once its CSR has been signed.
Basically, I'm very confused about how an HSM fits into the otherwise simple SSL-requesting procedure of: generate CSR, submit to CA, install cert on webserver. Especially given my added complications of doing this all with Elastic Beanstalk and AWS ACM rather than just dumping a cert file on the server and updating the Nginx conf.
How does it all work?
Since posting this question a year ago, AWS have updated their documentation on how to set up SSL offload with a CloudHSM. By following that documentation, I was able to set up a separate EC2 instance, outside of Elastic Beanstalk, for SSL termination. It's still not possible, AFAIK, to use a CloudHSM directly from within Elastic Beanstalk.

Does AWS certificate manager auto deploy to my resources?

I ask this because there are many resources out there for Let's Encrypt to auto-renew and deploy (via Lambda) to ELBs. Doesn't AWS Certificate Manager do the same thing?
https://aws.amazon.com/certificate-manager/faqs/
Says:
Q: What can I do with AWS Certificate Manager?
...
ACM manages certificate renewals and certificate deployment for you.
However, the AWS docs don't talk about this at all.
So if I understand this correctly...
I request a cert
Verify the cert in my email
Manually deploy the cert
ACM will renew my cert every year and deploy it back to all the resources I deployed it to previously
Is this correct? Is there documentation that talks about this explicitly?
Any direction on this would be helpful.
If you are using AWS SSL certificates from Certificate Manager, renewal is handled automatically, and changing the certificate on your Application Load Balancer or CloudFront distribution is not required.
Check this documentation for more details.