AWS - Error 502 between CloudFront and EC2 SSL certificate - Mobile App - amazon-web-services

I have an EC2 instance on which I've installed an SSL certificate via LetsEncrypt.
The instance hosts a FastAPI app run by Gunicorn, which serves as the server for a mobile app.
There's an elastic IP attached to the EC2 instance
All inbound and outbound EC2 ports are open.
I have imported in the Certificate Manager (east-2 Virginia) the SSL certificate generated by LetsEncrypt
I have created a hosted zone in Route53, adding a domain (www.example.com) and creating the CAA record (0 issue "letsencrypt.org"), and changed the nameservers in GoDaddy to the ones in the Route53 NS record.
I have created a CloudFront distribution having as origin the Public IPv4 DNS of the EC2 instance, redirecting HTTP to HTTPS, setting the Custom SSL certificate to the one uploaded to the Certificate Manager (LetsEncrypt), and adding www.example.com as the Alternate domain name (CNAME).
I have added in Route53, in the A record, the CloudFront Distribution domain name
Given these premises, there is no landing HTML page (like "hello world!") on the EC2 instance to be reached when the CloudFront distribution domain name or the domain name is pinged.
However, if I ping it, I get the 502 error (502 ERROR The request could not be satisfied. CloudFront wasn't able to connect to the origin. We can't connect to the server for this app or website at this time).
The domain was validated in SSL Labs without errors, except for "Chain issues: Incorrect order, Extra certs" in the "Additional Certificates" section (not in "Server Key and Certificate #1"), and the X-Cache header says: Error from CloudFront.
How can I fix the 502 error?
EDIT
I've posted the solution in the comment

The solution was to keep everything as stated above but:
remove the SSL certificate from the instance
generate a new SSL certificate in Certificate Manager from Amazon (this also implies creating the CNAME records for the new certificate in Route 53 and selecting the new certificate in the CloudFront distribution).
In the end the issue was a conflict between the two SSL certificates. Only one had to be kept.

Related

Amazon Web Service : Certificate Manager SSL Workaround

I have set up an EC2 instance, logged in to the server and set up apache2 on it.
Example Domain: www.example.com
Created a Route53 hosted zone for example.com and pointed the NS record at the domain provider. So, I am going to use Route53 for DNS.
In DNS, I have created an A record with the EC2 IP.
In apache2 I set up a VirtualHost for www.example.com, reloaded the apache2 server, and also enabled the site www.example.com.
Now, I have purchased a certificate from the AWS Certificate Manager for www.example.com. I have added the CNAME record in Route53 and also validated the domain. The certificate was also activated.
Now, when I hit the site www.example.com, it redirects to https://www.example.com but the page gives an error regarding HTTPS.
I have also opened port 443 for that instance.
I think you forgot to add a Load Balancer (ALB) or a CloudFront distribution in front of your EC2 instance, since certificates produced with ACM must be configured on these kinds of components. Not possible with EC2. And it cannot suggest where to use it.

AWS SSL Beanstalk Hostname not matching

I followed the following tutorial to set up an SSL certificate with a parent domain hosted at a provider other than AWS, to create a secure connection to my REST API.
https://medium.com/#sonalishah_63223/how-to-host-subdomain-in-aws-route-53-for-an-existing-parent-domain-with-different-service-9b4dde061b85
Setup:
Hosted Zone -> Record pointing to - Elastic Load Balancer - Beanstalk -> EC2 (Spring Application)
Setup Description:
I created a hosted zone (sub.mydomain.at).
In that hosted zone I created a record (api.sub.mydomain.at) pointing to the Elastic Load Balancer.
Everything works fine, API is callable.
Afterwards I created a certificate through ACM (*.mydomain.at), which has been successfully issued.
I attached it to my load balancer and it seems to work when calling the API via https://.
But Postman throws the following error:
SSL Error: Hostname/IP does not match certificate's altnames
I could turn off "Enable SSL certificate verification" and it would work, but this does not seem to be the right solution.
So I created another certificate for the domain api.sub.mydomain.at, which is not verifying. According to nslookup the server can't find the domain even though the CNAME is set up. (I assume it is not possible to create a CNAME with multiple 'sub-domains'.)
_12312<long-_number>.api.sub.mydomain.at
So how can I resolve the issue "Hostname/IP does not match certificate's altnames"?
I think in your case you are forwarding the requests (CNAME record api.sub.mydomain.at from the ALB public DNS to your custom domain).
So you need to add the ALB public DNS name in the header like this:
request({host: 'ALB public DNS'... headers: req.headers

Cannot make HTTPS work between CloudFront and Elastic BeanStalk

I am trying to set up HTTPS across my app, which consists of a frontend (S3 bucket distributed with CloudFront) and a backend (node.js app inside Elastic Beanstalk).
For the CloudFront part, I created an SSL certificate in N. Virginia (apparently I don't have a choice here) and I made the binding in the CloudFront distribution. It works and my app is served over HTTPS.
For the Elastic Beanstalk part, I created an SSL certificate in Ireland (where my EBS app is hosted) and I bound this certificate to the EBS load balancer using the port 443. It works and I can reach my server with HTTPS using Postman.
However, when my frontend tries to make an API call to the backend I get this error:
I guess I made a mistake while creating the certificates, but I cannot find it. I gave both certificates the same set of CNAMES, I am not sure if I am supposed to do that.
EDIT:
I get the exact same error after updating the frontend so that it points to the DNS name of the load balancer (also mapped to a subdomain with Route 53).
CloudFront is attempting to load an HTTPS URL from your load balancer. I assume you have an SSL certificate assigned to the load balancer. The domain name of the SSL certificate on the load balancer needs to match the domain name that CloudFront is requesting.
For example if the load balancer's SSL certificate is something like beanstalk.mydomain.com then CloudFront would need to be making requests for https://beanstalk.mydomain.com. The error CloudFront is giving you says that the domain name of the SSL certificate served by the load balancer does not match the domain name djumbo-back-debug.eu-west-1.elasticbeanstalk.co.
You need to set up something like the following:
DNS Name www.mydomain.com points to CloudFront Distribution
    Configured to serve www.mydomain.com
    Configured with an SSL certificate for the domain www.mydomain.com
    Configured to pull from the origin beanstalk.mydomain.com
DNS Name beanstalk.mydomain.com points to Elastic Beanstalk application
    With a Load Balancer, with an SSL certificate for beanstalk.mydomain.com

Using CloudFront with a single EC2 instance without a load balancer

I recently migrated my WordPress site to an EC2 instance. I attached an Elastic IP address to it and created an A record in my Route 53. But all my requests were HTTP, so I wanted to use CloudFront to redirect all my HTTP to HTTPS.
I created a CloudFront distribution and now all my HTTP requests are redirected to HTTPS. And since my SSL certificate is active, my site is secure.
But now my site (blog.insisivecloud.io) doesn't load and I get a 502 Error which says "CloudFront wasn't able to connect to the origin." I have given the public DNS of the EC2 instance as my origin.
When I go to the public DNS of the EC2 where the blog is hosted it works fine. (ec2-54-167-212-65.compute-1.amazonaws.com)
Where am I going wrong here?
As the official documentation says:
For HTTPS viewer requests that CloudFront forwards to this origin, one of the domain names in the SSL certificate on your origin server must match the domain name that you specify for Origin Domain Name. Otherwise, CloudFront responds to the viewer requests with an HTTP status code 502 (Bad Gateway) instead of returning the requested object. For more information, see Requirements for Using SSL/TLS Certificates with CloudFront.

ACM certificate - SSL_ERROR_BAD_CERT_DOMAIN

We got a certificate from ACM for our domain, say example.com. On the application load balancer I deployed this and created an HTTPS listener forwarding to my target group. The target group is EC2 instances in an ASG.
Now the issue is that when I access my LB URL over HTTPS I get the SSL_ERROR_BAD_CERT_DOMAIN error with the description:
XXXXXX.us-west-2.elb.amazonaws.com uses an invalid security certificate. The certificate is only valid for example.com
I know this is probably the expected behavior, but in this case how do I apply an ACM certificate for my domain on the application load balancer?
Thanks,
You have created a certificate for a specific domain, say 'example.com'. But you are not using this domain when accessing the ALB. Since there is a mismatch between the domain/hostname you are using ('XXXXXX.us-west-2.elb.amazonaws.com') and the certificate's domain ('example.com'), your HTTP client shows you an error.
Create a DNS entry
example.com CNAME XXXXXX.us-west-2.elb.amazonaws.com
and access the domain using example.com as the hostname.
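Every thread on this page comes down to the same check: does the certificate the origin (or load balancer) serves cover the hostname the client, Postman or CloudFront actually requests? The Python below is an added example, not code from any of the posts: `hostname_matches` applies the usual wildcard rules (a `*` covers exactly one label, which is why `*.mydomain.at` fails for `api.sub.mydomain.at`), `diagnose` reports whether CloudFront would answer viewers with a 502 for a given Origin Domain Name, and `fetch_origin_sans` reads the SANs a live origin presents. The sample hostnames are the ones quoted in the threads; the function names and the live-check hostname are assumptions.

```python
import socket
import ssl
from typing import Iterable, List


def hostname_matches(hostname: str, sans: Iterable[str]) -> bool:
    """True if hostname matches a dNSName SAN under the RFC 6125 rules that
    browsers, Postman and CloudFront apply: exact match, or a wildcard in the
    left-most label only, covering exactly one label. So '*.mydomain.at'
    matches 'api.mydomain.at' but not 'api.sub.mydomain.at' or 'mydomain.at'."""
    host = hostname.rstrip(".").lower()
    for san in sans:
        san = san.rstrip(".").lower()
        if san == host:
            return True
        if san.startswith("*."):
            suffix = san[1:]                       # '.mydomain.at'
            prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:       # exactly one label replaced
                return True
    return False


def fetch_origin_sans(origin: str, port: int = 443, timeout: float = 5.0) -> List[str]:
    """Connect to the origin the way CloudFront would and return the dNSName SANs
    of the certificate it serves. Chain validation stays on (a broken chain, like
    the SSL Labs 'Chain issues' warning above, raises ssl.SSLCertVerificationError
    and is its own finding); only the hostname check is switched off so a
    mismatched certificate can still be inspected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((origin, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=origin) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def diagnose(origin: str, sans: Iterable[str]) -> str:
    """For an Origin Domain Name and the SANs the origin serves, say whether
    CloudFront will accept the origin or answer viewers with a 502."""
    sans = list(sans)
    if hostname_matches(origin, sans):
        return "ok: origin certificate covers %s" % origin
    return "502 expected: origin certificate covers %s, but CloudFront requests %s" % (
        ", ".join(sans) or "<no dNSName SANs>", origin)


if __name__ == "__main__":
    # Constructed scenarios taken from the threads above; no network needed.
    print(diagnose("ec2-54-167-212-65.compute-1.amazonaws.com", ["www.example.com"]))
    print(diagnose("api.sub.mydomain.at", ["*.mydomain.at"]))
    print(diagnose("beanstalk.mydomain.com", ["beanstalk.mydomain.com"]))
    # Live check against a real origin (assumed hostname, adjust before use):
    # print(diagnose("origin.example.com", fetch_origin_sans("origin.example.com")))
```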