Configuring Google Cloud Load Balancer and managed SSL without downtime - google-cloud-platform

Objective: Moving a website to Google Cloud with a load balancer using Google's managed SSL without downtime.
Current configuration:
A Google Load Balancer with an unmanaged instance group that currently has 1 VM.
The website is using cPanel, which I have access to in order to update the DNS settings.
The domain has a wildcard PositiveSSL certificate.
The website is also using CloudFront SSL.
Problem: The main issue I have is configuring and provisioning SSL.
Mentally, before making the move, I'm thinking it should be a breeze. No.....!
Situation:
I set up the load balancer, but it can't provision the SSL because the domain is using PositiveSSL on another server.
I read that I need to have an A record pointed to the load balancer in order for it to provision. I also read that for cPanel, if I were to make any changes to the A record, it will affect the mail service. I don't want the mail services to be disrupted.
I tried adding a new A record pointing to the load balancer's IP, but it isn't allowed because the current A record is an Alias pointing to CloudFront's, and I would have to detach them first. I don't think this is a good move.
My planned ideal steps are to ensure the load balancer is functioning properly and pointing to the website correctly before I update the DNS.
I'm not sure if this approach makes sense technically. I set up an A record for a random subdomain to point to the load balancer's IP; the provisioning is successful, but it returns an error:
curl: (35) error:14084210:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
How should I go about doing it? I didn't know switching a server was so difficult.

Discard the wildcard SSL and CloudFront SSL from your domain and provision a Google-managed SSL certificate instead. But before that, you need to create a managed zone in Cloud DNS and add your website as an A record there pointing to the server's IP address; only then will you be able to provision the SSL certificate. It might require a little downtime, which you can reduce using the tactics mentioned in John's link.
Check here for help in managing Cloud DNS records.
Refer to this for help in provisioning Google-managed SSL certificates.

Related

Unable to setup SSL Certificate on Google Cloud, status being "FAILED_NOT_VISIBLE"

We are trying to set up an SSL certificate for our domain, api.rideonstyle.in. We encountered a situation where the certificate status is FAILED_NOT_VISIBLE. We tried all the steps that are suggested in the documentation.
Here are the screenshots:
We checked the conditions given in the documentation for when the certificate status shows FAILED_NOT_VISIBLE. It looks like all the required conditions are met, but we still face this issue.
Updated the DNS records with the load balancer IP address.
[Screenshot: result from finding the IP]
[Screenshot: IP address mapping to domain name]
[Screenshot: load balancer IP details on Google Cloud]
The SSL certificate is attached to the load balancer proxy, and we added a forwarding rule to port 443.
[Screenshot: specification about load-balancer proxy and forwarding rule]
Even after reading a few articles on Stack Overflow and some other articles, we couldn't find the exact reason why it is happening this way. Previously it used to work properly, but in recent times we are getting an error from the certificate.
[Screenshot: certificate details]
Can you please clarify how long you have waited after updating the DNS record pointing to the load balancer IP?
I'm requesting this information since, as per GCP documentation, it might take up to 24 hours for the DNS record to propagate, and it could take time for the managed certificate to be provisioned.
Additionally, I would also recommend verifying the load balancer from the GKE service and making sure you have attached the certificate to the correct load balancer.
An SSL certificate will not work for a TCP load balancer. It has to be HTTPS. In the screenshot where you see "Service Details" and the external endpoint, please scroll down until you see something like:
Load Balancer
Cluster IP
Load balancer IP
Load balancer (here you will have the LB name)
Copy it and then go to Network Services > Load Balancing. Find your load balancer, and if it says TCP it won't work. It HAS to be an HTTPS load balancer. Alternatively, you can install a self managed certificate in the backend. This would be done entirely on your own.
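Added example, not code from either answer above: a small Python helper that applies the checks the two answers describe (does public DNS already point at the load balancer, is there a port-443 front end that targets an HTTPS proxy, what does the managed certificate's per-domain status say) to the JSON that `gcloud compute ssl-certificates describe` and `gcloud compute forwarding-rules list` print. The certificate, IP addresses and forwarding-rule target URLs are constructed samples; `resolve` is whatever DNS lookup you pass in.

```python
import json

# Constructed sample in the shape of `gcloud compute ssl-certificates describe NAME --format=json`
# for a Google-managed certificate (field names as in the Compute API; values are made up).
SAMPLE_CERT = json.loads("""{
  "name": "api-cert", "type": "MANAGED",
  "managed": {"domains": ["api.example.test"], "status": "PROVISIONING",
              "domainStatus": {"api.example.test": "FAILED_NOT_VISIBLE"}}
}""")
LB_IP = "203.0.113.10"   # constructed load balancer address (documentation range)
# Constructed forwarding rules, shaped like `gcloud compute forwarding-rules list --format=json`.
RULES_HTTPS = [{"portRange": "443-443", "target": ".../targetHttpsProxies/web-https-proxy"}]
RULES_TCP = [{"portRange": "443-443", "target": ".../targetTcpProxies/web-tcp-proxy"}]

def covers_443(port_range):
    lo, _, hi = port_range.partition("-")
    return int(lo) <= 443 <= int(hi or lo)

def diagnose(cert, lb_ip, resolve, forwarding_rules):
    """Explain why a managed certificate is not ACTIVE. resolve(domain) returns
    the A records the public internet currently sees; forwarding_rules are the
    load balancer's front ends."""
    if cert.get("type") != "MANAGED":
        return ["certificate is not Google-managed; these provisioning checks do not apply"]
    findings = []
    if not any(covers_443(r["portRange"]) and "/targetHttpsProxies/" in r["target"]
               for r in forwarding_rules):
        findings.append("no port-443 forwarding rule targets an HTTPS proxy (a TCP "
                        "front end cannot serve the certificate)")
    managed = cert["managed"]
    for domain in managed["domains"]:
        status = managed.get("domainStatus", {}).get(domain, "UNKNOWN")
        records = sorted(set(resolve(domain)))
        if lb_ip not in records:
            findings.append(f"{domain}: A record(s) {records or 'none'} do not include the load "
                            f"balancer IP {lb_ip}; status stays {status} until they do")
        elif status == "FAILED_NOT_VISIBLE":
            findings.append(f"{domain}: DNS already points at {lb_ip}; FAILED_NOT_VISIBLE can "
                            "persist while old records propagate out, so wait and re-check")
        else:
            findings.append(f"{domain}: status {status}")
    return findings

def before_cutover():   # DNS still on the old host, front end is a TCP proxy
    return diagnose(SAMPLE_CERT, LB_IP, lambda d: ["198.51.100.7"], RULES_TCP)

def after_cutover():    # DNS moved to the load balancer, HTTPS front end exists
    return diagnose(SAMPLE_CERT, LB_IP, lambda d: [LB_IP], RULES_HTTPS)
```

For a live check, replace the lambda with a lookup against a public resolver rather than the resolver on your own network, since that is the view Google's provisioning sees.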

How do I enable HTTPS for my Elastic Beanstalk Java application?

My instance is a single instance, no load balancer.
I cannot seem to add a load balancer to my existing app instance.
Other recommendations regarding Elastic Load Balancer are obsolete - there seems to be no such service in AWS.
I do not need caching or edge delivery - my application is entirely transactional APIs, so probably don't need CloudFront.
I have a domain name and a name server (external to AWS). I have a certificate (generated in Certificate Manager).
How do I enable HTTPS for my Elastic Beanstalk Java application?
CloudFront is the easiest and cheapest way to add SSL termination, because AWS will handle it all for you through its integration with certificate manager.
If you add an ELB, you have to run it 24/7 and it will double the cost of a single instance server.
If you want to support SSL termination on the server itself, you're going to have to do that yourself (using your web container, such as Apache, nginx, Tomcat or whatever you're running). It's not easy to set up.
Even if you don't need caching, CloudFront is going to be worth it just for handling your certificate (which is as simple as selecting the certificate from a drop-down).
I ended up using CloudFront.
That created a problem that cookies were not being passed through.
I created a custom Caching Policy to allow the cookies, and in doing so, I also changed the caching TTLs to be very low. This served my purposes.

Google Cloud Load Balancer IP Not Redirecting

Good evening, I am currently trying to set up a load balancer for my server. I successfully set everything up; however, when I go to Google Domains to set the IP record I get the following error: "mysite.com unexpectedly closed the connection."
http://prntscr.com/npm04o
http://prntscr.com/npm0ot
Also, when I type the IP manually in the browser I get the same error. However, when I set my IP record to a VM IP that comes from my instance group, the load balancer IP starts to redirect to my site. I would like to get the load balancer IP to work with my Google Domains records.
Picture of configuration
http://prntscr.com/npm3ye
I think you are connecting to the load balancer using HTTPS. You do not have a front-end configured for HTTPS. Specify http:// and try again. If this is not the case, then go to Stackdriver and check the logs for your HTTP(s) Load Balancer.
Note: You have not provided enough information in your question. You need to provide the frontend, backend and health check configurations.
Once you have everything working, your DNS resource record TTL should be longer than 1 minute - clients will constantly have to resolve your DNS names. Using a CNAME instead of A record adds another lookup. Use an A record instead.

Replicated EC2 instance, SSL cert conflict

I'm currently working on upgrading my company's application infrastructure.
We started off with having the basic infrastructure - One EC2 instance which is our web server linked to RDS, MySQL database.
The new infrastructure requires a VPC with 2 Public Subnets with EC2 instances and 2 Private subnets for the DB.
So, here's what I did, I created an image from the existing EC2 instance which has SSL certificate installed in it and it matches with the domain name.
From that image, I launched 2 new AMI and added a load balancer. Now the whole infra has been set up, but here's the issue now: after pointing the load balancer's DNS to the mobile app (via API), there's an error that's coming up,
javax.net.ssl.SSLException: hostname in certificate didn't match: != OR OR
03-10 13:41:23.641 29743-30234/example.hr W/System.err: at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:190)
03-10 13:41:23.641 29743-30234/example.hr W/System.err: at org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:59)
From what I understand, I'll have to add the load balancer DNS to the root domain (can be done, but we can't put down the existing server). Will that work? I can do it, but it will take a while for the domain service provider to add it as a CNAME record (since it is a .hr domain, it's controlled and some records can't be added easily; it will take more than a day for it to be done).
Secondly, if I were to add an SSL cert on the load balancer's level, will it create conflicts with the SSL cert on instance level?
I'm also looking at getting a new domain and to configure on an instance level, will be a nuisance. Is there an alternative to this?
Terminating secure connections at the load balancer and using HTTP on the backend may be sufficient for your application. However, if you are developing an application that needs to comply with strict external regulations (e.g. HIPAA certification), you may be required to secure all network connections.
ELB does SSL Offloading/Termination. The load balancer uses the certificate to terminate the connection and then decrypt requests from clients before sending them to the instances and then the instance can use the self-signed certificates.
Ref:
Elastic Load Balancer SSL Support Options
Classic ELB HTTPS Listeners
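Added example, not code from the question or answer above: the hostname check a TLS client runs when it gets `hostname in certificate didn't match`, written out in Python so the cause is visible. The client connects to the load balancer's own DNS name, but the certificate on the instances only names the company domain, so verification fails; once a CNAME for that domain points at the load balancer and the app connects using the domain, the same certificate passes. The SAN list and the ELB hostname are constructed placeholders.

```python
# Constructed sample: subject alternative names of the certificate installed on the
# instances (issued for the company domain); the ELB hostname below is a placeholder.
APP_CERT_SANS = ["example.hr", "www.example.hr", "*.api.example.hr"]
ELB_DNS_NAME = "my-elb-123456.eu-central-1.elb.amazonaws.com"   # placeholder, not a real LB

def hostname_matches(hostname, sans):
    """RFC 6125-style DNS-ID check as TLS clients apply it: case-insensitive exact
    match, or a wildcard that is the whole left-most label and matches exactly
    one non-empty label (so *.api.example.hr covers v1.api.example.hr but
    neither api.example.hr nor a.b.api.example.hr)."""
    host = hostname.rstrip(".").lower()
    for san in sans:
        san = san.rstrip(".").lower()
        if san == host:
            return True
        if san.startswith("*."):
            suffix = san[1:]                     # ".api.example.hr"
            if host.endswith(suffix):
                left = host[: -len(suffix)]      # the part the wildcard must cover
                if left and "." not in left:
                    return True
    return False

def explain(connect_name, sans):
    """Say why a client that connects to connect_name accepts or rejects the cert."""
    if hostname_matches(connect_name, sans):
        return f"OK: {connect_name} is covered by the certificate"
    return (f"MISMATCH: the client connected to {connect_name!r}, but the certificate "
            f"only names {sans}; point a CNAME for one of those names at the load "
            "balancer and connect using that name instead")

if __name__ == "__main__":
    print(explain(ELB_DNS_NAME, APP_CERT_SANS))       # the error from the question
    print(explain("www.example.hr", APP_CERT_SANS))   # after the CNAME is in place
```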

How do I know if I am using AWS Certificate Manager correctly?

What is my indication that I am using AWS Certificate Manager correctly and that any remaining problems getting my site to load at https are due to a mistake I am making in my Apache configuration?
In AWS Certificate Manager, I see "Success! Your certificate was issued successfully." Does that mean there are no further steps for me to complete in the AWS console, and I need only get my Apache configuration correct to finish?
Currently, when I try to visit a URL at my site with the http protocol, it loads fine, but when I visit at https, the browser tries to load the page but it never loads.
I have followed the instructions for creating an HTTPS listener, but still do not know if I am done with all necessary steps in AWS console. How would I know?
Edit: To clarify, I am using an Elastic Load Balancer (ELB), since the documentation indicated I need to use ELB with AWS Certificate Manager (ACM). However, I do not know how to determine if I have configured everything correctly in AWS console that I need to in order to access the site at HTTPS.
Edit 2: This might come close to answering my question, possibly, but I don't know how to do this: "You can use curl, telnet etc from your local machine to verify 443 port status on ELB" -- #vivekyad4v.
ACM (AWS Certificate Manager) supports AWS resources like ELB, CloudFront, API Gateway etc. You can add SSL certificates to these resources via the AWS console.
Currently, it doesn't support EC2. You cannot use ACM with EC2 instances; you will need a load balancer in front of it. Once you have a load balancer, SSL termination happens on the load balancer and not on the EC2 instance.
Once it is set up, you can change your Apache server config to redirect all HTTP requests to HTTPS.
Add certificate to ELB - "https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-update-ssl-cert.html"
Update apache config - "https://aws.amazon.com/premiumsupport/knowledge-center/redirect-http-https-elb/"
No EC2 support - "https://aws.amazon.com/certificate-manager/faqs/"
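Added example, not from the answer above or the linked AWS articles: the HTTP-to-HTTPS redirect expressed as a WSGI middleware, to show what the Apache rule in the linked article must do when TLS terminates on the ELB. The instance only ever sees plain HTTP, so the decision has to come from the `X-Forwarded-Proto` header the ELB adds, and the ELB health check (assumed here to hit `/health`) must keep getting a 200 rather than a redirect. The hostnames and the request driver are constructed for the demonstration.

```python
from urllib.parse import quote

HEALTH_CHECK_PATH = "/health"   # assumed: the path configured on the ELB health check

def https_redirect(app, health_check_path=HEALTH_CHECK_PATH, canonical_host=None):
    """Wrap a WSGI app so requests the ELB received over plain HTTP are sent to
    https://. TLS terminates on the ELB, so the instance only sees HTTP; the
    client's real scheme arrives in X-Forwarded-Proto. canonical_host pins the
    redirect target so the client-supplied Host header cannot steer it."""
    def middleware(environ, start_response):
        proto = environ.get("HTTP_X_FORWARDED_PROTO", "http").split(",")[0].strip().lower()
        path = environ.get("PATH_INFO", "/")
        # The ELB health check itself arrives over HTTP and expects a 200;
        # answering it with a 301 would mark the instance unhealthy.
        if proto == "https" or path == health_check_path:
            return app(environ, start_response)
        host = canonical_host or environ.get("HTTP_HOST") or environ["SERVER_NAME"]
        location = "https://" + host + quote(path)
        if environ.get("QUERY_STRING"):
            location += "?" + environ["QUERY_STRING"]
        start_response("301 Moved Permanently",
                       [("Location", location), ("Content-Length", "0")])
        return [b""]
    return middleware

def hello(environ, start_response):
    """Stand-in for the real application behind the load balancer."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]

def run_request(wsgi_app, path, headers, query=""):
    """Drive a WSGI app with a constructed environ; returns (status, headers, body)."""
    captured = {}
    def start_response(status, response_headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(response_headers)
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": query,
               "SERVER_NAME": "instance.internal", "SERVER_PORT": "80",
               "wsgi.url_scheme": "http"}
    for name, value in headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    body = b"".join(wsgi_app(environ, start_response))
    return captured["status"], captured["headers"], body

if __name__ == "__main__":
    app = https_redirect(hello, canonical_host="www.example.test")
    print(run_request(app, "/login", {"Host": "www.example.test", "X-Forwarded-Proto": "http"}))
```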