First I'm not talking about emitting my own certs to the dev environment, I need a CA cert for the prod environment. I have a Node app running into an EC2 instance using PM2. That being said my doubt is when I buy a cert I have to put a domain, but freaking ec2 is just an IP, should I put the IP as the domain for the SSL?
To get proper HTTPS for your instance you must have your own domain. IP can't be used. Ssl cert for the instance can be obtained for free if you have domain. Popular choice is LetsEncrypt which is also used by Stackoverflow for its own Ssl certificate.
Best and easiest solution is to use AWS certificate manager and tie that cert to an Elastic load balancer, with the EC2 instance behind it.
If you prefer to use a 3rd party cert, then you will need a domain in Route 53, an alias the IP number to the domain.
Related
I have created a nodejs app and hosted it on aws ec2.
Enabled HTTPS, HTTP in the security. I purchased a domain from an external domain provider and connected nameservers using route53.
Now, when I am opening the domain it showing not secure. How Can I make it secure. I tried listen port in 443 but then domain was not opening.
Can Someone please help how to make it secure or provide some good documentation for begineers.
If you don't want use a load balancer to front your instance, then you have to get and install a third party SSL certificate on your instance for your domain.
A popular choice are certificates from https://letsencrypt.org/ (StackOverflow uses them as well). They also provide https://certbot.eff.org/ tool for easy installation and setup of the SSL certs on a variety of operating systems and servers.
I already have a domain, like exmaple.com and I have a simple app running on an ec2 instance.
I've allocated an elastic IP for this instance, and created a zone on route 53, created A record, and also an alias record.
I have updated the nameservers from route53 NS records in GoDaddy domain settings(and I should mention that I've waited 48 hours for ns to be propagated, and that part is fine).
When I ping example.com on my own computer, the DNS Name resolve to the correct IP address.
When I check the elastic IP, it's working and shows my website, but when I check example.com it does not show my app and shows This site can’t be reached:
this is a screenshot of what it shows
I cannot see where's the problem!
Based on the comments.
The issue was due to using https, rather then http. The http connection works. To setup https the following general procedure needs to be undertaken:
Get a public SSL certificate. Since you are using instance, you can't use AWS ACM for that. In this case a popular choice is https://letsencrypt.org/ where you can register free SSL certificate for your domain and its subdomains.
Setup ssl connectivity on your instance. Often this is done by using nginx as a revers proxy. The nginx will provide HTTPS for your instance using the SSL certificates from step 1.
Open port 443 (HTTPS) in your security group.
The alternative is to front your instance with an application load balancer (ALB). Using it, you can easily get free AWS ACM free certificate and deploy it on the ALB. No actions required on your instance in this case.
My certificate has expired and I recreated and reassociated with a load balancer.
The certificate has *.example.com and example.com attached (?) to it
and I can see that certificate works by visiting https://example.com.
Then I try to visit https://log.example.com and it errors with NET::ERR_CERT_DATE_INVALID (It must be the old expired certificate which is causing the error)
Question is, how can I let the new certificate to be used for the ec2 machine?
EDIT
log.example.com is not behind loadbalancer, it's directly mapped via IP address
The certificate being served by log.example.com is not using the ACM certificate attached to load balancer for example.com as it is served directly by the IP address.
You are limited to the following options:
If you want to use an ACM certificate you will need to either add a CloudFront distribution or a load balancer in front of your application. The DNS record for log.example.com would need to be changed to the new resource.
If you want to use direct connection to your instance then you are limited to using another certificate authority. You can use certbot to generate a free certificate, or purchase one from another provider. This will then need to be installed and configured on your server to use.
I created an SSL certificate last night for use with an API (Tomcat, Spring Boot) on AWS Elastic Beanstalk using instructions provided by Amazon Certificate Manager.
When creating the cert, I entered the URL of my static site that calls the API, which is hosted by GoDaddy. ACM sent an email to my URL which I opened and approve and I now see the cert as issued, by Amazon, in my certs. I am also able to select it when I configure HTTPS for my EB load balancer. I am not able to export this cert though as it isn't private.
My question is, how is domain name used? I think I'm a little confused about how to use SSL on both my API and my static site AS WELL as the small bit of static content I'll host out of Tomcat.
Thanks.
ACM certs can only be used with AWS services - Cloudfront (if the cert is issued in us-east-1) and regionally on the classic load balancer and application load balancer.
You cannot export the cert for use in other products, so if you wanted to have Tomcat handle SSL you would need to get either a commercial cert or use something like Let's Encrypt.
If you have multiple host names you want to protect, you have different options.
You can get one cert per hostname if they are running on completely separate infrastructure; you can also have multiple host names in a single cert - even if there are multiple domains; and finally you can get a wildcard cert.
Recently, I started searching about security procedures and came across SSL. Actually, I already knew about SSL, but I found to be too expensive at the time.
Luckily, yesterday I found out that Amazon gives SSL certificates for free!
However, I have spent a whole day trying to set it up but it didn't work.
I have a domain registered at GoDaddy, let's assume its www.mydomain.com. My website is hosted, however, on Amazon Web Services (AWS). I also have access to edit the GoDaddy's DNS records and full access to my AWS account. I have seen LetsEncrypt, but my website runs in ASP.NET (IIS Windows) and currently they only support Linux OS.
Here's what I've tried to do:
Get a SSL Certificate from AWS Certificate Manager
I have chosen to setup via DNS, which means I had to add a CNAME record to GoDaddy domain records.
If you look above carefully on the two images, the CNAME record on AWS is on the center of the page. I've added a record as CNAME containing the values.
Add HTTPS to Load Balancer Listeners:
Allowed HTTPS on Security Groups
NOTE: Both Inbound and Outbund rules are just like above. I have also set the Load Balancer and my Running Instance to use this security group.
Added records to Route 53 Hosted Zones
The A type record points to my instance IP.
The NS record was generated by Amazon (I added GoDaddy's Name servers as well).
The SOA record was generated by Amazon and I didnt touch it.
The CNAME was added by me, It's again the SSL protocol.
I don't know what else to do or if I have a wrong setup.
If I'm not mistaken, you have an EC2 instance behind an ELB (Classic/Application/NLB), requested an ACM certificate which has been issued successfully for *.mydomain.com, created HTTPS listener to use the SSL certificate but getting connection time out on port 443.
The issue is the DNS record of mydomain.com still points to the EC2 instance's IP, which might not be listening on port 443 (and the ELB is not being used at all).
So, to resolve this, you have to use the ELB's DNS name and use it as CNAME in your DNS record (not sure whether in Route 53 or GoDaddy because I don't know which is authoritative NS).
Also, you might consider requesting a new certificate with mydomain.com and *.mydomain.com and update the listener because ACM cert with *.mydomain.com does not protect mydomain.com.