I followed the following tutorial to setup an SSL Certificate with a parent domain hosted at another provider than aws to create a secure connection to my REST Api.
https://medium.com/#sonalishah_63223/how-to-host-subdomain-in-aws-route-53-for-an-existing-parent-domain-with-different-service-9b4dde061b85
Setup:
Hosted Zone -> Record pointing to - Elastic Load Balancer - Beanstalk -> EC2 (Spring Application)
Setup Description:
I created a hosted zone (sub.mydomain.at).
In that hosted zone I created a record (api.sub.mydomain.at) pointing to the Elastic Load Balancer.
Everything works fine, API is callable.
Afterwards I created a certificate through ACM.
(*.mydomain.at) which has been successfully issued.
I attached it to my load balancer and it seems to work, when calling the API via https://.
But Postman throws the following error.
SSL Error: Hostname/IP does not match certificate's altnames
I could turn off "Enable SSL certificate verification" and it would work, but this does not seem to be the right solution.
So I created another Certificate for the domain api.sub.mydomain.at which is not verifying. According to nslookup the server can't find the domain even if the CNAME is setup. (I assume it is not possible to create a CNAME with multiple 'sub-domains')
_12312<long-_number>.api.sub.mydomain.at
So how can I resolve the Issue "Hostname/IP does not match certificates alt names"?
I think in your case, you are forwarding the requests (cname record api.sub.mydomain.at from alb public dns to your custom domain)
So you need to add ALB public dns name on hearder like this:
request({host: 'ALB public DNS'... headers: req.headers
Related
Background of the Application
I have MERN Stack Application running (where frontend reactJS is running inside NodeJS backend server)
The whole application is then wrapped inside Docker Container
Then Deployed in AWS ECS EC2 (using single Service & Task) behind a single Application Load Balancer.
Created a Hosted Zone in AWS Route 53 to Point my domain name to Load Balancer
Now the application is successfully running when I visit my domain name.
Problem Araised Here
The website is "Not Secure"!! — I want to install SSL Certificate
I went to AWS Certificate Manager
Successfully got a certificate by adding CNAME in the AWS Hosted Zone Records
Configured Security Group, Load balancer Listeners to HTTPS
Added that Certificate to Load Balancer listener
Actual Problem
I got the certificate, connected to load balancer,
I can see my certificate in the address bar - "Certificate is Valid"
And still, it shows my the Site is "Not Secure" - Below image is for your reference.
Error in the Console (Edited)
Mixed Content: The page at 'https://example.com/' was loaded over HTTPS, but requested an insecure resource 'http://my-alb-XXXXXXX.us-xxxx-X.elb.amazonaws.com/api/goals'. This request has been blocked; the content must be served over HTTPS.
My Assumption of What Went Wrong
Since AWS ALB has its own DNS Name, which is "Not Secure"
Connecting my new secured domain name TO an unsecured AWS ALB DNS name would be the problem.
Appreciate Your Response
Thank you,
ARUN
I am trying to add HTTPS connection to the server API I have in elastic beanstalk, using CloudFlare as DNS. Steps I have followed:
Go to AWS certificate manager and create a certificate for *.nameofmydomain.com
Verified the certificate
Created a listener in elastic beanstalk loader section, port 443 and the previously created certificate
Created a CNAME record in cloudflare that points api.nameofmydomain.com to the elastic beanstalk (xxxxx.yyyyy.eu-west-1.elasticbeanstalk.com)
When I open the https://xxxxx.yyyyy.eu-west-1.elasticbeanstalk.com I get the following error
And when I open the api.nameofmydomain.com I get this
I found the issue, turns out that wildcard ACM certificates in AWS only work for one level, and I was trying to create a domain in that was xxx.yyy.nameofmydomain.com changing it to just one level made it work
I already have a domain, like exmaple.com and I have a simple app running on an ec2 instance.
I've allocated an elastic IP for this instance, and created a zone on route 53, created A record, and also an alias record.
I have updated the nameservers from route53 NS records in GoDaddy domain settings(and I should mention that I've waited 48 hours for ns to be propagated, and that part is fine).
When I ping example.com on my own computer, the DNS Name resolve to the correct IP address.
When I check the elastic IP, it's working and shows my website, but when I check example.com it does not show my app and shows This site can’t be reached:
this is a screenshot of what it shows
I cannot see where's the problem!
Based on the comments.
The issue was due to using https, rather then http. The http connection works. To setup https the following general procedure needs to be undertaken:
Get a public SSL certificate. Since you are using instance, you can't use AWS ACM for that. In this case a popular choice is https://letsencrypt.org/ where you can register free SSL certificate for your domain and its subdomains.
Setup ssl connectivity on your instance. Often this is done by using nginx as a revers proxy. The nginx will provide HTTPS for your instance using the SSL certificates from step 1.
Open port 443 (HTTPS) in your security group.
The alternative is to front your instance with an application load balancer (ALB). Using it, you can easily get free AWS ACM free certificate and deploy it on the ALB. No actions required on your instance in this case.
I have created an microservice API application and hosted it on AWS ECS cluster and attached this cluster to AWS Application Load Balancer (ALB). Added a certificate from AWS Certificate Manager to the ALB. When I try to call using the link provided by AWS ALB, from my frontend app, it returns an error:
net::ERR_CERT_COMMON_NAME_INVALID
The link from ALB is sonething like this:
xxxxx-xx-xxxxxxxxx.ap-south-1.elb.amazonaws.com
I attached a SSL certificate to the listener. The SSL is issued using AWS Certificate Manager for my-site.xyz and *.my-site.xyz
The frontend application is react application hosted on different-site.ai using AWS Amplify
Edit
The OP wanted this to resolve for their root/apex domain example.com, as they use Namecheap (which support an Alias record) a value was added for the root domain following these instructions.
Alias records are also supported in Route 53.
It needed to be an alias record as a root domain traditionally can only resolve to an IP address which would be an A record, whereas Alias will map the IP of the CNAME record to the value instead.
Original
The error thrown is because the SSL certificate that is attached is not applicable for the domain you're trying to access.
For example the cert is for example.com but you're trying to access xxxxx-xx-xxxxxxxxx.ap-south-1.elb.amazonaws.com.
To access this you must access on a valid domain name, to do this add a DNS record so that example.com resolves to xxxxx-xx-xxxxxxxxx.ap-south-1.elb.amazonaws.com. Then when accessing example.com the SSL will be valid.
In my case, when I was requesting a certificate, I failed to list the domain names correctly.
For example, if your website was www.somewhere.com, you would need to add
www.somewhere.com
and also add
somewhere.com
I am attempting to add HTTPS to my AWS Elastic Load Balancer.
I obtained a certificate through AWS Certificate Manager:
I have enabled HTTPS on the load balancer:
I made sure the security group for the load balancer accepts 0.0.0.0/0 on 443:
When going to my domain on HTTP, it works.
However, when trying to load my domain with HTTPS, it does not work ("ERR_CONNECTION_TIMED_OUT")
EDIT and UPDATE:
It is the API that I am attempting to get HTTPS working for, not necessarily the domain. The domain serve's a static file (angular web app) from S3, and it is angular that is calling the load balancer (to transfer the request to an EC2 instance) for DB data.
When angular calls the api directly via the load balancer domain name over HTTP, the request responds as expected.
When angular makes the same api call over HTTPS, I get the following error:
You enabled HTTPS for your domain name, not the ELB domain which Amazon owns. You can only create SSL certificates for domains that you own. You can't enable SSL for "mydomain.com" and then excpect that to somehow work on a completely different domain. You need to change your AngularJS code to reference the API by your custom domain name which you have created an SSL certificate for. You need to point the domain to the ELB and install the SSL certificate for the domain on the ELB.
Mark B provided the almost full solution.
As my javascript code is calling the elastic load balancer (ELB) via it's DNS name provided by AWS, I can't obtain an SSL certificate for the domain I don't own.
As Mark B pointed out, I need to point my javascript code to the domain I do own, and have an SSL cert for.
So I can create a sub domain (e.g. api.mydomain.com) of the domain I own that then points to the ELB.
An A Record (e.g domain pointing to an IP) looks like it could fit the need.
However, an A Record can't point to the ELB because it's IP could change.
The missing step was to use AWS Route 53 to point the A Record to an alias (Route 53 allows you to do this) that represented my AWS Elastic Load Balancer.