I am trying to add HTTPS connection to the server API I have in elastic beanstalk, using CloudFlare as DNS. Steps I have followed:
Go to AWS certificate manager and create a certificate for *.nameofmydomain.com
Verified the certificate
Created a listener in elastic beanstalk loader section, port 443 and the previously created certificate
Created a CNAME record in cloudflare that points api.nameofmydomain.com to the elastic beanstalk (xxxxx.yyyyy.eu-west-1.elasticbeanstalk.com)
When I open the https://xxxxx.yyyyy.eu-west-1.elasticbeanstalk.com I get the following error
And when I open the api.nameofmydomain.com I get this
I found the issue, turns out that wildcard ACM certificates in AWS only work for one level, and I was trying to create a domain in that was xxx.yyy.nameofmydomain.com changing it to just one level made it work
Related
All of the tutorials I read pertain to an Elastic Beanstalk Load Balancer, which I am not using with a Single Instance.
I can access my app deployed through Elastic Beanstalk by either using the environment url or simply redirecting my Route 53 Type A record to either the Elastic Beanstalk environment or the ec2 public domain.
I want my webapp use HTTPS, so I created an SSL Cert through ACM and attempted to deploy the cert on my webapp through CloudFront. I created a CloudFront distribution domain but this is where I am stuck: I cannot use my Elastic Beanstalk environment as an Origin Domain, only an S3 bucket.
How do I get CloudFront to talk to Elastic Beanstalk/EC2?
Directly accessing S3 is not an option, not only do I get 403 errors but my project is an Angular App and .NET WebApi, which needs to be deployed and run, not simply accessed from an S3 folder. I also cannot bypass CloudFront and put the cert in my project, because you cannot download ACM certs.
it should communicate with ElasticBeanstalk in HTTPS right?
Sadly this is not how it works. To have HTTPS between CF and EB, you must have valid, public SSL certificate on your EB instance. You can't use self-signed certificates nor EB gives you any SSL by default. If you do not have ALB on EB, you have to get SSL certificate from a third party (not ACM), such as LetsEncrypt and deploy in on the instance. You also must have your own domain for that to work.
Only if the above is satisfied, you will have HTTPS on the entire path:
Client --- (https) --> CF ---- (https) ----> EB
Otherwise, you can only have:
Client --- (https) --> CF ---- (http) ----> EB
Which is a security risk as you use http (plain text) over the internet.
Background of the Application
I have MERN Stack Application running (where frontend reactJS is running inside NodeJS backend server)
The whole application is then wrapped inside Docker Container
Then Deployed in AWS ECS EC2 (using single Service & Task) behind a single Application Load Balancer.
Created a Hosted Zone in AWS Route 53 to Point my domain name to Load Balancer
Now the application is successfully running when I visit my domain name.
Problem Araised Here
The website is "Not Secure"!! — I want to install SSL Certificate
I went to AWS Certificate Manager
Successfully got a certificate by adding CNAME in the AWS Hosted Zone Records
Configured Security Group, Load balancer Listeners to HTTPS
Added that Certificate to Load Balancer listener
Actual Problem
I got the certificate, connected to load balancer,
I can see my certificate in the address bar - "Certificate is Valid"
And still, it shows my the Site is "Not Secure" - Below image is for your reference.
Error in the Console (Edited)
Mixed Content: The page at 'https://example.com/' was loaded over HTTPS, but requested an insecure resource 'http://my-alb-XXXXXXX.us-xxxx-X.elb.amazonaws.com/api/goals'. This request has been blocked; the content must be served over HTTPS.
My Assumption of What Went Wrong
Since AWS ALB has its own DNS Name, which is "Not Secure"
Connecting my new secured domain name TO an unsecured AWS ALB DNS name would be the problem.
Appreciate Your Response
Thank you,
ARUN
I followed the following tutorial to setup an SSL Certificate with a parent domain hosted at another provider than aws to create a secure connection to my REST Api.
https://medium.com/#sonalishah_63223/how-to-host-subdomain-in-aws-route-53-for-an-existing-parent-domain-with-different-service-9b4dde061b85
Setup:
Hosted Zone -> Record pointing to - Elastic Load Balancer - Beanstalk -> EC2 (Spring Application)
Setup Description:
I created a hosted zone (sub.mydomain.at).
In that hosted zone I created a record (api.sub.mydomain.at) pointing to the Elastic Load Balancer.
Everything works fine, API is callable.
Afterwards I created a certificate through ACM.
(*.mydomain.at) which has been successfully issued.
I attached it to my load balancer and it seems to work, when calling the API via https://.
But Postman throws the following error.
SSL Error: Hostname/IP does not match certificate's altnames
I could turn off "Enable SSL certificate verification" and it would work, but this does not seem to be the right solution.
So I created another Certificate for the domain api.sub.mydomain.at which is not verifying. According to nslookup the server can't find the domain even if the CNAME is setup. (I assume it is not possible to create a CNAME with multiple 'sub-domains')
_12312<long-_number>.api.sub.mydomain.at
So how can I resolve the Issue "Hostname/IP does not match certificates alt names"?
I think in your case, you are forwarding the requests (cname record api.sub.mydomain.at from alb public dns to your custom domain)
So you need to add ALB public dns name on hearder like this:
request({host: 'ALB public DNS'... headers: req.headers
I am trying to implement SSL certificate on my EC2 instance which is running a laravel project. I have issued the certificate and it is also in use but when I try https://domainName my browser shows
Unable to connect
I have used:
EC2
Route53
Certificate Manager
Load Balancer
Elastic Beanstalk
This is exactly how I configured my Load Balancer, Then added my DNS Name to Route53.
I didn't know what details should I provide so please do ask for the information.
Check the web service if it is working correctly locally in you ec2 and listen on port 8o, then apply ssl offloading with application load balancer: please check the following example: https://infra.engineer/aws/36-aws-ssl-offloading-with-an-application-load-balancer
I am using AWS and I'm trying to get an SSL Certificate up and running, I have done the following:
Created an instance via EC2 and installed Ubuntu on that instance, all my code is on there and is working with http
Added an A record for my domain via Route 53. All is working there, I am able to goto my domain and see the website that is on Ubuntu.
Created a public SSL Certificate via Amazon Certificate Manager. I added the CNAME to where my domain was hosted, but the status never changed to Success so I added the CNAME via Route 53 where my A record is and I now have a status of Success.
I really don't know what to do next, I tried following the steps here:
https://hackernoon.com/getting-a-free-ssl-certificate-on-aws-a-how-to-guide-6ef29e576d22
But that did not work, can anyone point me in the right direction on what I am suppose to do next? When I try to goto my website with https I get error saying the site cant be reached.
You need to add load balancer listener and target group.Need to create two PATH 80 -> 443 redirection and 443 -> actual target group. 443 listener can have the certificate. (If its validated in ACM). See the attached image.Add Route53 -> Load Balancer. When you load the website it will pic the certificate from load balancer.
Thanks
Ashish