I have one ELB with www.example.com
and another with dev.example.com
I have created separate certificates for both including wildcards and www in Certificate Manager.
Both certificates are verified and issued.
But SSL on www.dev.example.com is not working.
When I check the certificate in Mozilla/Chrome it shows the alt DNS to be example.com, www.example.com, and *.example.com but that's a different certificate which I have not assigned to the listener of ELB of dev.example.com
Any help to make it work?
Wildcards only work at one level. You would need to add *.dev.example.com to the certificate in order for it to work with www.dev.example.com.
Related
SSL Certificate is already enabled on my main domain but now I want to enable SSL on my subdomain too, So how can I enable on my subdomain, I am using AWS services.
If you're wanting to generate an SSL for your subdomain you will need to go through the ACM process again in the region(s) you're operating in.
When you specify the domain for the certificate you can either specify an absolute subdomain (foo.example.com) or specify a wildcard domain (*.example.com).
Once you have specified this you will need to go through the standard validation approach to have the certificate approved.
As an additional point going forward, AWS supports adding multiple domains to a single certificate so you could add the root domain (example.com) and the wildcard subdomain (*.example.com) to the same certificate which would allow you to use the same certificate.
No, it is not possible to edit an existing certificate to add more domains or a sub-domain of an already existing domain on an ACM certificate.
In case you wish to obtain a certificate for a new domain or sub-domain you can either have two separate certificates for the domain and sub-domain or delete the older certificate and request a new certificate with both the domain and sub-domain on the certificate.
A single certificate can hold domain.com & *.domain.com. Also the same certificate can also have domain1.com & *.domain1.com
Source https://forums.aws.amazon.com/thread.jspa?messageID=931119
Right now I have a domain (example.com) that I have hosted on Google Domains, but uses Amazon's Route 53 DNS servers, and I've created a hosted zone & registered an SSL certificate for free with ACM. So I got it to take requests for example.com and forwards them to a target group (EC2 instance).
I'd like to expand this into:
staging.example.com
prod.example.com
where each has its own target group it points to.
Is this possible with an ALB? How would I encode this into the load balancer's routing rules?
(Also: would I have to re-verify the SSL cert for the subdomains?)
You route each subdomain to different target group using Listener Rules
When you add a Listener Rule, set a condition for Host header and select the subdomain you want to use e.g. staging.example.com and select Forward to as your target group.
Regarding SSL, you won't need to create a new certificate as long as you have the certificate for *.example.com attached to the listener (see View/Edit certificates)
Yes, it is possible. Just create another recordset in your hosted zone (presumably the same way you did it for example.com) for staging and for prod. As for the certificate issue, you will need a wildcard certificate if you want to use the same certificate for all 3 hosts (example.com, staging.example.com and prod.example.com).
I try to assign SSL certificate for my domain. I have created a www.domain.com certificate and assigned it to my elastic beanstalk; and it works really fine as I can see a little green lock next to my domain if I access with https://www.domain.com or www.domain.com. The problem is that when I try to access by domain.com, the lock is gone. Can anyone suggest what I should do in this case?
You have to get a new certificate for both www and non-www domain when you request the certificate there is option check below screenshot. And then you force the https on the application. And your site will serve through SSL certificate for both domains www and non www.
I created a SSL certificate for my site using Amazon Certificate Manager. The certificate is for *.example.com. I have then attached this certificate to my ELB and have left the instance protocol as http. So SSL chain is only between the client and ELB.
I have two A records in Route53. One for example.com one for www.example.com. Both of these are aliased to ELB. When I do https://www.example.com it works perfect. But when I do https://example.com I get the following error in FireFox:
"example.com uses an invalid security certificate. The certificate is only valid for *.example.com Error code: SSL_ERROR_BAD_CERT_DOMAIN"
Shouldn't the certificate *.example.com work for the address example.com? Am I missing something?
EDIT May 31, 2016
Thank you to Steffen Ullrich for setting me on the right track. The problem is when using the AWS Certificate Manager (ACM) in the console (web browser) there is no option to add the alternative names. For those having the same problem you need to use CLI (command line interface). A quick web search for "Install AWS CLI" will give you all the information you need to complete the installation. Once CLI is installed then you can run the ACM commands. Here is a link to the documentation:
http://docs.aws.amazon.com/cli/latest/reference/acm/request-certificate.html
The command I used was:
aws acm request-certificate --domain-name www.example.com --subject-alternative-names example.com
Once the request was approved I was able to see the SSL certificate in the ACM web interface. I installed it and everything working like a charm now!
A certificate for *.example.com matches whatever.example.com but not example.com only. This is because the * must match a label and example.com has no label in place of the *. If you want to match both whatever.example.com and example.com you need to create a certificate which has as subject alternative names both *.example.com and example.com.
When requesting a new certificate via the console, you can now add both *.domain.com and www.domain.com, before hitting next, in the next box, make sure you request to add another domain to the certificate.
If i use Cloudfront to sit in front of a webserver, which itself is behind an ELB, would the following apply?
I use Route53 to create a domain name record for the CF domain and apply an SSL certificate to that domain to secure the distribution
If CF can not serve the content from the cache then the SSL connection is forward to the the ELB (which fronts the webserver as an origin server)
Therefore i also need to use the same domain name (FQDN) on the ELB (via Route53 CNAME) and apply the same cert there too?
When CF forwards the request through the ELB the SSL is terminated
Is that right ? Will one FQDN cert suffice or better to use a wildcard? Is it better to use the origin server domain name instead?
As i can now use the new AWS certificate manager tool (ACM) to add these certs, does anyone know if CF still require the cost for use of custom SSL cert if using ACM (which makes CF an expensive AWS service)?
If CF can not serve the content from the cache then the SSL connection is forward to the the ELB (which fronts the webserver as an origin server)
The SSL connection is not "forwarded". A new SSL connection is established between CloudFront and the ELB.
The SSL connection between the user and CloudFront is a completely different connection than the one between CloudFront and the ELB. Therefore, there is not requirements on matching the domain names used on the ELB and CloudFront.
Therefore i also need to use the same domain name (FQDN) on the ELB (via Route53 CNAME) and apply the same cert there too?
The only restriction is that the SSL certificate on the ELB must match the domain name used on the ELB. It can be a different SSL cert and domain name than those used on CloudFront.
If you want to use the "Custom SSL" feature and support "All Clients", not just those that support SNI, then yes, you must still pay the extra charges, even is you are using ACM.
Example 1
You can create Route 53 records for www.domain.com and origin.domain.com and an SSL cert for *.domain.com. From these, you would assign www.domain.com to the CloudFront distribution, origin.domain.com to your ELB, and use the wildcard cert on both.
Example 2
You can create Route 53 records for www.domain.com and origin.domain.com and separate SSL certs for www.domain.com and origin.domain.com. From these, you would assign www.domain.com to the CloudFront distribution using the www.domain.com cert, and origin.domain.com to your ELB using the origin.domain.com cert.
Example 3
You can create Route 53 records for www.domain1.com and origin.domain2.com and separate SSL certs for www.domain2.com and origin.domain2.com. From these, you would assign www.domain2.com to the CloudFront distribution using the www.domain2.com cert, and origin.domain2.com to your ELB using the origin.domain2.com cert.