What is the best approach to enable https on ec2 public dns? I just have a single instance running, so I don't think adding a load balancer is a good approach, and I don't have any domain name to point to my instance. I want to enable https on the instance's public DNS.
You can't do this, as the public DNS provided by AWS does not belong to you. The DNS belongs to AWS and only AWS can have a valid SSL certificate for it.
To have a valid public SSL certificate for HTTPS you need your own domain that you control. Then you have to use a third party service (ACM can't be used on EC2 instances, unless in an enclave) to get an SSL cert for your domain. A popular choice is https://letsencrypt.org/ with certbot, which provides free SSL certificates. By the way, StackOverflow is using letsencrypt as its SSL cert provider. Having the SSL cert, you can set up nginx to serve your application using HTTPS, or integrate SSL certificates directly with your application.
If you don't want to do the above, you have to front your instance with a load balancer, CloudFront or API Gateway. Having a load balancer allows you to use ACM and easily get and provision SSL certificates. You still need your own domain of course. Using a load balancer is the easiest to set up. With CloudFront and API Gateway there are more things to consider.
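The nginx side of the answer above, as an added example that is not part of the original answer: a small POSIX shell function that prints a server block which redirects port 80 to 443 (keeping the ACME challenge path open so certbot can renew), terminates TLS with the certbot-issued certificate, and proxies to the application. The paths under /etc/letsencrypt/live/ are certbot's defaults; the webroot /var/www/html and the backend address 127.0.0.1:8080 are assumptions to adjust for your own layout.

```shell
#!/bin/sh
# Added example (not from the original answer): emit a hardened nginx server
# block for an EC2 host that terminates TLS itself with a certbot-issued cert.
# Assumptions: certbot's default live path /etc/letsencrypt/live/<domain>/,
# webroot /var/www/html for HTTP-01 renewals, app listening on 127.0.0.1:8080.

# write_tls_site DOMAIN [BACKEND_URL] -> nginx config on stdout
write_tls_site() {
  domain="$1"
  backend="${2:-http://127.0.0.1:8080}"
  cat <<EOF
# Port 80: keep the ACME challenge path reachable for renewals,
# redirect everything else to HTTPS.
server {
    listen 80;
    server_name ${domain};

    location /.well-known/acme-challenge/ {
        root /var/www/html;
    }

    location / {
        return 301 https://\$host\$request_uri;
    }
}

# Port 443: TLS termination with the Let's Encrypt certificate.
server {
    listen 443 ssl;
    server_name ${domain};

    ssl_certificate     /etc/letsencrypt/live/${domain}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;

    # Only modern protocol versions; no legacy TLS 1.0/1.1.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;

    # Ask browsers to stay on HTTPS for a year.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass ${backend};
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    }
}
EOF
}

# Usage: write_tls_site app.example.com > /etc/nginx/sites-available/app.conf
# then `nginx -t && systemctl reload nginx`.
```

The `certbot --nginx` plugin can write an equivalent block for you; generating it by hand makes it easier to review what ends up in the config, in particular that port 80 only serves the challenge path and redirects everything else, and that the protocol list excludes TLS 1.0 and 1.1.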
I am using AWS and I created an instance in EC2 and created an SSL certificate in Certificate Manager. I have a domain from whois.com which I was able to connect to my instance using Route 53.
I am now trying to install the SSL certificate on my EC2 instance and have googled a bunch of tutorials on the subject, but they all are super confusing and don't seem to work. Most of them say I need to use a Load Balancer, but either I am missing a step or something I am doing is wrong, because the SSL certificate is not working: http works like a charm, https is not working at all.
Is someone able to point me in the right direction?
AWS does not allow the certificates to be downloaded for the ACM public CA, so you are limited in where it can be attached.
You cannot use a public ACM certificate directly in your EC2 instance. The following resources support attachment for HTTPS of your application:
Elastic Load Balancer (ALB, CLB or Network Load Balancer with a TLS target group)
CloudFront Distribution
API Gateway
If you do not want to use one of these resources then the following 3 options are available for you:
Use a free SSL CA to generate the SSL for your EC2 instance such as certbot
Purchase an SSL certificate from another CA and install it on your host
Use AWS ACM Private CA (Although this can be expensive)
So far I did the below configuration.
I hosted my site on an EC2 AWS machine, with a public IP and public DNS.
I can access my website by IP as well as public DNS.
I purchased a domain name from GoDaddy: www.xxtrasc.com
On AWS I created a Hosted Zone, then mapped www.app.xxtrasc.com successfully.
Now I access my website directly at www.app.xxtrasc.com
Next I want to enable https.
On AWS Certificate Manager I ordered a certificate with the domain name *.xxtrasc.com
I did everything to add the CNAME and all. I can see the status green colored Issued on ACM.
Now how can I attach this certificate to my website so that I can access https://www.app.xxtrasc.com
You cannot use ACM to directly install your ACM Certificate on your AWS based website or application.
https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-install.html
You must use one of the following services:
Elastic Load Balancing
Amazon CloudFront
AWS Elastic Beanstalk
Amazon API Gateway
AWS CloudFormation
Please read the official doc: https://docs.aws.amazon.com/acm/latest/userguide/acm-services.html
So to install the certificate directly in the apache2/nginx configuration you need to obtain the certificate from other third parties like Let's Encrypt, GoDaddy etc. You can read about that here - https://in.godaddy.com/help/manually-install-an-ssl-certificate-on-my-apache-server-centos-5238
On AWS I recommend using an ELB and placing your EC2 instances behind this ELB. This will allow you to select your ACM certificate from the ELB itself. Please read the following doc to use a classic load balancer with HTTPS: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/ssl-server-cert.html
If you want to enable SSL on your site, you need to purchase an SSL certificate. You can purchase it with GoDaddy and then set it up on the AWS server. Without an SSL certificate, your https site won't work.
I have an EC2 instance behind an Application ELB in AWS. I want to apply SSL to both the EC2 instance as well as the load balancer. For the EC2 instance I have purchased an SSL certificate and installed it, and it is working fine. For the load balancer I will be using the free AWS ACM certificate and installing it on the load balancer. Will this have any issues? i.e. installing SSL in both places, EC2 and ELB.
It will not have any issues but it does come with a caveat. The traffic in to the Application Load Balancer (ALB) will be encrypted and the ACM cert will be validated by the client. The traffic to the host from the ALB will also be encrypted but the certificate on the host will not be validated.
It looks like ALB Backend Authentication is on AWS's roadmap per the reference below. The reason given for it not being a priority is summarized in this quote from the AWS Engineer who wrote the first reference:
The role that server certificates play in TLS is to authenticate the server, so that it can’t be impersonated or MITM. ALBs run exclusively on our Amazon VPC network, a Software Defined Network where we encapsulate and authenticate traffic at the packet level.
The upside of this is you can use self-signed certs on your hosts to save money when using an ALB or ELB in front of them.
If you need to ensure the certificate on the host is valid you can use a Classic Elastic Load Balancer (ELB). See the reference for more details.
References
AWS ALB Validation TLS Reply
AWS ELB Configure Backend Authentication
If you use SSL/TLS at the ELB, it will handle the encryption/decryption of the HTTPS connections (freeing your EC2 instance's CPU to do other work).
If you use an HTTPS/SSL connection for your back end, you can enable authentication on the back-end instance. This authentication can be used to ensure that back-end instances accept only encrypted communication, and to ensure that the back-end instance has the correct certificates.
Using SSL/TLS on both the ELB and the backend can create problems since the ELB HTTPS listener does not support client-side SSL certificates.
I have considered that you are using 2-way SSL (Mutual or Client Authentication).
I set up an EC2 Ubuntu instance, assigned an elastic IP, and pointed example.com (domain) to the EC2 instance via Route53. Added an SSL certificate using ACM (Certificate Manager) which says 'issued'.
However, https://example.com raises ERR_SSL_PROTOCOL_ERROR. http://example.com is working.
The security group has HTTPS port open.
What's wrong here? Why is this not working? Any clues? curl https://localhost -k shows local port 443 refused.
You can't deploy a public ACM certificate directly to an instance. The "issued" state just means it's ready to be applied somewhere. It needs to be applied to a service that supports ACM like an ELB, API Gateway, or a CloudFront distribution, which can be used to offload SSL processing. See the FAQs for an overview of how they can be used.
For a certificate directly on the instance, you can use letsencrypt to issue free, trusted certs.
Also, this assumes that you've configured the web server to listen on 443.
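The symptom in the question (the browser reports a protocol error while `curl https://localhost -k` reports the port refused) has three usual causes, and a quick probe separates them. The shell function below is an added example, not part of the original answer: it uses `openssl s_client` against the host and port you pass in and tells you whether nothing is listening on 443 (the web server was never configured for TLS, or the security group/port is wrong), whether something answers on the port but does not speak TLS (plain HTTP bound to 443), or whether the handshake completes and which certificate subject the server presented. It assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the original answer). Classifies why an HTTPS
# endpoint fails: no listener, listener without TLS, or working TLS.
# Assumes the openssl CLI is installed; HOST and PORT are whatever you pass.

# tls_probe HOST [PORT] -> prints a diagnosis and returns:
#   0 = TLS handshake completed and a certificate was presented
#   2 = TCP connection failed (nothing bound to the port, or it is filtered)
#   3 = TCP connected but no TLS handshake (plain HTTP on that port?)
tls_probe() {
  host="$1"
  port="${2:-443}"
  # Empty stdin so s_client exits right after the handshake attempt.
  # -servername sends SNI, which virtual-hosted servers need to pick a cert.
  out=$(printf '' | openssl s_client -connect "${host}:${port}" \
        -servername "${host}" 2>&1)
  # s_client prints CONNECTED(...) only once the TCP connection is up.
  if ! printf '%s\n' "$out" | grep -q '^CONNECTED('; then
    echo "no listener on ${host}:${port}: server not bound to ${port}, or security group/firewall blocks it"
    return 2
  fi
  if printf '%s\n' "$out" | grep -q 'BEGIN CERTIFICATE'; then
    subject=$(printf '%s\n' "$out" | grep -m1 '^subject=')
    echo "TLS handshake ok on ${host}:${port}; ${subject}"
    return 0
  fi
  echo "connected to ${host}:${port} but no TLS handshake: is plain HTTP listening there?"
  return 3
}

# Usage on the instance itself:  tls_probe 127.0.0.1 443
# From outside (checks the security group as well):  tls_probe example.com
```

Run it first on the instance against 127.0.0.1 and then from your workstation against the public name: a return code of 2 locally means the web server has no TLS listener at all (the case in this question), while 0 locally and 2 remotely points at the security group or a public/private address mix-up.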
ACM can only be used with AWS resources such as Elastic Load Balancer, Amazon CloudFront distributions and APIs on Amazon API Gateway.
Make sure that you are using one the above services to serve your website content.
ACM cannot be used directly with an EC2 instance; you need either an Elastic Load Balancer or a CloudFront distribution to use it.
I have an Application Load balancer and 1 EC2 instance currently behind it. Before, I was using another CA for receiving SSL certificates for my domain which was running on the EC2 with nginx. Now, I use SSL from Amazon's Certificate Manager for the load balancer's listener.
Should the domain's certificate be purchased individually on each EC2 instance for https connection to my application after moving it behind the ELB?
Is there any other way to establish https connection without using the separate certificates on the EC2 instances and with just the ACM on the load balancer?
You can use the same certificate on EC2.
But whenever you need to update the certificate you have to change it in EC2.
If you have the EC2 in a private subnet (not accessible to the internet) you can use a self-signed certificate (self signed certificate nginx).
I encountered this problem and solved it by using the self-signed certificate.
You can use self-signed certificates on the EC2 instances to enable the load balancer to talk to your EC2 instances via https - the load balancer will not do certificate validation, so you do not need commercial certs.
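The self-signed backend certificate mentioned in this answer and in the ALB answer above, as an added example that is not from either answer: a shell function that generates a key pair and a self-signed certificate with a subject alternative name (modern clients ignore the CN), locks down the key file, and two small checks for the resulting certificate. It assumes the openssl CLI (1.1.1 or newer for `-addext`); the directory, name and validity period are whatever you pass in.

```shell
#!/bin/sh
# Added example (not from the original answers). Self-signed certificate for
# an instance behind an ALB/ELB, plus checks you want before deploying it.
# Assumes openssl 1.1.1+ on the instance; DIR/NAME/DAYS are your own values.

# make_backend_cert DIR NAME [DAYS] -> writes DIR/NAME.key and DIR/NAME.crt
make_backend_cert() {
  dir="$1"; name="$2"; days="${3:-365}"
  mkdir -p "$dir"
  # -nodes: unencrypted key so nginx can start unattended.
  # SAN is included because clients (and the ALB health checker, if it ever
  # validates) match on SAN rather than CN.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/$name.key" -out "$dir/$name.crt" -days "$days" \
    -subj "/CN=$name" -addext "subjectAltName=DNS:$name" >/dev/null 2>&1 || return 1
  chmod 600 "$dir/$name.key"   # private key readable only by the owner
}

# cert_valid_for_days CERT DAYS -> exit 0 if CERT stays valid for DAYS more days
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# cert_san CERT -> prints the subject alternative names of CERT
cert_san() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1
}

# Usage on the instance:
#   make_backend_cert /etc/nginx/tls backend.internal 365
#   cert_valid_for_days /etc/nginx/tls/backend.internal.crt 30 || echo "renew soon"
# Then in nginx: ssl_certificate /etc/nginx/tls/backend.internal.crt;
#                ssl_certificate_key /etc/nginx/tls/backend.internal.key;
```

Because the ALB does not validate this certificate, its job is only to keep the ALB-to-instance hop encrypted; the control that actually stops other hosts from reaching the instance is the instance security group, which should allow port 443 only from the load balancer's security group. Self-signed certificates still expire, so keep `cert_valid_for_days` in a periodic check: an expired backend certificate fails health checks just as a missing one does.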