I have a web server hosted in AWS ECS using fargate with load balancer.
I added an https listener to the load balancer with a certificate I issued using AWS ACM.
The certificate is issued to a domain I own, the certificate got validated and I'm able to send https requests to the web server via the load balancer using postman.
But, when I open in the browser the url of the load balancer I'm getting the following error
NET::ERR_CERT_COMMON_NAME_INVALID
what am I doing wrong?
Thanks in advance
what am I doing wrong?
Your SSL cert is issued for your own domain, not for "the url of the load balancer". So it does not match and you get the error.
You have to use your own domain now to access your api/website. Browsers are very strict in ensuring that SSL cert and domain match. In terms of postman, you may have disabled these checks, or postman may not be as strict.
You can check postman's ssl checks as shown below:
Related
I have deployed an Angular application on Firebase that uses Node.js APIs that is hosted on AWS Windows EC2 instance. When I try to run the Firebase app on the browser and try to log in, I get the following error:
The page at 'https://website.web.app/' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://IP-address/API'. This request has been blocked; the content must be served over HTTPS.
Is there a way I can load an SSL certificate onto the AWS EC2 instance to allow the APIs to be sent over an HTTPS url?
Is there a way I can load an SSL certificate onto the AWS EC2 instance to allow the APIs to be sent over an HTTPS url?
Yes, there are many ways of doing this. The easiest (don't confused with the cheapest) is to front your instance with an Application Load Balancer. Also you need your own domain. Once you have bought the domain, you can get free ssl from AWS ACM. After that you can easly add the ssl certificate to the ALB to have full support for HTTPS.
I have a EC2 server that serves the backend using HTTP to the S3 bucket Frontend and that works fine when I use the S3 address to run the app. However, after I deploy to the Cloudfront, I get the following error:
Mixed Content: The page at 'https://d3qxpzawaycmw5.cloudfront.net/#/employees' was loaded over HTTPS, but requested an
insecure resource 'http://ec2-3-86-60-146.compute-1.amazonaws.com:3030/api/Employees?'. This request has been blocked;
the content must be served over HTTPS.
This informs that the BE must be served using the HTTPS. If I can't change anything for the BE, is there any solution to use the Cloudfront?
Thanks.
You don't need to change anything in the instance if you don't want. The easiest way to get HTTPS for your instance, is to front it with Load Balancer as explained in:
How can I associate an ACM SSL/TLS certificate with a Classic, Application, or Network Load Balancer?
But for this, and any other method, you need your own domain, as you need a valid public SSL certificate for it. If you use load balancer, you can easily get free SSL cert from AWS ACM.
But if ALB is to much for you, then you need to deploy SSL on the instance. This still requires your own domain, but you can't use ACM. Instead you can get free SSL certificate from https://letsencrypt.org/.
Put http:// at the front of cloudfront domain name
This happens when you try to open the application with https but trying to connect the backend with http.
Installing/configuring SSL certificate for backend solves this problem.
If you want to use without SSL in cloudfront use HTTP and HTTPS like this
I bought a domain named studileih.de, then I deployed my Angular frontend on firebase: https://studileih-ceb70.web.app/ and redirected from my domain studileih.de to the firebase URL.
Then I deployed my Spring Boot backend to AWS Elastic Beanstalk on: http://studileih1.eu-central-1.elasticbeanstalk.com/
-> Problem: Since the frontend on firebase used https and the backend on AWS used http I got a Mixed content error. The frontend wasn't able to load any of the backend data.
So I tried to solve this by creating a SSL certificate for my backend in the AWS Certificate Manager (ACM) and adding this to my Elasting Beanstalk Load Balancer. This worked and I could now at least make a connection from my frontend to my backend.
But now I get this error whenever a request to my backend gets sent:
When I click on "Accept the Risk and Continue" once, it works fine and all my backend data gets loaded. But I can't ask my users to do that.
(You can try this out by following: https://studileih1.eu-central-1.elasticbeanstalk.com/products and clicking "Advanced" -> "Accept the Risk and Continue" (if you dare ^^)
after you've done that, click on studileih.de and it will now load with the backend data.)
I know the problem exists because when creating the SSL certificate, I entered studileih.de as the domain that the certificate is for. I think I have to create a SSL certificate for studileih1.eu-central-1.elasticbeanstalk.com instead.
But when I try to create a SSL certificate for studileih1.eu-central-1.elasticbeanstalk.com:
I get this error from ACM:
How do I create a SSL Certificate for the Elastic Beanstalk URL?
p.s. I also tried to issue a certificate for my firebase URL https://studileih-ceb70.web.app/ but this one already uses Https by default. Also I couldnt find out how to DNS/Email validate the ACM request in the firebase console. But I think I need a certificate for the Elastic Beanstalk backend at studileih1.eu-central-1.elasticbeanstalk.com, not for the firebase frontend, right?
p.p.s. I don't really need to use https, so a solution would be to make firebase use http instead of https, but I couldn't find anything on how to do that.
UPDATE:
I added a subdomain called api.studileih.de (the immediate access is blocked by spring security, as you're not logged in to my site, but you can test it with api.studileih.de/products, because this API is accessibly without login). Then I redirected that subdomain to my AWS Load Balancer as suggested by Mark B by adding a CNAME to the subdomain:
(it's not possible to change to english there, sorry)
this is my Load Balancer:
I tried to put the DNS-Name as A-Record into my subdomain, but it was only possible to enter a IP4 adress there, so I entered it as CNAME instead. I also tried to find out the IP Adress of the Load Balancer, but Load Balancer don't have a static IP Adress.
This approach with the subdomain and the CNAME unfortunately didn't work, so I'm still looking for a solution...
(Here's the menu for setting a A-Record. You can only enter IP Adresses there:)
I know the problem exists because when creating the SSL certificate, I
entered studileih.de as the domain that the certificate is for. I
think I have to create a SSL certificate for
studileih1.eu-central-1.elasticbeanstalk.com instead.
You can only create an SSL certificate for a domain you own. You need to point a subdoomain of studileih.de, like api.studileih.de, at the Elastic Beanstalk load balancer, and then attach an SSL certificate to that load balancer that matches that subdomain.
I have a backend service i'm running in Fargate. I need this service to have an SSL cert on its load balancer so that it can talk to other HTTPS services. I've created the load balancer and it gives me an AWS domain (my-cool-app.us-east-1.elb.amazonaws.com).
Now, when I try to request a certificate through acm, it fails and says "Additional verification required". So i'm not sure if it's possible to add an SSL cert to this load balancer without registering a custom domain?
Also, this is a Django app and I haven't done anything other than keep it as runserver which I know isn't good for production but I just need to start by making it work as a dev environment. Do I need to change the way Django runs in order for SSL to work? Or is the load balancer sufficient?
To use an SSL for a domain you need to have control over that domain. For the AWS managed certificate service (ACM) you can verify through either DNS validation or email validation both of which you must essentially have domain control to validate.
As you're trying to use ACM for a AWS owned domain, someone from AWS would need to approve the SSL (which they won't).
Regarding your second point what you're describing is SSL offloading, in which the load balancer will serve HTTPS and then terminate encryption in transit. It will then forward the request to the Fargate container using the protocol and port defined in the target group.
The only thing you want to consider is how you display to the user, for example ensure that all CSS, JS ans links on your site are HTTPS. You can detect whether the incoming request used HTTPS at the load balancer by inspecting the X-Forwarded-Proto header in your application.
I have a client application hosted on S3 with a custom domain on godaddy. Cloudfront is serving all of the http(s) requests - all of that is well and good. I have an SSL certificate through ACM. There is an input dialog on the UI that when submitted, makes a POST request to a flask application running on ELB, but this request is failing because ELB is not configured for HTTPS (i.e. chrome is blocking an HTTP request because of mixed-content). Requests to the HTTP version of the endpoint work fine, but HTTPS requests time out. How do I configure the ELB load balancer to accept HTTPS requests? I've modified the configuration of the load balancer like so: https://imgur.com/3zWpS7f but requests are still failing. Any tips? Much appreciated!!
EDIT: I've configured the load balancer with a security group that allows ingress on 443 with HTTPS but now i'm getting a "Not secure" message with Chrome. is this because the certificate is registered with a domain associated with the site and not this api? do i need a separate certificate? The error code from chrome is: err_cert_common_name_invalid