API gateway calling my elastic beanstalk environment using HTTPS - amazon-web-services

I'm trying to figure out how I can call my elastic beanstalk environment with HTTPS. Ultimately I want to be able to use API gateway to forward HTTPS requests to it*.
In the elastic beanstalk console I went and configured the load balancer to use my website's SSL cert (mywebsite.com), on port 443 and with an instance port of 80 (whatever that means - I was following https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-elb.html).
Before wiring up API gateway, I first tried calling my elastic beanstalk endpoint directly. Changing http:// to https:// and using Postman, I got
Error: Hostname/IP does not match certificate's altnames: Host:
myService-prod.eba-p3t3saxf.ap-southeast-1.elasticbeanstalk.com. is
not in the cert's altnames: DNS:*.mywebsite.com
No dice. I then thought maybe if the request originated from my website's domain it might work. So I tried configuring API gateway, but I just get back a 500 Internal Server Error. (Note: if I change the endpoint URL inside API gateway from https to http, all is good.)
So what do I need to do? I tried reading this https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https.html, but got only as far as I described above. I feel like I do need a certificate, but when I tried using Amazon's certificate manager to generate a certificate for myService-prod.eba-p3t3saxf.ap-southeast-1.elasticbeanstalk.com, I can't validate it (fails both email and DNS validation). I think I don't fully understand what I need to do / see the big picture. Can someone help me out, ideally with specific instructions?
*Actually, that is a question in itself. If my API gateway endpoint is HTTPS, is it safe for API gateway to then call my elastic beanstalk environment with just HTTP, as we're already inside AWS?
Thanks

I tried using Amazon's certificate manager to generate a certificate for myService-prod.eba-p3t3saxf.ap-southeast-1.elasticbeanstalk.com
You can't generate an SSL certificate for this domain. This is an AWS-owned and managed domain. To get a proper, valid SSL certificate you have to have your own domain which you control.
From your post it's not clear if you actually have a domain mywebsite.com or not. If not, and you want to keep yourself within AWS, you can use Route53 to buy a domain you want. But any domain provider will be fine. Once you have your own custom domain, you can set up a hosted zone in R53 for it, and point it to your EB's load balancer.
Having the domain set up, you can use AWS ACM to issue a valid, public, free SSL certificate for your domain and deploy it on the load balancer.
In your API gateway you would use your EB domain for HTTP integrations, not the AWS EB default domain.
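The altnames error quoted above is a hostname check against the certificate's subjectAltName entries, and the same mismatch is behind the SSL_ERROR_BAD_CERT_DOMAIN and ERR_CERT_COMMON_NAME_INVALID threads further down this page. This added example (not code from the question or the answer) reproduces that check offline on a constructed getpeercert()-style record for a *.mywebsite.com certificate, and includes a fetch_peercert helper for pointing the same check at a real load balancer.

```python
import socket
import ssl

# Constructed sample shaped like ssl.SSLSocket.getpeercert(): the certificate the
# question's load balancer presents, issued for *.mywebsite.com (not a real cert).
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "*.mywebsite.com"),),),
    "subjectAltName": (("DNS", "*.mywebsite.com"), ("DNS", "mywebsite.com")),
}


def dns_names(peercert):
    """Return the DNS subjectAltName entries of a getpeercert() dict."""
    return [v for kind, v in peercert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern, hostname):
    """RFC 6125 style match: a wildcard covers exactly one leftmost label."""
    pattern, hostname = pattern.lower(), hostname.rstrip(".").lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # "*.mywebsite.com" -> ".mywebsite.com"
    same_depth = len(hostname.split(".")) == pattern.count(".") + 1
    return hostname.endswith(suffix) and same_depth


def hostname_in_cert(peercert, hostname):
    """True when some DNS SAN covers hostname (the CN is ignored, as clients do)."""
    return any(name_matches(n, hostname) for n in dns_names(peercert))


def explain(peercert, hostname):
    """Produce the same verdict Postman printed, without a network round trip."""
    if hostname_in_cert(peercert, hostname):
        return f"OK: {hostname} is covered by {dns_names(peercert)}"
    return (f"Host: {hostname} is not in the cert's altnames: "
            + ", ".join("DNS:" + n for n in dns_names(peercert)))


def fetch_peercert(hostname, port=443):
    """Live variant: handshake with SNI and return the presented certificate.
    check_hostname is off only so a mismatched cert can be inspected; the chain
    is still validated against the system trust store."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # The default EB hostname fails; a host under the cert's own domain passes.
    for host in ("myService-prod.eba-p3t3saxf.ap-southeast-1.elasticbeanstalk.com.",
                 "api.mywebsite.com"):
        print(explain(SAMPLE_PEERCERT, host))
```

Replace SAMPLE_PEERCERT with fetch_peercert("api.mywebsite.com") to run the check against a live listener.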

Related

Plumbing for API Gateway to Beanstalk with SSL

I am looking to host an API which I can control customer access to using API Keys, Usage Plans, and Cognito. This is my first time trying to bootstrap DNS+SSL and I can't figure out the basic plumbing to get SSL working when I connect API gateway to my beanstalk environment.
I've got example.com purchased on namecheap. I've got namecheap DNS set up to forward the api subdomain to AWS DNS via an NS record. I've got an API gateway with a custom domain name of api.example.com mapped to an API with a production stage. I've then got route 53 set up to point api.example.com to that API gateway stage. I can curl api.example.com and because I have a cognito user pool authenticator, I see Unauthorized as the response.
What I'm stuck on is how to connect this to my elastic beanstalk environment. My current attempt involves turning the API Gateway into an "HTTP Proxy", and tweaking the endpoint url. Except I'm not sure what to put there, or how to configure what I put there because the Test button in API GW often throws an error.
I'm currently trying to use the domain name of the load balancer in front of beanstalk: https://load-balancer-in-front-of-beanstalk-endpoint.com/{proxy}. I've tried a few configs on that load balancer, but I'm not sure what cert to give it because when I try api.example.com, it fails with "Host name dualstack.awseb.foo.elb.amazonaws.com does not match the cert provided by peer(api.example.com)".
Some other questions mentioned setting an alias for api.example.com to point to the load balancer's ip... except for me it already points to the API GW, so I think I've gone wrong somewhere. Could use some pointers.

AWS Elastic Beanstalk - SSL Certificate added but still HTTPS Error: SSL_ERROR_BAD_CERT_DOMAIN

I bought a domain named studileih.de, then I deployed my Angular frontend on firebase: https://studileih-ceb70.web.app/ and redirected from my domain studileih.de to the firebase URL.
Then I deployed my Spring Boot backend to AWS Elastic Beanstalk on: http://studileih1.eu-central-1.elasticbeanstalk.com/
-> Problem: Since the frontend on firebase used https and the backend on AWS used http I got a Mixed content error. The frontend wasn't able to load any of the backend data.
So I tried to solve this by creating an SSL certificate for my backend in the AWS Certificate Manager (ACM) and adding this to my Elastic Beanstalk Load Balancer. This worked and I could now at least make a connection from my frontend to my backend.
But now I get this error whenever a request to my backend gets sent:
When I click on "Accept the Risk and Continue" once, it works fine and all my backend data gets loaded. But I can't ask my users to do that.
(You can try this out by following https://studileih1.eu-central-1.elasticbeanstalk.com/products and clicking "Advanced" -> "Accept the Risk and Continue" (if you dare ^^). After you've done that, click on studileih.de and it will now load with the backend data.)
I know the problem exists because when creating the SSL certificate, I entered studileih.de as the domain that the certificate is for. I think I have to create an SSL certificate for studileih1.eu-central-1.elasticbeanstalk.com instead.
But when I try to create an SSL certificate for studileih1.eu-central-1.elasticbeanstalk.com:
I get this error from ACM:
How do I create an SSL Certificate for the Elastic Beanstalk URL?
p.s. I also tried to issue a certificate for my firebase URL https://studileih-ceb70.web.app/ but this one already uses HTTPS by default. Also I couldn't find out how to DNS/Email validate the ACM request in the firebase console. But I think I need a certificate for the Elastic Beanstalk backend at studileih1.eu-central-1.elasticbeanstalk.com, not for the firebase frontend, right?
p.p.s. I don't really need to use https, so a solution would be to make firebase use http instead of https, but I couldn't find anything on how to do that.
UPDATE:
I added a subdomain called api.studileih.de (the immediate access is blocked by spring security, as you're not logged in to my site, but you can test it with api.studileih.de/products, because this API is accessible without login). Then I redirected that subdomain to my AWS Load Balancer as suggested by Mark B by adding a CNAME to the subdomain:
(it's not possible to change to English there, sorry)
this is my Load Balancer:
I tried to put the DNS name as an A record into my subdomain, but it was only possible to enter an IPv4 address there, so I entered it as a CNAME instead. I also tried to find out the IP address of the Load Balancer, but Load Balancers don't have a static IP address.
This approach with the subdomain and the CNAME unfortunately didn't work, so I'm still looking for a solution...
(Here's the menu for setting an A record. You can only enter IP addresses there:)
I know the problem exists because when creating the SSL certificate, I entered studileih.de as the domain that the certificate is for. I think I have to create a SSL certificate for studileih1.eu-central-1.elasticbeanstalk.com instead.
You can only create an SSL certificate for a domain you own. You need to point a subdomain of studileih.de, like api.studileih.de, at the Elastic Beanstalk load balancer, and then attach an SSL certificate to that load balancer that matches that subdomain.

How to enable HTTPS for Elastic Beanstalk url

I have enabled HTTPS for my custom domain name (haydenclay.page), but I also need the Beanstalk url (app-name.elasticbeanstalk.com) to run through HTTPS as well.
HTTPS does not work currently, because the cert name matches my custom domain name, yielding: ERR_CERT_COMMON_NAME_INVALID
I need HTTPS because I make API requests, and going from HTTPS to HTTP throws a mixed content error. How can I enable HTTPS on the beanstalk url?
I have already tried making an alias
Sadly you can't enable https directly for the app-name.elasticbeanstalk.com domain. This is because this domain is controlled by AWS. You can only register SSL certificates for domains that you control.
If you want to serve your content from EB over SSL, you generally have three options.
1. Front your instance with a load balancer. This is the easiest* way, as you can associate an ACM SSL certificate for your domain with the balancer.
2. Front your EB instance with CloudFront (CF). You can set up an alternative name for your CloudFront domain with your CF distro and your SSL cert. You can also use ACM for that. Also an easy setup, but it should be noted that traffic between CF and your EB instance will be HTTP only, unless you also set up your own SSL cert (not from ACM) on the instances (point 3).
3. Install your own SSL certificate (not from ACM) directly on the EB instance, using nginx. This requires manual setup and a valid public certificate. A popular choice to get the SSL cert from is Let's Encrypt.
If you use CloudFlare, go to DNS -> Records
Type: CNAME
name: api
Content: "YOUR_URL.eu-west-1.elasticbeanstalk.com"
Proxy status: Proxied
And call your new URL: api.your_domain.com

Hosting React page on S3 and making REST api calls to server on Elastic Beanstalk

Background
I am trying to deploy a dummy application with React frontend and Django backend interacting via REST api. I have done the following:
Used an S3 bucket to host a static website and deployed my React code to it
Put CloudFront in front of the S3 bucket - set up a certificate and changed my domain name (from GoDaddy) to link to this address
Kicked off an Elastic Beanstalk environment following the Python environment tutorial of AWS
Set up Postgres RDS and linked the Django server with it
So now I can do the following
Access my frontend using https via my domain name (https://www.example.com)
Access the Django admin site using the Elastic Beanstalk path and update items
i.e. each component is up and running
Problem
I am having trouble with:
Making a secure REST API call from the static page to Elastic Beanstalk environment. Before I set up certificates I could easily make REST API calls.
The guides I can find usually involve putting a domain name for Elastic Beanstalk, which I imagine does not apply to my case (or does it?)
I tried to follow this FAQ and updated the configuration in the load balancer so that it accepts 443 https and redirects to 80 http. But I am using the same certificate as for CloudFront, which does not sound right to me.
Would appreciate help with
how to solve the above ssl connection issue
or is there a better architecture for what I'm trying to achieve here?
According to Request a certificate in ACM for Elastic Beanstalk backend, it sounds like I have to use a subdomain and request a certificate for that subdomain, and use Cloud 53 to direct requests to that subdomain to Elastic Beanstalk environment. Would that be the case?
Thank you in advance!
By default the EB URL will be HTTP only. To use HTTPS you need to deploy an SSL certificate on your ALB.
In order to do that you need a custom domain, because you can only associate SSL certificates with domains that you control. Thus, normally you would get a domain (you seem to already have one from GoDaddy). So in this case you can set up a subdomain (e.g. api.my-domain.com) on GoDaddy. Then you can use AWS ACM to register a free public SSL certificate for api.my-domain.com.
Once the certificate is verified, using either the DNS (easier) or email technique, you deploy it on your ALB using an HTTPS listener. Obviously you will need to point api.my-domain.com to the EB's HTTPS URL. You can also redirect HTTP traffic on your ALB from port 80 to 443 to always use HTTPS.
Then in your front-end application you only use https://api.my-domain.com, not the original EB URL.
There can also be CORS issues alongside this, so you have to be wary of them as well.
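The two listener changes this answer describes (a 443 listener carrying the ACM certificate for the api subdomain, and port 80 redirected to 443) correspond to two elbv2 create_listener calls. The block below is an added example, not code from the answer: it builds those payloads with placeholder ARNs and runs an audit_listeners check of my own over describe_listeners()-style records, flagging plaintext forwarding, a missing certificate and predefined SSL policies that still negotiate TLS 1.0/1.1; boto3 is deliberately not imported so the block runs offline.

```python
# Added example. Dicts match the kwargs of boto3's elbv2 create_listener(**kwargs);
# the ARNs are placeholders, not values from the question.
ALB_ARN = "arn:aws:elasticloadbalancing:REGION:ACCOUNT:loadbalancer/app/PLACEHOLDER"
TG_ARN = "arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/PLACEHOLDER"
CERT_ARN = "arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER"

# Predefined ALB policies that still negotiate TLS 1.0 or 1.1 (2016-08 is the default).
LEGACY_SSL_POLICIES = {"ELBSecurityPolicy-2016-08", "ELBSecurityPolicy-2015-05",
                       "ELBSecurityPolicy-TLS-1-0-2015-04",
                       "ELBSecurityPolicy-TLS-1-1-2017-01"}


def https_listener(alb_arn, target_group_arn, cert_arn,
                   ssl_policy="ELBSecurityPolicy-TLS13-1-2-2021-06"):
    """Port 443: terminate TLS with the ACM cert for the api subdomain, forward to EB."""
    return {
        "LoadBalancerArn": alb_arn, "Protocol": "HTTPS", "Port": 443,
        "SslPolicy": ssl_policy,
        "Certificates": [{"CertificateArn": cert_arn}],
        "DefaultActions": [{"Type": "forward", "TargetGroupArn": target_group_arn}],
    }


def redirect_listener(alb_arn):
    """Port 80: answer a permanent redirect to https://<same host>/<same path>."""
    return {
        "LoadBalancerArn": alb_arn, "Protocol": "HTTP", "Port": 80,
        "DefaultActions": [{"Type": "redirect", "RedirectConfig": {
            "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}],
    }


def audit_listeners(listeners):
    """My own check over describe_listeners()-style records: plaintext that is
    forwarded instead of redirected, HTTPS with no certificate, legacy SSL policy."""
    findings = []
    for lst in listeners:
        proto, port = lst.get("Protocol"), lst.get("Port")
        actions = lst.get("DefaultActions", [])
        if proto == "HTTP" and any(a.get("Type") != "redirect" for a in actions):
            findings.append(f"port {port}: plaintext HTTP is forwarded, not redirected")
        if proto == "HTTPS" and not lst.get("Certificates"):
            findings.append(f"port {port}: HTTPS listener has no certificate")
        if proto == "HTTPS" and lst.get("SslPolicy") in LEGACY_SSL_POLICIES:
            findings.append(f"port {port}: {lst['SslPolicy']} still negotiates TLS 1.0/1.1")
    return findings


if __name__ == "__main__":
    good = [https_listener(ALB_ARN, TG_ARN, CERT_ARN), redirect_listener(ALB_ARN)]
    print("findings on the recommended setup:", audit_listeners(good) or "none")
```

Feed the output of `client.describe_listeners(LoadBalancerArn=...)["Listeners"]` to audit_listeners to check an existing ALB the same way.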

How do I know if I am using AWS Certificate Manager correctly?

What is my indication that I am using AWS Certificate Manager correctly and that any remaining problems getting my site to load at https are due to a mistake I am making in my Apache configuration?
In AWS Certificate Manager, I see "Success! Your certificate was issued successfully." Does that mean there are no further steps for me to complete in the AWS console, and I need only get my Apache configuration correct to finish?
Currently, when I try to visit a URL at my site with the http protocol, it loads fine, but when I visit at https, the browser tries to load the page but it never loads.
I have followed the instructions for creating an HTTPS listener, but still do not know if I am done with all necessary steps in AWS console. How would I know?
Edit: To clarify, I am using an Elastic Load Balancer (ELB), since the documentation indicated I need to use ELB with AWS Certificate Manager (ACM). However, I do not know how to determine if I have configured everything correctly in AWS console that I need to in order to access the site at HTTPS.
Edit 2: This might come close to answering my question, possibly, but I don't know how to do this: "You can use curl, telnet etc from your local machine to verify 443 port status on ELB" -- #vivekyad4v.
ACM (AWS Certificate Manager) supports AWS resources like ELB, CloudFront, API Gateway etc. You can add SSL certificates to these resources via the AWS console.
Currently, it doesn't support EC2. You cannot use ACM with EC2 instances; you will need a Load Balancer in front of them. Once you have a load balancer, SSL termination happens on the load balancer and not on the EC2 instance.
Once it is set up, you can change your Apache server config to redirect all HTTP requests to HTTPS.
Add certificate to ELB - "https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-update-ssl-cert.html"
Update apache config - "https://aws.amazon.com/premiumsupport/knowledge-center/redirect-http-https-elb/"
No EC2 support - "https://aws.amazon.com/certificate-manager/faqs/"