Getting Error 522 with CloudFlare + AWS Application LoadBalancer - amazon-web-services

Getting Error 522 or 521. When accessing port 80 or 443 from the ALB link it's working (for 443 the browser shows a warning, i.e. because the ALB and SSL domain are different).
AWS Config.
Created Custom VPC with 1 public subnet and 1 private subnet
Created AutoScaling Group
Created Load Balancer (two listeners for http and https forwarding to target group) and target group (two targets pointing to EC2 instance on port 80 and 443 for health check) -> health check is passing.
Launched EC2 instance in private subnet (no public IP); instance can only be accessed by the application load balancer security group.
Ec2 and Apache2 Config.
Enabled SSL in apache2
Open port 443 in instance, Security Group of ALB and access port 80 (http) and 443 (https)
For SSL followed article https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-in-ubuntu-18-04
Generated SSL Certificate from CloudFlare
SSL/TLS -> Origin Server -> Generated RSA certificate
Imported SSL certificate to AWS ACM
Attached ACM SSL certificate to Loadbalancer HTTPS Listener
Also created an AWS ACM SSL certificate and validated it with DNS for testing; tried both SSL certificates - didn't work.
Subdomain and ALB link
Created DNS CNAME entry in CloudFlare
Added subdomain pointing to ALB link (tried with proxy and DNS only).
Your SSL/TLS encryption mode is Full
Always Use HTTPS: ON
When hitting the subdomain in a normal browser window it's getting 522, and in incognito mode for the first time it is working but after that not.
When making a curl request to https://subdomain.domain.com it is always working.
Created exact duplicate instance in public subnet and linked it with another subdomain (created in Cloudflare) just for testing -> working properly.
Also tried adding a separate target group for port 443 (HTTPS) -> in this target group the health check is failing, whereas the same is working in the other target group for port 80 (http).
I'm not getting how to resolve this issue, please help!
Thank you.
Please Help!

Issue was because the internet-facing load balancer was available in public and private subnets, and because of the private subnet Cloudflare was not able to connect to the EC2 instance which was in the private subnet.
Load balancer subnet section was showing the warning "You are creating an internet-facing Load Balancer, but there is no Internet Gateway attached to these subnets you have selected".
Solution: https://aws.amazon.com/premiumsupport/knowledge-center/public-load-balancer-private-ec2/
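As an added example (not from any of the posts above), the check below reproduces the root cause of the 522 programmatically: it walks the JSON shapes that `aws elbv2 describe-load-balancers` and `aws ec2 describe-route-tables` return and reports any subnet of an internet-facing ALB whose route table has no default route to an Internet Gateway. The subnet and gateway ids in the sample data are constructed placeholders.

```python
"""Flag subnets of an internet-facing ALB that have no Internet Gateway route."""


def subnet_route_tables(route_tables):
    """Map subnet id -> route table; subnets with no explicit association fall back to the VPC main table."""
    explicit, main = {}, None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("Main"):
                main = rt
            elif "SubnetId" in assoc:
                explicit[assoc["SubnetId"]] = rt
    return explicit, main


def has_igw_default_route(route_table):
    """True if the table sends 0.0.0.0/0 to an Internet Gateway (igw-...)."""
    return any(
        r.get("DestinationCidrBlock") == "0.0.0.0/0"
        and r.get("GatewayId", "").startswith("igw-")
        and r.get("State", "active") == "active"
        for r in route_table.get("Routes", [])
    )


def private_subnets_of_public_alb(load_balancer, route_tables):
    """Return the ALB's subnets that cannot be reached from the internet (an internal ALB yields none)."""
    if load_balancer["Scheme"] != "internet-facing":
        return []
    explicit, main = subnet_route_tables(route_tables)
    bad = []
    for az in load_balancer["AvailabilityZones"]:
        rt = explicit.get(az["SubnetId"], main)
        if rt is None or not has_igw_default_route(rt):
            bad.append(az["SubnetId"])
    return bad


# Constructed sample: one public subnet (IGW route) and one private subnet (NAT gateway only).
SAMPLE_ALB = {
    "Scheme": "internet-facing",
    "AvailabilityZones": [{"SubnetId": "subnet-public01"}, {"SubnetId": "subnet-private01"}],
}
SAMPLE_ROUTE_TABLES = [
    {"Associations": [{"SubnetId": "subnet-public01"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-PLACEHOLDER", "State": "active"}]},
    {"Associations": [{"SubnetId": "subnet-private01"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-PLACEHOLDER", "State": "active"}]},
]

if __name__ == "__main__":
    print(private_subnets_of_public_alb(SAMPLE_ALB, SAMPLE_ROUTE_TABLES))  # ['subnet-private01']
```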

Related

AWS ELB causing net::ERR_CERT_COMMON_NAME_INVALID error

Currently getting the net::ERR_CERT_COMMON_NAME_INVALID when trying to access my application through the ALB.
This is my current setup:
SSL Certificate created that covers example.com & *.example.com using AWS Certificate Manager.
2 server ec2 instances behind a load balancer and 2 client instances behind another load balancer.
An alias record in my Route 53 hosted zone pointing to the client ALB.
Both ALBs have the SSL certificate for example.com attached to them.
Both ALBs have a single HTTPS: 443 listener forwarding https traffic to ec2 instances on port 80.
The server ALB security group allows inbound traffic from the client ALB Security Group and outbound to the server instances security group.
The applications in the client ec2 instances are React Apps pointing to the server ALB at https://xxxxxxxxxx.elb.amazonaws.com/api
Accessing the application via https://example.com causes net::ERR_CERT_COMMON_NAME_INVALID in the console with the browser saying:
Error: The certificate for this server is invalid. You might be connecting to a server that is pretending to be “xxxxxxxxxx.elb.amazonaws.com” which could put your confidential information at risk.
I'd be happy to provide more details if it helps.
If you have your own domain example.com with a correct SSL certificate then you can't use https://xxxxxxxxxx.elb.amazonaws.com/api, which is an AWS domain. The reason is that the SSL cert is for example.com, not for https://xxxxxxxxxx.elb.amazonaws.com/api.
You have to modify your application code to only use example.com.

How to troubleshoot unhealthy status code in AWS target group

I created an application load balancer and assigned a target group which contains two EC2 instances. I am using only HTTPS traffic to flow through the ALB as I am using an SSL certificate from ACM, but my target group health check fails. So far I have done the following:
index.html is in root dir /var/www/html
Apache is running, as I can hit the server IP to view the web page
http works perfectly fine using ALB
443 instance shows unhealthy
The same SSL certificate, when I used it in a classic load balancer, worked fine to route SSL traffic, so the certificate is fine
Something is going wrong in the application load balancer only
Security group allows 443 traffic for both instances and ALB.
The same instance, if I put it in the http target group, becomes healthy
Both EC2 instances, if I remove them from the http target group and assign them to the SSL target group, become unhealthy
Thanks
The SSL certificate is on the load balancer. The connection between the load balancer and the EC2 instance cannot be HTTPS because the SSL certificate is not on the EC2 server. You cannot use a target group configured for HTTPS via port 443 with your SSL configuration. You will need to continue using a target group configured for HTTP.

Adding a secure HTTPS certificate to AWS EC2 Instance

I have an application running on an AWS EC2 instance with the domain's nameservers on AWS as well. I have an A record with the public IP.
I've created a secure certificate with ACM and also created an ELB Load Balancer. My domain still doesn't show the HTTPS in front of it.
Can anyone provide some help? Many thanks
Have you tried this ?
First, you need to open HTTPS port (443). To do that, you go to https://console.aws.amazon.com/ec2/ and click on the Security Groups link on the left, then create a new security group with also HTTPS available. Then, just update the security group of a running instance or create a new instance using that group.
After these steps, your EC2 work is finished, and it's all an application problem.
Credit to : https://stackoverflow.com/a/6253484/8131036
The solution is pretty simple.
First of all, edit the listeners on your ELB and do the following:
443 (HTTPS) => 80 (HTTP) - and apply ACM certificate.
What this essentially does is tell the ELB to listen on port 443 (HTTPS), terminate the certificate and then forward traffic internally over port 80 (HTTP) - the port the instance is listening on.
You can also add port 80 (HTTP) and forward to port 80 (HTTP) (recommended and then set up your application to redirect all users to HTTPS). You can read more about ELB and setting up listeners here Create a Classic Load Balancer with an HTTPS Listener
Second thing you need to do is update Route 53 to point to ELB.
ascisolutions.com. A ALIAS s3-website-us-west-2.amazonaws.com. You can read more about it here Routing Traffic to an ELB Load Balancer
Let me know if you have more questions in the comments section and I'll do my best to reply.
You cannot install an ACM certificate on an ec2 instance directly, but you can install it on your load balancer and have the load balancer terminate SSL.
Create a target group and register your ec2 instances using port 80.
In your ELB, setup listeners for both port 80 and 443. You'll need to add your ACM cert to your https listener (port 443). Note that the certificate needs to be issued in the same region as your ELB.
The ELB does not handle redirecting insecure traffic to HTTPS; if needed, you will need to update your application to redirect http to https.

Unable to connect to my ec2 instance after setting ELB on Route 53

Recently I finished setting up my website using the WordPress Bitnami Image. I configured the DNS servers as requested in my domain, pointing it to Amazon's NS servers, and also inserted the EC2's IP into the A record.
Everything is perfect, I can access my website through my domain name instead of using the EC2's IP address.
But I came across a request from my client to implement an HTTPS/SSL connection into the website.
So I created a Certificate through Amazon Certificates, validated it using my email address.
Here comes the part that is driving me crazy: I set up a Load Balancer for my EC2 instance, with the security group in use, and also selected the Certificate created earlier with Amazon, so when I went to Route 53 and changed the A record to point to my Load Balancer, the website becomes inaccessible:
This site can't be reached
www.mydomain.com refused to connect.
Search Google for cegroup br restrito
ERR_CONNECTION_REFUSED
But it does work if I insert the EC2 instance IP into the A record again, but then I would not have a secure connection.
Please, I need some help.
Cheers
EDIT:
I don't see this option to check as healthy. About the security group, is the one that WordPress Bitnami provides during the EC2 instance setup. Security Group configuration:
INBOUND
HTTP - TCP - 80 - 0.0.0.0/0
SSH - TCP - 22 - 0.0.0.0/0
HTTPS - TCP - 443 - 0.0.0.0/0
OUTBOUND
All Traffic - All - All - 0.0.0.0/0
And the ELB Listeners:
HTTPS:443
Security Policy: ELBSecurityPolicy-2016-08
SSL Certificate: Default (The one i choose when i created the certificate at the ACM) Rules: Default forwarding to target group
Your target group is pointing to port 443 on the EC2 instance. But the EC2 instance doesn't have an SSL certificate on it (the SSL certificate is on the load balancer), so it is most likely listening on port 80. Try changing your target group configuration to point to port 80 on the EC2 server.
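The three answers above (the unhealthy 443 target group, the ELB listener setup, and this one) all describe the same pattern: TLS terminates at the load balancer, so the target group must point at the port the instance actually serves. As an added example that is not part of any post, the Python check below reads the JSON shapes returned by `aws elbv2 describe-listeners` and `describe-target-groups` and reports listeners without a certificate, HTTPS listeners forwarding to an HTTPS target group, and HTTP listeners that forward rather than redirect; the ARNs in the sample data are constructed placeholders.

```python
"""Sanity-check ALB listeners and target groups for the TLS-termination pattern."""


def forwarded_target_groups(listener, target_groups_by_arn):
    """Yield the target groups a listener's default actions forward to."""
    for action in listener.get("DefaultActions", []):
        if action.get("Type") == "forward" and action.get("TargetGroupArn") in target_groups_by_arn:
            yield target_groups_by_arn[action["TargetGroupArn"]]


def check_tls_termination(listeners, target_groups):
    """Return human-readable findings; an empty list means the listeners match the pattern."""
    by_arn = {tg["TargetGroupArn"]: tg for tg in target_groups}
    findings = []
    if not any(l["Protocol"] == "HTTPS" for l in listeners):
        findings.append("no HTTPS listener: connections to port 443 will be refused")
    for l in listeners:
        if l["Protocol"] == "HTTPS" and not l.get("Certificates"):
            findings.append(f"HTTPS listener :{l['Port']} has no ACM certificate attached")
        # An ALB can redirect HTTP to HTTPS itself; a forward action leaves that to the application.
        if l["Protocol"] == "HTTP" and not any(a.get("Type") == "redirect" for a in l.get("DefaultActions", [])):
            findings.append(f"HTTP listener :{l['Port']} forwards instead of redirecting to HTTPS")
        for tg in forwarded_target_groups(l, by_arn):
            if tg["Protocol"] == "HTTPS":
                findings.append(
                    f"listener :{l['Port']} forwards to HTTPS target group :{tg['Port']}; the instances must "
                    "serve TLS on that port, otherwise the health check fails and the target is unhealthy"
                )
    return findings


# Constructed sample reproducing the failing setup: the 443 listener forwards to an HTTPS:443 target group.
SAMPLE_TARGET_GROUPS = [
    {"TargetGroupArn": "arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/web-https/PLACEHOLDER",
     "Protocol": "HTTPS", "Port": 443, "HealthCheckProtocol": "HTTPS"},
    {"TargetGroupArn": "arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/web-http/PLACEHOLDER",
     "Protocol": "HTTP", "Port": 80, "HealthCheckProtocol": "HTTP"},
]
SAMPLE_LISTENERS = [
    {"Protocol": "HTTPS", "Port": 443,
     "Certificates": [{"CertificateArn": "arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER"}],
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": SAMPLE_TARGET_GROUPS[0]["TargetGroupArn"]}]},
    {"Protocol": "HTTP", "Port": 80,
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": SAMPLE_TARGET_GROUPS[1]["TargetGroupArn"]}]},
]

if __name__ == "__main__":
    for finding in check_tls_termination(SAMPLE_LISTENERS, SAMPLE_TARGET_GROUPS):
        print(finding)
```

Pointing the 443 listener at the HTTP:80 target group and switching the port 80 listener to a redirect action clears all findings.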

AWS Elastic Beanstalk HTTPS not working

I can browse to the web site with http but cannot with https, I get ERR_CONNECTION_REFUSED in Chrome.
My environment is an expressJS server on nodejs (64bit Amazon Linux 2015.09 v2.0) running on Elastic Beanstalk. I can telnet to the EC2 elastic public IP on port 80 but I cannot telnet on port 443, connection refused.
Steps taken to set up HTTPS
I created an SSL cert via the AWS Certificate Manager and added the cert to the Load Balancer Listeners.
Port Configuration:
80 (HTTP) forwarding to 80 (HTTP)
Stickiness: Disabled(Edit)
443 (HTTPS, ACM Certificate: 1E21...) forwarding to 80 (HTTP)
Stickiness: Disabled
In the Load Balancer Security Group, I added inbound and outbound https traffic on port 443 Source 0.0.0.0/0.
In my EC2 Elastic I.P, I selected my ExpressJS server instance and then added inbound and outbound https traffic on port 443 Source 0.0.0.0/0.
In addition, I also added the Load Balancer Security Group to my ExpressJS server security because I read in another post that you had to associate the load balancer group with the server instance (not sure that this is required).
Any suggestions?
btw, does HTTPS traffic terminate at the Load Balancer and is it then unencrypted and handled internally on port 80 to the server?
Solved it. Turned out the mistake I made was that I added a record on my Monster DNS for my AWS site and pointed it to the AWS Public Elastic IP as an A record; instead, I should have added the CNAME of my Load Balancer to the Monster DNS. Once I did that, HTTPS was working.
I also ditched the Public Elastic IP as it was not required anymore; also, having the public IP prevented me from taking advantage of the load balancer. Hope this helps other people.