(I'm an AWS newb)
So I have a running EC2 instance and want to set up the SSL so it can serve HTTPS.
I found a guide from AWS to set up the SSL with external CA, or a brief statement that ACM should be able to work with EC2, but seems not finding any step-by-step guide for this and I expect AWS should have done it with only a few clicks.
Do I need to use the ELB, even though my server is only running in ONE instance?
ACM SSL certs can't be used directly on instances (except enclaves as indicated by Mark in the comments). They can only be used, as in your link, on load balances, CloudFront distro or API gateway. Thus, if you want to use ACM, you have to use either of these three services in-front of your EC2 instance.
But if you don't want to use them, then you need to get your SSL cert from a third party, not from ACM. A popular choice is https://letsencrypt.org/ along with carebot which provide free public SSL certificates. This means that you have to set it up yourself on the instance, usually done through a reverse proxy such as nginx.
Related
I am using EC2 and working with NGINX (by PuTTY); I chose AWS Public Certificate therefore I understood that to use HTTPS I need to configure the NGINX too.
I found some tutorial about it, but everywhere they add ssl_certificate and ssl_certificate_key that I haven’t seen in AWS certification.
How I can find AWS SSL certificates and ssl_certificate_key?
Or is there another solution for this?
You can only use ACM SSL certificates with AWS Load Balancers, CloudFront and API Gateway. it is not possible obtain the certificate from ACM and install it directly on a server.
You can attach certificates issued with ACM to the AWS Load balancer and hide your instance behind the load balancer, more on this here
If you want to manage ssl directly on your Nginx you will need to issue certificate with another tool i.e letsencrypt.
Using Free Let’s Encrypt SSL/TLS Certificates with NGINX
it is now possible by using:
AWS Certificate Manager for Nitro Enclaves
https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave-refapp.html
https://aws.amazon.com/about-aws/whats-new/2020/10/announcing-aws-certificate-manager-for-nitro-enclaves/
It is now possible with Nitro Enclaves, but is rarely a good solution for a single-instance NGINX host. At the moment, an ec2 nitro enclave demands a full 2 vcpus for itself. Unless the instance is large enough to trivially spare 2 vcpus, this method likely involves a bump in ec2 instance size, which eliminates any cost or simplicity advantage over using a load balancer.
I have an ELB instance installed on my AWS account (http://editoradbosco.us-east-2.elasticbeanstalk.com), and it is working normally. My domain is installed on Hostgator (https://centrodombosco.org), and on this, I have a CNAME that points to my AWS endpoint (http://editora.centrodombosco.org).
However, I need to use an HTTPS (SSL) protocol. How can I proceed? I have an SSL contracted on Hostgator for this subdomain, but Hostgator has informed me that I need to make adjustments to AWS so that it works, but I do not know how to proceed.
How can I make this work?
I tried to create an SSL by Certificate Manager on AWS, appointing the CNAMES on my DNS Panel on Hostgator. But it fails. I guess its not possible to use AWS Certificates outside AWS Domains.
There are two ways you can do this.
Since you already have an SSL from Host Gator, you can import that certificate to AWS Certificate Manager (instructions here). Once you import a certificate it is immediately considered validated and you can immediately proceed to configure your EB environments Load Balancer to terminate HTTPS as described here.
Alternatively, if you’d like to use Amazon Certificate Manager but for some reason the DNS validation isn’t working, or its not possible for you to validate ownership of the domain using the DNS method, Amazon Certificate Manager also offers you the option to use email to validate your ownership of the domain, as described here. Once your ownership of the domain is validated you can then proceed to configure your EB environments Load Balancer to terminate HTTPS as described here.
As a side note, you may wish to consider using Route53 to handle DNS for your domain. Route53 is tightly integrated with AWS services such as ACM and, as is the case with ACM, services requiring custom DNS entries will often offer to make the correct DNS entries directly in to your Route53 hosted zone on your behalf.
I know that you can add your own certificate to the domain and point that domain to the AWS Elastic Load Balancer. In my case I don't have domain, but would like still use secure HTTPS/SSL connection when talking client <-> backend. Is it possible to enable HTTPS connection directly to ELB, i.e instead of using http://some-random-url-here.eu-west-1.elb.amazonaws.com I would like to use https://some-random-url-here.eu-west-1.elb.amazonaws.com
That would mean, that AWS would need to provide the cert for the *.elb.amazonaws.com domain. I remember at least long time ago this was possible, but maybe my memory does not serve me right?
Memory does not serve you right. This is not possible now and would not have been possible in the past. ELBs don't have, and it is not possible to obtain, a certificate like this (including from Amazon Certificate Manager).
In fact, 3rd party providers like Let's Encrypt also have protections to prevent you from obtaining certificates like this, since amazonaws.com is not your domain.
You will need a domain that you control.
I am running a Qualys scan on a Windows EC2 instance and it reports some vulnerabilities. One of them is "SSL Certificate - Subject Common Name Does Not Match Server FQDN".
Solution for this, as recommended by Qualys, is to "Please install a server certificate whose Subject commonName or subjectAltName matches the server FQDN."
Now the problem is the self-signed certificates which are not verified by a third party.
How do i get a valid certificate for this scenario such that Qualys does not report the error.
I looked into ACM, but i guess it does not provide certificates for EC2.
Can anyone provide an insight on how to go about this?
Where do i get a valid certificate and how to add it to the instance.
I am using Cloudformation template to create the instacne using a Custom AMI created using packer. I mention this because it would be helpful to know if the steps to add certificate need to be added to the AMI creation stage.
Unfortunately You can not use Certificate issued by AWS Certificate Manager directly on EC2 Directly.
You can use it On Load Balancer and Cloudfront and API Gateways , Refer this.
But a Workaround is that if you have single EC2 Put it behind Classic LB And terminate ssl to LB so that when you try to access your content on ec2 it is via HTTPS.
Thanks
The easiest way to pass a scan like this is restrict access to your instance so your only exposing public services (like HTTP or HTTPS), and then "harden" the configuration of each required public service. All none public services/ports should be limited to just your IP address(/es). That will probably fix a number of your issues reported by the scan.
RDP and numerous other services (MSSQL, MSDeploy, POSH Remoting to name a few) are for administrators only and should not be visible to a Qualys scan (or hackers and bots that roam the internet...).
As Kush suggests above, adding a load balancer would allow you to use ACM certificates for web traffic, but it also adds an additional layer of security between the internet and your instance. This means you can further limit access to your instance to just your VPC - as public web traffic would go via the load balencer in your VPC, not directly to your instance anymore.
If your hosting a website over HTTPS without a load balancer you will also need to edit the SChannel settings (component responsible for SSL/TLS in Windows) to pass the scan as well as installing a valid certificate for the website.
You can edit SChannel by hand in the registry here:
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\
(Reboot required - take a snapshot before you start ;)
WARNING - misconfiguring SChannel can break RPD or limit which web browsers can access your site etc. Test carefully!
FYI I find it easier to use a tool called IIS Crypto to configure SChannel (https://www.nartac.com/Products/IISCrypto) - it has a GUI and a CLI interface for scripting changes to SChannel. (You can still break your server with this tool though!)
If you want to look at using ACM and a loadbalencer with CloudFormation i would suggest registering & approving the certificate via the aws console and make a note of the ARN of the certificate. This ARN can be used when creating a loadbalencer in a CloudFormation template.
NOTE: The above will resolve the issue on your scan, but not actually fix it. It is possible to use your own certificate for RDP (never tried), but not an ACM cert sadly. You could also look at a service like LetsEncrypt to get a free/basic certificate. Another option to avoid this error is you could export the self-signed cert from the instance and import it into your computer ( or domain?)'s certificate store.
I have an EC2 instance which runs a website I want to add an SSL certificate for. From Amazon's documentation and other sources the only way they have stated an SSL certificate can be added is through:
Cloudfront
Elastic Load Balancing
I am not already using these for my website due to the added cost of these services. Is there another method of adding an SSL certificate without using Cloudfront or ELB? Thanks.
If you want to use SSL on a EC2 instance directly, you must obtain and install a certificate through the application running on your instance, (e.g. Apache, Nginx). There is nothing special required because your instance is running on AWS.
You will not be able to use the free certificates provided by Amazon Certificate Manager, they can not be exported for use with services other than ELB and CloudFront.
I would take a look at using Let's Encrypt. It's free and you can automate the renewal process.
https://letsencrypt.org
If you are running Bitnami (a common occurrance), there is an article here that describes WHERE the files are. This cost me HOURS, until I found the link.
Basically, if you can't find Apache or Nginx, look in /opt/bitnami/.
Then, you can install the cert, bundle and key files in /opt/bitnami/apache2/conf, and set up the vhost in /opt/bitnami/apache2/conf/bitnami/bitnami.conf.
There is NOTHING in the AWS docs that mentions any of this.