I can use Elastic Beanstalk with HTTPS; I already created a self-signed certificate and added a listener in the load balancer.
But when I try to enter the URL I get the following error:
Any idea what may be causing this error?
Since you are using an ALB, you should get a free public SSL certificate from AWS ACM. Then you can easily associate the certificate with your ALB.
This way you don't need to do anything on your instance(s), and there is no need for self-signed certificates.
I think I misunderstand the concept of adding SSL protection to my AWS EC2 instance with a load balancer!
I have an Ionic app for web, iOS and Android. I want to switch all HTTP requests to HTTPS.
What I did:
Purchased a URL with Route53
Got a certificate with ACM
Set up a load balancer like this...
https:443 -> ec2 instance (Here I applied the certificate)
http:80 -> https:443
http:8080 -> https:443
In Hosted Zones I added an A type record that points from my URL to the load balancer.
In my Ionic code I changed the endpoint addresses to https://my-backend-api-url.com/ (Yes, I changed my-backend-url.com to the real URL :)
In the web deployment this setup lets me call the backend. But in the iOS and Android deployments it doesn't work and returns a 0 unknown error.
In the load balancer I can see that the requests from mobile deployments produce client TLS negotiation errors.
My attempt to fix this:
If I understand it right (and there is a big if) I need an SSL/TLS certificate that is in my app build in a certificate folder, and I need the same certificate on my load balancer. Since AWS ACM certificates only work for other AWS services I think I cannot use the certificate I created and applied via ACM.
So I think I need an SSL certificate from a CA and tried to get one with:
sudo certbot certonly --apache
When I enter my URL it says:
"Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80"
Maybe also helpful to know is that I can access my backend API with the browser, but it shows me that it's insecure and the certificate is not valid:
Am I on the right track with my approach or did I completely misunderstand something? If my approach is correct, what do I have to do so that certbot can access port 80?
Any hint, link to a good tutorial, or help in any way is highly appreciated.
I think there is no need to get an SSL certificate from an external provider. You are accessing your load balancer without SSL. Your load balancer is doing the decryption for you. So, just check that your load balancer is in a security group with port 443 open.
I have an AWS EC2 instance that sends the response using HTTP. The URL is as below:
http://ec2-18-233-225-132.compute-1.amazonaws.com:3030/api/status
This works fine with the S3 bucket after the deployment, but CloudFront blocks requests that do not come over HTTPS. How do I make sure that HTTPS also works with this URL:
https://ec2-18-233-225-132.compute-1.amazonaws.com:3030/api/status
Thanks.
The ec2-18-233-225-132.compute-1.amazonaws.com domain belongs to AWS, not you. This means that you can't have a valid SSL certificate for it. You must have your own domain if you want to enforce HTTPS between CF and EC2.
Once you get your domain, you can use https://letsencrypt.org/ to get a valid free SSL cert for it. Alternatively, you can front your instance with a load balancer and get a free SSL cert for your domain using AWS ACM. Then you associate the SSL cert with the LB.
For CloudFront HTTPS handling:
Create a certificate in ACM. Update the CloudFront distribution to use that certificate and set SSL/TLS.
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-procedures.html#cnames-and-https-updating-cloudfront
For EC2 HTTPS handling: You need to open the HTTPS port (443). To do that, go to https://console.aws.amazon.com/ec2/ and click on the Security Groups link on the left, then create a new security group that also has HTTPS available. Then, just update the security group of the instance.
After these steps, if it's still not working it is an application problem.
You have to configure the Security Group of that instance.
At the left side, below the EC2 dashboard, you can see Network and Security; click on Security Group. Then edit the inbound rules and add HTTPS, port 443.
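The two answers above both come down to one check: does the instance's security group have an inbound rule covering tcp/443? Below is an added example (not from either answer) that evaluates the IpPermissions structure the EC2 DescribeSecurityGroups API returns (the shape boto3's describe_security_groups() yields), so the same check can be scripted instead of eyeballed in the console. The sample groups are constructed; the "http-only" one mirrors the question's port-3030 setup.

```python
"""Check whether a security group's inbound rules allow HTTPS (tcp/443).

Added example, not from the original answers. Input is the IpPermissions
list of one security group, e.g. from boto3:
    boto3.client("ec2").describe_security_groups(GroupIds=[sg_id])
        ["SecurityGroups"][0]["IpPermissions"]
The sample groups below are constructed for illustration.
"""

TCP = "tcp"
ALL_TRAFFIC = "-1"  # EC2's "all protocols / all ports" marker


def rules_allowing(ip_permissions, port, protocol=TCP):
    """Return the sources (CIDRs, IPv6 ranges, group ids) whose rule covers `port`."""
    sources = []
    for rule in ip_permissions:
        proto = rule.get("IpProtocol")
        if proto == ALL_TRAFFIC:
            in_range = True                    # every protocol and port
        elif proto == protocol:
            lo = rule.get("FromPort", 0)
            hi = rule.get("ToPort", 65535)
            in_range = lo <= port <= hi        # port ranges are inclusive
        else:
            continue
        if not in_range:
            continue
        sources += [r["CidrIp"] for r in rule.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        sources += [g["GroupId"] for g in rule.get("UserIdGroupPairs", [])]
    return sources


def https_reachable(ip_permissions):
    """True when at least one inbound rule covers tcp/443."""
    return bool(rules_allowing(ip_permissions, 443))


# Constructed sample: HTTP and the app port are open, HTTPS is not.
SAMPLE_HTTP_ONLY = [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 3030, "ToPort": 3030,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
]

# The same group after the answer's fix: an inbound rule for port 443.
SAMPLE_WITH_HTTPS = SAMPLE_HTTP_ONLY + [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
     "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
]

if __name__ == "__main__":
    for name, perms in (("http-only", SAMPLE_HTTP_ONLY), ("with-https", SAMPLE_WITH_HTTPS)):
        print(name, "443 open from:", rules_allowing(perms, 443) or "nobody")
```

The function reports the sources rather than a bare boolean on purpose: a rule that opens 443 only to another security group (a load balancer's group, say) is correct for the ALB setup from the earlier answers but will still fail the direct-to-instance test in this question, and seeing the source makes that distinction obvious.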
I am trying to add an HTTPS connection to the server API I have in Elastic Beanstalk, using CloudFlare as DNS. Steps I have followed:
Go to AWS Certificate Manager and create a certificate for *.nameofmydomain.com
Verified the certificate
Created a listener in the Elastic Beanstalk load balancer section, port 443, with the previously created certificate
Created a CNAME record in CloudFlare that points api.nameofmydomain.com to the Elastic Beanstalk domain (xxxxx.yyyyy.eu-west-1.elasticbeanstalk.com)
When I open https://xxxxx.yyyyy.eu-west-1.elasticbeanstalk.com I get the following error:
And when I open api.nameofmydomain.com I get this:
I found the issue: it turns out that wildcard ACM certificates in AWS only work for one level, and I was trying to create a domain that was xxx.yyy.nameofmydomain.com; changing it to just one level made it work.
I'm trying to figure out how I can call my Elastic Beanstalk environment with HTTPS. Ultimately I want to be able to use API Gateway to forward HTTPS requests to it*.
In the Elastic Beanstalk console I went and configured the load balancer to use my website's SSL cert (mywebsite.com), on port 443 and with an instance port of 80 (whatever that means; I was following https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-elb.html).
Before wiring up API Gateway, I first tried calling my Elastic Beanstalk endpoint. Changing http:// to https://, using Postman I got:
Error: Hostname/IP does not match certificate's altnames: Host:
myService-prod.eba-p3t3saxf.ap-southeast-1.elasticbeanstalk.com. is
not in the cert's altnames: DNS:*.mywebsite.com
No dice. I then thought maybe if the request originated from my website's domain it might work. So I tried configuring API Gateway, but I just get back a 500 Internal Server Error. (Note: if I change the endpoint URL inside API Gateway from https to http all is good.)
So what do I need to do? I tried reading this https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https.html, but got only as far as I described above. I feel like I do need a certificate, but when I tried using Amazon's Certificate Manager to generate a certificate for myService-prod.eba-p3t3saxf.ap-southeast-1.elasticbeanstalk.com, I can't validate it (fails both email and DNS validation). I think I don't fully understand what I need to do / see the big picture. Can someone help me out, ideally with specific instructions?
*Actually, that is a question in itself. If my API Gateway endpoint is HTTPS, is it safe for API Gateway to then call my Elastic Beanstalk environment with just HTTP, as we're already inside AWS?
Thanks
I tried using Amazon's certificate manager to generate a certificate for myService-prod.eba-p3t3saxf.ap-southeast-1.elasticbeanstalk.com
You can't generate an SSL certificate for this domain. This is an AWS-owned and managed domain. To get a proper valid SSL certificate you have to have your own domain which you control.
From your post it's not clear if you actually have a domain mywebsite.com or not. If not, and you want to keep yourself within AWS, you can use Route53 to buy a domain you want. But any domain provider will be fine. Once you have your own custom domain, you can set up a hosted zone in R53 for it and point it to your EB's load balancer.
Having the domain set up, you can use AWS ACM to issue a valid, public, free SSL certificate for your domain and deploy it on the load balancer.
In your API Gateway you would use your own domain for HTTP integrations, not the AWS EB default domain.
My certificate has expired and I recreated it and reassociated it with a load balancer.
The certificate has *.example.com and example.com attached (?) to it,
and I can see that the certificate works by visiting https://example.com.
Then I try to visit https://log.example.com and it errors with NET::ERR_CERT_DATE_INVALID (it must be the old expired certificate which is causing the error).
Question is, how can I get the new certificate to be used for the EC2 machine?
EDIT
log.example.com is not behind the load balancer; it's directly mapped via IP address.
The certificate being served by log.example.com is not using the ACM certificate attached to the load balancer for example.com, as it is served directly by the IP address.
You are limited to the following options:
If you want to use an ACM certificate you will need to either add a CloudFront distribution or a load balancer in front of your application. The DNS record for log.example.com would need to be changed to the new resource.
If you want to use a direct connection to your instance then you are limited to using another certificate authority. You can use certbot to generate a free certificate, or purchase one from another provider. This will then need to be installed and configured on your server.
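Three of the threads above are the same client-side check failing in different ways: the Postman error "Hostname/IP does not match certificate's altnames" for the *.mywebsite.com cert on the elasticbeanstalk.com host, the finding that a wildcard only covers one label (xxx.yyy.nameofmydomain.com), and NET::ERR_CERT_DATE_INVALID on log.example.com. The script below is an added example, not code from any of the posters, that reproduces those two checks (subjectAltName match with single-label wildcards, and expiry) against a certificate dict shaped like what Python's ssl.SSLSocket.getpeercert() returns. The certificates and the fixed "now" are constructed; fetch_peer_cert() is the optional live path and needs network access.

```python
"""Diagnose why a TLS client rejects a certificate for a hostname.

Added example, not from the original threads. Pure checks operate on the
dict layout of ssl.SSLSocket.getpeercert(); the sample certs below are
constructed for illustration.
"""
import socket
import ssl
import time


def hostname_matches(pattern, hostname):
    """RFC 6125-style match: '*' stands for exactly one leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    # '*.example.com' covers 'a.example.com' but neither 'a.b.example.com'
    # nor the bare 'example.com' (the one-level rule noted above).
    suffix = pattern[1:]                       # '.example.com'
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return leftmost != "" and "." not in leftmost


def san_names(cert):
    """DNS entries of the subjectAltName extension."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def diagnose(cert, hostname, now=None):
    """Return the list of problems a client would raise; empty means acceptable."""
    now = time.time() if now is None else now
    problems = []
    names = san_names(cert)
    if not any(hostname_matches(name, hostname) for name in names):
        problems.append(f"{hostname} is not in the cert's altnames: {', '.join(names)}")
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])   # stdlib parser for this format
    if now > not_after:
        problems.append(f"certificate expired on {cert['notAfter']}")
    return problems


def fetch_peer_cert(hostname, port=443):
    """Live variant (needs network): fetch a trusted chain's leaf cert.

    check_hostname is off so a SAN mismatch does not abort the fetch and can
    be reported by diagnose(); an expired chain still fails verification,
    and that SSLCertVerificationError message is itself the diagnosis.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed samples in getpeercert() layout.
CERT_WILDCARD = {
    "subject": ((("commonName", "*.mywebsite.com"),),),
    "subjectAltName": (("DNS", "*.mywebsite.com"), ("DNS", "mywebsite.com")),
    "notBefore": "Jan 15 00:00:00 2024 GMT",
    "notAfter": "Jan 15 23:59:59 2099 GMT",
}
CERT_EXPIRED = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
    "notBefore": "Feb 10 00:00:00 2023 GMT",
    "notAfter": "Feb 10 23:59:59 2024 GMT",
}
NOW = ssl.cert_time_to_seconds("Jan 01 00:00:00 2025 GMT")   # fixed clock for repeatable output

if __name__ == "__main__":
    cases = [
        (CERT_WILDCARD, "myService-prod.eba-p3t3saxf.ap-southeast-1.elasticbeanstalk.com"),
        (CERT_WILDCARD, "api.mywebsite.com"),
        (CERT_WILDCARD, "xxx.yyy.mywebsite.com"),
        (CERT_EXPIRED, "log.example.com"),
    ]
    for cert, host in cases:
        print(host, "->", diagnose(cert, host, now=NOW) or "OK")
```

diagnose() takes an explicit clock so the expiry check is repeatable; in practice you pass the dict from fetch_peer_cert() (or from `openssl s_client` output parsed into the same shape) and the current time. Note that getpeercert() returns an empty dict unless the chain verified, which is why the live path keeps verification on and only relaxes the hostname check.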