I'm new to AWS and hoping someone can answer my question here. I've created a web server on an EC2 instance and installed Craft CMS on it. I've requested a public certificate from Certificate Manager, and put the CNAME in the route53 hosted zone for the domain name. The certificate is attached to the Load balancer I attached to my EC2 instance. If I set up cloudfront with all this my website is still showing up as insecure (meaning I'm not doing something right). How should I go about connecting cloudfront to my EC2 instance? With or without the load balancer. I only have one instance running so I don't really need the load balancer either. Thanks!
Just to clarify what you are trying to accomplish: 1) You have one or more EC2 instances, presumably in an auto-scaling group; 2) Those EC2 instances are set as targets for your ELB; 3) You have a certificate that is valid for your ELB hostname, let's call it elb.mydomain.com.
And now you are trying to setup CloudFront with the ELB as the origin?
Starting with the CloudFront certificate: Is the certificate also valid for your CloudFront hostname (let's call it www.mydomain.com)? If not, you will need to create and validate another cert for www.mydomain.com.
Second, the CloudFront distribution must be configured to use a certificate that is valid for the hostname you want to use. You must also include the hostname as an alternate domain name in the CloudFront distribution. Then make sure your route53 CNAME entry points from your desired hostname to the CloudFront distribution, which will be something like d18sdfijsilj.cloudfront.net.
Related
I've an app running on AWS.
Currently, my frontend is hosted on S3/cloudfront which communicates with my EC2 instance through a Elastic Load Balancing (ELB).
ELB handles the SSL certificate.
I just have one EC2 instance. So, I don't really need the ELB. My free tier period is over... ELB represents 40% of my bill!
How can I get rid of ELB without losing the SSL configuration?
Thanks in advance !
The best approach to keep an AWS ACM SSL whilst removing your load balancer would be to instead use CloudFront for your EC2 host.
If this is a different domain to your existing CloudFront distribution, you would need to create a new one which will serve your app traffic. This would have a custom origin that would resolve to the public CNAME of the EC2 host (this will require the EC2 host to be publicly resolvable).
If it shares the same domain, your CloudFront distribution would need to be updated to include a secondary behaviour that maps to your EC2 host's public hostname.
Please note for this option your instance must be public, which means that it is possible to bypass CloudFront to perform this option. If you do not have a valid SSL on this EC2 host you will need to configure the CloudFront distribution to speak to the origin using HTTP.
An alternative (or combined option) would be to use a service such as certbot that can generate a valid SSL for your domain. This will ensure any public ingress to the instance can be encrypted securely over HTTPS.
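The answer above notes two things a practitioner should handle when CloudFront fronts a public EC2 host: the origin protocol policy (HTTP only until the instance has its own valid certificate) and the fact that the instance can be reached directly, bypassing CloudFront. The following is an added example, not code from the original answers: it builds the custom-origin section of a CloudFront `DistributionConfig` in the shape the CloudFront API expects, injects a shared-secret custom header, and shows the origin-side check that rejects requests lacking that header. The hostname, header name and secret are constructed placeholders.

```python
import hmac
import secrets

# Constructed placeholders; substitute your own values.
ORIGIN_DOMAIN = "ec2-203-0-113-10.compute-1.amazonaws.com"  # hypothetical public EC2 hostname
HEADER_NAME = "X-Origin-Secret"                              # hypothetical custom header name


def make_origin_config(origin_domain, origin_has_valid_cert, header_name, header_value):
    """Build one entry for Origins.Items of a CloudFront DistributionConfig.

    OriginProtocolPolicy follows the answer above: https-only when the instance
    has a valid certificate, http-only otherwise. CustomHeaders are added by
    CloudFront to every origin request, so the instance can tell CloudFront
    traffic from direct hits on its public address.
    """
    return {
        "Id": "ec2-origin",
        "DomainName": origin_domain,
        "CustomOriginConfig": {
            "HTTPPort": 80,
            "HTTPSPort": 443,
            "OriginProtocolPolicy": "https-only" if origin_has_valid_cert else "http-only",
            "OriginSslProtocols": {"Quantity": 1, "Items": ["TLSv1.2"]},
        },
        "CustomHeaders": {
            "Quantity": 1,
            "Items": [{"HeaderName": header_name, "HeaderValue": header_value}],
        },
    }


def origin_guard(request_headers, header_name, expected_value):
    """True when the request carries the CloudFront-injected secret header.

    Header names are compared case-insensitively (HTTP semantics); the value is
    compared in constant time so a wrong guess is not timing-distinguishable.
    """
    for name, value in request_headers.items():
        if name.lower() == header_name.lower():
            return hmac.compare_digest(value.encode(), expected_value.encode())
    return False


def handle(request_headers, header_name, expected_value):
    """Minimal origin handler: (status, body). 403 for direct access."""
    if not origin_guard(request_headers, header_name, expected_value):
        return 403, "direct origin access is not allowed"
    return 200, "ok"


if __name__ == "__main__":
    secret = secrets.token_urlsafe(32)
    cfg = make_origin_config(ORIGIN_DOMAIN, origin_has_valid_cert=False,
                             header_name=HEADER_NAME, header_value=secret)
    print(cfg["CustomOriginConfig"]["OriginProtocolPolicy"])   # http-only
    # Constructed requests: one via CloudFront, one straight at the instance.
    print(handle({"Host": "app.example.com", "x-origin-secret": secret}, HEADER_NAME, secret))
    print(handle({"Host": "app.example.com"}, HEADER_NAME, secret))
```

With `http-only` the hop between CloudFront and the instance is cleartext, so the header only distinguishes traffic sources on the origin; it is not a substitute for a certificate on the host, which is why the answer suggests certbot as the next step.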
I have a simple AWS setup of 2 VMs hosting a WebApp. An Application Load Balancer is in-front of these machines. I can access the DNS name of the Load Balancer and can reach to the WebApp.
Now, I want to connect to my app with a domain name hosted on Godaddy. I tried to simply create a CNAME (as there is no Elastic IP on an Application LB) with the LB's DNS name, but it didn't work.
What am I missing? I tried with Godaddy support but already wasted 7 days with no solution.
I want to put SSL certificate also on ALB. Should I be aware of anything specific in this setup?
The problem was, I was trying to CNAME for root level domain. Now, I created an alias in Route 53 and used AWS's nameservers on Godaddy to forward request there.
This is the situation:
I have a subdomain (i.e. sub.domain.com) which has a cPanel, and the domain nameserver must not be changed at all.
I have a classic load balancer in AWS with ec2 instances inside it that is already set up with Amazon Certificate Manager for its SSL Cert (cert DNS validated and in use).
Currently I added an A record in the subdomain that refers to the IP address of one of the EC2 instances. The problem is the EC2 does not come with the SSL cert, therefore I could not access the site with https://, and I could not find anywhere how to refer this subdomain to my load balancer with the cert so that the site can be opened with https://
I have tried various combinations in the subdomain record; an A record also only allows an IPv4 address, while the ELB DNS is not one.
Does anyone know how to connect my subdomain to my ELB? Thanks a lot in advance
Your certificate (AWS Certificate Manager) is probably set to ONLY the primary domain (domain.com). To fix this your certificate needs to cover the subdomains as well, so I recommend creating a certificate for *.domain.com
After creating the certificate you will still have to bind it to Elastic Load Balancing.
More information: https://docs.aws.amazon.com/en/acm/latest/userguide/acm-certificate.html
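Both the CloudFront answer earlier on this page (is the certificate valid for www.mydomain.com as well as elb.mydomain.com?) and the wildcard answer just above come down to the same check: does some name on the certificate cover the hostname the client will type? The following is an added example, not code from any of the answers. It implements the standard wildcard rule (a `*.domain.com` entry matches exactly one label, so it covers sub.domain.com but not domain.com or a.b.domain.com) and uses it to refuse a CloudFront alias list the certificate does not cover. The certificate ARN and hostnames are constructed placeholders.

```python
def hostname_matches(cert_name, hostname):
    """Match one certificate name (CN or SAN) against a hostname.

    Wildcard rule as browsers and ACM apply it: '*' may only be the whole
    leftmost label and covers exactly one label. Case-insensitive; a trailing
    dot is ignored on both sides.
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if cert_name.startswith("*."):
        suffix = cert_name[1:]                  # "*.domain.com" -> ".domain.com"
        if not hostname.endswith(suffix):
            return False
        leftmost = hostname[: -len(suffix)]
        return leftmost != "" and "." not in leftmost
    return cert_name == hostname


def cert_covers(cert_names, hostname):
    """True if any name on the certificate covers the hostname."""
    return any(hostname_matches(n, hostname) for n in cert_names)


def uncovered_hostnames(cert_names, hostnames):
    """The hostnames a browser would flag as insecure under this certificate."""
    return [h for h in hostnames if not cert_covers(cert_names, h)]


def viewer_config(cert_arn, cert_names, aliases):
    """Aliases + ViewerCertificate fragment of a CloudFront DistributionConfig.

    Refuses to build a config whose alternate domain names the certificate
    does not cover; CloudFront would reject it too, but this fails earlier and
    says which name is the problem.
    """
    missing = uncovered_hostnames(cert_names, aliases)
    if missing:
        raise ValueError(f"certificate does not cover: {', '.join(missing)}")
    return {
        "Aliases": {"Quantity": len(aliases), "Items": list(aliases)},
        "ViewerCertificate": {
            "ACMCertificateArn": cert_arn,
            "SSLSupportMethod": "sni-only",
            "MinimumProtocolVersion": "TLSv1.2_2021",
        },
    }


if __name__ == "__main__":
    # Constructed values; the ARN is a placeholder, not a real certificate.
    ARN = "arn:aws:acm:us-east-1:123456789012:certificate/PLACEHOLDER"
    # Certificate issued only for the ELB hostname: www is not covered.
    print(uncovered_hostnames(["elb.mydomain.com"], ["www.mydomain.com"]))
    # Wildcard plus apex, as the answer above recommends: everything covered.
    print(viewer_config(ARN, ["*.domain.com", "domain.com"],
                        ["domain.com", "sub.domain.com"])["Aliases"])
```

Note the apex: `*.domain.com` alone does not cover `domain.com`, which is why the ACM request in the later question on this page lists both names.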
I have an AWS EC2 instance, a Route53 registered domain, an AWS Load Balancer and an AWS Certificate.
What I want to achieve is to access the domain as "https://...", as of today I haven't been able to.
What I've done so far is:
1.- Set up the EC2 (Amazon Linux AMI) with Apache and it is listening on ports :80 and :443
When I browse to the public IP of the EC2 I see index.html, no problem.
2.- I have registered a new domain using Route53. I added a Record Set for the Hosted Zone Type IPv4 address with the value of the IP of the EC2 instance.
When I browse to the domain.com I see index.html no problem.
3.- I got an AWS Certificate for *.domain.com and domain.com. For validation I added a Type CNAME Record Set provided to the Hosted Zone of the domain. For both the validation status is OK.
4.- I created a Load Balancer that listens to HTTP:80 and HTTPS:443 and I added a Record Set in the Hosted Zone of the domain with [type:IPv4, Alias:Yes, Alias Target: name of the Load Balancer]. I didn't type the name of the Load Balancer, I selected it from the select dropdown.
However the Load Balancer has the fields Port Configuration and Instance Count blank as you can see in the screenshot.
5.- When I check the file /etc/httpd/logs/ssl_error_log I see a message that I can't figure out what it means, nothing good I imagine. The text of the message is AH01906: ... as you can see in the next screenshot.
When I browse to https:// domain I get the message that is not safe.
I'm very new to all this and I'm sure I'm doing something wrong but I can't figure out what.
I would appreciate any help or pointer you could give to me.
Thanks very much, this community is awesome anyway.
AWS Certificate Manager does not offer free SSL for websites. It does offer free SSL certificates for some of their service endpoints (not the same as using them directly on your EC2 instance).
For certificates that you want to install directly on EC2, you have to pay for a private Certificate Authority. (note: it's expensive)
Q: With which AWS services can I use ACM certificates?
You can use public and private ACM certificates with the following AWS services:
• Elastic Load Balancing – Refer to the Elastic Load Balancing documentation
• Amazon CloudFront – Refer to the CloudFront documentation
• Amazon API Gateway – Refer to the API Gateway documentation
• AWS Elastic Beanstalk – Refer to the AWS Elastic Beanstalk documentation
• AWS CloudFormation – Support is currently limited to public certificates that use email validation. Refer to the AWS CloudFormation documentation
In addition, you can use private certificates issued with ACM Private CA with EC2 instances, containers, IoT devices, and on your own servers.
Alternatively, you can use Let's Encrypt, a service provided by EFF, for free. They have a tool called CertBot to automatically renew the certificates for you.
I've set up my application on AWS Elastic Beanstalk. I added a load balancer and pointed a CNAME for 'www' to it. But now I need to get root pointed there too. I can't use Route53 and use AWS nameservers because the client wants to use theirs. How can I get root to my app? Can I redirect the traffic? The tech lead I'm working with suggested setting up a server to do the redirect?
Since AWS ELBs only offer a DNS record (instead of IPs) you need to use a CNAME mapping. However with DNS, CNAMEs do not allow a root domain to point to them. To overcome this AWS has provided Alias Records (a custom implementation by AWS) to point a root domain to ELBs.
If your client still wants to use their nameservers, you can use AWS Route53 in between to solve this with the following steps.
First create a Public Hosted Zone in Route53 for your domain.
Then create a record set inside the Hosted Zone for the root domain to point to the ELB with Type = A - IPv4 Address, Alias = Yes with ELB CNAME as for the Alias value.
In the external domain management service, create a NS record to point the root domain to Route53 nameservers.
Then when the DNS resolution happens, the root DNS query will first go to the external nameservers (managed outside of Route53) and then it will be forwarded to Route53, where it will resolve the ELB's IP address and send it back.
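The steps above are a Route 53 change set plus a delegation at the external provider. The following is an added example, not code from the answer: it builds the `ChangeBatch` document that `aws route53 change-resource-record-sets --change-batch` accepts, with the apex as an alias A record pointing at the ELB, and refuses a CNAME at the apex so the mistake that sent the Godaddy question on this page down a 7-day detour fails before it reaches DNS. The domain, ELB name and hosted zone ID are constructed placeholders; the ELB's alias hosted zone ID must be looked up for your region and load balancer type.

```python
import json

# Constructed placeholders.
ZONE_APEX = "example.com"
ELB_DNS_NAME = "my-elb-123456789.us-east-1.elb.amazonaws.com"
ELB_ALIAS_ZONE_ID = "ZELBHOSTEDZONEID"  # placeholder: region/ELB-type specific value
ROUTE53_NS = ["ns-1.awsdns-00.com", "ns-2.awsdns-00.org"]  # placeholder nameservers


def fqdn(name):
    """Route 53 wants absolute names; normalise once so comparisons work."""
    return name.rstrip(".") + "."


def alias_record(name, target_dns_name, target_zone_id, record_type="A"):
    """Alias A record: Route 53 answers with the target's current addresses.

    Unlike a CNAME this is legal at the zone apex, which is the whole point
    of the answer above.
    """
    return {
        "Name": fqdn(name),
        "Type": record_type,
        "AliasTarget": {
            "HostedZoneId": target_zone_id,
            "DNSName": fqdn(target_dns_name),
            "EvaluateTargetHealth": True,
        },
    }


def cname_record(name, target, ttl=300):
    """Ordinary CNAME, fine for www but not for the apex."""
    return {
        "Name": fqdn(name),
        "Type": "CNAME",
        "TTL": ttl,
        "ResourceRecords": [{"Value": fqdn(target)}],
    }


def ns_delegation_record(zone_apex, nameservers, ttl=3600):
    """NS record to create at the external DNS provider, per the answer above."""
    return {
        "Name": fqdn(zone_apex),
        "Type": "NS",
        "TTL": ttl,
        "ResourceRecords": [{"Value": fqdn(ns)} for ns in nameservers],
    }


def validate_records(zone_apex, records):
    """Return the problems that would make Route 53 (or DNS itself) reject the set."""
    problems = []
    apex = fqdn(zone_apex)
    for r in records:
        if r["Type"] == "CNAME" and r["Name"] == apex:
            problems.append(f"{r['Name']} CNAME at the zone apex is not allowed; use an alias A record")
        if not r["Name"].endswith(apex):
            problems.append(f"{r['Name']} is outside zone {apex}")
    return problems


def change_batch(zone_apex, records, comment="apex -> ELB via alias"):
    """Wrap validated records as an UPSERT ChangeBatch document."""
    problems = validate_records(zone_apex, records)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "Comment": comment,
        "Changes": [{"Action": "UPSERT", "ResourceRecordSet": r} for r in records],
    }


if __name__ == "__main__":
    batch = change_batch(ZONE_APEX, [
        alias_record(ZONE_APEX, ELB_DNS_NAME, ELB_ALIAS_ZONE_ID),
        cname_record("www." + ZONE_APEX, ELB_DNS_NAME),
    ])
    print(json.dumps(batch, indent=2))          # feed to change-resource-record-sets
    print(validate_records(ZONE_APEX, [cname_record(ZONE_APEX, ELB_DNS_NAME)]))
    print(json.dumps(ns_delegation_record(ZONE_APEX, ROUTE53_NS), indent=2))
```

Delegating with NS records hands resolution of the whole apex to Route 53, so any records the client keeps at their provider for the same name (MX, TXT for mail) have to be recreated in the hosted zone before the delegation is switched.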
You can set up a machine with a single static IP address that does nothing but redirect requests to the www host. Then you can put an A record on the bare domain at the apex of the DNS zone pointing to that machine.
There is at least one service, http://wwwizer.com/naked-domain-redirect, that will do this for you. (I'm not affiliated with this service, but it appears to do what it claims and will serve your purpose. There are probably others like it.)
Ideally, though, you'd persuade your client to change the authoritative nameservers to point to a Route 53 hosted zone that you create for them. They are still the registrant and "owner" of their domain, and can take control back from you by simply changing the nameservers to something else.
I generally persuade clients with the explanation that our load balancer infrastructure is integrated with the DNS servers so that if a balancer node fails, or we need to add or scale up capacity, or experience a traffic surge or DDoS event, the load balancer system will automatically update the DNS records for their domain to try to mitigate the issue and keep the site up. To do otherwise is to do things in such a way that removes those layers of redundancy.
Ideally, you can set up an Apache server with a static IP, and install a free SSL certificate on that web server first.
Second you need to redirect your root domain name request to AWS ELB.
Then go to your DNS management and set up your apex point to the server you created.
It is now possible to setup a Network Load Balancer and allocate one or more Elastic IP Addresses to it (one per Availability Zone). The Network Load Balancer can have an Application Load Balancer as a target. The Application Load Balancer would target the Elastic Beanstalk. An A record can then be created in the external DNS for each Elastic IP Address of the Network Load Balancer.
If you don't need the functionality that the Application Load Balancer provides, you may be able to target Elastic Beanstalk or whatever application directly from the Network Load Balancer.