I have an EC2 Ubuntu Instance running on AWS.
I have created an SSL certificate for my domain using AWS Certificate Manager.
I have created the needed hosted zone with the needed records for my domain.
I have created a Load Balancer with listeners for both protocols HTTP and HTTPS.
Now, I can access the site using the public IP from the AWS Instance and also using my domain name.
The issue is when trying to access the site using https.
An error page appears: ERR_SSL_PROTOCOL_ERROR
I don't know what is wrong in my approach to get a working site running with an SSL certificate.
I guess it can be due to the Ubuntu Apache2 configuration, but not sure.
I would appreciate a checklist of things I should verify in AWS (Certificate Manager, EC2 Instance, Load Balancer, Route 53, etc.) or in the configuration of the Ubuntu Apache2 server.
EDIT:
These are the security group inbound rules that are in use with the ELB:
I would double check security group on the ELB, confirm domain DNS. It's something on the ELB side since you are not connecting there.
I am trying to make my ELB backend route protected by HTTPS. I have a lot of images below showing where I'm at. As far as the AWS instructions go, I have everything done, from the CNAME to the security groups. However, when I call the route I get 'Error: SSL peer certificate or SSH remote key was not OK'. I'm working with an Apache proxy server. What am I missing? Thanks!
Below image is the listeners on ELB.
Here are the listeners from EC2.
Here is my certificate.
Here is my security group.
Here are my inbound rules
I have configured the AWS load balancer to secure my website, i.e. to resolve through "https". But when I use https://www.schoolnskill.com, it gives
503 Service Temporarily Unavailable.
So I have followed the below steps to configure my environment.
I created a domain name in Route 53 and have been issued an SSL/TLS certificate through AWS Certificate Manager.
For my load balancer I set up a listener for https:443 and attached the above certificate to it.
The security group for my EC2 instances allows HTTP and HTTPS requests (although I believe the load balancer EC2 target will communicate using HTTP).
I have attached a screenshot with the summary of the configuration.
Then in the ROUTE 53, I edited the 'A' record of 'www.schoolnskill.com'. Below are the changes I made.
Alias:- yes
Alias target:- chosen the application LB
Routing policy:- simple
Then save the settings.
I can see that whenever I type 'http://www.schoolnskill.com', it is redirected as 'https://www.schoolnskill.com'
Thank you,
The problem was the availability zones. The AZ of my load balancer was different from that of EC2 instance. I matched the AZ of ALB to my EC2, and it worked.
Thank you,
I am running a Spring Boot Application (as a RESTful Webservice) dockerized in an EC2 Instance. If I start the container, everything is working fine, but only with HTTP. e.g. http://ec2-54-93-55.eu-central...com
I already tried setting up the Security Groups of my EC2 Instance, where I enabled HTTPS, but it still does not work.
Now I want to add an SSL certificate to my instance with the AWS Certificate Manager. The problem now is that I need a hosted domain for this and I cannot use the domain of my EC2 instance.
I tried setting it up as api.mydomain.com and it is verified now. How can I now connect my EC2 instance with this domain?
I tried creating an alias in Route 53 by routing api.mydomain.com to the EC2 public DNS. But this did not work either.
You will not be able to attach an ACM public certificate to your EC2 instance as they are required to be attached to either one of these resources:
CloudFront
Elastic Load Balancer.
Once these are configured you will need to update the DNS record on your hosting provider to target the CNAME of whichever of these resources they use.
If you were using Route 53 as your hosting provider you would add your record to the public hosted zone for that domain, however this process is slightly different for each DNS provider.
I set up EC2 Ubuntu instance, assigned an elastic IP, got example.com (domain) to the ec2 instance via Route53. Added an SSL certificate using ACM (certificate manager) which says 'issued'.
However, https://example.com raises ERR_SSL_PROTOCOL_ERROR. http://example.com is working.
The security group has the HTTPS port open.
What's wrong here? Why is this not working? Any clues? curl https://localhost -k shows local port 443 refused.
You can't deploy a public ACM certificate directly to an instance. The "issued" state, just means it's ready to be applied somewhere. It needs to be applied to a service that supports ACM like an ELB, API Gateway, or a CloudFront distribution, which can be used to offload SSL processing. See the faqs for an overview of how they can be used.
For a certificate directly on the instance, you can use letsencrypt to issue free, trusted certs.
Also, this assumes that you've configured the web server to listen on 443.
ACM can only be used with AWS resources such as Elastic Load Balancer, Amazon CloudFront distributions and APIs on Amazon API Gateway.
Make sure that you are using one of the above services to serve your website content.
ACM cannot be directly used with an EC2 instance; you need either an Elastic Load Balancer or a CloudFront distribution to use it.
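The questions above all come down to which endpoint actually answers on port 443 and whether it speaks TLS with a certificate for the domain. As an added example (not part of any of the posts), the Python sketch below attempts a verified TLS handshake against a target and classifies the outcome; the result labels, the hint texts and the command-line arguments are assumptions made for illustration.

```python
import socket
import ssl
import sys

# What each probe result usually means for the setups described in this thread.
HINTS = {
    "ok": "TLS terminates here and the certificate matches the name",
    "bad-cert": "TLS answers, but not with a certificate valid for this name",
    "not-tls": "port is open but does not speak TLS (browser: ERR_SSL_PROTOCOL_ERROR)",
    "refused": "nothing listens on this port (curl: connection refused)",
    "unreachable": "no TCP connection: check DNS, security group and listener",
}

def probe_tls(host, port=443, server_name=None, timeout=5.0):
    """Attempt a verified TLS handshake and return a key of HINTS."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # timeout, DNS failure, no route
        return "unreachable"
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with ctx.wrap_socket(raw, server_hostname=server_name or host):
            return "ok"
    except ssl.SSLCertVerificationError:
        return "bad-cert"
    except (ssl.SSLError, OSError):  # plain HTTP reply, reset, or stalled handshake
        return "not-tls"
    finally:
        raw.close()

def explain(target, result):
    return f"{target}: {result} ({HINTS[result]})"

if __name__ == "__main__":
    # Usage: python probe.py <domain> [<instance-ip>]   (arguments are placeholders)
    domain = sys.argv[1]
    print(explain(domain, probe_tls(domain)))
    if len(sys.argv) > 2:
        # Probe the instance directly but validate against the domain name.
        ip = sys.argv[2]
        print(explain(ip, probe_tls(ip, server_name=domain)))
```

If the domain reports "refused" or "not-tls" while the record still points at the instance IP, the request never reached the load balancer listener that holds the ACM certificate.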
I have an AWS EC2 instance, a Route53 registered domain, an AWS Load Balancer and an AWS Certificate.
What I want to achieve is to access the domain as "https://...", as of today I haven't been able to.
What I've done so far is:
1.- Set up the EC2 (Amazon Linux AMI) with Apache, and it's listening on ports :80 and :443.
When I browse to the public IP of the EC2 I see index.html no problem.
2.- I have registered a new domain using Route53. I added a Record Set for the Hosted Zone Type IPv4 address with the value of the IP of the EC2 instance.
When I browse to the domain.com I see index.html no problem.
3.- I got an AWS Certificate for *.domain.com and domain.com. For validation I added a Type CNAME Record Set provided to the Hosted Zone of the domain. For both the validation status is OK.
4.- I created a Load Balancer that listens to HTTP:80 and HTTPS:443 and I added a Record Set in the Hosted Zone of the domain with [type:IPv4, Alias:Yes, Alias Target: name of the Load Balancer]. I didn't type the name of the Load Balancer, I selected it from the select dropdown.
However the Load Balancer has the fields Port Configuration and Instance Count blank as you can see in the screenshot.
5.- When I check the file /etc/httpd/logs/ssl_error_log I see a message that I can't figure out the meaning of, nothing good I imagine. The text of the message is AH01906: ... as you can see in the next screenshot.
When I browse to https:// domain I get the message that is not safe.
I'm very new to all this and I'm sure I'm doing something wrong but I can't figure out what.
I would appreciate any help or pointer you could give to me.
Thanks very much, this community is awesome anyway.
AWS Certificate Manager does not offer free SSL for websites. It does offer free SSL certificates for some of their service endpoints (not the same as using them directly on your EC2 instance).
For certificates that you want to install directly on EC2, you have to pay for a private Certificate Authority. (Note: it's expensive.)
Q: With which AWS services can I use ACM certificates?
You can use public and private ACM certificates with the following AWS services:
• Elastic Load Balancing – Refer to the Elastic Load Balancing documentation
• Amazon CloudFront – Refer to the CloudFront documentation
• Amazon API Gateway – Refer to the API Gateway documentation
• AWS Elastic Beanstalk – Refer to the AWS Elastic Beanstalk documentation
• AWS CloudFormation – Support is currently limited to public certificates that use email validation. Refer to the AWS CloudFormation documentation
In addition, you can use private certificates issued with ACM Private CA with EC2 instances, containers, IoT devices, and on your own servers.
Alternatively, you can use Let's Encrypt, a service provided by EFF, for free. They have a tool called CertBot to automatically renew the certificates for you.