Validating AWS Certificate in Google Domains - amazon-web-services

I'm following this tutorial to add HTTPS to my EC2 Elastic Beanstalk website:
https://medium.com/#jameshamann/configuring-your-elastic-beanstalk-app-for-ssl-9065ca091f49
I have modified my instance to run on a load balancer and created the certificate with DNS validation in AWS Certificate Manager. I entered my domain name and added the CNAME record to Google Domains as follows:
From AWS:
Name: _XXXXXc0c9db9a6c9300e65f9XXXXXXXX.www.mydomainame.com.
Type: CNAME
Value: _XXXXX83f612f59e5b0568896XXXXXXXX.jfrzXXXXXX.acm-validations.aws.
In Google Domains I created a CNAME record as follows:
Name: _1084c0c9db9a6c9300e65f9ceXXXXXXX
Type: CNAME
Value: _XXXXXXXXX12f59e5b0568896XXXXXXX.jfrzfXXXXXX.acm-validations.aws.
The certificate never gets validated; I have waited for days and it even expired. Does anyone know how to achieve this?
Thanks!

What domain is your cert registered for?
It looks like you are saying AWS said the record should be _XXXXXc0c9db9a6c9300e65f9XXXXXXXX.www.mydomainame.com which means _XXXXXc0c9db9a6c9300e65f9XXXXXXXX needs to be added as a record under the subdomain of www.mydomainame.com
You may be adding the record under mydomainname.com and not under the www subdomain, which may be why it's not working.
I would suggest recreating the ACM cert and creating a wildcard cert under the top level domain (e.g. *.mydomainame.com).

Related

How to validate SSL request in AWS Certificate Manager

I've deployed an app to Elastic Beanstalk and now, in order to have HTTPS, I need to add port 443 in ELB and mention the SSL certificate. As I don't have one, I'm trying to create it. I got the domain after deploying the frontend to Firebase. I found that after requesting the certificate I need to create a CNAME record and use the values provided in the AWS requested certificate in order to validate it. I just can't seem to find the way to create it in Firebase. Am I doing something wrong? Any help is appreciated.
I tried to create the CNAME in AWS Route 53 hosted zones and expected the SSL to be validated, but I think I need to create the record in Firebase and I don't know how to do it.
You would need to identify where your DNS records are being managed. Once you get the records added at the right place your certificate will be validated successfully.

How to get SSL certificate for a website hosted through AWS ELB when the registrar is Google Domains

I have a website that I have created using this AWS article on Fargate.
https://aws.amazon.com/blogs/containers/running-wordpress-amazon-ecs-fargate-ecs/
It generated an address like http://wof-load-balancer-XXXXXXX.ca-central-1.elb.amazonaws.com/
Then I created a hosted zone using the step 1 and 2 of this guide
https://www.entechlog.com/blog/aws/connect-google-domain-to-aws-route-53/
instead of step three, I created an A record as an alias for the load balancer.
Then in Google Domains, I created custom name servers.
Now mysampledomain.com opens http://wof-load-balancer-XXXXXXX.ca-central-1.elb.amazonaws.com/
which is nice
But I don't know how to enable ssl certificate.
With ACM, I requested a certificate and I want to do DNS validation.
It is giving me something like this
CNAME name: _bcc41981034XXX49cd2fc6eb7f18efab.mysampledomain.ca. note the trailing dot
and
CNAME value: _c9f7995ac30d874bd2XXXXX09cc020.hqkbcmchgw.acm-validations.aws. note the trailing dot
Now I go to the Google Domains
I add a custom record
What should be HostName and Data
is this the right approach?
Note that if I add some-host to the HostName, the actual host (mysampledomain.com) gets attached by default
so I cannot leave the field empty
HostName is the name provided by ACM, i.e., _bcc41981034XXX49cd2fc6eb7f18efab.mysampledomain.ca.. It can be only _bcc41981034XXX49cd2fc6eb7f18efab if Google will automatically add the rest.
Value is what ACM gave you: _c9f7995ac30d874bd2XXXXX09cc020.hqkbcmchgw.acm-validations.aws..

AWS SSL Beanstalk Hostname not matching

I followed the following tutorial to set up an SSL certificate with a parent domain hosted at another provider than AWS to create a secure connection to my REST API.
https://medium.com/#sonalishah_63223/how-to-host-subdomain-in-aws-route-53-for-an-existing-parent-domain-with-different-service-9b4dde061b85
Setup:
Hosted Zone -> Record pointing to - Elastic Load Balancer - Beanstalk -> EC2 (Spring Application)
Setup Description:
I created a hosted zone (sub.mydomain.at).
In that hosted zone I created a record (api.sub.mydomain.at) pointing to the Elastic Load Balancer.
Everything works fine, API is callable.
Afterwards I created a certificate through ACM.
(*.mydomain.at) which has been successfully issued.
I attached it to my load balancer and it seems to work, when calling the API via https://.
But Postman throws the following error.
SSL Error: Hostname/IP does not match certificate's altnames
I could turn off "Enable SSL certificate verification" and it would work, but this does not seem to be the right solution.
So I created another certificate for the domain api.sub.mydomain.at, which is not verifying. According to nslookup the server can't find the domain even if the CNAME is set up. (I assume it is not possible to create a CNAME with multiple 'sub-domains')
_12312<long-_number>.api.sub.mydomain.at
So how can I resolve the Issue "Hostname/IP does not match certificates alt names"?
I think in your case, you are forwarding the requests (CNAME record api.sub.mydomain.at from ALB public DNS to your custom domain).
So you need to add the ALB public DNS name in the header like this:
request({host: 'ALB public DNS'... headers: req.headers
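The hostname check behind the Postman error in the question above, as an added example that is not part of the original thread: a certificate wildcard stands for exactly one DNS label, so `*.mydomain.at` covers `sub.mydomain.at` but not `api.sub.mydomain.at`. The function names are hypothetical and the matching rule is simplified (a `*` is honoured only as the whole left-most label).

```python
def _labels(name: str) -> list[str]:
    """Lower-case a DNS name, drop the root dot, split into labels."""
    return name.strip().rstrip(".").lower().split(".")


def san_matches(pattern: str, hostname: str) -> bool:
    """True if one certificate name covers hostname.

    Simplified rule: '*' is honoured only as the whole left-most label and
    stands for exactly one label, so it never spans a dot.
    """
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Require at least two fixed labels after the wildcard.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def cert_covers(sans: list[str], hostname: str) -> bool:
    """True if any name on the certificate covers hostname."""
    return any(san_matches(s, hostname) for s in sans)


def names_to_request(hostname: str) -> list[str]:
    """Names that would cover hostname: the exact name, or a one-level wildcard."""
    labels = _labels(hostname)
    return [".".join(labels), ".".join(["*"] + labels[1:])]


if __name__ == "__main__":
    issued = ["*.mydomain.at"]  # the certificate described in the question
    for host in ("sub.mydomain.at", "api.sub.mydomain.at"):
        print(host, "covered" if cert_covers(issued, host) else "NOT covered")
    print("request one of:", names_to_request("api.sub.mydomain.at"))
```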

HTTPS not working with custom domain in Amazon Cloudfront

I am trying to configure a custom domain from Namecheap to serve my CloudFront distribution. I did all the steps I am aware of, but HTTPS is not working.
What I did:
1. Created a CNAME record for my domain in Namecheap: www -> d12312***.cloudfront.net
2. Created and validated an Amazon certificate from ACM (it shows "issued" for www.mysite.info)
3. Edited my CloudFront distribution, included the domain www.mysite.info in the alternate domains section, selected "custom ssl" and selected the certificate I created in step 2.
Now my domain www.mysite.info/test.jpg does show the image hosted from my CloudFront, but HTTPS is not working, showing "not secure". What's wrong?
Please, I don't want to use Route 53.
Never mind, it worked after a while.
Though I struggled with the Certificate Manager DNS verification.
Amazon asks you to put a cname record like:
Name: _220a646ed9c024bb4e8a234d7224ae.www.mysite.com.
Type: CNAME
Value: _d5983967e8as12f80ae85685bb5ce7.hsdfuiqjoua.acm-validations.aws.
If you put/update the CNAME records as shown, it won't work. Instead, remove the domain name from the name:
_220a646ed9c024bb4e8a234d7224ae.www
and keep the value as it is.
Wait 10 mins.
Hit "continue" in Amazon Certificate Manager. Voila! It shows certificate issued.
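Both the Google Domains answer and the Namecheap note above come down to the same rule: ACM hands out a fully qualified record name, while the registrar form appends the zone apex to whatever is typed. The following is an added example, not code from the thread. It derives the host field to enter and diagnoses a mistyped one, using the record name quoted in the post; the function names are hypothetical and the append-the-apex behaviour is an assumption taken from the posts.

```python
def _norm(name: str) -> str:
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()


def relative_host(acm_name: str, zone_apex: str) -> str:
    """Host field to type when the provider appends the zone apex itself."""
    fqdn, zone = _norm(acm_name), _norm(zone_apex)
    if not fqdn.endswith("." + zone):
        raise ValueError(f"{fqdn} is not inside zone {zone}")
    return fqdn[: -len(zone) - 1]


def published_name(host_field: str, zone_apex: str) -> str:
    """FQDN that ends up in DNS, assuming the provider appends the apex."""
    return f"{_norm(host_field)}.{_norm(zone_apex)}"


def diagnose(host_field: str, acm_name: str, zone_apex: str) -> str:
    """Compare the name that was published with the name ACM will query."""
    want = _norm(acm_name)
    got = published_name(host_field, zone_apex)
    if got == want:
        return "ok"
    fix = relative_host(acm_name, zone_apex)
    return f"published {got}, ACM queries {want}; enter {fix}"


# Record name as quoted in the post above; the zone apex is assumed.
ACM_NAME = "_220a646ed9c024bb4e8a234d7224ae.www.mysite.com."
ZONE = "mysite.com"

if __name__ == "__main__":
    attempts = (
        ACM_NAME,                               # full name pasted as given
        "_220a646ed9c024bb4e8a234d7224ae",      # "www" label dropped
        "_220a646ed9c024bb4e8a234d7224ae.www",  # relative to the zone apex
    )
    for typed in attempts:
        print(f"{typed!r}: {diagnose(typed, ACM_NAME, ZONE)}")
```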

SSL Certificates On Elastic Beanstalk Default Setup

I'm in the process of moving from another cloud provider. Currently I'm just testing in the default environment that has a url looking like this:
http://example-env-1.us-east-1.elasticbeanstalk.com
I'm trying to get SSL/HTTPS working for this address. I then plan using a CNAME to redirect to this address and eventually move the nameservers over completely.
However, after setting everything else up successfully I get to the point of adding the certificates and it just says "failed":
And even though I have my actual "example.com" ssl certificate successfully issued nothing shows up in the load balancer certificate selection dropdown (and yes I have refreshed):
How do I enable SSL using the Certificate Manager?
That's because you are trying to request a cert for the elasticbeanstalk.com domain. You will not be able to get a cert for that domain as you are not the owner of it :). Nor can you setup https for the default elastic beanstalk domains they give you.
You should use ACM to get a certificate for your custom domain, the one you plan on making a CNAME record for.
Example:
If you were to own say the domain amyneville.com. You could create a cert through ACM for that domain.
If you use your custom domain, you do NOT need to get a cert for the elasticbeanstalk.com domain.
A couple more things:
You cannot create a CNAME record on a TLD (amyneville.com). You can create the CNAME record for www.amyneville.com. So if you want to use the CNAME approach you will have to create a non-www redirect to www.
But better than a CNAME would be to use an A record and point it to the Elastic Beanstalk resource that was set up. So for the load balancer that was created for you, use its A record.
Last but not least, you cannot apply the ACM cert through the elastic beanstalk console. Instead you will have to use the AWS CLI tools. Here's a link on how to do it: https://stackoverflow.com/a/35173500/1445460
I was looking for this myself and found this useful blog post from one of the Amazon team ...
https://medium.com/#arcdigital/enabling-ssl-via-aws-certificate-manager-on-elastic-beanstalk-b953571ef4f8#.frcj0rj4t
Whilst you can't use the console to select the certificate as stated in your question you can use the Elastic Beanstalk CLI to set the certificate to one you have created in Certificate Manager.