I made a frontend in aws amplify and created a custom domain over amplify with route 53.
Then I created a subdomain, for example api.domain.com for my spring boot backend rest api.
The subdomain only uses http. For using it with https I need to specify:
server.ssl.key-store, server.ssl.key-store-password and server.ssl.keyAlias
In the documentation I found the following hint but I can't get access to the certificate on Amazon Certificate Manager (ACM):
AWS Amplify Console generates a free HTTPS certificate on all pages and automatically activates it on all Route53 managed domains. The SSL certificate is generated by Amazon Certificate Manager and supports wildcard domains. ACM handles the complexity of creating and managing public SSL/TLS certificates for your AWS-based Web sites and applications. With the wildcard option, the main domain and all subdomains are covered by a single certificate.
So the question is, how to get access to the information I need to specify in spring boot?
Based on the comments.
The ACM certs can only be used on a load balancer, API gateway and CloudFront distribution. They can't be used on an EC2 instance.
There are two options to rectify the issue:
Add load balancer in front of your EC2 instance, a CloudFront distribution or proxy your API through API gateway. On these AWS services you can just install your ACM cert.
Setup SSL certificate on the instance itself. To do this you have to get a third party certificate. A popular choice is https://letsencrypt.org/ which provides free public certificates.
Related
We have to deploy Restful Webservice(API services) and static pages in the AWS environment.
Currently, our Webservice is hosted in EC2 instance with one ELB and Route53. Also, the static pages are deployed in the S3 bucket. The Webservice and Website, both should be in the same domain.
When the user calls "www.domain.com/" it should be routed to the S3 server. However the API calls (www.domain.com/api/**) should be routed to EC2 through ELB. Is there any way to
route API calls to ELB and website access calls to S3 using Route53?
or What is the best approach to resolve this?
Yes, you can deploy both using the same domain name. APIs should be deployed using api.domain.com and websites can deploy using domain.com. For that, you need to purchase an SSL certificate with a domain name and subdomain (eg: https://example.com and https://api.example.com) support and do the following.
Configure certificate in AWS ACM
Deploy your website in the S3 bucket with CloudFront
Deploy APIs in EC2 with the support of a Load balancer (ELB)
Configure Route53 and define two routes. Ie, create Records with 'A record type' in Route53 with ELB address and CloudFront address.
See sample deployment architecture
So far i did below configuration.
I hosted my site on EC2 AWS machine. Public ip and public DNS.
I can access my website by ip as well as public DNS.
I purchased domain name from GoDaddy. www.xxtrasc.com
On AWS I created Hosted Zone then map www.app.xxtrasc.com successfully.
Now i access my website directly www.app.xxtrasc.com
Next want to enable https
On AWS Certificate Manager order certificate with domain name *.xxtrasc.com
Did everything to add CNAME and all. I can see status gree colored Issued on ACM.
Now how i can attached this certificate to my web site so that i can access https://www.app.xxtrasc.com
You cannot use ACM to directly install your ACM Certificate on your AWS based website or application
https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-install.html
You must use one of the following services:
Elastic Load Balancing
Amazon CloudFront
AWS Elastic Beanstalk
Amazon API Gateway
AWS CloudFormation
Please read the official doc : https://docs.aws.amazon.com/acm/latest/userguide/acm-services.html
So to install the certificate directly under apache2/nginx configuration you need to obtain the certificate from other third parties like Lets Encrypt, GoDaddy etc. you can read about that here - https://in.godaddy.com/help/manually-install-an-ssl-certificate-on-my-apache-server-centos-5238
On AWS I recommend using an ELB an placing your EC2 instances behind this ELB. This will allow you to select your ACM certificate from ELB itslef. Please read following doc to use classic load balancer with HTTPS https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/ssl-server-cert.html
If you want to enable SSL on your site, you need to purchase SSL certificate. You can purchase it with Godaddy and then setup it on AWS server. Without SSL certificate, your https site won't work.
I was imported SSL certificate using AWS Certificate manager and it will display In Use status as No and my Subdomain didn't work with https.
Below image displayed the status as I described. What was the reason for that?
Edit: I used Amazon EC2 with ubuntu box.
The AWS Certificate Manager provides SSL certificates for use in a limted set of AWS services:
From What Is AWS Certificate Manager?
You cannot install an ACM Certificate directly on your website or
application. You must install your certificate by using one of the
services integrated with ACM. For more information about these
services, see Services Integrated with AWS Certificate Manager.
These integrated services are:
Elastic Load Balancing
Amazon CloudFront
AWS Elastic Beanstalk
Amazon API Gateway
It appears you have not configured your ACM SSL to be used in one of these services.
A common misconception is that you can use ACM SSL in any HTTP server on an instance - you cannot. You need to use an ELB infront of any webserver in order to properly configure HTTPS.
You need to go to CloudFront and modify your distribution to point to the new ACM Certificate that you just got. CloudFront will then pick up the new cert and deploy it to your distribution for you. ACM will then mark the certificate as "in use". As long as it's then "in-use", ACM will renew it for you and continue to update CloudFront.
I have dobut in AWS SSL.
I have launched instance in AWS.
Then I got Public IP of launched instance, which pointed to BLUEHOST (only for domain ) DNS record ( Type A).
when I tried subdomain.example.com is working in browser.
Then for SSL, I imported certificate key and crt in certificate manager.And
certificate status is ISSUED.
When I tried HTTPS in browser ( https://subdomain.example.com ) is not working
Any one guide me.
You cannot use the certificate provided by Amazon Certificate Manager(ACM) on EC2 instance. That can only be used with certain AWS services such as Elastic Load Balancer, CloudFront, API Gateway and Elastic Beanstalk.
If you want to use ACM, you can setup a ELB in front of your EC2 instance and have your certificate applied to ELB. When you are requesting for a certificate via ACM make sure to add *.example.com domain to protect your subdomain as well.
If you want to setup SSL on your EC2 instance itself, you can request for SSL certificates from a ssl certificate provider. There are many certificate providers, such as letsencrypt, sslforfree etc..
Here is a guide on how to install SSL certificates obtained from a certificate provider on your EC2 instance.
For some reason I cannot find a yes or no if this is even possible but I am assuming that it would be. I have a domain through AWS that was purchased through AWS Route53. I also created an SSL Cert through AWS Certificate Manager. Now I'm just trying to add that certificate to the domain. I would think that since it is all interconnected that it would just been applied after I approved it and it finished the setup but alas, it has not. So my question is how/where do I connect my SSL Cert to my Route53 hosted domain?
SSL certificates are not connected to a domain's DNS record (via Route 53).
Instead, they are connected to one or more specific infrastructure components.
SSL certificates that you create from ACM can be used with:
AWS Elastic Load Balancer
AWS CloudFront
Create your infrastructure including one or more of those components and then attach your ACM SSL certificate to that.
See the ACM FAQ: https://aws.amazon.com/certificate-manager/faqs/