I have configured the AWS load balancer to secure my website, i.e. to resolve through "https". But when I use(https://www.schoolnskill.com), it gives
503 Service Temporarily Unavailable.
So I have followed the below steps to configure my environment.
I created a domain name in route53 and have been issued with a SSL/TLS certificate through AWS Certificate manager.
For my load balancer I set up listener for https:443 and attached the above certificate with it.
The security group for my ec2 instances allow http and https requests (although I believe the load balancer ec2 target will communicate using http).
I have attached a screenshot with the summary of the configuration.
Then in the ROUTE 53, I edited the 'A' record of 'www.schoolnskill.com'. Below are the changes I made.
Alias:- yes
Alias target:- chosen the application LB
Routing policy:- simple
Then save the settings.
I can see that whenever I type 'http://www.schoolnskill.com', it is redirected as 'https://www.schoolnskill.com'
Health_CHK
Thank you,
The problem was the availability zones. The AZ of my load balancer was different from that of EC2 instance. I matched the AZ of ALB to my EC2, and it worked.
Thank you,
Related
I have an EC2 Ubuntu Instance running on AWS.
I have created a SSL certificate for my domain using AWS Certificate Manager.
i have created the needed hosted zone with the needed records for my domain.
I have created a Load Balancer with listeners for both protocols HTTP and HTTPS.
Now, I can access the site using the public IP from the AWS Instance and also using my domain name.
The issue is when trying to access the site using https.
There appears an error page: ERR_SSL_PROTOCOL_ERROR
I don't know what is wrong in my approach to get a working site running with a SSL certificate.
I guess it can be due to the Ubuntu Apache2 configuration, but not sure.
I would appreciate a checklist of things I should verify in AWS (Certificate Manager, EC2 Instance, Load Balancer, Route 53, etc.) or in the configuration of the Ubuntu Apache2 server.
EDIT:
This is the security group inbound rules that are in use with the ELB
I would double check security group on the ELB, confirm domain DNS. It's something on the ELB side since you are not connecting there.
I've reviewed the Lightsail load balancer and unlike ACM, you cannot add wildcard SSL's.
For example on ACM, this can done:
example.com
*.example
And then attached to an EC2 Loadbalancer.
But for Lightsail, the wild card is not accepted. When we issue only on the apex domain to the load balancer:
example.com
When we resolve demo.example.com, we get a cert invalid error.
As we don't know ahead of time the sub-domains in use, and the limit of 9 is too few, is there a workaround?
I came up with a solution but I can't say for sure it is the only one.
TL;DR - Use an EC2 Load Balancer and add it's target as your LighSail instance. To this load balancer attach a standard ACM certificate. Don't use the LightSail load balancer at all.
Outline Steps
Launch a load balancer in EC2 and attach your LightSail instance as a target (Remember to use the private IP of your LightSail instance and check your security settings, zone and region prior to set up)
Open ACM and provision your certificate. To protect your entire domain, you will require two entries on this cert i.e. example.com and *.example.com
Validate the certificate (DNS etc) and attach it to the load balancer in EC2.
I have installed wordpress site on just 1 EC2 instance which is running on 1AZ (means 1 public subnet). I have bought a domain as well using Route 53. Currently my site is HTTP only which I want to make it HTTPS. I have got SSL certificate from AWS Certificate Manager as well. Using Route 53, currently I have mapped A record IP V4 mapping with my EC2 instance public IP V4 address.
I'm facing issue here in changing my site to HTTPS from current HTTP. Since my site is deployed on just 1 AZ (public subnet), I cannot add Elastic Load Balancer in front of my EC2 instance as it requires minimum 2 public subnets (this is what my understanding is). If my side was deployed on 2 AZs (2 public subnets) then easily I would have configured Application Load Balancer with these 2 subnets and would have used the SSL certificate which is stored in AWS certificate manager but in my case it is just 1 AZ/1subnet.
Question 1) Is it necessary to have 2 public subnets to configure elastic load balancer? Can't I configure load balancer with just 1 subnet like in my case? If yes then please advise how to do it?
Question 2) Is load balancer really necessary between Route 53 and EC2 instance to make the site HTTPS? Can I configure Route 53 and SSL certificate to listen to EC2 instance directly and make the site HTTPS?
Please assist here to make my site HTTPS. Thanks
1) Yes, an ELB requires two subnets - but you dont have to have a server running in both subnets (but obviously you dont get the benefit/cost of dual servers). Within AWS goto the VPC section and create a new subnet inside the correct VPC - you should then be able to create an ELB (it may complain about the 2nd subnet - but if there are no instances inside that subnet it doesnt really matter).
2) No, but if you want to use the free ACM certificate it must be installed at the Load Balencer or CloudFront distribution level. There's nothing stopping you installing your own certificate on your EC2, configuring apache to use it and then renewing it as required. Take a look at LetsEncrypt for free certificates, or buy a cert online.
Few things to bare in mind:
"Best Practise" for TLS/HTTPS is constantly changing. AWS take the headache out of this by providing policies so updating to the latest standard is very simple and requires no changes to your ec2 (as its talking to the ELB via port 80)
If you decide to manage your own certificate, take a look at the SSL Labs certificate tester (https://www.ssllabs.com/ssltest/) to help you ensure your configuration is correct.
Let me answer the questions inline.
Question 1) Is it necessary to have 2 public subnets to configure
elastic load balancer? Can't I configure load balancer with just 1
subnet like in my case? If yes then please advise how to do it?
Yes. You must specify subnets from at least two Availability Zones to increase the availability of your load balancer. This is why you need at least two subnets (Minimum one subnet in each Availability Zone). When you run the EC2 instances, it is also recommended to run them in both Availability Zones (Given to the Load Balancer) with Auto Scaling for high availability and fault tolerance.
Question 2) Is load balancer really necessary between Route 53 and EC2
instance to make the site HTTPS? Can I configure Route 53 and SSL
certificate to listen to EC2 instance directly and make the site
HTTPS?
It is necessory if you are using Amazon Certificate Manager (ACM) Issued SSL certificates. Otherwise, if you use an externally purchased SSL certificate, you can configure the SSL certificate at your EC2 instance web server level.
Note: An alternative approach is to use AWS CloudFront as a proxy (Also for SSL termination using ACM certificate) and proxy the requests to the EC2 instance (If you don't want to pay for the Load Balancer where CloudFront costs are based on the number of requests unlike an hourly charge for Load Balancer).
I have an AWS EC2 instance, a Route53 registered domain, an AWS Load Balancer and an AWS Certificate.
What I want to achieve is to access the domain as "https://...", as of today I haven't been able to.
What I've done so far is:
1.- Set the EC2 (Amazon Linux AMI) with apache and it's listening to de ports :80 :443
When I browse to the puclic IP of the EC2 I see index.html no problem.
2.- I have registered a new domain using Route53. I added a Record Set for the Hosted Zone Type IPv4 address with the value of the IP of the EC2 instance.
When I browse to the domain.com I see index.html no problem.
3.- I got an AWS Certificate for *.domain.com and domain.com. For validation I added a Type CNAME Record Set provided to the Hosted Zone of the domain. For both the validation status is OK.
4.- I created a Load Balancer that listens to HTTP:80 and HTTPS:443 and I added a Record Set in the Hosted Zone of the domain with [type:IPv4, Alias:Yes, Alias Target: name of the Load Balancer]. I didn't type the name of the Load Balancer, I selected it from the select dropdown.
However the Load Balancer has the fields Port Configuration and Instance Count blank as you can see in the screenshot.
5.- When I check the file /etc/httpd/logs/ssl_error_log I see a message that I can'f figure out what it means, nothing good I imagine. The text of the message is AH01906: ... as you can see in the next screenshot.
When I browse to https:// domain I get the message that is not safe.
I'm very new to all this and I'm sure I'm doing something wrong but I can't figure out what.
I would appreciate any help or pointer you could give to me.
Thanks very much, this community is awesome anyway.
AWS Certificate Manager does not offer free SSL for website. It does offer free SSL certificate for some of their services endpoint (not the same as using directly on your EC2 instance).
For certificates that you want to install directly on EC2, you have to pay for a private Certificate Authority. (note: its expensive)
Q: With which AWS services can I use ACM certificates?
You can use public and private ACM certificates with the following AWS services:
• Elastic Load Balancing – Refer to the Elastic Load Balancing documentation
• Amazon CloudFront – Refer to the CloudFront documentation
• Amazon API Gateway – Refer to the API Gateway documentation
• AWS Elastic Beanstalk – Refer to the AWS Elastic Beanstalk documentation
• AWS CloudFormation – Support is currently limited to public certificates that use email validation. Refer to the AWS CloudFormation documentation
In addition, you can use private certificates issued with ACM Private CA with EC2 instances, containers, IoT devices, and on your own servers.
Alternatively, you can use Let's Encrypt, a service provided by EFF, for free. They have a tool called CertBot to automatically renew the certificates for you.
I'm trying to setup my website (on AWS). I have a t2.micro instance running on the us-east-1 region, and a Load Balancer (availability zones are us-east-1d and us-east-1c). I bought my domain using route 53, and also used the certificate manager to generate my SSL certificate (which I have attached to the load balancer).
My problem is that the load balancer seems to always send me to the root domain and it completely ignores the 2 subdomains I have setup on the EC2 instance. They were working perfectly until I created the ELB. So how can I get the subdomains working with the ELB? Or is this not the proper way of doing it? Can anyone point me to the right direction?
Thanks
You need to look at the application load balancer's rules. You can direct traffic based on the requested host name, or path. For example you can send app.example.com to one target group or blog.example.com to another group. Or you can route paths to individual target groups; for example example.com goes to your site, but example.com/cart goes to a microservice running your shopping cart.