I am trying to access my AWS Application Load Balancer(ALB) but I am getting a net::ERR_CERT_COMMON_NAME_INVALID instead.
Current Scenario:
ALB has an HTTPS:443 listener (only one listener is present) with an SSL Certificate provided for my domain example.com & *.example.com.
I would be more than happy to provide any further details required to support my query.
Thanks in advance.
This comes down to one of the following scenarios:
The SSL certificate attached to the load balancer does not include the domain you're expecting it to. For wildcards remember that *.example.com will only cover a single level subdomain such as www.example.com not secondary levels such as beta.www.example.com.
The domain you're accessing with the browser is not supported on the SSL, you need to ensure the SSL is valid for that domain only (if it redirects to another domain or you're trying to access via the load balancer domain name it will not be valid).
You should be able to get some more information about the error by running the below.
curl -i -v https://example.com
Related
I have set up a CDN by following this document: https://cloud.google.com/cdn/docs/setting-up-cdn-with-bucket
http (with port 80)
https (with port 443) with a google-managed certificate
example.com is pointing to the load balancer's ip adress (google domains)
the certificate says example.com is active
simple index.html is in the backend bucket
I can load http://example.com fine but it is insecure. When I load https://example.com on chrome I get the following:
This site can’t provide a secure connection
mydomain.com uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Can somebody help me set up Cloud CDN with https using GCP storage?
EDIT: trying adding AAAA following How do you serve a static website using Google Cloud CDN, Google Cloud Storage, and a custom domain?
Requestor Pays was already off
The permission was to allUsers with Storage Object Viewer
EDIT2: adding AAAA didn't work for me
EDIT3: Got rid of AAAA. It is working now... I guess it takes quite long
Yes, depending on your domain provider. Normally, the longest takes up to 78 hours.
You need to enable the http-https redirect. You need to configure the http frontend, and there you have the option to enable the http-https redirect.
I would assume that you did not add the external IP of the Load Balancer as one of the domains accepted by your SSL certificate (and you shouldn't have to), so it will not really load the page via https://(LoadBalancer-IPAddress)
I want to have a subdomain (api.mysite.com) which makes calls to an EC2 classic load balancer (load-balancer-123456789.us-east-2.elb.amazonaws.com). Everything is hosted on AWS, to (theoretically) make it as straightforward as possible.
I created a domain and subdomain in AWS Route 53, as per the instructions here, and created an "A" record in the subdomain that links to my load balancer as an alias. That works fine, I can make calls to the load balancer through api.mysite.com, as long as I use HTTP.
But when I try to use HTTPS, I get ERR_SSL_PROTOCOL_ERROR. If I try to open the API in a browser, the security icon says that it's "not secure". I think the problem might be that the certificate is connected to the main domain (mysite.com) instead of the subdomain (api.mysite.com), but I can't figure out how to get it to resolve properly.
This SSL checking site shows the EC2 server itself (the one that the load balancer points to) and reports "Certificate not valid for domain name". It's an Ubuntu server, though I'm not sure if that should matter.
The SSL certificate needs to specify the subdomain as well as the main domain. The easiest way to do this is through AWS's Certificate Manager, by requesting a new certificate.
Make sure to specify each relevant domain and subdomain in the certificate (in this case, both mysite.com and api.mysite.com.)
After creating the certificate, go to the Load Balancer, open up the Listeners tab, and select the HTTPS port. Then, change the SSL certificate for that port to the certificate that includes the relevant subdomain. If you use AWS Certificate Manager, it can be selected from the dropdown menu.
We have our website hosted up on AWS EC2 instance behind the Application Load Balancer. Our Route 53 is targetting the Application Load Balancer.
Assuming we have a domain name - company.com
we have SSL registered for this domain *.company.com. We have this certificate enabled on the Application load balancer at 443 port.
We want our website hosted at subdomain - sub.company.com
Current Scenario:
When we access the website with http://www.sub.company.com or http://sub.company.com or https://sub.company.com.
With the rewrite rule for the first two, we are able to redirect to the third endpoint mentioned.
Problem arises in this particular case where we are trying to access the website with https://www.sub.example.com, It gives us a Non Secure Warning. How can we redirect this to https://sub.example.com ?
Things I have tried:
I have tried adding Rewrite rules on the webserver of EC2 Instance.
Added routing rules at Application Load balancer to redirect it at https://sub.example.com
Both of these solutions are not able to resolve the problem, It's maybe because SSL validation is happening at the first step of connection establishment before it reaches to load balancer layer.
How can we resolve this?
When you request a wildcard certificate, the asterisk (*) must be in the leftmost position of the domain name and can protect only one subdomain level.
For example, *.example.com can protect login.example.com and test.example.com, but it cannot protect test.login.example.com. then you have to request a separate certificate for *.login.example.com
I have created an microservice API application and hosted it on AWS ECS cluster and attached this cluster to AWS Application Load Balancer (ALB). Added a certificate from AWS Certificate Manager to the ALB. When I try to call using the link provided by AWS ALB, from my frontend app, it returns an error:
net::ERR_CERT_COMMON_NAME_INVALID
The link from ALB is sonething like this:
xxxxx-xx-xxxxxxxxx.ap-south-1.elb.amazonaws.com
I attached a SSL certificate to the listener. The SSL is issued using AWS Certificate Manager for my-site.xyz and *.my-site.xyz
The frontend application is react application hosted on different-site.ai using AWS Amplify
Edit
The OP wanted this to resolve for their root/apex domain example.com, as they use Namecheap (which support an Alias record) a value was added for the root domain following these instructions.
Alias records are also supported in Route 53.
It needed to be an alias record as a root domain traditionally can only resolve to an IP address which would be an A record, whereas Alias will map the IP of the CNAME record to the value instead.
Original
The error thrown is because the SSL certificate that is attached is not applicable for the domain you're trying to access.
For example the cert is for example.com but you're trying to access xxxxx-xx-xxxxxxxxx.ap-south-1.elb.amazonaws.com.
To access this you must access on a valid domain name, to do this add a DNS record so that example.com resolves to xxxxx-xx-xxxxxxxxx.ap-south-1.elb.amazonaws.com. Then when accessing example.com the SSL will be valid.
In my case, when I was requesting a certificate, I failed to list the domain names correctly.
For example, if your website was www.somewhere.com, you would need to add
www.somewhere.com
and also add
somewhere.com
I want to add my ec2 load balancer to my domain, under mysite.com/api/etc. On route53 it only lets me add a subdomain. In theory I could do api.mysite.com but I want to see if mysite.com/api is possible first. Currently in my route53 record sets, I just have one for mysite.com and www.mysite.com, (www.mysite.com points to my cloudfront which points to my s3 bucket which redirects to the mysite.com bucket). The reason for all of this is that I want to be able to make https api calls to my ec2 server, but it appears I get a several errors with my current configuration. When I access it via browser, I receive an ERR_CONNECION_TIMED_OUT, and when I use python.requests, I get a
SSL.ERROR: HTTPSConnectionPool...(Casused by SSLError(CertificatError
("hostname 'my-ec2-env-us-east-1.elasticbeanstalk.com'
doesn't match either of 'mysite.com, www.mysite.com)
I assume this certificate error is causing my browser timed out error (I'm fairly certain my other configurations are correct, I added my HTTPS port 443 to security groups with inbound settings to allow 0.0.0.0/0 and ::/0, and I selected the 2016-8 SSL Policy. To resolve this certificate error, I assume I need to purchase another domain/add it onto my existing domain, add a certificate to it, and have the endpoint be my EC2 load balancer.