I am using a DigiCert Certificate for an AWS ALB that has a domain: www.example.com
For some reason - the underlying AWS ALB was deleted and a new one was created which also maps to www.example.com
There has been no other change to the underlying servers.
I am now seeing a "Certificate is invalid" error saying it's not secure.
Do I need to procure a new certificate or is it some other issue?
Thanks.
I don't know DigiCert, so I guess that your certificate creates trust for the IP of the ALB.
ALBs are not static at all by design. This is basically a super huge cluster of HAProxy and resources are allocated dynamically based on customers' consumption. There is no way to have a static IP; that's why they give you a CNAME only.
You should seek DNS validation or use an AWS certificate.
Background: My division of bigcorp.com was sold off and now we are lilcorp.com. We have a fleet of appliances deployed that will be looking for software updates on https://updates.bigcorp.com/, but since we no longer control bigcorp.com, we need to update our appliances to check https://updates.lilcorp.com. bigcorp has given us a cert for updates.bigcorp.com and has a DNS CNAME in place that forwards traffic for updates.bigcorp.com to server.lilcorp.com.
I'm trying to configure things like this:
              HTTPS                HTTPS
Appliance -----------> ELB -----------> CloudFront ----------> S3
                     Cert for         Cert for
                     updates.         updates.
                     bigcorp.         lilcorp.
                     com              com
I've got the following DNS records in place:
updates.bigcorp.com CNAME to server.lilcorp.com
server.lilcorp.com CNAME to ELB
updates.lilcorp.com CNAME to CloudFront.net address
CloudFront is configured to use an S3 bucket as its origin.
Status: Things work if I hit CloudFront directly, but that doesn't help since the appliances are hitting the updates.bigcorp.com address.
Questions:
Can an ELB forward to a CloudFront deployment? I'm not seeing how to make it a "target".
Do I need to put a web server in the middle of this to handle the redirect/forward?
Thanks in advance.
Can an ELB forward to a CloudFront deployment? I'm not seeing how to make it a "target".
No, it cannot. The target (for ALB) can only be a private IP address, a Lambda function, or an instance ID.
Do I need to put a web server in the middle of this to handle the redirect/forward?
Yes, you would need some kind of proxy. With ALB, you could use a Lambda function. So the ALB would invoke a Lambda function, and the function would query the external CloudFront distro and return the results.
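The ALB-to-Lambda-to-CloudFront proxy sketched in the answer above, written out as an added example (not code from the thread or from AWS). It assumes a placeholder CLOUDFRONT_HOST (the thread's updates.lilcorp.com, which CNAMEs to the distribution) and follows the ALB Lambda target request/response shape; the `fetch` parameter is injectable only so the handler can be exercised offline with the constructed `demo_fetch`.

```python
# Added example, not from the thread: an ALB Lambda target that proxies
# GET/HEAD requests to a CloudFront distribution. CLOUDFRONT_HOST is an
# assumed placeholder for the name that resolves to the distribution.
import base64
import urllib.error
import urllib.request
from urllib.parse import quote

CLOUDFRONT_HOST = "updates.lilcorp.com"   # assumption: CNAME to the CloudFront distribution

# Only request headers that matter for a download are passed upstream; Cookie,
# Authorization and the appliance's own Host header are deliberately dropped.
FORWARD_REQUEST_HEADERS = {"accept", "if-none-match", "if-modified-since", "range"}
# Hop-by-hop headers ALB regenerates itself; forwarding them can corrupt the response.
DROP_RESPONSE_HEADERS = {"transfer-encoding", "connection", "content-length", "keep-alive"}

_REASON = {200: "OK", 206: "Partial Content", 304: "Not Modified",
           404: "Not Found", 405: "Method Not Allowed"}


def live_fetch(url, headers, method):
    """Perform the upstream request. urllib sets Host and SNI from the URL,
    so CloudFront sees CLOUDFRONT_HOST and serves its certificate for it."""
    req = urllib.request.Request(url, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:   # 4xx/5xx still carry a useful body
        return err.code, dict(err.headers), err.read()


def build_upstream_url(event):
    """Rebuild the requested URL against CloudFront. ALB hands over the query
    string values already URL-encoded, so they are joined without re-encoding."""
    path = quote(event.get("path") or "/", safe="/")
    url = f"https://{CLOUDFRONT_HOST}{path}"
    params = event.get("queryStringParameters") or {}
    if params:
        url += "?" + "&".join(f"{k}={v}" for k, v in params.items())
    return url


def _alb_response(status, headers, body):
    """Shape the result the way ALB expects from a Lambda target. The body is
    always base64-encoded so binary update packages survive the JSON envelope."""
    return {
        "statusCode": status,
        "statusDescription": f"{status} {_REASON.get(status, '')}".strip(),
        "headers": headers,
        "body": base64.b64encode(body).decode("ascii"),
        "isBase64Encoded": True,
    }


def handler(event, context=None, fetch=live_fetch):
    """ALB Lambda-target entry point; `fetch` is injectable for offline use."""
    method = (event.get("httpMethod") or "GET").upper()
    if method not in ("GET", "HEAD"):
        return _alb_response(405, {"allow": "GET, HEAD"}, b"")
    incoming = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    upstream_headers = {k: v for k, v in incoming.items() if k in FORWARD_REQUEST_HEADERS}
    status, resp_headers, body = fetch(build_upstream_url(event), upstream_headers, method)
    kept = {k.lower(): v for k, v in resp_headers.items()
            if k.lower() not in DROP_RESPONSE_HEADERS}
    return _alb_response(status, kept, body)


def decode_body(alb_response):
    """Recover the raw bytes from an ALB response (used by the offline demo)."""
    return base64.b64decode(alb_response["body"])


def demo_fetch(url, headers, method):
    """Constructed stand-in for CloudFront so the example runs offline."""
    assert url == f"https://{CLOUDFRONT_HOST}/manifest.json?v=2"
    assert "cookie" not in headers and "accept" in headers
    return 200, {"Content-Type": "application/json",
                 "Transfer-Encoding": "chunked"}, b'{"v":2}'


def demo():
    """Constructed ALB event (shape follows the ALB Lambda target format)."""
    event = {"httpMethod": "GET", "path": "/manifest.json",
             "queryStringParameters": {"v": "2"},
             "headers": {"accept": "*/*", "cookie": "session=abc",
                         "host": "updates.bigcorp.com"}}
    return handler(event, fetch=demo_fetch)


if __name__ == "__main__":
    print(demo())
```

Two practical limits of this design: the ALB Lambda target caps the response at 1 MB, so large update packages are better handled by returning a 302 to the CloudFront URL than by relaying the bytes, and the function must have outbound internet access (no VPC, or a VPC with a NAT) to reach CloudFront at all.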
even if my DNS records are not pointing to AWS Route 53,
has someone tried this before?
What records do I need to add in addition to A?
Unfortunately you cannot use public ACM certificates directly on your instance, as Amazon will only allow them to be deployed to Amazon-managed resources such as:
Elastic Load Balancer
API Gateway
CloudFront
Without one of these services sitting in front of your EC2 instance you would need to rely on another solution. One of the following would be applicable:
A free service such as certbot allows you to generate a valid SSL certificate that will need to be regenerated every 90 days.
Buy an SSL certificate and deploy it to the hosts.
Use the paid version of Amazon ACM Private CA (This can become quite expensive).
Route 53 is a DNS configuration service, so its responsibility is to control DNS resolution, i.e. example.com resolves to 1.2.3.4. HTTPS is a Layer 6/7 operation after DNS has been resolved and you're trying to connect to the application.
You simply need to create the DNS records for your application (be that an A, Alias or CNAME record). In addition, when verifying SSL certificates the provider would likely ask you to either perform email validation or DNS validation (create a record they provide) to successfully prove ownership.
I am new in terms of every aspect of SSL certificates.
I have an architecture where Route53 routes traffic to a load balancer.
We are moving to production and we have to implement an SSL certificate to handle HTTPS traffic.
Where should I position the certificate in the architecture?
While searching I saw AWS Certificate Manager.
I am wondering how it is different?
And when I buy a certificate, can I use a single certificate with different accounts?
(Example: can I have the same certificate set up for Staging and multiple production environments?)
You can use ACM to generate certificates for you.
It's totally free, if it's a public certificate, and will automatically renew when it expires.
But some security teams will require you to upload a more advanced certificate than ACM generates for you, in this case, you can buy the certificate and upload it in the ACM service. Keep in mind that it won't renew automatically and when it expires you will have to upload a new certificate.
Where should I position the certificate in the architecture?
It depends on your security requirements, but it's totally fine to create HTTPS communication between Client and Load Balancer, and HTTP communication between Load Balancer and Server. In this case, you will only need a public certificate generated by ACM.
If your security requirements need to create a secure communication end-to-end (e.g. HTTPS communication between LoadBalancer and Server), you will need to install the same private certificate in all servers and upload your private certificate in ACM.
While searching I saw AWS Certificate Manager. I am wondering how it is different?
The only difference is that you don't need to buy a certificate if you only use it in Load Balancers / API Gateway, etc., but if you want to download the certificate to install it in your on-premise Load Balancer or in the servers, you will have to pay $400 for each certificate.
And when I buy a certificate can I use a single certificate with a different account? (Example: can I have the same certificate set up for Staging and multiple production environments)
Yes, you can. But keep in mind that you will need to create a wildcard certificate to support multiple DNS names.
The preferred service to use is AWS ACM.
You can either upload your own certificate (i.e. purchase it then upload) or have AWS generate and manage it for you.
If you let ACM manage and generate it will regenerate ahead of its expiry and handle the rotation on each attached resource.
It is important to note that an ACM certificate can only be bound to the following resources for HTTP traffic:
ELB
CloudFront
API Gateway
Once it is connected to these you can use SSL offloading (the TLS connection is terminated at the resource rather than the instance) to connect to the backend resources over plain HTTP.
You should be aware that if you want to serve traffic directly from an EC2 instance you will not be able to use the ACM public CA and instead would be limited to one of the following:
Buy a certificate and deploy it to all servers
Use a service like certbot on each server
In addition you can use certificates that are hosted in IAM, but this is considered legacy with fewer features than ACM.
My certificate has expired and I recreated it and reassociated it with a load balancer.
The certificate has *.example.com and example.com attached (?) to it
and I can see that certificate works by visiting https://example.com.
Then I try to visit https://log.example.com and it errors with NET::ERR_CERT_DATE_INVALID (It must be the old expired certificate which is causing the error)
Question is, how can I get the new certificate to be used for the EC2 machine?
EDIT
log.example.com is not behind the load balancer; it's directly mapped via IP address
The certificate being served by log.example.com is not using the ACM certificate attached to load balancer for example.com as it is served directly by the IP address.
You are limited to the following options:
If you want to use an ACM certificate you will need to either add a CloudFront distribution or a load balancer in front of your application. The DNS record for log.example.com would need to be changed to the new resource.
If you want to use a direct connection to your instance then you are limited to using another certificate authority. You can use certbot to generate a free certificate, or purchase one from another provider. This will then need to be installed and configured on your server.
I am facing an issue with an SSL certificate that I need to bind to an ELB instance.
Here is the situation:
I have registered a wildcard SSL certificate in Region A for the *.example.com and example.com domains.
There is an ELB instance pointing to admin.example.com in region A which has a 443 listener using that SSL cert for HTTPS access, and it's working fine.
Now, in Region B, I have another new ELB instance that I need to point to the SAME domain with a different subdomain: store.example.com
To achieve this, I have created a new SSL cert in the second region and assigned it to that ELB. However, I keep seeing the "Not Secure" warning from the browser when I try to open store.example.com
This has to do with the way AWS structures their infrastructure.
The only way is to create a new one in the other region.
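Both of the last two threads (NET::ERR_CERT_DATE_INVALID on log.example.com, "Not Secure" on store.example.com) come down to the same question: which certificate is the host actually serving, does its SAN list cover the name, and is it still valid? The following is an added example that is not code from the thread or from any vendor. It connects with SNI set to the hostname and verifies against the system trust store, and the pure functions apply the browser wildcard-matching rule and the expiry check offline on constructed data; the example.com names are the thread's placeholders.

```python
# Added example, not from the thread: check what certificate a host actually
# serves and explain browser errors such as NET::ERR_CERT_DATE_INVALID or
# "Not Secure". Only diagnose() touches the network; the rest runs offline.
import socket
import ssl
import time


def hostname_matches(hostname, san_names):
    """Browser wildcard rule: '*.example.com' covers 'log.example.com' but
    neither 'example.com' nor 'a.b.example.com' (one label only)."""
    host = hostname.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                     # ".example.com"
            label = host[:-len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
    return False


def days_until_expiry(not_after, now=None):
    """`not_after` is the notAfter string from getpeercert(),
    e.g. 'Jun  1 12:00:00 2025 GMT'. Negative means already expired."""
    expires = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now is None else now
    return (expires - now) / 86400.0


def explain(hostname, san_names, not_after, now=None):
    """Return the reasons a browser would reject this certificate for
    `hostname`; an empty list means name and validity period are fine."""
    problems = []
    if not hostname_matches(hostname, san_names):
        problems.append(f"name mismatch: {hostname} is not covered by SAN {san_names}")
    days = days_until_expiry(not_after, now)
    if days < 0:
        problems.append(f"expired {-days:.0f} days ago (NET::ERR_CERT_DATE_INVALID)")
    return problems


def diagnose(hostname, port=443, timeout=5.0):
    """Connect with SNI=hostname and verify against the system trust store.
    On failure the OpenSSL verify message says why (expired, hostname mismatch,
    unknown issuer); on success the SAN list and any residual problems are returned."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as err:
        return {"host": hostname, "ok": False, "reason": err.verify_message}
    except (OSError, ssl.SSLError) as err:
        return {"host": hostname, "ok": False, "reason": str(err)}
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {"host": hostname, "ok": True, "san": sans,
            "problems": explain(hostname, sans, cert["notAfter"])}


if __name__ == "__main__":
    # Offline walk-through with constructed data: a wildcard certificate that
    # expired on 2020-01-01, examined ten days later.
    wildcard = ["*.example.com", "example.com"]
    ten_days_later = ssl.cert_time_to_seconds("Jan 11 00:00:00 2020 GMT")
    for host in ("example.com", "log.example.com", "a.b.example.com"):
        print(host, explain(host, wildcard, "Jan  1 00:00:00 2020 GMT", ten_days_later))
```

Run `diagnose("log.example.com")` against the real host: a "certificate has expired" verify message confirms the instance is still serving the old certificate from its own disk (the ACM certificate on the load balancer never reaches a host addressed by IP), while a hostname-mismatch message on store.example.com means the listener in the second region is serving a certificate whose SAN does not include that name.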