My certificate has expired and I recreated and reassociated with a load balancer.
The certificate has *.example.com and example.com attached (?) to it
and I can see that certificate works by visiting https://example.com.
Then I try to visit https://log.example.com and it errors with NET::ERR_CERT_DATE_INVALID (It must be the old expired certificate which is causing the error)
Question is, how can I get the new certificate to be used for the EC2 machine?
EDIT
log.example.com is not behind the load balancer; it's directly mapped via IP address.
The certificate being served by log.example.com is not using the ACM certificate attached to load balancer for example.com as it is served directly by the IP address.
You are limited to the following options:
If you want to use an ACM certificate you will need to either add a CloudFront distribution or a load balancer in front of your application. The DNS record for log.example.com would need to be changed to the new resource.
If you want to use direct connection to your instance then you are limited to using another certificate authority. You can use certbot to generate a free certificate, or purchase one from another provider. This will then need to be installed and configured on your server to use.
First, I'm not talking about emitting my own certs to the dev environment; I need a CA cert for the prod environment. I have a Node app running on an EC2 instance using PM2. That being said, my doubt is: when I buy a cert I have to put a domain, but freaking EC2 is just an IP, so should I put the IP as the domain for the SSL?
To get proper HTTPS for your instance you must have your own domain. An IP can't be used. An SSL cert for the instance can be obtained for free if you have a domain. A popular choice is Let's Encrypt, which is also used by Stack Overflow for its own SSL certificate.
Best and easiest solution is to use AWS certificate manager and tie that cert to an Elastic load balancer, with the EC2 instance behind it.
If you prefer to use a 3rd party cert, then you will need a domain in Route 53, and alias the IP number to the domain.
I already have a domain, like example.com, and I have a simple app running on an EC2 instance.
I've allocated an Elastic IP for this instance, created a zone on Route 53, created an A record, and also an alias record.
I have updated the nameservers from the Route 53 NS records in the GoDaddy domain settings (and I should mention that I've waited 48 hours for the NS records to propagate, and that part is fine).
When I ping example.com on my own computer, the DNS name resolves to the correct IP address.
When I check the Elastic IP, it's working and shows my website, but when I check example.com it does not show my app and shows "This site can’t be reached":
this is a screenshot of what it shows
I cannot see where's the problem!
Based on the comments.
The issue was due to using https rather than http. The http connection works. To set up HTTPS the following general procedure needs to be undertaken:
Get a public SSL certificate. Since you are using an instance, you can't use AWS ACM for that. In this case a popular choice is https://letsencrypt.org/, where you can register a free SSL certificate for your domain and its subdomains.
Set up SSL connectivity on your instance. Often this is done by using nginx as a reverse proxy. The nginx will provide HTTPS for your instance using the SSL certificates from step 1.
Open port 443 (HTTPS) in your security group.
The alternative is to front your instance with an application load balancer (ALB). Using it, you can easily get a free AWS ACM certificate and deploy it on the ALB. No actions are required on your instance in this case.
I have created a microservice API application and hosted it on an AWS ECS cluster, and attached this cluster to an AWS Application Load Balancer (ALB). I added a certificate from AWS Certificate Manager to the ALB. When I try to call the link provided by the AWS ALB from my frontend app, it returns an error:
net::ERR_CERT_COMMON_NAME_INVALID
The link from the ALB is something like this:
xxxxx-xx-xxxxxxxxx.ap-south-1.elb.amazonaws.com
I attached an SSL certificate to the listener. The SSL certificate is issued using AWS Certificate Manager for my-site.xyz and *.my-site.xyz.
The frontend application is a React application hosted on different-site.ai using AWS Amplify.
Edit
The OP wanted this to resolve for their root/apex domain example.com; as they use Namecheap (which supports an Alias record), a value was added for the root domain following these instructions.
Alias records are also supported in Route 53.
It needed to be an alias record, as a root domain traditionally can only resolve to an IP address (which would be an A record), whereas Alias will map the IP of the CNAME record to the value instead.
Original
The error is thrown because the SSL certificate that is attached is not applicable to the domain you're trying to access.
For example the cert is for example.com but you're trying to access xxxxx-xx-xxxxxxxxx.ap-south-1.elb.amazonaws.com.
To access this you must use a valid domain name; to do this, add a DNS record so that example.com resolves to xxxxx-xx-xxxxxxxxx.ap-south-1.elb.amazonaws.com. Then, when accessing example.com, the SSL will be valid.
In my case, when I was requesting a certificate, I failed to list the domain names correctly.
For example, if your website was www.somewhere.com, you would need to add
www.somewhere.com
and also add
somewhere.com
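The three browser errors discussed in this thread (NET::ERR_CERT_DATE_INVALID on log.example.com in the first question, NET::ERR_CERT_COMMON_NAME_INVALID on the raw ALB hostname above, and the missing apex name in the answer just before this) all come from the same two checks a client performs on a leaf certificate: is the current time inside the validity window, and does any name in the certificate cover the hostname under RFC 6125 matching rules. The following is an added example, not code from any of the posts; it implements those two checks with the standard library only, and the certificate data is constructed inline (names mirror the thread, dates are invented) so nothing is fetched from the network.

```python
"""Hostname-vs-certificate checker (added example, constructed data only)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional


@dataclass
class CertInfo:
    """Minimal view of a leaf certificate: CN, validity window, SAN DNS names."""
    subject_cn: str
    not_before: datetime
    not_after: datetime
    san_dns: List[str] = field(default_factory=list)


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 section 6.4.3 rules, compared case-insensitively.

    - '*' is only accepted as the entire left-most label ('*.example.com');
    - it matches exactly one label, so '*.example.com' covers
      'log.example.com' but neither 'example.com' nor 'a.b.example.com';
    - '*.com'-style wildcards (fewer than three labels) are rejected;
    - without a wildcard the names must be identical.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False  # partial wildcards such as 'l*.example.com' rejected
    if len(p_labels) < 3:
        return False  # wildcard directly under a TLD is never accepted
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def matching_names(cert: CertInfo, hostname: str) -> List[str]:
    """Names in the certificate that cover hostname (empty list if none).

    Modern browsers look at the SAN extension only; the CN is consulted
    here solely when the certificate carries no SAN at all.
    """
    names = cert.san_dns if cert.san_dns else [cert.subject_cn]
    return [n for n in names if name_matches(n, hostname)]


def check(cert: CertInfo, hostname: str, now: Optional[datetime] = None) -> str:
    """Browser-style verdict: 'OK', 'DATE_INVALID' or 'NAME_INVALID'."""
    now = now or datetime.now(timezone.utc)
    if not (cert.not_before <= now <= cert.not_after):
        return "DATE_INVALID"
    if not matching_names(cert, hostname):
        return "NAME_INVALID"
    return "OK"


# Constructed fixtures: the "now" is fixed so results are reproducible.
FIXED_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# The expired cert still installed on the instance behind log.example.com.
OLD_INSTANCE_CERT = CertInfo(
    "example.com",
    datetime(2023, 5, 1, tzinfo=timezone.utc),
    datetime(2024, 5, 1, tzinfo=timezone.utc),
    ["example.com", "*.example.com"],
)
# The renewed cert attached to the load balancer.
NEW_LB_CERT = CertInfo(
    "example.com",
    datetime(2024, 5, 1, tzinfo=timezone.utc),
    datetime(2025, 5, 1, tzinfo=timezone.utc),
    ["example.com", "*.example.com"],
)
# ACM cert for my-site.xyz, reached via the ALB's own amazonaws.com name.
ACM_CERT = CertInfo(
    "my-site.xyz",
    datetime(2024, 1, 1, tzinfo=timezone.utc),
    datetime(2025, 1, 1, tzinfo=timezone.utc),
    ["my-site.xyz", "*.my-site.xyz"],
)
# Cert requested for www.somewhere.com only, without the apex name.
WWW_ONLY_CERT = CertInfo(
    "www.somewhere.com",
    datetime(2024, 1, 1, tzinfo=timezone.utc),
    datetime(2025, 1, 1, tzinfo=timezone.utc),
    ["www.somewhere.com"],
)

if __name__ == "__main__":
    cases = [
        (OLD_INSTANCE_CERT, "log.example.com"),
        (NEW_LB_CERT, "log.example.com"),
        (ACM_CERT, "xxxxx-xx-xxxxxxxxx.ap-south-1.elb.amazonaws.com"),
        (ACM_CERT, "api.my-site.xyz"),
        (WWW_ONLY_CERT, "somewhere.com"),
    ]
    for cert, host in cases:
        print(f"{host:50} {cert.subject_cn:20} {check(cert, host, FIXED_NOW)}")
```

The date check runs first because that is the error the first question saw: the instance was still serving the old certificate, whose names were fine but whose validity window had ended, so renewing the ACM certificate on the load balancer changed nothing for a host that bypasses it. The name check explains the ALB case: no name in the my-site.xyz certificate can ever match an amazonaws.com hostname, which is why the fix is a DNS record for a name the certificate does cover, and it also shows why a wildcard does not cover the apex domain.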
I am facing an issue with an SSL certificate that I need to bind to an ELB instance.
Here is the situation:
I have registered a wildcard SSL certificate in Region A for the *.example.com and example.com domains.
There is an ELB instance pointing to admin.example.com in Region A which has a 443 listener using that SSL cert for HTTPS access, and it's working fine.
Now, in Region B, I have another new ELB instance that I need to point to the SAME domain with a different subdomain: store.example.com.
To achieve this, I have created a new SSL cert in the second region and assigned it to that ELB. However, I keep seeing the "Not Secure" warning in the browser when I try to open store.example.com.
This has to do with the way AWS structures their infrastructure.
The only way is to create a new one in the other region.
I created an SSL certificate last night for use with an API (Tomcat, Spring Boot) on AWS Elastic Beanstalk using instructions provided by Amazon Certificate Manager.
When creating the cert, I entered the URL of my static site that calls the API, which is hosted by GoDaddy. ACM sent an email to my URL which I opened and approved, and I now see the cert as issued by Amazon in my certs. I am also able to select it when I configure HTTPS for my EB load balancer. I am not able to export this cert though, as it isn't private.
My question is, how is domain name used? I think I'm a little confused about how to use SSL on both my API and my static site AS WELL as the small bit of static content I'll host out of Tomcat.
Thanks.
ACM certs can only be used with AWS services: CloudFront (if the cert is issued in us-east-1) and, regionally, the classic load balancer and application load balancer.
You cannot export the cert for use in other products, so if you wanted to have Tomcat handle SSL you would need to get either a commercial cert or use something like Let's Encrypt.
If you have multiple host names you want to protect, you have different options.
You can get one cert per hostname if they are running on completely separate infrastructure; you can also have multiple host names in a single cert - even if there are multiple domains; and finally you can get a wildcard cert.