We are using Cloudflare, which points to an AWS load balancer in front of an EC2 instance. The goal here is to have end-to-end encryption but I am trying to understand which parts of this setup actually require a certificate from a Certificate Authority, and whether or not we can use a complete set of free certificates between Cloudflare and AWS.
Cloudflare - We can use their free Universal SSL certificate to secure the traffic from Cloudflare to the load balancer.
AWS Load Balancer - We can use a free AWS certificate which is attached to the load balancer. This same certificate cannot be installed on the EC2 instance.
EC2 Instance - Can we use a self-signed certificate here, or do we need to continue purchasing certificates from a recognised authority? My understanding here is that, yes, we can just use a self-signed certificate and everything will be secure without raising any warnings about the self-signed nature of the certificate, as long as the load balancer has a valid CA certificate from Amazon or other authority.
Cloudflare is set to Full SSL mode which does not validate the origin certificate and will allow it to be self-signed, but I assume this only applies to the load balancer in our case.
You can use whichever SSL you want on the instance, self signed or from a certificate authority.
By doing this the data will be encrypted in transit between your load balancer and the EC2 instance.
It is only the AWS services that require either an ACM cert or an uploaded cert from a valid certificate authority.
Ensure that your servers are kept private if you're using self signed certificates.
Related
What is the best approach to enable https on ec2 public dns? I just have single instance running so i don't think adding load balancer is good approach and I don't have any domain name to point to my instance. I want to enable https on instance public DNS.
What is the best approach to enable https on ec2 public dns?
You can't do this, as the public DNS provided by AWS does not belong to you. The DNS belongs to AWS and only AWS can have a valid SSL certificate for it.
To have a valid public SSL certificate for HTTPS you need your own domain that you control. Then you have to use a third party service (ACM can't be used on EC2 instances, unless in enclave) to get a SSL cert for your domain. A popular choice is https://letsencrypt.org/ with certbot which provides free SSL certificates. By the way, StackOverlow is using letsencrypt as its SSL cert provider. Having the SSL cert you can setup nginx to server your application using HTTPs, or itegrate SSL certificates directly with your application.
If you don't want to do the above, you have to front your instance with load balancer, CloudFront or API Gateway. Having load balancer allows you to use ACM and easily get and provision SSL certificates You still need your own domain of course. Using load balancer is the easiest to setup. With CloudFront and API Gateway there are more things to consider.
I am using AWS and I created an Instance in EC2 and created a SSL Certificate in Certificate Manager, I have a domain from whois.com which I was able to connect to my instance using Route 53.
I am now trying to install the SSL Certificate to my EC2 instance and have googled a bunch on tutorials on the subject, but they all are super confusing and don't seem to work, must of them say I need to use a Load Balancer, but either I am missing a step or something I am doing is wrong because the SSL certificate is not working, http works like a charm, https is not working at all.
Is someone able to point me in the right direction?
AWS do not allow the certificates to be downloaded for ACM public CA so you are limited with where it can be attached.
You cannot use a public ACM certificate directly in your EC2 instance. The following resources support attachment for HTTPS of your application:
Elastic Load Balancer (ALB, CLB or Network Load Balancer with a TLS target group)
CloudFront Distribution
API Gateway
If you do not want to use one of these resources then the following 3 options are available for you:
Use a free SSL CA to generate the SSL for your EC2 instance such as certbot
Purchase a SSL from another CA and install on your host
Use AWS ACM Private CA (Although this can be expensive)
I have an Application Load balancer and 1 EC2 instance currently behind it. Before, I was using another CA for receiving SSL certificates for my domain which was running on the EC2 with nginx. Now, I use SSL from Amazon's Certificate Manager for the load balancer's listener.
Should the domain's certificate be purchased individually on each EC2 instance for https connection to my application after moving it behind the ELB?
Is there any other way to establish https connection without using the separate certificates on the EC2 instances and with just the ACM on the load balancer?
You can use the same certificate on EC2.
But whenever you need to update the certificate you have to change in EC2.
If you have the EC2 in a private subnet (Not accessible to the internet)
you can use the self-signed certificate (self signed certificate nginx).
I encountered this problem and solved it by using the self-signed certificate.
You can use self-signed certificates on the EC2 instances to enable the load balancer to talk to your EC2 instances via https - the load balancer will not to certificate validation, so you do not need commercial certs.
I have dobut in AWS SSL.
I have launched instance in AWS.
Then I got Public IP of launched instance, which pointed to BLUEHOST (only for domain ) DNS record ( Type A).
when I tried subdomain.example.com is working in browser.
Then for SSL, I imported certificate key and crt in certificate manager.And
certificate status is ISSUED.
When I tried HTTPS in browser ( https://subdomain.example.com ) is not working
Any one guide me.
You cannot use the certificate provided by Amazon Certificate Manager(ACM) on EC2 instance. That can only be used with certain AWS services such as Elastic Load Balancer, CloudFront, API Gateway and Elastic Beanstalk.
If you want to use ACM, you can setup a ELB in front of your EC2 instance and have your certificate applied to ELB. When you are requesting for a certificate via ACM make sure to add *.example.com domain to protect your subdomain as well.
If you want to setup SSL on your EC2 instance itself, you can request for SSL certificates from a ssl certificate provider. There are many certificate providers, such as letsencrypt, sslforfree etc..
Here is a guide on how to install SSL certificates obtained from a certificate provider on your EC2 instance.
For some reason I cannot find a yes or no if this is even possible but I am assuming that it would be. I have a domain through AWS that was purchased through AWS Route53. I also created an SSL Cert through AWS Certificate Manager. Now I'm just trying to add that certificate to the domain. I would think that since it is all interconnected that it would just been applied after I approved it and it finished the setup but alas, it has not. So my question is how/where do I connect my SSL Cert to my Route53 hosted domain?
SSL certificates are not connected to a domain's DNS record (via Route 53).
Instead, they are connected to one or more specific infrastructure components.
SSL certificates that you create from ACM can be used with:
AWS Elastic Load Balancer
AWS CloudFront
Create your infrastructure including one or more of those components and then attach your ACM SSL certificate to that.
See the ACM FAQ: https://aws.amazon.com/certificate-manager/faqs/