I've created an EC2 instance, installed a service and I was able to route it to my address with Route 53. So I can go to example.com/myservice and see it in the browser.
However, in the browser, I get a small info card in the address bar that says
"Not secure" and information about not entering sensitive information.
What does this message mean? How can I avoid this message? What do I need to change in my existing setup?
All info is welcome, as this is fairly new for me.
This means that you are connecting to your website using HTTP protocol, not HTTPS. HTTP is not secure as all data is in plain text, while in HTTPS your data is encrypted.
To rectify the issue you can install an SSL certificate directly on your instance or leverage Load Balancer or CloudFront in front of the instance.
Some useful links from AWS documentation:
Tutorial: Configure SSL/TLS on Amazon Linux 2 for direct installation of the certificate
Add an HTTPS Listener for Application Load Balancer
Using Alternate Domain Names and HTTPS for CloudFront
Dear Stack Overflow community. This question has been asked before, but my question is a little bit different.
So I am using Elastic Beanstalk to deploy my Django backend and RDS for the database (PostgreSQL).
EB generated a link for my backend --> http://XXXXX.region.elasticbeans.com. The issue is that when I send a request from the frontend side (HTTPS), it gives a "Blocked loading mixed active content" error, which comes from HTTPS to HTTP request. As far as I am concerned I have to change configuration of the Load Balancer of my EC2 instance and add redirection. In order to successfully do that I am required to have a SSL certificate. However, when I use ACM (Certificate Manager) in order to generate one using the exact same link for the backend, it automatically rejects my request.
So my question is that what is the exact process of obtaining the SSL cert. for the default EB link, or maybe there are easier ways to redirect HTTP to HTTPS from the AWS console?
Regards.
So my question is that what is the exact process of obtaining the SSL cert. for the default EB link,
There is no process as this is not possible. You need to have your own domain (e.g. myapp.com). Only then you can setup SSL using ACM. Once you have your own domain, the full process of setting up https on EB is in AWS docs.
I bought a domain named studileih.de, then I deployed my Angular frontend on firebase: https://studileih-ceb70.web.app/ and redirected from my domain studileih.de to the firebase URL.
Then I deployed my Spring Boot backend to AWS Elastic Beanstalk on: http://studileih1.eu-central-1.elasticbeanstalk.com/
-> Problem: Since the frontend on firebase used https and the backend on AWS used http I got a Mixed content error. The frontend wasn't able to load any of the backend data.
So I tried to solve this by creating a SSL certificate for my backend in the AWS Certificate Manager (ACM) and adding this to my Elastic Beanstalk Load Balancer. This worked and I could now at least make a connection from my frontend to my backend.
But now I get this error whenever a request to my backend gets sent:
When I click on "Accept the Risk and Continue" once, it works fine and all my backend data gets loaded. But I can't ask my users to do that.
(You can try this out by following: https://studileih1.eu-central-1.elasticbeanstalk.com/products and clicking "Advanced" -> "Accept the Risk and Continue" (if you dare ^^)
after you've done that, click on studileih.de and it will now load with the backend data.)
I know the problem exists because when creating the SSL certificate, I entered studileih.de as the domain that the certificate is for. I think I have to create a SSL certificate for studileih1.eu-central-1.elasticbeanstalk.com instead.
But when I try to create a SSL certificate for studileih1.eu-central-1.elasticbeanstalk.com:
I get this error from ACM:
How do I create a SSL Certificate for the Elastic Beanstalk URL?
p.s. I also tried to issue a certificate for my firebase URL https://studileih-ceb70.web.app/ but this one already uses HTTPS by default. Also I couldn't find out how to DNS/Email validate the ACM request in the firebase console. But I think I need a certificate for the Elastic Beanstalk backend at studileih1.eu-central-1.elasticbeanstalk.com, not for the firebase frontend, right?
p.p.s. I don't really need to use https, so a solution would be to make firebase use http instead of https, but I couldn't find anything on how to do that.
UPDATE:
I added a subdomain called api.studileih.de (the immediate access is blocked by spring security, as you're not logged in to my site, but you can test it with api.studileih.de/products, because this API is accessible without login). Then I redirected that subdomain to my AWS Load Balancer as suggested by Mark B by adding a CNAME to the subdomain:
(it's not possible to change to English there, sorry)
this is my Load Balancer:
I tried to put the DNS name as an A-Record into my subdomain, but it was only possible to enter an IP4 address there, so I entered it as CNAME instead. I also tried to find out the IP address of the Load Balancer, but Load Balancers don't have a static IP address.
This approach with the subdomain and the CNAME unfortunately didn't work, so I'm still looking for a solution...
(Here's the menu for setting an A-Record. You can only enter IP addresses there:)
I know the problem exists because when creating the SSL certificate, I
entered studileih.de as the domain that the certificate is for. I
think I have to create a SSL certificate for
studileih1.eu-central-1.elasticbeanstalk.com instead.
You can only create an SSL certificate for a domain you own. You need to point a subdomain of studileih.de, like api.studileih.de, at the Elastic Beanstalk load balancer, and then attach an SSL certificate to that load balancer that matches that subdomain.
I have a web page I would like to work with SSL (https).
For now it is working, but with the private certification, which alerts the user that the "connection is not secure".
I issued an AWS certification by following the link:
https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-validate-dns.html#dns-add-cname
And set my Tomcat server to work with the certificate as shown in this link:
http://techtracer.com/2007/09/12/setting-up-ssl-on-tomcat-in-3-easy-steps/
but I cannot seem to get rid of the "connection is not secure" issue.
The blog post is too old, around 11 years. Not sure whether it is working or not.
But you can generate a new free certificate using AWS Certificate Manager and add it to a load balancer to terminate the SSL connection. Your servers will be behind that load balancer.
On AWS ACM you will need to have a load balancer in front of your web server, you can then terminate the SSL at the load balancer and forward HTTP connections to your tomcat webserver:
https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-create-https-ssl-load-balancer.html
Alternatively, if you don't want to have a load balancer (cost etc.), then you can look at using a free CA, such as letsencrypt. I've never used letsencrypt with tomcat before, but a quick google came up with a few sensible solutions, e.g. https://community.letsencrypt.org/t/configuring-lets-encrypt-with-tomcat-6-x-and-7-x/32416
Once up and running with SSL I suggest you check how strong your SSL config is using https://www.ssllabs.com/
What is my indication that I am using AWS Certificate Manager correctly and that any remaining problems getting my site to load at https are due to a mistake I am making in my Apache configuration?
In AWS Certificate Manager, I see "Success! Your certificate was issued successfully." Does that mean there are no further steps for me to complete in the AWS console, and I need only get my Apache configuration correct to finish?
Currently, when I try to visit a URL at my site with the http protocol, it loads fine, but when I visit at https, the browser tries to load the page but it never loads.
I have followed the instructions for creating an HTTPS listener, but still do not know if I am done with all necessary steps in AWS console. How would I know?
Edit: To clarify, I am using an Elastic Load Balancer (ELB), since the documentation indicated I need to use ELB with AWS Certificate Manager (ACM). However, I do not know how to determine if I have configured everything correctly in AWS console that I need to in order to access the site at HTTPS.
Edit 2: This might come close to answering my question, possibly, but I don't know how to do this: "You can use curl, telnet etc from your local machine to verify 443 port status on ELB" -- #vivekyad4v.
ACM (AWS Certificate Manager) supports AWS resources like ELB, CloudFront, API Gateway etc. You can add SSL certificates to these resources via the AWS console.
Currently, it doesn't support EC2. You cannot use ACM with EC2 instances, you will need a Load Balancer in front of it. Once you have a load balancer, SSL termination happens on the load balancer & not on the EC2 instance.
Once it is setup, you can change your apache server config to redirect all HTTP requests to HTTPS.
Add certificate to ELB - "https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-update-ssl-cert.html"
Update apache config - "https://aws.amazon.com/premiumsupport/knowledge-center/redirect-http-https-elb/"
No EC2 support - "https://aws.amazon.com/certificate-manager/faqs/"
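Added example, not part of the original answers: a Python version of the "verify 443 port status" check, which also separates an unreachable HTTPS listener from a certificate that does not fit the name typed into the browser (the situation in the Elastic Beanstalk question above). The function names `san_matches` and `probe_https` are made up for this example.

```python
import socket
import ssl
import sys


def san_matches(hostname, cert_names):
    """True if hostname is covered by one of the certificate's DNS names.

    A wildcard counts only as the entire left-most label and stands for
    exactly one label, so "*.example.com" does not cover "example.com".
    """
    host = hostname.lower().rstrip(".").split(".")
    for name in cert_names:
        pat = name.lower().rstrip(".").split(".")
        if len(pat) != len(host):
            continue
        if pat == host or (pat[0] == "*" and len(pat) > 2 and pat[1:] == host[1:]):
            return True
    return False


def probe_https(hostname, port=443, timeout=5.0):
    """Connect the way a browser would and classify the outcome."""
    ctx = ssl.create_default_context()  # checks the chain and the hostname
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # Something answers on the port, but its certificate is not valid
        # for this name (or not trusted): the browser warning case.
        return "certificate-rejected", exc.verify_message
    except ssl.SSLError as exc:
        return "tls-handshake-failed", str(exc)
    except OSError as exc:
        # Timeout, refusal or DNS failure: nothing usable listens there.
        return "unreachable", str(exc)
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return "ok", names


if __name__ == "__main__" and len(sys.argv) > 1:
    # Usage: python probe.py <hostname you type into the browser>
    print(probe_https(sys.argv[1]))
```

An "unreachable" result means the problem is in front of the web server (no HTTPS listener answering on the load balancer), while "certificate-rejected" means the listener works but the certificate attached to it does not cover the hostname being requested.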
Greetings,
I have created the certificate through Certificate Manager in AWS, the free one, and successfully verified it as well as put it in the Elastic Load Balancer (ELB). The status of the certificate shows it's issued, and "Is Used?" shows Yes in the Certificate Manager.
Overall, I have completed these two steps without any problem, but the SSL does not work with my domain name. When I type "mydomain.com" with or without the prefix http://, it works, but when I type "mydomain.com" with the https:// prefix, it does not work.
I have researched to find the solution and a way to install SSL into Microsoft Windows IIS on AWS, but no document describes that.
Can anyone share this experience? I really appreciate it.
Looking forward to the reply, and thanks.
You do not need to setup SSL on your web server when you use a load balancer. Assign the SSL certificate to the load balancer (as you did). Then in your HTTPS listener in the load balancer listen on HTTPS, but connect to your web server over HTTP.
In the Amazon Console for your load balancer under the "Listeners" tab, the "Load Balancer Protocol" will be HTTPS and the "Instance Protocol" will be HTTP.
This has the benefit of offloading SSL to the load balancer which decreases CPU load on your web server.
If you do want to setup SSL on your web server, then you cannot use the Amazon SSL certificate. You will need to use the standard methods and purchase a certificate from someone else.