I am using EC2 and working with NGINX (by PuTTY); I chose AWS Public Certificate therefore I understood that to use HTTPS I need to configure the NGINX too.
I found some tutorial about it, but everywhere they add ssl_certificate and ssl_certificate_key that I haven’t seen in AWS certification.
How I can find AWS SSL certificates and ssl_certificate_key?
Or is there another solution for this?
You can only use ACM SSL certificates with AWS Load Balancers, CloudFront and API Gateway. it is not possible obtain the certificate from ACM and install it directly on a server.
You can attach certificates issued with ACM to the AWS Load balancer and hide your instance behind the load balancer, more on this here
If you want to manage ssl directly on your Nginx you will need to issue certificate with another tool i.e letsencrypt.
Using Free Let’s Encrypt SSL/TLS Certificates with NGINX
it is now possible by using:
AWS Certificate Manager for Nitro Enclaves
https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave-refapp.html
https://aws.amazon.com/about-aws/whats-new/2020/10/announcing-aws-certificate-manager-for-nitro-enclaves/
It is now possible with Nitro Enclaves, but is rarely a good solution for a single-instance NGINX host. At the moment, an ec2 nitro enclave demands a full 2 vcpus for itself. Unless the instance is large enough to trivially spare 2 vcpus, this method likely involves a bump in ec2 instance size, which eliminates any cost or simplicity advantage over using a load balancer.
Related
I have a VueJS front-end application running on S3 being served as a static website.
I have a NodeJS (behind an nginx reverse proxy, plus a few other services) backend application running on an EC2 instance that the VueJS app talks to (over http currently).
I have a domain successfully pointed at the VueJS app (S3 bucket) with the configured SSL certificates using Route53 / CloudFront / ACM.
However, now the VueJS app will not communicate with the EC2 instance backend as it is still using HTTP which is now not allowed.
So what is the best way to configure this? I can't run certbot on the ec2 instance and generate an SSL certificate for my domain as there are certificates already being used for the S3 bucket.
Should I just create a self-signed certificate?
Can I create another certificate for a subdomain perhaps (api.example.com say) and set up DNS record for that to point to my EC2 instance IP address?
How is this usually done, what is best practice?
So a self-sign cert wont work, it wont pass validation as there is no known CA behind it ( Certificate authority) I mean you can install it but the browser is going to complain..
Im not sure I understand why you cant use certbot.. s3 / ec2 are two seperate services so I'm a bit confused here?
You can use letencrypt to generate a cert for the server and have it installed as well but if you have clusters you may be better served by installing it on the actual ALB, however this does not ensure end-to-end if the cert is not installed on all backend systems, (that would require installing the cert on all systems in the cluster) You requirements will dictate this really.
If you are unable to generate a cert with letsencrypt you can get an SSL from ssls.com and just installed the PEM or CRT on the server / load balancer too though.
Usually you create some subdomain like you said for your api and create a certificate for that subdomain. On AWS in particular, you can use an elastic load balancer and use ACM /Route53 with that for ease of certificate management, but that does carry costs of the load balancer.
Alternative is to just put an API gateway in front of your EC2 instance as a reverse proxy, which will carry some costs, but maybe not as much depending on traffic volume.
(I'm an AWS newb)
So I have a running EC2 instance and want to set up the SSL so it can serve HTTPS.
I found a guide from AWS to set up the SSL with external CA, or a brief statement that ACM should be able to work with EC2, but seems not finding any step-by-step guide for this and I expect AWS should have done it with only a few clicks.
Do I need to use the ELB, even though my server is only running in ONE instance?
ACM SSL certs can't be used directly on instances (except enclaves as indicated by Mark in the comments). They can only be used, as in your link, on load balances, CloudFront distro or API gateway. Thus, if you want to use ACM, you have to use either of these three services in-front of your EC2 instance.
But if you don't want to use them, then you need to get your SSL cert from a third party, not from ACM. A popular choice is https://letsencrypt.org/ along with carebot which provide free public SSL certificates. This means that you have to set it up yourself on the instance, usually done through a reverse proxy such as nginx.
I have purchased SSL Certificate from COMODO SSL Store.
I have AWS EC2 Instance with Ubuntu AMI.
I want to install this SSL certificate on AWS but couldn't make it work. I just want to use this certificate with my website 'somewebsite.com' and nothing else like load balancer or something else.
I found this but it has load balancer which I dont want
https://cheapsslsecurity.com/blog/install-ssl-certificate-on-amazon-web-services-aws/
I tried this but I guess this is not the right way. This tutorial probably not for AWS, just for localhosts on local systems maybe.
https://www.ssldragon.com/blog/how-to-install-an-ssl-certificate-for-localhost-xampp/
Finally I contacted COMODO and they gave me this tutorial
https://www.thesslstore.com/knowledgebase/ssl-install/amazon-web-services-ssl-installation/
Then I came to know about AWS Certificate Manager but I couldn't make sure if this will attract any charges. I am already paying COMODO and I dont want to pay extra to Amazon for certificate.
I kind of find tutorials with 4-5 different ways to install third party SSL on AWS EC2 Instance but cant make it work, cant figure out the right way and cant make sure if that way will cost me extra or not.
Even pointing me in the right direction will be appreciated.
Please Help.
In regards to ACM issued certificates, you cannot use it with an instance without a load balancer.
You can use public and private ACM certificates with the following AWS
services: • Elastic Load Balancing – Refer to the Elastic Load
Balancing documentation • Amazon CloudFront – Refer to the CloudFront
documentation • Amazon API Gateway – Refer to the API Gateway
documentation • AWS Elastic Beanstalk – Refer to the AWS Elastic
Beanstalk documentation
Reference:
https://aws.amazon.com/certificate-manager/faqs/
None of the links you shared explains how to configure ssl for an instance without load balancer, except https://www.ssldragon.com/blog/how-to-install-an-ssl-certificate-for-localhost-xampp/. you have to use your real certificate instead of the one showed in the tutorial.
Hope this helps.
You can use Amazon Certificate Manager by uploading your COMODO cert. However, ACM certs can only be used by Elastic Load Balancers, Cloudfront, and a few other AWS services (and NOT EC2).
You will want to look into the instructions for just installing the certificate on Ubuntu.
If you're using the apache2 package, you can copy the certificate to /etc/ssl/certs and copy the key to /etc/ssl/private, then edit /etc/apache2/sites-available/default-ssl.conf search for "SSLCertificate" and change the following lines (modify them to match the name and path of the comodo cert and key you uploaded):
SSLCertificateFile /etc/ssl/certs/comodo-cert.pem
SSLCertificateKeyFile /etc/ssl/private/comodo-key.pem
Enable the SSL configuration, and restart the webserver.
ln -s /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/
apachectl configtest
apachectl graceful
If you're using nginx, I'm not qualified to provide instructions. But a quick search for installing SSL cert on Nginx on Ubuntu ought to set you straight.
I have a node.js server I would like to deploy to AWS. My main site is example.com while the node server is on api.example.com
I am only using one EC2 instance (no load balancing) because I am only building an MVP and don't want to make things complicated.
I used Amazon Certificate Manager to register my domain name and I need to register api.example.com to also use https.
I right now have to put a CloudFront in front of my EC2 instance just so that I can use the ACM. This seems a little overkill since I don't need any of the caching benefits.
Is there any other way to do this?
You have 3 options:
Use CloudFront with SSL certificate from Amazon which doesn't bring any benefits for API that won't benefit from caching
Use Elastic Load Balancer with SSL certificate from Amazon. Load balancer will mantain HTTPS connection with client and communicate via HTTP with your EC2 server. You can follow this tutorial https://hackernoon.com/getting-a-free-ssl-certificate-on-aws-a-how-to-guide-6ef29e576d22
Or you can set up your certificate at EC2 instance directly. Here is how to do this with Nginx for example https://www.digicert.com/csr-ssl-installation/nginx-openssl.htm
EDIT: I have just realized that you could probably also use AWS API Gateway to point to your EC2 server API GateWay to server in ec2
I have an EC2, hosting a simple http server.
I want to make use of the HTTPS so to have my traffic hidden, but I made the mistake of buying a domain via AWS and to generate a certificate for it via AWS.
Mistake because it seems I cannot simply import that certificate in my EC2 (maybe because, if AWS gave me that cert as file, I could use it in any number of application of mine).
So, what I have to do in order to use it?
Move my web application to an elastic load balancer? Use a cointainer to host it?
What is the less expensive?