How to assign self signed certificate to AWS Elastic Beanstalk application - amazon-web-services

We have developed a web API using .NET Core 3.0 along with Swagger. For testing purposes, we have deployed this API on AWS on an EC2 instance using EBS. However, while deploying we noticed that by default it takes only HTTP, but we want to expose the API using HTTPS.
So, for the same, we created a self-signed certificate on the AWS virtual machine, tried to configure it on the hosted API, and added bindings for HTTPS by selecting the certificate. Our AWS VM uses IIS 10.
However, after doing this our API stopped working and it gives a lot of errors. We have tried adding the certificate in Certificate Manager and after that modifying the load balancer as well. But it doesn't seem to be working at all.
So, can anyone tell us what exactly we are missing here? What are the correct steps to configure a self-signed certificate for an AWS deployment?
Thanks for the help !

What I've typically done is put the SSL certificate on the load balancer, so the path essentially becomes:
https traffic -> Load Balancer (HTTPS Port, does handshake) -> Application (HTTP Port)
So essentially the user sends an HTTPS request that is encrypted up to the load balancer, but the load balancer does the handshake for us and passes the packet off via HTTP inside our VPC.

Related

Beanstalk apps connecting using https

I have spring app A running in beanstalk.
A is internally calling app B using http. It’s working fine.
Now I added a listener in the load balancer in app B and enabled HTTPS.
Now A is not able to call B using HTTPS and gets a certificate exception.
Please let me know if I need to make any change in app A for disabling certificate validation or if there is any other way.
App A is calling app B using web client. Both apps are running in beanstalk.
You need to have your own domain (e.g. myapp.org). You can't use HTTPS with a default EB domain provided to you by AWS. Once you have your own domain you can get an SSL certificate using AWS ACM. The full procedure for setting up HTTPS on EB is described in AWS docs.

Connecting an AWS Amplify frontend with a EC2 instance?

So, I'm working on a hackathon project right now, and for the demo, I've spun up a NodeJS Express server on an EC2 via Elastic Beanstalk. When testing the server's API with our front-end locally, it worked perfectly fine.
Now we've deployed our front-end to AWS Amplify, setup a domain name in Route53, and hooked everything up. When we go to the domain, our front-end looks great, but when we try using the functionality that would connect to our server's API, we get a net::ERR_SSL_PROTOCOL_ERROR.
Doing some research, it looks like(?) that we have to setup a certificate on the Classic Load Balancer that's in front of the EC2. So I requested a certificate, and created a listener on the Load Balancer as follows:
Load Balancer Protocol | Load Balancer Port | Instance Protocol | Instance Port
HTTPS | 443 | HTTPS | 3000
But now I realize that if setup this way, I still have no idea how to point the React Frontend's API calls to the Load Balancer instead of the EC2, or whether the listener is setup correctly. Would anyone have an idea of what steps we should take here?
For the details of the app, the backend is a pretty straightforward Express App with CORS enabled, and the frontend is a fairly standard React project, nothing special about either of them.
Instance Protocol should be HTTP. So your setup uses HTTPS only between client and CLB:
Client--- (HTTPS) ---> CLB --- (HTTP) ---> EC2
Also, to set up HTTPS properly, you need to use your own domain. You can't use the default domain provided by EB for your application.

SSL certificate for AWS internal load balancer

We have an internal-facing application load balancer in an AWS VPC. This is being accessed by a web app running in a public subnet. The web app is behind a custom domain URL and it uses an SSL certificate for security. Since the API load balancer is not applied with SSL, communication from the web app to the API LB is failing.
Is it possible to get a SSL certificate for an internal facing load balancer in AWS?
Yes, this is entirely possible using the AWS ACM service. There are two options: you can use Amazon's public service to generate certs, but I assume that is not what you want to do here. Alternatively, you can create a Private CA through this service and distribute your certificates from there, which can then be placed on load balancers etc. You will most likely want to look at these pages:
https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html
https://aws.amazon.com/certificate-manager/
Have a read first before diving right in but it's a pretty nifty feature for this sort of thing, once the CA is setup then creating certs is so fast and instantly attachable to resources.

How do I know if I am using AWS Certificate Manager correctly?

What is my indication that I am using AWS Certificate Manager correctly and that any remaining problems getting my site to load at https are due to a mistake I am making in my Apache configuration?
In AWS Certificate Manager, I see "Success! Your certificate was issued successfully." Does that mean there are no further steps for me to complete in the AWS console, and I need only get my Apache configuration correct to finish?
Currently, when I try to visit a URL at my site with the http protocol, it loads fine, but when I visit at https, the browser tries to load the page but it never loads.
I have followed the instructions for creating an HTTPS listener, but still do not know if I am done with all necessary steps in AWS console. How would I know?
Edit: To clarify, I am using an Elastic Load Balancer (ELB), since the documentation indicated I need to use ELB with AWS Certificate Manager (ACM). However, I do not know how to determine if I have configured everything correctly in AWS console that I need to in order to access the site at HTTPS.
Edit 2: This might come close to answering my question, possibly, but I don't know how to do this: "You can use curl, telnet etc from your local machine to verify 443 port status on ELB" -- #vivekyad4v.
ACM (AWS Certificate Manager) supports AWS resources like ELB, CloudFront, API Gateway etc. You can add SSL certificates to these resources via the AWS console.
Currently, it doesn't support EC2. You cannot use ACM with EC2 instances, you will need a Load Balancer in front of it. Once you have a load balancer, SSL termination happens on the load balancer & not on the EC2 instance.
Once it is setup, you can change your apache server config to redirect all HTTP requests to HTTPS.
Add certificate to ELB - "https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-update-ssl-cert.html"
Update apache config - "https://aws.amazon.com/premiumsupport/knowledge-center/redirect-http-https-elb/"
No EC2 support - "https://aws.amazon.com/certificate-manager/faqs/"

AWS Install SSL from Certificate Manager (Free from AWS) to ELB and apply to EC2 Windows Platform IIS Instance

Greeting
I have created the certificate through Certificate Manager in AWS, the free one, and successfully verified it as well as put it in the Elastic Load Balancer (ELB). The status of the certificate shows it's issued and "Is Used?" shows Yes in the Certificate Manager.
Overall, I have completed these two steps without any problem, but SSL does not work with my domain name. When I type "mydomain.com" with or without the prefix http://, it works, but when I type "mydomain.com" with the https:// prefix, it does not work.
I have researched to find the solution and a way to install SSL into Microsoft Windows IIS on AWS, but no document describes that.
Can anyone share this experience? I would really appreciate it.
Looking forward to the reply, and thanks.
You do not need to setup SSL on your web server when you use a load balancer. Assign the SSL certificate to the load balancer (as you did). Then in your HTTPS listener in the load balancer listen on HTTPS, but connect to your web server over HTTP.
In the Amazon Console for your load balancer under the "Listeners" tab, the "Load Balancer Protocol" will be HTTPS and the "Instance Protocol" will be HTTP.
This has the benefit of offloading SSL to the load balancer which decreases CPU load on your web server.
If you do want to setup SSL on your web server, then you cannot use the Amazon SSL certificate. You will need to use the standard methods and purchase a certificate from someone else.
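
An added example, not taken from any of the posts above: a Python check of Classic Load Balancer listeners against the setup the answers describe (HTTPS on the load balancer, HTTP to the instance), plus a live handshake probe for the "how would I know?" question. The input is a constructed sample shaped like `aws elb describe-load-balancers` output; `audit_listeners`, `probe_tls` and every name and ARN in the sample are hypothetical placeholders.

```python
import json
import socket
import ssl

# Constructed sample in the shape of `aws elb describe-load-balancers` output
# (Classic Load Balancer). Names and the certificate ARN are placeholders.
SAMPLE = json.loads("""
{"LoadBalancerDescriptions": [
  {"LoadBalancerName": "api-clb", "ListenerDescriptions": [
    {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
                  "InstanceProtocol": "HTTPS", "InstancePort": 3000,
                  "SSLCertificateId": "arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER"}}]},
  {"LoadBalancerName": "web-clb", "ListenerDescriptions": [
    {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80,
                  "InstanceProtocol": "HTTP", "InstancePort": 80}}]},
  {"LoadBalancerName": "ok-clb", "ListenerDescriptions": [
    {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
                  "InstanceProtocol": "HTTP", "InstancePort": 80,
                  "SSLCertificateId": "arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER"}}]}
]}
""")

def audit_listeners(description):
    """Return (load_balancer, finding) pairs for TLS-termination problems."""
    findings = []
    for lb in description["LoadBalancerDescriptions"]:
        name = lb["LoadBalancerName"]
        listeners = [d["Listener"] for d in lb.get("ListenerDescriptions", [])]
        tls = [l for l in listeners if l["Protocol"] in ("HTTPS", "SSL")]
        if not tls:
            findings.append((name, "no HTTPS listener, so https:// cannot connect"))
        for l in tls:
            if l["InstanceProtocol"] in ("HTTPS", "SSL"):
                # Re-encryption only works if the instance itself serves TLS.
                findings.append((name, f"port {l['LoadBalancerPort']}: instance protocol "
                                 f"{l['InstanceProtocol']} on {l['InstancePort']}; "
                                 "use HTTP for a plain-HTTP app"))
    return findings

def probe_tls(host, port=443, timeout=5):
    """Live check: verified TLS handshake against the load balancer's domain."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert()["subject"]

if __name__ == "__main__":
    for name, finding in audit_listeners(SAMPLE):
        print(f"{name}: {finding}")
```

`probe_tls` needs network access and should be pointed at your own domain; it raises `ssl.SSLCertVerificationError` when the certificate does not match the hostname, which is what happens with a self-signed certificate or a default domain not covered by the certificate.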