I have an EC2, hosting a simple http server.
I want to make use of the HTTPS so to have my traffic hidden, but I made the mistake of buying a domain via AWS and to generate a certificate for it via AWS.
Mistake because it seems I cannot simply import that certificate in my EC2 (maybe because, if AWS gave me that cert as file, I could use it in any number of application of mine).
So, what I have to do in order to use it?
Move my web application to an elastic load balancer? Use a cointainer to host it?
What is the less expensive?
Related
I have a VueJS front-end application running on S3 being served as a static website.
I have a NodeJS (behind an nginx reverse proxy, plus a few other services) backend application running on an EC2 instance that the VueJS app talks to (over http currently).
I have a domain successfully pointed at the VueJS app (S3 bucket) with the configured SSL certificates using Route53 / CloudFront / ACM.
However, now the VueJS app will not communicate with the EC2 instance backend as it is still using HTTP which is now not allowed.
So what is the best way to configure this? I can't run certbot on the ec2 instance and generate an SSL certificate for my domain as there are certificates already being used for the S3 bucket.
Should I just create a self-signed certificate?
Can I create another certificate for a subdomain perhaps (api.example.com say) and set up DNS record for that to point to my EC2 instance IP address?
How is this usually done, what is best practice?
So a self-sign cert wont work, it wont pass validation as there is no known CA behind it ( Certificate authority) I mean you can install it but the browser is going to complain..
Im not sure I understand why you cant use certbot.. s3 / ec2 are two seperate services so I'm a bit confused here?
You can use letencrypt to generate a cert for the server and have it installed as well but if you have clusters you may be better served by installing it on the actual ALB, however this does not ensure end-to-end if the cert is not installed on all backend systems, (that would require installing the cert on all systems in the cluster) You requirements will dictate this really.
If you are unable to generate a cert with letsencrypt you can get an SSL from ssls.com and just installed the PEM or CRT on the server / load balancer too though.
Usually you create some subdomain like you said for your api and create a certificate for that subdomain. On AWS in particular, you can use an elastic load balancer and use ACM /Route53 with that for ease of certificate management, but that does carry costs of the load balancer.
Alternative is to just put an API gateway in front of your EC2 instance as a reverse proxy, which will carry some costs, but maybe not as much depending on traffic volume.
We have AWS EC2 instance where we have hosting of our website and we have domain and SSL from godaddy with cloudflare for cache policy.
Now we want to integrate ssl with our website but we are clueless regarding how to do this process with cloudflare as there are three different service providers like AWS, Godaddy and Cloudflare so it would be great if someone could help us how to deal with that.
The question is too generic (you don't mention what web server, or OS are using), let alone mentioning there are tons of documentation already on how to set up SSL in the most popular web servers: Apache and Nginx. One thing that I suggest, is that, if you are using Elastic Load Balancing, then you can use ACM service to deploy an SSL certificate, and attach it to your load balancer. It's the easiest, and cheapest way to do it.
Here on how to deploy a free SSL certificate managed by AWS, and here on how to attach it to the load balancer.
if you are not using load balancing, or need to implement fully end-to-end encryption, or simply don't want to do it this way, you will probably need to look into how to set up SSL on the web server you are using. An example can be found in https://www.digicert.com/csr-ssl-installation/apache-openssl.htm, but since you didn't specify what OS or webserver you are using, we can't really say much.
I have a node.js server I would like to deploy to AWS. My main site is example.com while the node server is on api.example.com
I am only using one EC2 instance (no load balancing) because I am only building an MVP and don't want to make things complicated.
I used Amazon Certificate Manager to register my domain name and I need to register api.example.com to also use https.
I right now have to put a CloudFront in front of my EC2 instance just so that I can use the ACM. This seems a little overkill since I don't need any of the caching benefits.
Is there any other way to do this?
You have 3 options:
Use CloudFront with SSL certificate from Amazon which doesn't bring any benefits for API that won't benefit from caching
Use Elastic Load Balancer with SSL certificate from Amazon. Load balancer will mantain HTTPS connection with client and communicate via HTTP with your EC2 server. You can follow this tutorial https://hackernoon.com/getting-a-free-ssl-certificate-on-aws-a-how-to-guide-6ef29e576d22
Or you can set up your certificate at EC2 instance directly. Here is how to do this with Nginx for example https://www.digicert.com/csr-ssl-installation/nginx-openssl.htm
EDIT: I have just realized that you could probably also use AWS API Gateway to point to your EC2 server API GateWay to server in ec2
my team is creating an app that involves sharing bank details. For a feature that involves instant verification of bank accounts, we have used a third party vendor, Dwolla, who provide a secure interface for entering the bank account details.
This is from Dwolla:
https://developers.dwolla.com/resources/dwolla-js/instant-account-verification.html
Our app is hosted on AWS Server, EC2 instance on iis, S3 storage.
First, do I need to install SSL on AWS server?
If yes, how should I do it?
I have been looking for answers everywhere, but I can't find an exact resolution.
Please help.
To install the SSL certificate, it will depends on some specifics of your environment:
If you use a single instance with IIS you must adquire a SSL certificate from a external CA. It will cost you some money and they will guide you how to request and emit the certificate. With the certificate emitted you'll need to upload it to your os and configure the IIS to use it;
If you use a pool of instances behind a load balancer provided by AWS you can request a certificate from AWS for free and configure the load balancer to use the emitted certificate (https://aws.amazon.com/certificate-manager/?nc1=h_ls).
If you do not use a AWS load balancer, you can create a AWS CloudFront Distribution (https://aws.amazon.com/cloudfront/), use your IIS as origin and configure your free AWS Certificate in the distribution.
We started using PKISharp win-acme to get free LetsEncrypt SSL certificates for our IIS in EC2 and it works like a charm, auto-renew every 2-3 months without issue, very easy to setup from "dos" prompt (run as administrator)...
To help pkisharp do its job, keep your 80 and 443 binding on the same site, you can configure a "url rewrite" rule to redirect all 80 requests to 443.
The tool will add a task in the windows scheduler to handle the auto-renew.
We've been using certify (https://certifytheweb.com) with no issues on IIS. Free for less than 3 domains, cheap for up to 100 domains. Use this on all our servers. Turnkey solution with great debugging tools.
I am running a Qualys scan on a Windows EC2 instance and it reports some vulnerabilities. One of them is "SSL Certificate - Subject Common Name Does Not Match Server FQDN".
Solution for this, as recommended by Qualys, is to "Please install a server certificate whose Subject commonName or subjectAltName matches the server FQDN."
Now the problem is the self-signed certificates which are not verified by a third party.
How do i get a valid certificate for this scenario such that Qualys does not report the error.
I looked into ACM, but i guess it does not provide certificates for EC2.
Can anyone provide an insight on how to go about this?
Where do i get a valid certificate and how to add it to the instance.
I am using Cloudformation template to create the instacne using a Custom AMI created using packer. I mention this because it would be helpful to know if the steps to add certificate need to be added to the AMI creation stage.
Unfortunately You can not use Certificate issued by AWS Certificate Manager directly on EC2 Directly.
You can use it On Load Balancer and Cloudfront and API Gateways , Refer this.
But a Workaround is that if you have single EC2 Put it behind Classic LB And terminate ssl to LB so that when you try to access your content on ec2 it is via HTTPS.
Thanks
The easiest way to pass a scan like this is restrict access to your instance so your only exposing public services (like HTTP or HTTPS), and then "harden" the configuration of each required public service. All none public services/ports should be limited to just your IP address(/es). That will probably fix a number of your issues reported by the scan.
RDP and numerous other services (MSSQL, MSDeploy, POSH Remoting to name a few) are for administrators only and should not be visible to a Qualys scan (or hackers and bots that roam the internet...).
As Kush suggests above, adding a load balancer would allow you to use ACM certificates for web traffic, but it also adds an additional layer of security between the internet and your instance. This means you can further limit access to your instance to just your VPC - as public web traffic would go via the load balencer in your VPC, not directly to your instance anymore.
If your hosting a website over HTTPS without a load balancer you will also need to edit the SChannel settings (component responsible for SSL/TLS in Windows) to pass the scan as well as installing a valid certificate for the website.
You can edit SChannel by hand in the registry here:
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\
(Reboot required - take a snapshot before you start ;)
WARNING - misconfiguring SChannel can break RPD or limit which web browsers can access your site etc. Test carefully!
FYI I find it easier to use a tool called IIS Crypto to configure SChannel (https://www.nartac.com/Products/IISCrypto) - it has a GUI and a CLI interface for scripting changes to SChannel. (You can still break your server with this tool though!)
If you want to look at using ACM and a loadbalencer with CloudFormation i would suggest registering & approving the certificate via the aws console and make a note of the ARN of the certificate. This ARN can be used when creating a loadbalencer in a CloudFormation template.
NOTE: The above will resolve the issue on your scan, but not actually fix it. It is possible to use your own certificate for RDP (never tried), but not an ACM cert sadly. You could also look at a service like LetsEncrypt to get a free/basic certificate. Another option to avoid this error is you could export the self-signed cert from the instance and import it into your computer ( or domain?)'s certificate store.