Can I configure multiple certificates on my GKE/Istio Gateway? - istio

I am using the prepackaged Istio on GKE, which comes with a pre-configured ingress gateway that takes a single SSL certificate.
Is there a way to add additional certificates to Google's standard configuration which will survive reset by their configuration tool and persist through upgrades?
The Istio docs describe how to specify multiple certificates if installing the ingress gateway yourself. I could do this if I configured a separate ingress gateway, but would like to use the default one if I could. Google's docs do not list certificates as a modifiable property.

I found a post from Medium which explains how to use multiple Certificates for Istio through Cert-Manager, Let's Encrypt for TLS and Certificate Merge.
Could you please take a look at the post and let me know if it's useful?
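As an added example (not from the question, the answer, or the linked post), this is what the multi-host TLS Gateway described in the Istio docs looks like when it is pointed at the stock `istio: ingressgateway` selector that the GKE add-on ships. It assumes the gateway supports SDS-backed `credentialName` (newer Istio releases; older ones needed the ingress SDS option enabled), and the hostnames, Secret names and backend Service are placeholders. Each HTTPS server carries its own certificate and is selected by SNI, so the host lists must not overlap. Whether the GKE configuration tool preserves this resource across resets is exactly the open question in the thread; the manifest only shows the shape of the configuration.

```yaml
# Added example: one Gateway, two HTTPS servers on port 443, each with its own certificate.
# Envoy picks the server by SNI, so each server's host list must be distinct.
# Create the Secrets (placeholder names) in the gateway's namespace first, e.g.:
#   kubectl create -n istio-system secret tls foo-example-com-tls --cert=foo.crt --key=foo.key
#   kubectl create -n istio-system secret tls bar-example-com-tls --cert=bar.crt --key=bar.key
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: multi-cert-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway          # the default ingress gateway Deployment
  servers:
    - port:
        number: 443
        name: https-foo            # port names must be unique within the Gateway
        protocol: HTTPS
      hosts:
        - foo.example.com          # placeholder hostname
      tls:
        mode: SIMPLE               # the gateway terminates TLS with this certificate
        credentialName: foo-example-com-tls
        minProtocolVersion: TLSV1_2
    - port:
        number: 443
        name: https-bar
        protocol: HTTPS
      hosts:
        - bar.example.com          # placeholder hostname
      tls:
        mode: SIMPLE
        credentialName: bar-example-com-tls
        minProtocolVersion: TLSV1_2
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - foo.example.com
        - bar.example.com
      tls:
        httpsRedirect: true        # plain HTTP gets a 301 to HTTPS instead of content
---
# One VirtualService per host binds routes to the Gateway above (only foo shown).
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: foo
  namespace: default
spec:
  hosts:
    - foo.example.com
  gateways:
    - istio-system/multi-cert-gateway   # namespace/name form for a cross-namespace Gateway
  http:
    - route:
        - destination:
            host: foo-svc          # placeholder in-cluster Service
            port:
              number: 8080
```

Adding a third certificate later is a matter of creating another `kubernetes.io/tls` Secret and appending another server block with a new port name; nothing in the existing servers changes, which keeps the blast radius of a certificate rotation to the one host it belongs to.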

Related

How to setup SSL for EC2 with ACM?

(I'm an AWS newb)
So I have a running EC2 instance and want to set up the SSL so it can serve HTTPS.
I found a guide from AWS to set up SSL with an external CA, and a brief statement that ACM should be able to work with EC2, but I can't seem to find any step-by-step guide for this, and I expect AWS should have made it possible with only a few clicks.
Do I need to use the ELB, even though my server is only running in ONE instance?
ACM SSL certs can't be used directly on instances (except enclaves, as indicated by Mark in the comments). They can only be used, as in your link, on load balancers, CloudFront distributions or API Gateway. Thus, if you want to use ACM, you have to use one of these three services in front of your EC2 instance.
But if you don't want to use them, then you need to get your SSL cert from a third party, not from ACM. A popular choice is https://letsencrypt.org/ along with certbot, which provide free public SSL certificates. This means that you have to set it up yourself on the instance, usually done through a reverse proxy such as nginx.

How to switch certificates in AWS Certificate Manager?

I am very new to this and struggling to understand AWS.
I had a single domain foo.mydomain.com. This was registered in Route53. And there was a certificate in AWS Certificate Manager that mapped to it.
Now I have two domains, foo.mydomain.com and bar.mydomain.com. I have registered the latter in Route53, and I have requested and received a new certificate from AWS Certificate Manager. This one maps to both domains (via the "additional names" property).
How can I simply disable the old certificate and enable the new certificate?
I want the values for "In use?" above to be swapped.
You need to go to the services where you are utilizing these certificates (Load Balancers, CloudFront distributions or API Gateways) and change the certificate they are using there.
AWS Certificate Manager manages the SSL/TLS certificates. In general, certificates are configured and consumed on services like ALB (Application Load Balancer), API Gateway, virtual machines, CloudFront etc. If you would like to update the certificate, modify the configuration on whichever of the above services applies in your case. While changing the configuration you have to choose the right certificate from ACM. Once the update is successful you will see the status in ACM.
Here is the AWS documentation that explains how to install/update SSL certificates:
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-update-certificates.html

How to add 3rd party Certificate Authorities to Istio's Citadel from secrets?

In my mesh, I am connecting to 3rd party services over TLS (specifically Strimzi's Kafka, which is in the same k8s cluster but without an Istio sidecar). Normally I would install the certificate authority needed into the Java service, but with Istio terminating I'm not sure how to do so. If I put the public certificate in a secret, can I have a Secret Discovery Service (SDS) help manage it on the Envoy proxy (something like Secure Ingress SDS but for within the mesh)?
I've read this documentation, but it seems to be about replacing the generated certificates, which I don't want to do (I like the automatic maintenance within the cluster).
https://istio.io/docs/tasks/security/plugin-ca-cert/
I have also added the 3rd party CAs as mounts to /etc as specified in this answer, but they aren't picked up by Envoy as certificates (checked via logs and istioctl tool).
How do you add additional certificate authorities to Istio Citadel so they are delivered to Envoy proxies in the security bundle?

How can I install SSL certificate to aws load balancer in kubernetes?

I got a yaml file for specifying an SSL certificate (provided by AWS Certificate Manager) to the load balancer for a kubernetes deployment. But we are running our kubernetes cluster in an AWS China account where the Certificate Manager option is not available. Now if I have an SSL certificate provided by GoDaddy, how can I install it? Are there any other ways to install the certificate rather than on the load balancer? Can I install it in my tomcat container itself and build a new image with it?
As far as I know, you cannot set up an ELB deployed with a kubernetes Service to use a certificate which is NOT an ACM certificate. In fact, if you take a look at the possible annotations here you'll see that the only annotation available to select a certificate is service.beta.kubernetes.io/aws-load-balancer-ssl-cert, and the documentation for that annotation says the following:
ServiceAnnotationLoadBalancerCertificate is the annotation used on the
service to request a secure listener. Value is a valid certificate ARN.
For more, see http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-listener-config.html
CertARN is an IAM or CM certificate ARN, e.g. arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012
As you asked, you can for sure terminate your SSL inside your kubernetes Pod and make the ELB a simple TCP proxy.
In order to do so, you need to add the following annotation to your Service manifest:
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: 'tcp'
Also, you will need to forward both your http and https ports in order to handle the http to https redirect correctly inside your pod.
If you need more specific help, please post your current manifest.
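As an added example (not the asker's manifest or the answerer's code), here is the TCP pass-through arrangement the answer describes: the ELB forwards both listeners as raw TCP and the Tomcat Pod terminates TLS with the GoDaddy-issued certificate, which is kept in a `kubernetes.io/tls` Secret and mounted at run time rather than baked into the image, so rotating the certificate means replacing the Secret and restarting the Pods, not rebuilding and re-pushing. Image name, Secret name, mount path, container ports and the fsGroup value are placeholders.

```yaml
# Added example: ELB as a plain TCP proxy; the Pod terminates TLS with a third-party cert.
# Create the Secret from the CA-issued chain and private key (placeholder file names):
#   kubectl create secret tls tomcat-tls --cert=fullchain.pem --key=privkey.pem
apiVersion: v1
kind: Service
metadata:
  name: tomcat
  annotations:
    # Both listeners become TCP, so the ELB passes the TLS bytes through untouched.
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: 'tcp'
spec:
  type: LoadBalancer
  selector:
    app: tomcat
  ports:
    - name: http                   # kept so the Pod itself can answer plain HTTP with a redirect
      port: 80
      targetPort: 8080
      protocol: TCP
    - name: https
      port: 443
      targetPort: 8443
      protocol: TCP
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat
spec:
  replicas: 1
  selector:
    matchLabels:
      app: tomcat
  template:
    metadata:
      labels:
        app: tomcat
    spec:
      securityContext:
        fsGroup: 1000              # placeholder: group of the non-root Tomcat user, so it can read the key
      containers:
        - name: tomcat
          image: your-registry/tomcat-app:1.0   # placeholder image; no certificate inside it
          ports:
            - containerPort: 8080  # HTTP connector, redirects to 8443
            - containerPort: 8443  # HTTPS connector
          volumeMounts:
            - name: tls
              mountPath: /etc/tomcat/tls        # server.xml points the HTTPS connector here
              readOnly: true
      volumes:
        - name: tls
          secret:
            secretName: tomcat-tls
            defaultMode: 0440      # key is never world-readable inside the container
```

Tomcat 8.5 and later can read the PEM files from that mount directly (`certificateFile`, `certificateKeyFile` and `certificateChainFile` on the connector's `SSLHostConfig` certificate), so no keystore conversion step is needed. One consequence of the TCP pass-through is that Tomcat sees the ELB's address as the client IP, so access logs and any IP-based controls must take that into account.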

Need a valid certificate for AWS Windows EC2 instance. Does Amazon Certificate manager provide certificates for EC2?

I am running a Qualys scan on a Windows EC2 instance and it reports some vulnerabilities. One of them is "SSL Certificate - Subject Common Name Does Not Match Server FQDN".
Solution for this, as recommended by Qualys, is to "Please install a server certificate whose Subject commonName or subjectAltName matches the server FQDN."
Now the problem is the self-signed certificates which are not verified by a third party.
How do I get a valid certificate for this scenario such that Qualys does not report the error?
I looked into ACM, but I guess it does not provide certificates for EC2.
Can anyone provide an insight on how to go about this?
Where do I get a valid certificate, and how do I add it to the instance?
I am using a CloudFormation template to create the instance using a custom AMI created using Packer. I mention this because it would be helpful to know if the steps to add the certificate need to be added to the AMI creation stage.
Unfortunately, you cannot use a certificate issued by AWS Certificate Manager directly on EC2.
You can use it on a Load Balancer, CloudFront and API Gateway; refer to this.
But a workaround is that if you have a single EC2 instance, put it behind a Classic LB and terminate SSL at the LB, so that when you try to access your content on EC2 it is via HTTPS.
Thanks
The easiest way to pass a scan like this is to restrict access to your instance so you're only exposing public services (like HTTP or HTTPS), and then "harden" the configuration of each required public service. All non-public services/ports should be limited to just your IP address(es). That will probably fix a number of the issues reported by the scan.
RDP and numerous other services (MSSQL, MSDeploy, POSH Remoting to name a few) are for administrators only and should not be visible to a Qualys scan (or hackers and bots that roam the internet...).
As Kush suggests above, adding a load balancer would allow you to use ACM certificates for web traffic, but it also adds an additional layer of security between the internet and your instance. This means you can further limit access to your instance to just your VPC, as public web traffic would go via the load balancer in your VPC, not directly to your instance anymore.
If you're hosting a website over HTTPS without a load balancer you will also need to edit the SChannel settings (the component responsible for SSL/TLS in Windows) to pass the scan, as well as installing a valid certificate for the website.
You can edit SChannel by hand in the registry here:
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\
(Reboot required - take a snapshot before you start ;)
WARNING - misconfiguring SChannel can break RDP or limit which web browsers can access your site etc. Test carefully!
FYI I find it easier to use a tool called IIS Crypto to configure SChannel (https://www.nartac.com/Products/IISCrypto) - it has a GUI and a CLI interface for scripting changes to SChannel. (You can still break your server with this tool though!)
If you want to look at using ACM and a load balancer with CloudFormation, I would suggest registering & approving the certificate via the AWS console and making a note of the ARN of the certificate. This ARN can be used when creating a load balancer in a CloudFormation template.
NOTE: The above will resolve the issue on your scan, but not actually fix it. It is possible to use your own certificate for RDP (never tried), but not an ACM cert sadly. You could also look at a service like LetsEncrypt to get a free/basic certificate. Another option to avoid this error is to export the self-signed cert from the instance and import it into your computer's (or domain's?) certificate store.