AWS Elastic IP pointed to new instance does not work - amazon-web-services

I created an AMI of my server on AWS, and spun up a new instance.
When I point my elastic IP address to my new instance and type in my domain name I get a timeout error when going to my website.
I have done backups before and just re-pointed my elastic IP but this time it does not seem to be working, any ideas?
Steps I take on AWS:
I click on my elastic IP and pick actions-> Associate Address
Resource type = Instance
Instance: I select the new instance I just made by copying my old instance
Reassociation: I click the checkbox to allow Allow Elastic IP to be reassociated if already attached
I click associate
When I go to my webpage I get this error in edge:
Error Code: DLG_FLAGS_INVALID_CA
DLG_FLAGS_SEC_CERT_CN_INVALID
When I click proceed I get this instead of my website (Chrome would not allow me to proceed):
Looks like some sort of certificate issue...
The error I get in chrome is:
NET::ERR_CERT_AUTHORITY_INVALID

Can you please check which type of server it is (EC2-VPC or EC2-Classic)?
You can't associate an Elastic IP address that you allocated for use with a VPC with an instance in EC2-Classic, and vice-versa.
If this is the case you can migrate Elastic IP from classic to EC2-VPC.

The SSL certificate is invalid, or not installed correctly. It is not related to the EIP at all.
"This site is not secure" is a security alert that prevents users from accessing various websites. In the technical language, this error is known under the name of DLG_FLAGS_SEC_CERT_CN_INVALID.
You will need to provide more information about the cert, how it was issued, etc. to do any further troubleshooting.
See https://tecoreviews.com/how-to/fix-site-not-secure-pop-error-code-dlg_flags_sec_cert_cn_invalid/
The error message NET::ERR_CERT_AUTHORITY_INVALID is also related to the certificate.
Given these messages, I suspect the certificate has a common name mismatch, a root CA certificate is missing, or it's a self-signed certificate.
Check the certificate details carefully as presented in the browser. The browser itself is rejecting the cert. Check globalsign.com/en/blog/how-to-view-ssl-certificate-details and review. It should be clear why the cert is being rejected. When you see the specific error, you can figure out the cause and then fix it.

The domain name is key. When the SSL cert was created you provided a Common Name (i.e. domain name). Some SSL certificates cover subdomains (wildcard certificates issued for e.g. '*.example.com'), some don't (i.e. www.example.com only). If you have the latter kind you need to use the exact same domain to address the new box.

I did not update my security groups correctly so web traffic wasn't allowed.

Related

GCP load balancer stuck in FAILED_NOT_VISIBLE status

I am trying to create a load balancer using an App Engine backend. I followed the official guide. I followed this (pretty good) tutorial too. I can't get the domain status to switch to ACTIVE. It remains stuck as FAILED_NOT_VISIBLE, which indicates there may be a problem with setting the domain names.
I don't know what's missing. I have a relatively simple LB setting. The frontend is defined with the HTTPS protocol and an ephemeral address (#frontend_ip).
In Cloud DNS, I created a zone with the following record sets:
/ A record type / IPv4 = #frontend_ip
www / CNAME record type / IPv4 = #frontend_ip
The SSL certificate has the same 2 domain names defined as above (with and without www). I selected the Google-managed certificate type.
The following command gcloud compute target-https-proxies list shows my target-proxy is associated with my SSL certificate.
I tried a different way by creating an External IP address first, as explained in the above linked guide. Then, by selecting this External IP address in my Frontend configuration, instead of an ephemeral address. Then by selecting this External IP address as the IPv4 address of my domain names definitions. That doesn't seem to work either.
Any help would be greatly appreciated, as I don't know what's missing. I've tried to delete it all and re-create the LB and DNS settings.
You state that you created a zone. Is that zone pointed to by your domain registrar? Your problem is most likely incorrect DNS setup. Start at your domain registrar and make sure everything is set up correctly. Since you created a new zone, you probably have a name server problem.

Subdomain mapping on Go Daddy to HTTPS site on AWS EC2 Instance not working

I have created a subdomain demo.mysite.com which is hosted over godaddy.com. I have successfully mapped the subdomain demo.mysite.com to my AWS Elastic IP in the GoDaddy console.
On my AWS EC2 instance my website is secured, running over HTTPS, and I have deployed the certificates corresponding to demo.mysite.com on my AWS EC2 instance. Now the problems I am facing are:
1 - When I access my subdomain it points to my EC2 instance and the URL in my web browser changes to my Elastic IP, i.e. www.demo.mysite.com --->> https://201.12.34.58:8443/myApp, which must not happen; it must remain as https://demo.mysite.com
2 - And since my URL changes, I start getting the certificate error saying
The certificate is only valid for demo.mysite.com.
Error code: SSL_ERROR_BAD_CERT_DOMAIN
Can someone help in solving these two issues? I feel that if the first issue gets solved the second issue will automatically get solved. I am not sure though.
Guys I need your help
I suggest managing your domain DNS with CloudFlare. Add a CNAME record for your subdomain demo which points to that IP. On the CloudFlare console go to Crypto > Origin Certificates. Create a new one with RSA, then import it to AWS Certificate Manager at us-east-1. For the certificate chain use this. Be sure that Always use HTTPS in the Crypto tab is on. After some minutes you should be using your domain pointing to AWS with HTTPS working fine.
That's what I did to make a subdomain to work with an AWS API endpoint with SSL.

AWS CA ssl certificates not working?

I created a CSR on the AWS Linux server and used this to create a self-signed CA certificate which I then installed, but I get common name and host name mismatch errors.
Can somebody tell me what I have to do to correct the problem as the common name IP is internal to Amazon and the host IP is public so how do I create a workable certificate?
I am not a programmer but this is the last step of my site development. SSL is fine but I need to get the certificate working. Thanks
I did use mydomain.net as the common name but I think the answer lies in my changing the hostname in the AWS /etc/sysconfig/network file. This was set as HOSTNAME=localhost.local when I created the original CSR.pem file and certificate.
I changed localhost.local to mydomain.net, created another csr.pem file and certificate, and SSL is working. I should add I previously created an Elastic IP and attached this to the server, and in Route 53 allocated the domain name to the instance. There was no information to change the instance HOSTNAME in the network file.
When you find the answer it's obvious; finding the answer was the problem.
Many thanks

How to resolve domain name from public IP on Amazon

I have just created my AWS instance on Windows Server 2012 R2 for running my website. Problem is, I want to resolve my public IP address to my domain name. For example, my AWS public IP address is 1.2.3.4 and I want it to show as my own company domain.
This answer may seem strange because of the way it works, but it is from an official source and it does accomplish what you want -- setting a reverse DNS record on an elastic IP address. The address will remain associated with your account and can't be inadvertently released unless you subsequently undo this configuration.
You can now provide us with a configurable Reverse DNS record for any of your Elastic IP addresses. Once you’ve supplied us with the record, reverse DNS lookups (from IP address to domain name) will work as expected: the Elastic IP address in question will resolve to the domain that you specified in the record.
https://aws.amazon.com/blogs/aws/reverse-dns-for-ec2s-elastic-ip-addresses
You'll be sending a request to AWS support to configure this mapping.
The unexpected part of the solution, however, is the reason stated on the form that you use to send the request to AWS support...
https://aws-portal.amazon.com/gp/aws/html-forms-controller/contactus/ec2-email-limit-rdns-request
...it's actually the request form to remove the outbound SMTP port 25 restriction on your Elastic IPs... but part of the process is to assign reverse DNS entries to EIPs that you specify.

Browser certificate warnings for wildcard domain SSL certificate installed on Amazon ELB

I've setup an Amazon Elastic Load Balancer instance to provide SSL termination to the EC2 instances it balances.
The certificate is a wildcard domain variant provided by 123-reg. Verifying the SSL installation using the associated root authority (GlobalSign) using their validation tooling shows 2 issues:
Server configuration does not include all intermediate certificates
Hostname in certificate and DNS name do not match
I have been unable to get the ELB instance to accept the certificate chain, and as this is optional I have left this out for now. Googling around this issue, all I can find is that for browser-based consumers of the load balanced resources this is not in fact optional and will lead to issues. However, I have been unable to find any information about what issues this will cause. Specifically - is the lack of a certificate chain the reason I am getting the hostname mismatch warning?
If the lack of a certificate chain is not the reason for the second validation error, does anyone have any idea of what else could be the issue. Some key points are:
I have set up the friendly DNS for the load balancer as a CNAME pointing to the DNS name shown in the AWS console for the ELB (though it says it's actually an A record ...)
The instances behind the load balancer are Windows boxes, with the domain names they serve added to their respective hosts.ini
I have verified the certificate CN is correct and is *.OURDOMAIN.com as required for a wildcard certificate.
UPDATE - The domains I am trying to host are actually multi-level subdomains which appears to be the problem.
NOTE I am not especially looking for advice on how to upload the certificate chain as this is pretty well covered elsewhere on StackOverflow (although I can't get it to work all the same!). Rather, is the lack of the certificate chain the root cause for the hostname/DNS name mismatch, which is what I have been unable to fathom.
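The three certificate complaints that run through this thread can be reproduced offline and told apart: the ELB validator's "does not include all intermediate certificates" and "hostname in certificate and DNS name do not match" findings above, the wildcard-versus-exact-name point made in the answers to the first question, and the CN=localhost.local self-signed certificate from the CSR question. The script below is an added example, not code from any post here. It assumes only the openssl command-line tool (1.1.1 or newer) is installed; the root CA, intermediate, leaf and every name in it (example.com, localhost.local, mydomain.net) are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from any post in this thread. Builds a throwaway PKI with
# the openssl CLI (the only assumed dependency) and runs the same two checks a
# browser runs: does the chain reach a trusted root, and does the name in the
# URL match a name in the certificate. The two checks fail independently.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# root CA -> intermediate CA -> leaf for *.example.com, plus a stand-alone
# self-signed certificate whose CN is localhost.local (constructed names).
build_pki() {
    [ -f "$WORK/leaf.pem" ] && return 0      # already built

    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/int.ext"
    openssl x509 -req -days 1 -in "$WORK/int.csr" -CA "$WORK/root.pem" \
        -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/int.ext" \
        -out "$WORK/int.pem" 2>/dev/null

    # The leaf lists only the wildcard, like the 123-reg certificate on the ELB.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=*.example.com" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.example.com\n' \
        > "$WORK/leaf.ext"
    openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/int.pem" \
        -CAkey "$WORK/int.key" -CAcreateserial -extfile "$WORK/leaf.ext" \
        -out "$WORK/leaf.pem" 2>/dev/null

    # The CSR-question certificate: self-signed, CN copied from HOSTNAME=localhost.local.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=localhost.local" \
        -addext "subjectAltName=DNS:localhost.local" \
        -keyout "$WORK/self.key" -out "$WORK/self.pem" 2>/dev/null
}

# Verify leaf.pem for hostname $1 against the root. $2 is the file of
# intermediates "sent by the server" ("" = the server sent none, as on the ELB).
# Exit status is openssl's: 0 only when chain AND hostname are accepted.
verify_leaf() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$WORK/root.pem" -untrusted "$2" \
            -verify_hostname "$1" "$WORK/leaf.pem"
    else
        openssl verify -CAfile "$WORK/root.pem" -verify_hostname "$1" "$WORK/leaf.pem"
    fi
}

# The self-signed certificate, explicitly trusted (as a browser exception would
# do), checked against hostname $1.
verify_self() {
    openssl verify -CAfile "$WORK/self.pem" -verify_hostname "$1" "$WORK/self.pem"
}

build_pki
echo "--- ELB finding 1: intermediate not served -> chain error, not a name error"
verify_leaf www.example.com "" || true
echo "--- same leaf with the intermediate supplied -> OK, www.example.com matches *.example.com"
verify_leaf www.example.com "$WORK/int.pem"
echo "--- ELB finding 2: chain complete, but a.b.example.com is two labels deep"
verify_leaf a.b.example.com "$WORK/int.pem" || true
echo "--- the bare apex is not covered by the wildcard either"
verify_leaf example.com "$WORK/int.pem" || true
echo "--- CSR question: trusted self-signed cert, but the box is reached as mydomain.net"
verify_self mydomain.net || true
verify_self localhost.local
```

Run it as `sh check-chain-and-name.sh`. The first check fails with a chain error and the third with a hostname error, which answers the question the ELB poster raised: uploading the intermediate fixes the "not all intermediate certificates" finding but cannot fix the name mismatch, because a `*.example.com` certificate covers exactly one label (www.example.com but not a.b.example.com or example.com). Likewise the localhost.local certificate is rejected for mydomain.net even when it is fully trusted, which is why reissuing it with the real name was the fix in the CSR question.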