I have an EC2 Instance with a cloudfront certificate issued to its origin. It is in use but I get an error when trying to access it.
CloudFront wasn't able to connect to the origin.
After some research I have realized that my setup was done correctly through ACM but The server is not sending the required intermediate certificate. (I tested it using https://www.digicert.com/help/) After consulting with some friends and reading some other answers on SO I found out that I need to install a intermediate certificate onto my server but cant seem to figure it out using ACM.
Related
I want to add an SSL certificate to my application that is currently deployed on Elastic Beanstalk. I had created the certificate using AWS Certificate Manager using both the validation methods but none of them worked. I neither got an email nor adding the CNAME to godaddy as well as Route 53 got it validated. I had followed the exact steps specified in the documentation. I am the owner of the domain so I should have gotten an email but I didn't. Any idea what might I might be doing wrong?
Also, is there another way to generate the SSL certificate besides AWS CM for my application?
I have an issue I've been working on in aws. I have a website made for a friend and can't seem to get the connection secure. What I used is the certificate manager in aws and have received a certificate for my domain. Here's one of the links I used as an example. https://aws.amazon.com/blogs/aws/new-aws-certificate-manager-deploy-ssltls-based-apps-on-aws/ I have followed examples online but they seem to be for load balancer's. What I'm a missing?
I found a useful tutorial and I share it with you how to setup your domain with s3 Bucket and CloudFront from AWS https://www.youtube.com/watch?v=uwgB_sIhIko&t=321s
My Situation
I have a web api hosted in an EC2 instance. I am trying to configure a cloudfront instance "infront" of that EC2 instance.
However, I have not been able to get my cloudfront to forward requests to the EC2 instance. I get hit with an error response like this:
Access to XMLHttpRequest at 'https://api.example.com' from origin 'https://example.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No access-control-Allow-Origin header is present on the requested resource
However, if I change my DNS to point https://api.example.com to EC2 instance's IP address, it works.
What I have done so far
Configured to use correct SSL certificate (for a different problem earlier)
Configured my CF distribution's behaviors to Whitelist Headers: "Origin"
Configure my CF distribution's behaviors to "All" - (which disables caching)
Invalidated cloudfront cache
What I am trying to do
I came across this AWS doc titled "Configuring CloudFront to Respect CORS Settings".
Link
However, it only says "Custom origins – Forward the Origin header along with any other headers required by your origin."
But... How do I do that? How do I forward origin header along with any other headers required? The docs doesn't specify or link to another docs to do it.
I have spent 4 hours or so now and it's extremely frustrating because Cloudfront takes ~30 minutes to deploy.
I have managed to fix this issue it turned out I had overlooked another error returned by Cloudfront: 502 Bad Gateway. Even though Chrome will show the abovementioned error "Access to XMLHttpRequest...". This was caused by my improper DNS and SSL certificates configuration due to my inexperience.
I will try to answer my own question, seeing after hours of searching, there wasn't a straight answer regarding (Cloudfront, EC2 and HTTPS) in Stackoverflow and there are many unaswered questions.
The goal my group was trying to achieve was enabling HTTPS connectivity for the entire set-up: Users' browsers, Cloudfront distribution and my EC2 instance.
What I did to fix this:
Generated a free SSL certificate (e.g. Let's Encrypt) to use for EC2 instance using a sub-domain (i.e. ec2.example.com or wildcard *.example.com). *Note: ACM does not allow public SSL certificates to be exported that can be used in EC2 instances, so use other free online SSL services. Do not use self-signed certs.
Import this certificate into ACM to be used for Cloudfront later too.
Created a new DNS A record to map the sub-domain to the EC2 instance. (e.g. ec2.example.com to ec2-xx-xxx-xx.ap1-location.amazonaws)
Created a new Cloudfront distribution and set the origin as the sub-domain, ec2.example.com. Also, under "Cache Based on Selected Request Headers", set it to "Whitelist" and to forward "Origin" headers. For SSL cert in Cloudfront, use back the one generated back in step 1)
Created a new DNS A record and map an "api" sub-domain to the Cloudfront. (e.g. api.example.com to abcdxyz.cloudfront.net)
I am now able to use a sub-domain (api.example.com) to communicate with Cloudfront which in turns communicates back to my EC2 and performs caching, using HTTPS all along.
Reference links: link1,
link2
There is probably a better way to set this up and if so, please do correct me so I can improve too! Hopefully this answer will help someone else new like me in the future too.
I'm creating a CloudFront distribution for an S3 bucket. I successfully created it and mapped the DNS. Now I want to use HTTPS for the DNS.
I created a cert via ACM. But the cert is not appearing in the CloudFront Custom SSL pge.
Any ideas why?
I was able to accomplish the task, however, this is not the answer to the question.
I pasted the certificate ARN to the Custom SSL field and updated the CloudFront distribution. By this way, I was able to add SSL to my custom domain. However, my certificate still not appears in the Drop down menu.
Pls verify whether the certificate is created in us-east-1 region. Cloud front can use certificates that are created in that specific region.
I'm familiar with creating a CSR (via openssl) on a webserver and submitting it to a CA to purchase an SSL cert.
A site we're building (using Elastic Beanstalk) has a requirement that certificates are managed via a HSM. I think AWS CloudHSM is the correct tool to use here? I have:
Created the EB environment in a VPC with public and private subnets
Requested and assigned an SSL cert to the environment via AWS Cert
Manager (at this point, I have a working site over https, just no HSM)
Created a HSM cluster in the same VPC, and downloaded its
CSR.
At this point, the docs (http://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr) leave me a bit stuck.
It says, "Your CA signs the CSR, which creates a signed certificate. Then you provide the signed certificate and your CA's issuing certificate to initialize the cluster."
Fine. Except if I try to upload this CSR to (ie, Verisign, GlobalSign) I get "Certificates with internal names are no longer permitted". Which makes sense - I'm not requesting a cert for a site's external domain name, the cert is for the HSM: which, I'm guessing, I'll then use to create an openssl cert once its CSR has been signed.
Basically, I'm very confused about how a HSM fits into the otherwise simple SSL-requesting procedure of: generate CSR, submit to CA, install cert on webserver. Especially given my added complications of doing this all with Elastic Beanstalk and AWS ACM rather than just dumping a cert file on the server and updating the Nginx conf.
How does it all work ??
Since posting this question a year ago, AWS have updated their documentation on how to set up SSL offload with a CloudHSM. By following that documentation, I was able to set up a separate EC2 instance - outside of ElasticBeanstalk - for SSL termination. It's still not possible, AFAIK, to use a CloudHSM directly from within ElasticBeanstalk.