Can I use AWS own ELB certificate for HTTPS/SSL connection? - amazon-web-services

I know that you can add your own certificate to the domain and point that domain to the AWS Elastic Load Balancer. In my case I don't have a domain, but would still like to use a secure HTTPS/SSL connection when talking client <-> backend. Is it possible to enable an HTTPS connection directly to the ELB, i.e. instead of using http://some-random-url-here.eu-west-1.elb.amazonaws.com I would like to use https://some-random-url-here.eu-west-1.elb.amazonaws.com
That would mean that AWS would need to provide the cert for the *.elb.amazonaws.com domain. I remember that at least a long time ago this was possible, but maybe my memory does not serve me right?

Memory does not serve you right. This is not possible now and would not have been possible in the past. ELBs don't have, and it is not possible to obtain, a certificate like this (including from Amazon Certificate Manager).
In fact, 3rd party providers like Let's Encrypt also have protections to prevent you from obtaining certificates like this, since amazonaws.com is not your domain.
You will need a domain that you control.

Related

How to setup SSL for EC2 with ACM?

(I'm an AWS newb)
So I have a running EC2 instance and want to set up the SSL so it can serve HTTPS.
I found a guide from AWS to set up the SSL with an external CA, or a brief statement that ACM should be able to work with EC2, but I can't seem to find any step-by-step guide for this, and I expect AWS should have made this doable with only a few clicks.
Do I need to use the ELB, even though my server is only running in ONE instance?
ACM SSL certs can't be used directly on instances (except enclaves, as indicated by Mark in the comments). They can only be used, as in your link, on load balancers, CloudFront distributions or API Gateway. Thus, if you want to use ACM, you have to use one of these three services in front of your EC2 instance.
But if you don't want to use them, then you need to get your SSL cert from a third party, not from ACM. A popular choice is https://letsencrypt.org/ along with certbot, which provides free public SSL certificates. This means that you have to set it up yourself on the instance, usually done through a reverse proxy such as nginx.

HTTPS connections to cloudfront / S3 using godaddy domain

I'm following the serverless-stack guide and have a website hosted in an Amazon S3 bucket. I purchased a domain using GoDaddy and I have set up CloudFront to work with this bucket, then have used AWS Certificate Manager to generate SSL certificates for my domain (both www.my_domain.com and my_domain.com).
In GoDaddy I then configured DNS forwarding to point to my cloudfront resource.
This all works nicely, and if I go to my_domain.com in a browser then I see my website.
However, I can't get SSL working. If I go to the https:// version of my website then I see a "not secure" error in the Chrome address bar, which shows a certificate pointing to shortener.secureserver.net rather than my own website.
Could someone point me at a way around this? Looking through S.E. and using Google it seems that Amazon's Route53 might be able to help, but I can't figure out how to do this.
Thanks!
(edit) To make things more clear, this is what I see in Chrome if I connect to https://my_website.com or to https://www.my_website.com:
The warning message:
The certificate details:
What I do not understand is why, after configuring an AWS certificate for my domain, I see a certificate for shortener.secureserver.com rather than a certificate for my_website.com.
GoDaddy has problems and does not redirect to HTTPS. There are two ways: the first is to change domain registrar, and the second is the easiest, which is: Create a hosted zone on AWS Route 53 with your domain name.
Create 2 type A records, one for the root (of your domain) and one for www, that point to your CloudFront. Route 53 allows you to create a type A record without having an IP, because it directly points to a CloudFront instance that you indicate; that's the best.
Then GoDaddy gives you the option to change name servers. Take the ones assigned by AWS in the hosted zone, in the record that says NS, and put those 4 in GoDaddy, replacing the ones that were there.
Note: SAVE THE NAME SERVERS THAT YOU HAVE IN GODADDY BEFORE REPLACING THEM, SO THAT IN CASE YOU HAVE ANY PROBLEM YOU CAN PUT THEM BACK AGAIN.
You have to wait at least a few hours until all the name servers are updated; you can use the who.is page to see if the DNS has already been updated with those of AWS.
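An added example of the Route 53 part of the procedure above, written for this page and not taken from the answer: it builds the two alias A records (root and www) as one change batch, applies them, and fetches the hosted zone's NS set to paste into GoDaddy. The hosted zone id, domain and distribution domain are placeholders you supply; boto3 and AWS credentials are assumed only for the two functions that talk to AWS.

```python
"""Route 53 alias records for a CloudFront distribution (added example)."""

# AWS-wide hosted zone id that every CloudFront alias target uses
CLOUDFRONT_HOSTED_ZONE_ID = "Z2FDTNDATAQYW2"


def alias_record(name, distribution_domain):
    """Alias A record: no IP needed, Route 53 resolves the CloudFront target itself."""
    return {
        "Action": "UPSERT",
        "ResourceRecordSet": {
            "Name": name if name.endswith(".") else name + ".",
            "Type": "A",
            "AliasTarget": {
                "HostedZoneId": CLOUDFRONT_HOSTED_ZONE_ID,
                "DNSName": distribution_domain,
                "EvaluateTargetHealth": False,
            },
        },
    }


def cloudfront_change_batch(domain, distribution_domain):
    """Root and www records in one atomic change batch."""
    domain = domain.strip().rstrip(".").lower()
    return {
        "Comment": "Point apex and www at CloudFront",
        "Changes": [
            alias_record(domain, distribution_domain),
            alias_record("www." + domain, distribution_domain),
        ],
    }


def apply_records(hosted_zone_id, domain, distribution_domain):
    """Submit the batch to Route 53 (needs boto3 and credentials)."""
    import boto3  # deferred so the pure functions above work without AWS access
    r53 = boto3.client("route53")
    return r53.change_resource_record_sets(
        HostedZoneId=hosted_zone_id,
        ChangeBatch=cloudfront_change_batch(domain, distribution_domain),
    )


def delegation_nameservers(hosted_zone_id):
    """The four NS hosts to enter at GoDaddy (save the old ones first, as the answer says)."""
    import boto3
    r53 = boto3.client("route53")
    return r53.get_hosted_zone(Id=hosted_zone_id)["DelegationSet"]["NameServers"]
```

The domain also has to be listed under the distribution's Alternate Domain Names (CNAMEs) with an ACM certificate attached, or CloudFront will not serve it.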
It turns out that this is not possible with GoDaddy. If anyone else reading this has a similar problem, the only current solution is to cancel your domain registration and register with someone else.
(edit) As @aavrug mentions in their comment, Amazon now have a guide for this.
When you define your CloudFront distribution you can define which protocol you want to use, and you can choose HTTPS only. In this case HTTP requests will be automatically redirected to HTTPS. Keep in mind that CloudFront changes may take a while to be replicated and your browser caches them as well, so the best way is to make a change, wait for the deployment and then check it in a new incognito browser window.
It goes without saying that your certificate must be valid and verified as well.
It might be something wrong with your certificate or with your domain.
If you're serving your content over HTTPS you must provide an SSL certificate in CloudFront. Have you done that?
Have you added your domain on Alternative Domain Names (CNAMEs)?
Please have a look at the image below:
-> AWS provides free SSL certificates to be used with CloudFront, so you might want to use them (easier than importing your SSL certificate from GoDaddy).
You can create a free SSL certificate on AWS and easily attach it to your CloudFront distribution.
-> You can also transfer your domains to AWS Route53. It is easy to integrate with any AWS service and easy to use/maintain :)
I wrote a complete guide on my blog explaining how you can add a custom SSL certificate and attach a custom domain to a CloudFront distribution; it might be useful :)
https://lucasfsantos.com/posts/deploy-react-angular-cloudfront/

How to install a external SSL for an ELB instance?

I have an ELB instance installed on my AWS account (http://editoradbosco.us-east-2.elasticbeanstalk.com), and it is working normally. My domain is installed on Hostgator (https://centrodombosco.org), and on this, I have a CNAME that points to my AWS endpoint (http://editora.centrodombosco.org).
However, I need to use an HTTPS (SSL) protocol. How can I proceed? I have an SSL contracted on Hostgator for this subdomain, but Hostgator has informed me that I need to make adjustments to AWS so that it works, but I do not know how to proceed.
How can I make this work?
I tried to create an SSL certificate with Certificate Manager on AWS, setting up the CNAMEs in my DNS panel on Hostgator. But it fails. I guess it's not possible to use AWS certificates outside AWS domains.
There are two ways you can do this.
Since you already have an SSL certificate from HostGator, you can import that certificate into AWS Certificate Manager (instructions here). Once you import a certificate it is immediately considered validated, and you can immediately proceed to configure your EB environment's load balancer to terminate HTTPS as described here.
Alternatively, if you'd like to use Amazon Certificate Manager but for some reason the DNS validation isn't working, or it's not possible for you to validate ownership of the domain using the DNS method, Amazon Certificate Manager also offers you the option to use email to validate your ownership of the domain, as described here. Once your ownership of the domain is validated you can then proceed to configure your EB environment's load balancer to terminate HTTPS as described here.
As a side note, you may wish to consider using Route53 to handle DNS for your domain. Route53 is tightly integrated with AWS services such as ACM and, as is the case with ACM, services requiring custom DNS entries will often offer to make the correct DNS entries directly into your Route53 hosted zone on your behalf.

Email-based DCV Issue (multiple domains) - Amazon Certificate Manager (ACM)

Is there a way to validate domain control without using the email process? As I need to be able to add additional domains to the certificate for new clients...
The problem I'm facing is I can't add to the existing AWS certificate and have to create a new one with all the domains. When I do that, everyone for every domain gets emailed and asked to confirm at:
administrator@domain.com
hostmaster@domain.com
admin@domain.com
postmaster@domain.com
webmaster@domain.com
So I have had to register a separate certificate and upload it to ACM instead, which is not ideal, mainly as it's limited to 99 domains and I was hoping to automate the whole process.
Is this possible with AWS?
Thank you.
Q: Are any other methods for validating a domain or approving a certificate supported?
Not at this time.
https://aws.amazon.com/certificate-manager/faqs/#provisioning
Having so many domains on one certificate isn't really a good practice, for other reasons, as well.
You're making your certificate physically longer and longer, wasting some amount of bandwidth, because the cert is sent to every connecting client, on every new connection.
Renewals will also be messy, if any of the domains on the cert are no longer pointing to your site, because auto-renewal requires that the issued cert be reachable on the Internet for each hostname.
ACM tries to automatically renew your Amazon-issued SSL/TLS certificates before they expire so that no action is required from you. To renew your certificate automatically, the following must be true:
ACM must be able to establish an HTTPS connection with each domain in the certificate.
For each connection, the certificate that is returned must match the one that ACM is renewing.
http://docs.aws.amazon.com/acm/latest/userguide/configure-domain-for-automatic-validation.html
One cleaner solution (the one I am using) is to provision each domain's cert individually, and attach each one to its own CloudFront distribution, pointing that to your origin server (which I assume in this context to be an ELB) and whitelisting all headers for forwarding to the origin, which bypasses caching and causes CloudFront to function as a simple but distributed reverse proxy. Setting "compress objects automatically" in CloudFront may also save some bandwidth charges, and even with caching disabled, CloudFront should improve the responsiveness of your sites by keeping traffic on the AWS network for more of the path between origin and viewer.

Cloud Foundry SSL with Cloud Flare

I have an application in Cloud Foundry, let's say http://something.cfapps.io. Also I purchased a custom domain, let's say http://mynewapp.com. Currently, I am masking the custom domain to the domain from Cloud Foundry.
My question is, if I want to enable SSL in Cloud Flare, which domain should I put as secured? Is it the first one or the second one?
You can actually do both through our SSL options. I assume you're looking at something like Flexible SSL?
Step-by-step instructions for setting up SSL on a custom domain can be found here.
http://docs.run.pivotal.io/marketplace/integrations/cloudflare/index.html
Basically this results in requests going to CloudFlare over HTTPS and being sent to your application over SSL via https://.cfapps.io. This is the "Full SSL" option and it gives you end-to-end encryption. What it doesn't give you is certificate checks, and so despite it being very unlikely, it is technically susceptible to a man-in-the-middle attack.
The "Full SSL (strict)" option would eliminate the possibility of a man-in-the-middle style attack, however this doesn't work at the moment because the certificate check expects the incoming domain (i.e. your domain) to match the domain on the backend server's certificate, which it won't since your domain won't match ".cfapps.io".
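An added example (not code from any answer on this page) of the hostname check that several of these threads run into: a certificate only serves a name that one of its subjectAltName entries covers, which is why nothing covers the raw ELB hostname, why the forwarder's shortener.secureserver.net certificate fails for your own domain, and why Cloudflare's Full (strict) mode fails when your domain is not in the *.cfapps.io certificate. san_matches() implements the usual wildcard rules offline; probe() connects to a live host and reports its SANs, whether they cover the name, and the leaf fingerprint you can compare against the certificate ACM is trying to renew. All hostnames below are placeholders.

```python
import hashlib
import socket
import ssl


def san_matches(hostname, san):
    """Match hostname against one DNS SAN entry: exact match, or a wildcard
    that covers exactly one label on the left (RFC 6125 style). '*.cfapps.io'
    covers 'app.cfapps.io' but not 'a.b.cfapps.io' and never 'mynewapp.com'."""
    hostname = hostname.lower().rstrip(".")
    san = san.lower().rstrip(".")
    if not san.startswith("*."):
        return hostname == san
    suffix = san[1:]                      # ".cfapps.io"
    if not hostname.endswith(suffix):
        return False
    left = hostname[: -len(suffix)]       # the part the wildcard must cover
    return left != "" and "." not in left


def cert_covers(hostname, sans):
    """True if any DNS SAN on the certificate covers hostname."""
    return any(san_matches(hostname, s) for s in sans)


def probe(hostname, port=443, timeout=5.0):
    """Connect, require a trusted chain, then report whether the presented
    certificate actually covers the name we asked for. The name check is done
    separately so a mismatch is reported rather than raised."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False            # we report the match result ourselves
    ctx.verify_mode = ssl.CERT_REQUIRED   # chain must still be trusted
    with socket.create_connection((hostname, port), timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
            der = tls.getpeercert(binary_form=True)
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {
        "hostname": hostname,
        "sans": sans,
        "covered": cert_covers(hostname, sans),
        "leaf_sha256": hashlib.sha256(der).hexdigest(),
    }
```

Running probe() against each domain on a multi-domain ACM certificate and comparing leaf_sha256 across them is a quick way to confirm the renewal condition quoted above (each name must present the certificate being renewed).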