I have purchased a domain from the GoDaddy provider and launched an application with the AWS Route 53 service.
My questions:
Where should I get an SSL certificate: GoDaddy or AWS?
How do I set up the SSL certificate?
Please tell me.
This depends on your use case and where you are running your application: ECS, EC2, or a static website on S3?
If you are using a load balancer in front of your application, then the certificate from AWS is best. You don't need to worry about renewal or any other configuration; just create the load balancer with a certificate from AWS Certificate Manager.
https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-create-https-ssl-load-balancer.html
CloudFront:
Here is the link for how you can configure it with CloudFront.
If you want to configure it directly on your EC2 instance, that is not possible:
"Although you install your website on an Amazon EC2 instance, you cannot directly deploy an ACM Certificate on that instance." (Source: AWS Doc)
Here is the list of services on which you can use an AWS certificate:
Elastic Load Balancing
Amazon CloudFront
AWS Elastic Beanstalk
Amazon API Gateway
AWS CloudFormation
Services Integrated with AWS Certificate Manager
You mention that you launched the application with Route 53, so I want to clear up one thing:
"Amazon Route 53 is a highly available and scalable cloud Domain Name System (DNS) web service."
So Route 53 is DNS, and it can be configured with:
"Amazon Route 53 effectively connects user requests to infrastructure running in AWS – such as Amazon EC2 instances, Elastic Load Balancing load balancers, or Amazon S3 buckets – and can also be used to route users to infrastructure outside of AWS."
Amazon Route 53
We are using AWS certificates and are happy with AWS services; in our case they are far better than any other service provider.
Let me know if you need further details.
Related
We have to deploy Restful Webservice(API services) and static pages in the AWS environment.
Currently, our Webservice is hosted in EC2 instance with one ELB and Route53. Also, the static pages are deployed in the S3 bucket. The Webservice and Website, both should be in the same domain.
When the user calls "www.domain.com/" it should be routed to the S3 server. However, the API calls (www.domain.com/api/**) should be routed to EC2 through the ELB. Is there any way to route API calls to the ELB and website access calls to S3 using Route 53?
Or what is the best approach to resolve this?
Yes, you can deploy both using the same domain name. APIs should be deployed using api.domain.com and websites can be deployed using domain.com. For that, you need to purchase an SSL certificate with domain name and subdomain support (e.g. https://example.com and https://api.example.com) and do the following.
Configure the certificate in AWS ACM
Deploy your website in the S3 bucket with CloudFront
Deploy APIs in EC2 with the support of a load balancer (ELB)
Configure Route 53 and define two routes, i.e. create records with the 'A' record type in Route 53 pointing to the ELB address and the CloudFront address.
See sample deployment architecture
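As an added example (not part of the answer above), a shell script that wires those four steps together with the AWS CLI: one ACM certificate covering both names, then Route 53 alias A records sending the apex to the CloudFront distribution and api.* to the ELB. It assumes AWS CLI v2 with credentials; example.com, the hosted zone id, the CloudFront domain and the load balancer name are placeholders.

```shell
#!/bin/sh
# Added example (not from the answer): request one ACM certificate for the apex
# and api.* names, then create Route 53 alias A records so that the apex goes
# to the CloudFront distribution (S3 site) and api.* goes to the ALB.
# example.com, the hosted zone id, the CloudFront domain and the ALB name are
# placeholders; the distribution must list the apex as an alternate domain name.
set -eu

DOMAIN="${DOMAIN:-example.com}"
HOSTED_ZONE_ID="${HOSTED_ZONE_ID:-ZPLACEHOLDER}"
CF_DOMAIN="${CF_DOMAIN:-dPLACEHOLDER.cloudfront.net}"
ALB_NAME="${ALB_NAME:-api-alb}"
CF_ALIAS_ZONE="Z2FDTNDATAQYW2"  # fixed alias hosted zone id shared by all CloudFront distributions

# Step 1: one certificate with a SAN for the api name. CloudFront only accepts
# certificates from us-east-1; an ALB in another region needs a second request there.
request_cert() {
  aws acm request-certificate --region us-east-1 \
    --domain-name "$DOMAIN" --subject-alternative-names "api.$DOMAIN" \
    --validation-method DNS --query CertificateArn --output text
}

# One UPSERT alias record. Alias A records carry no TTL and use the *target's*
# hosted zone id (CloudFront's fixed one, or the ALB's canonical one), not yours.
alias_record() {
  printf '{"Action":"UPSERT","ResourceRecordSet":{"Name":"%s","Type":"A","AliasTarget":{"HostedZoneId":"%s","DNSName":"%s","EvaluateTargetHealth":false}}}' "$1" "$2" "$3"
}

# Step 4: the change batch with both records; $1 = ALB alias zone id, $2 = ALB DNS name.
change_batch() {
  printf '{"Changes":[%s,%s]}' \
    "$(alias_record "$DOMAIN" "$CF_ALIAS_ZONE" "$CF_DOMAIN")" \
    "$(alias_record "api.$DOMAIN" "$1" "$2")"
}

apply_records() {
  alb_zone=$(aws elbv2 describe-load-balancers --names "$ALB_NAME" \
    --query 'LoadBalancers[0].CanonicalHostedZoneId' --output text)
  alb_dns=$(aws elbv2 describe-load-balancers --names "$ALB_NAME" \
    --query 'LoadBalancers[0].DNSName' --output text)
  aws route53 change-resource-record-sets --hosted-zone-id "$HOSTED_ZONE_ID" \
    --change-batch "$(change_batch "$alb_zone" "$alb_dns")"
}

# Only touch AWS when explicitly asked, so the helpers can be sourced and inspected.
if [ "${APPLY:-0}" = 1 ]; then request_cert; apply_records; fi
```

Run with `APPLY=1` once the DNS validation CNAMEs returned by ACM are in the hosted zone; the ALB's HTTPS listener and the distribution still need the certificate selected in their own settings.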
So far I did the configuration below.
I hosted my site on an EC2 AWS machine, with a public IP and public DNS.
I can access my website by IP as well as by public DNS.
I purchased a domain name from GoDaddy: www.xxtrasc.com
On AWS I created a hosted zone, then mapped www.app.xxtrasc.com successfully.
Now I can access my website directly at www.app.xxtrasc.com.
Next, I want to enable HTTPS.
On AWS Certificate Manager I ordered a certificate with the domain name *.xxtrasc.com.
I did everything to add the CNAME and so on. I can see the status as green-colored Issued on ACM.
Now how can I attach this certificate to my website so that I can access https://www.app.xxtrasc.com?
You cannot use ACM to directly install your ACM Certificate on your AWS-based website or application.
https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-install.html
You must use one of the following services:
Elastic Load Balancing
Amazon CloudFront
AWS Elastic Beanstalk
Amazon API Gateway
AWS CloudFormation
Please read the official doc: https://docs.aws.amazon.com/acm/latest/userguide/acm-services.html
So to install the certificate directly in the apache2/nginx configuration, you need to obtain the certificate from a third party like Let's Encrypt, GoDaddy, etc. You can read about that here - https://in.godaddy.com/help/manually-install-an-ssl-certificate-on-my-apache-server-centos-5238
On AWS I recommend using an ELB and placing your EC2 instances behind it. This will allow you to select your ACM certificate from the ELB itself. Please read the following doc to use a classic load balancer with HTTPS: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/ssl-server-cert.html
If you want to enable SSL on your site, you need to purchase an SSL certificate. You can purchase it from GoDaddy and then set it up on the AWS server. Without an SSL certificate, your HTTPS site won't work.
Is there a way to retrieve a certificate from Amazon Certificate Manager in the .ebextensions file for a single Beanstalk instance without a load balancer?
The documentation only shows a way to retrieve a certificate from an S3 Bucket. https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/https-storingprivatekeys.html
I'm considering rebuilding my app environment with an 'application' load balancer for this cert manager convenience even though I don't need it for this lightly used internal app. We don't have an S3 Bucket set up and I think the cost of that would be almost the same as a load balancer.
Unfortunately, there is no way to export the ACM private key for use outside of the service.
Please see How do I retrieve the private key for a certificate generated on AWS Certificate Manager? and https://serverfault.com/questions/822035/download-ssl-certificate-from-aws-certificate-manager
Like @Rodrigo said, it's not possible to use the ACM cert on a single-instance setup.
You can use the ACM certificate with only certain AWS services. As of today, here is the list of services that support ACM certs:
• Elastic Load Balancing – Refer to the Elastic Load Balancing documentation
• Amazon CloudFront – Refer to the CloudFront documentation
• Amazon API Gateway – Refer to the API Gateway documentation
• AWS Elastic Beanstalk – Refer to the AWS Elastic Beanstalk documentation
Reference:
With which AWS services can I use ACM certificates?
I am spinning up a new EC2 instance on demand from an AMI via a script using the Java SDK from here: http://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/welcome.html
I am hosting REST APIs on the newly spun-up EC2 instance on port 8000. I want to access the instance by IP only, as I will be spinning up many instances from the base AMI when needed and destroying them when not needed.
I want to call these APIs from another web application which is hosted under HTTPS. I know it will not allow me to hit HTTP from HTTPS due to Mixed Content.
After some research, I found that AWS provides the ACM Server Certificates service, which can be applied to EC2. Ref http://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/examples-iam-server-certificates.html
But it only works with services integrated with ACM, as the document at the link below says:
http://docs.aws.amazon.com/acm/latest/userguide/acm-services.html >>
"You cannot install an ACM Certificate directly on your website or application. You must install your certificate by using one of the services integrated with ACM. For more information about these services, see Services Integrated with AWS Certificate Manager."
Elastic Load Balancing
Amazon CloudFront
AWS Elastic Beanstalk
Amazon API Gateway
AWS CloudFormation
But I am not using any of the above-mentioned services. Is there any way to achieve this and install SSL on the EC2 IP using a script?
This is a common question, because AWS ACM certificates are free.
Thus, to avoid such certificates being used with services other than AWS ones, AWS never discloses the associated private keys to its customers.
To let the HTTPS server on your EC2 instance use such a certificate, AWS would have to give you the private key, for you to configure the HTTPS server itself.
This is why you cannot use an ACM certificate with your EC2 instance. You need to configure an Elastic Load Balancing instance in front of it, so that AWS provides this ELB with your certificate and private key (or provides an HSM with this private key and connects this HSM to the ELB front end).
Note that using an ELB instance in front of your EC2 instance, in order to be able to use a free certificate from the AWS ACM service, is probably a bad idea: certificates are often cheaper (depending on their type and duration, of course) than the ELB cost overhead.
Note that Let's Encrypt (https://letsencrypt.org/) can provide your EC2 instance with free DV (domain validated) certificates. You just need to install the Certbot ACME client, since you have shell access to your EC2 instance.
AWS has come up with a new service, AWS Certificate Manager. One thing I got from the description is that if we use this service we don't have to pay for the certificate anymore.
They are providing certificates for Elastic Load Balancer (ELB) and CloudFront, but I didn't find EC2 anywhere.
Is there any way to use the certificate with EC2?
Q: Can I use certificates on Amazon EC2 instances or on my own servers?
No. At this time, certificates provided by ACM can only be used with specific AWS services.
Q: With which AWS services can I use certificates provided by ACM?
You can use ACM with the following AWS services:
• Elastic Load Balancing
• Amazon CloudFront
• AWS Elastic Beanstalk
• Amazon API Gateway
https://aws.amazon.com/certificate-manager/faqs/
You can't install the certificates created by Amazon Certificate Manager (ACM) on resources you have direct low-level access to, like EC2 or servers outside of AWS, because you aren't provided with access to the private keys. These certs can only be deployed on resources managed by the AWS infrastructure -- ELB and CloudFront -- because the AWS infrastructure holds the only copies of the private keys for the certificates that it generates, and maintains them under tight security with auditable internal access controls.
You'd have to have your EC2 machines listening behind CloudFront or ELB (or both, cascaded, would also work) in order to use these certs for content coming from EC2... because you can't install these certs directly on EC2 machines.
No, you cannot use AWS Certificate Manager for deploying certs on EC2. The Certificate Manager certs can only be deployed against CloudFront and Elastic Load Balancer. In order to use it on EC2, you need to put an ELB in front of EC2, so that the request from the client to the load balancer is HTTPS-protected and from the ELB to the EC2 web server is over HTTP.
If you are using the AWS ACM cert for internal purposes only, then you could probably use AWS ACM Private CA to issue the certs. (I think you can use it for public/external traffic as well if your root CA is a publicly trusted CA.)
https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaGetStarted.html
During application/EC2/container startup, set a step to export your ACM Private CA-issued cert/private key to your destination and start referring to it for serving the traffic.
https://docs.aws.amazon.com/cli/latest/reference/acm/export-certificate.html
One good thing is that you can control who can call the export cert feature using an IAM role, so not everyone can download the cert's private key.
One downside is that Private CA is an expensive AWS service ($400/month).
https://aws.amazon.com/certificate-manager/pricing/
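An added example (not from the answer above) of that startup step using the AWS CLI and OpenSSL: a scoped IAM policy for the instance role, the export call, and decryption of the key into a root-only file. The certificate ARN and destination directory are placeholders, and since public ACM certificates are not exportable, this only works for a certificate issued by ACM Private CA.

```shell
#!/bin/sh
# Added example (not from the answer): boot-time export of an ACM Private CA
# issued certificate onto the instance. Public ACM certs cannot be exported;
# the ARN and destination directory below are placeholders.
set -eu

CERT_ARN="${CERT_ARN:-arn:aws:acm:REGION:ACCOUNT_ID:certificate/PLACEHOLDER}"
DEST_DIR="${DEST_DIR:-/etc/pki/app}"

# Least-privilege policy for the instance role: allow exporting this one
# certificate only, so the role cannot pull any other private key. Every
# ExportCertificate call is also recorded in CloudTrail for auditing.
iam_export_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "acm:ExportCertificate",
    "Resource": "$1"
  }]
}
EOF
}

# Copy a secret into place owned by the caller with mode 0600 (used for the key).
install_secret() {
  install -m 0600 "$1" "$2"
}

export_private_ca_cert() {
  work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
  # ACM encrypts the exported key under a caller-supplied passphrase; the CLI
  # docs forbid # $ % in it, so use base64 with the symbol characters removed.
  head -c 32 /dev/urandom | base64 | tr -d '+/=\n' > "$work/pass"
  aws acm export-certificate --certificate-arn "$CERT_ARN" \
    --passphrase "fileb://$work/pass" --output json > "$work/export.json"
  for field in Certificate CertificateChain PrivateKey; do
    python3 -c 'import json,sys; print(json.load(open(sys.argv[1]))[sys.argv[2]])' \
      "$work/export.json" "$field" > "$work/$field.pem"
  done
  # The key arrives as an encrypted PKCS#8 PEM; decrypt it for the web server.
  openssl pkey -in "$work/PrivateKey.pem" -passin "file:$work/pass" -out "$work/key.pem"
  mkdir -p "$DEST_DIR"
  cat "$work/Certificate.pem" "$work/CertificateChain.pem" > "$DEST_DIR/fullchain.pem"
  install_secret "$work/key.pem" "$DEST_DIR/privkey.pem"
}

if [ "${RUN_EXPORT:-0}" = 1 ]; then export_private_ca_cert; fi
```

Attach the policy from `iam_export_policy "$CERT_ARN"` to the instance role and run the script with `RUN_EXPORT=1` from user data or a systemd unit before the web server starts.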
Adding to the comments above, you can't use AWS Certificate Manager for this, but you can add a Let's Encrypt certificate to EC2 on a Windows server running IIS, and it's pretty easy:
Associate an Elastic IP with your EC2 instance.
Make sure you have a registered domain. You can't use the ec2----------.us-east-1.compute.amazonaws.com type names that come with your instance.
Through your domain provider's DNS settings, have your domain point to your Elastic IP.
Connect to your EC2 instance and add your domain name to the site bindings.
Go to https://github.com/PKISharp/win-acme/releases
Look under assets, and use the latest version (win-acme.v2.0.10.444.zip for example). This is the only assets folder that you need.
Unzip the folder, open the terminal as administrator, and cd into the unzipped folder.
Run wacs.exe and follow the prompts.
Make sure the security group assigned to your instance allows traffic (at the very least your own IP) through the HTTPS port you chose in IIS; this is port 443 by default.
I found the links below helpful when I was figuring this out. Here is a video using an earlier release if you need more help, but it's the same idea.
https://www.youtube.com/watch?v=fq5OUOjumuM
Also this article might be helpful:
https://weblog.west-wind.com/posts/2016/feb/22/using-lets-encrypt-with-iis-on-windows