We got a certificate from ACM for our domain say example.com. On the application load balancer I deployed this and created a HTTPS listener with forwarding to my target group. The target group is an EC2 instances in a ASG.
Now the issue is when I access my LB URL with HTTPS I get the SSL_ERROR_BAD_CERT_DOMAIN error with the description
XXXXXX.us-west-2.elb.amazonaws.com uses an invalid security certificate. The certificate is only valid for example.com
I now this is probably the expected behavior, but in this case, how do I apply a ACM certificate of my domain on the application load balancer?
Thanks,
You have created a certificate for a specific domain, say 'example.com'. But you are not using this domain when accessing the ALB. Since there is a mismatch between the domain/hostname you are using ('XXXXXX.us-west-2.elb.amazonaws.com') and the certificates domain ('example.com'), your HTTP client shows you an error.
Create a DNS entry
example.com CNAME XXXXXX.us-west-2.elb.amazonaws.com
and access the domain using example.comas a hostname.
Related
I have a EC2 Instance in which I've installed an SSL certificate via LetsEncrypt
The Instance hosts a FastApi and Gunicorn which serves as server for a mobile app
There's an elastic IP attached to the EC2 instance
All inbounds and outbounds EC2 ports are opened
I have imported in the Certificate Manager (east-2 Virginia) the SSL certificate generated by LetsEncrypt
I have created an hosted zone in Route53 adding a domain (www.example.com) and creating the CAA (0 issue "letsencrypt.org") + changed the nameservers in godaddy as per the ones in the Route53 NS
I have created a CloudFront distribution having as origin the Public IPv4 DNS of the EC2 instance, redirecting HTTP to HTTPS, setting the Custom SSL certificate equal to the one uploaded in the Certificate Manager (LetsEncrypt) and in the Alternate domain name (CNAME) added the www.example.com
I have added in Route53, in the A record, the CloudFront Distribution domain name
Given these premises, in the EC2 instance there is not a landing html page (like hello world!) to be reached if the CloudFront Distribution domain name or the domain name is pinged.
However, If I ping it, I get the 502 error (502 ERROR The request could not be satisfied.
CloudFront wasn't able to connect to the origin. We can't connect to the server for this app or website at this time).
The domain was validated in the SSLlab without throwing errors except a "Chain issues Incorrect order, Extra certs" in the "Additional Certificates section" (not in the "Server Key and Certificate #1") and the X-Cache says: Error from CloudFront.
How can I fix the 502 error?
EDIT
I've posted the solution in the comment
The solution was to keep everything as above stated but:
remove the ssl certificate from the instance
generate a new ssl certificate in Certificate Manager from Amazon (this also implies creating records in Route 53 of the CNAME of the new certificate and selecting the new certificate in the Cloudfront distribution).
At the end the issue was a conflict between the two ssl certificates. Only one had to be kept.
I followed the following tutorial to setup an SSL Certificate with a parent domain hosted at another provider than aws to create a secure connection to my REST Api.
https://medium.com/#sonalishah_63223/how-to-host-subdomain-in-aws-route-53-for-an-existing-parent-domain-with-different-service-9b4dde061b85
Setup:
Hosted Zone -> Record pointing to - Elastic Load Balancer - Beanstalk -> EC2 (Spring Application)
Setup Description:
I created a hosted zone (sub.mydomain.at).
In that hosted zone I created a record (api.sub.mydomain.at) pointing to the Elastic Load Balancer.
Everything works fine, API is callable.
Afterwards I created a certificate through ACM.
(*.mydomain.at) which has been successfully issued.
I attached it to my load balancer and it seems to work, when calling the API via https://.
But Postman throws the following error.
SSL Error: Hostname/IP does not match certificate's altnames
I could turn off "Enable SSL certificate verification" and it would work, but this does not seem to be the right solution.
So I created another Certificate for the domain api.sub.mydomain.at which is not verifying. According to nslookup the server can't find the domain even if the CNAME is setup. (I assume it is not possible to create a CNAME with multiple 'sub-domains')
_12312<long-_number>.api.sub.mydomain.at
So how can I resolve the Issue "Hostname/IP does not match certificates alt names"?
I think in your case, you are forwarding the requests (cname record api.sub.mydomain.at from alb public dns to your custom domain)
So you need to add ALB public dns name on hearder like this:
request({host: 'ALB public DNS'... headers: req.headers
I have created an microservice API application and hosted it on AWS ECS cluster and attached this cluster to AWS Application Load Balancer (ALB). Added a certificate from AWS Certificate Manager to the ALB. When I try to call using the link provided by AWS ALB, from my frontend app, it returns an error:
net::ERR_CERT_COMMON_NAME_INVALID
The link from ALB is sonething like this:
xxxxx-xx-xxxxxxxxx.ap-south-1.elb.amazonaws.com
I attached a SSL certificate to the listener. The SSL is issued using AWS Certificate Manager for my-site.xyz and *.my-site.xyz
The frontend application is react application hosted on different-site.ai using AWS Amplify
Edit
The OP wanted this to resolve for their root/apex domain example.com, as they use Namecheap (which support an Alias record) a value was added for the root domain following these instructions.
Alias records are also supported in Route 53.
It needed to be an alias record as a root domain traditionally can only resolve to an IP address which would be an A record, whereas Alias will map the IP of the CNAME record to the value instead.
Original
The error thrown is because the SSL certificate that is attached is not applicable for the domain you're trying to access.
For example the cert is for example.com but you're trying to access xxxxx-xx-xxxxxxxxx.ap-south-1.elb.amazonaws.com.
To access this you must access on a valid domain name, to do this add a DNS record so that example.com resolves to xxxxx-xx-xxxxxxxxx.ap-south-1.elb.amazonaws.com. Then when accessing example.com the SSL will be valid.
In my case, when I was requesting a certificate, I failed to list the domain names correctly.
For example, if your website was www.somewhere.com, you would need to add
www.somewhere.com
and also add
somewhere.com
I am trying to setup HTTPS across my app which consists in a frontend (S3 bucket distributed with CloudFront), and a backend (node.js app inside Elastic Beanstalk).
For the CloudFront part, I created an SSL certificate in N. Virginia (apparently I don't have a choice here) and I made the binding in the CloudFront distribution. It works and my app is served over HTTPS.
For the Elastic Beanstalk part, I created an SSL certificate in Ireland (where my EBS app is hosted) and I bound this certificate to the EBS load balancer using the port 443. It works and I can reach my server with HTTPS using Postman.
However, when my frontend tries to make an API call to the backend I get this error :
I guess I made a mistake while creating the certificates, but I cannot find it. I gave both certificates the same set of CNAMES, I am not sure if I am supposed to do that.
EDIT :
I get the exact same error after updating the frontend so that it points the DName of the load balancer (also mapped to subdomain with Route 53).
CloudFront is attempting to load an HTTPS URL from your load balancer. I assume you have an SSL certification assigned to the load balancer. The domain name of the SSL certificate on the load balancer needs to match the domain name that CloudFront is requesting.
For example if the load balancer's SSL certificate is something like beanstalk.mydomain.com then CloudFront would need to be making requests for https://beanstalk.mydomain.com. The error CloudFront is giving you says that the domain name of the SSL certificate served by the load balancer does not match the domain name djumbo-back-debug.eu-west-1.elasticbeanstalk.co.
You need to setup something like the following:
DNS Name www.mydomain.com points to CloudFront Distribution
Configured to serve www.mydomain.com
Configured with an SSL certificate for the domain www.mydomain.com
Configure to pull from the origin beanstalk.mydomain.com
DNS Name beanstalk.mydomain.com points to Elastic Beanstalk application
With a Load Balancer, with an SSL certificate for beanstalk.mydomain.com
I am trying to setup HTTPS for my EC2 instance created from Elastic Beanstalk using a certificate from AWS's ACM.
According to this article https://colintoh.com/blog/configure-ssl-for-aws-elastic-beanstalk, I need to go to EC2 panel/load balancer and add a new listener rule.
My problem is that for the HTTPS load balancer protocol, when I try to add SSL Certificate, and click "Choose a certificate from ACM (recommended)", there's no ACM certificate available for me.
I know that I will have to request for a new Certificate for this load balancer address, but WHICH VERIFICATION METHOD SHOULD I USE?
As far as I know, there are 2 ways to verify your domain ownership(Email or DNS). I guess email is not an option here because you cannot send an email to a "elb.amazonaws.com" address. But I'm not sure how to verify certificate request by DNS.
And also, I tried to past the load balancer address xxx.xxx.elb.amazonaws.com into ACM to request a certificate for this address, but it says "invalid domain name"
And also, if I were to add custom domain name for my load balancer (for example, create a alias of api.example.com for the load balancer), how can I set up https for that custom domain of api.example.com?
Thanks a lot!
Problem solved. Need to request certificate in the same region as load balancer.
And then point the custom domain(the one used to request for certificate) to load balancer using route 53