AWS - Cross region SSL Certificate for the same Domain - amazon-web-services

I am facing an issue with an SSL certificate that I need to bind to an ELB instance.
Here is the situation:
I have registered a wildcard SSL certificate in Region A for the *.example.com and example.com domains.
There is an ELB instance pointing to admin.example.com in Region A which has a 443 listener using that SSL cert for HTTPS access, and it's working fine.
Now, in Region B, I have another new ELB instance that I need to point to the SAME domain with a different subdomain, store.example.com.
To achieve this, I have created a new SSL cert in the second region and assigned it to that ELB. However, I keep seeing the "Not Secure" warning from the browser when I try to open store.example.com.

This has to do with the way AWS structures their infrastructure.
The only way is to create a new one in the other region.

Related

AWS EC2 instance doesn't respond using HTTPS

I have an AWS EC2 instance that sends the response using HTTP. The URL is as below:
http://ec2-18-233-225-132.compute-1.amazonaws.com:3030/api/status
This works fine with the S3 bucket after the deployment, but CloudFront blocks requests that do not come over HTTPS. How do I make sure that HTTPS also works with this URL:
https://ec2-18-233-225-132.compute-1.amazonaws.com:3030/api/status
Thanks.
The ec2-18-233-225-132.compute-1.amazonaws.com domain belongs to AWS, not you. This means that you can't have a valid SSL certificate for it. You must have your own domain if you want to enforce HTTPS between CF and EC2.
Once you get your domain, you can use https://letsencrypt.org/ to get a valid free SSL cert for it. Alternatively, you can front your instance with a load balancer and get a free SSL cert for your domain using AWS ACM. Then you associate the SSL cert with the LB.
For CloudFront HTTPS handling:
Create a certificate in ACM. Update the CloudFront distribution to use that certificate and set SSL/TLS.
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-procedures.html#cnames-and-https-updating-cloudfront
For EC2 HTTPS handling: You need to open the HTTPS port (443). To do that, go to https://console.aws.amazon.com/ec2/ and click on the Security Groups link on the left, then create a new security group with HTTPS also allowed. Then just update the security group of the instance.
After these steps, if it's still not working, it is an application problem.
You have to configure the Security Group of that instance...
At the left side, down below the EC2 dashboard, you can see Network and Security; then click on Security Groups. Click on it... Then edit inbound rules... Add HTTPS, port 443.

AWS ALB - new certificate required if underlying ALB is recreated?

I am using a DigiCert certificate for an AWS ALB that has the domain www.example.com.
For some reason, the underlying AWS ALB was deleted and a new one was created, which also maps to www.example.com.
There has been no other change to the underlying servers.
I am now seeing a "Certificate is invalid" error saying it's not secure.
Do I need to procure a new certificate or is it some other issue?
Thanks.
I don't know DigiCert, so I guess that your certificate creates trust for the IP of the ALB.
ALBs are not static at all by design. This is basically a super huge cluster of HAProxy, and resources are allocated dynamically based on customers' consumption. There is no way to have a static IP; that's why they give you a CNAME only.
You should seek DNS validation or use an AWS certificate.

Where is the certificate specified for an AWS host?

My certificate has expired, and I recreated it and reassociated it with a load balancer.
The certificate has *.example.com and example.com attached (?) to it,
and I can see that the certificate works by visiting https://example.com.
Then I try to visit https://log.example.com and it errors with NET::ERR_CERT_DATE_INVALID (it must be the old expired certificate which is causing the error).
The question is, how can I get the new certificate to be used for the EC2 machine?
EDIT
log.example.com is not behind the load balancer; it's directly mapped via IP address.
The certificate being served by log.example.com is not the ACM certificate attached to the load balancer for example.com, as log.example.com is served directly from the IP address.
You are limited to the following options:
If you want to use an ACM certificate you will need to either add a CloudFront distribution or a load balancer in front of your application. The DNS record for log.example.com would need to be changed to the new resource.
If you want to use a direct connection to your instance, then you are limited to using another certificate authority. You can use certbot to generate a free certificate, or purchase one from another provider. This will then need to be installed and configured on your server.

ACM certificate - SSL_ERROR_BAD_CERT_DOMAIN

We got a certificate from ACM for our domain, say example.com. On the application load balancer I deployed this and created an HTTPS listener forwarding to my target group. The target group is EC2 instances in an ASG.
Now the issue is, when I access my LB URL with HTTPS I get the SSL_ERROR_BAD_CERT_DOMAIN error with the description:
XXXXXX.us-west-2.elb.amazonaws.com uses an invalid security certificate. The certificate is only valid for example.com
I know this is probably the expected behavior, but in this case, how do I apply an ACM certificate of my domain on the application load balancer?
Thanks,
You have created a certificate for a specific domain, say 'example.com'. But you are not using this domain when accessing the ALB. Since there is a mismatch between the domain/hostname you are using ('XXXXXX.us-west-2.elb.amazonaws.com') and the certificate's domain ('example.com'), your HTTP client shows you an error.
Create a DNS entry
example.com CNAME XXXXXX.us-west-2.elb.amazonaws.com
and access the domain using example.com as the hostname.
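Added example (not from any of the posts above): a small Python reproduction of the identity checks a browser performs, which is what produced the "Not Secure" warning in the wildcard question at the top, the NET::ERR_CERT_DATE_INVALID error in the expired-certificate question, and the SSL_ERROR_BAD_CERT_DOMAIN error here. The SAN list, dates and hostnames are constructed samples; `served_certificate` is an optional live helper that needs network access.

```python
from datetime import datetime, timezone
import socket
import ssl


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style SAN check as browsers do it: a wildcard covers exactly one
    label, only leftmost, so '*.example.com' matches 'store.example.com' but
    neither 'example.com' nor 'a.b.example.com'."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return (len(p_labels) == len(h_labels) and len(p_labels) >= 3
            and p_labels[1:] == h_labels[1:])


def check_identity(san_names, hostname, not_before, not_after, now=None):
    """Return the browser-style errors a client would raise; [] means acceptable."""
    now = now or datetime.now(timezone.utc)
    errors = []
    if not any(name_matches(n, hostname) for n in san_names):
        errors.append("SSL_ERROR_BAD_CERT_DOMAIN")   # host not covered by any SAN
    if not (not_before <= now <= not_after):
        errors.append("NET::ERR_CERT_DATE_INVALID")  # outside the validity window
    return errors


def served_certificate(hostname: str, port: int = 443):
    """Live helper (needs network): SANs and validity of the cert a host serves.
    Hostname checking is off so a mismatched cert is still returned; chain
    validation stays on, so an expired or untrusted cert raises
    ssl.SSLCertVerificationError, which is itself the diagnosis."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    to_dt = lambda s: datetime.fromtimestamp(ssl.cert_time_to_seconds(s), timezone.utc)
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return sans, to_dt(cert["notBefore"]), to_dt(cert["notAfter"])

# Constructed sample, not a real certificate: the wildcard ACM cert from the
# first question, valid for calendar year 2024 and inspected mid-year.
SAMPLE_SANS = ["example.com", "*.example.com"]
SAMPLE_NOT_BEFORE = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_NOT_AFTER = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
```

Running `check_identity(SAMPLE_SANS, "xxxxxx.us-west-2.elb.amazonaws.com", SAMPLE_NOT_BEFORE, SAMPLE_NOT_AFTER, now=SAMPLE_NOW)` reports SSL_ERROR_BAD_CERT_DOMAIN, which is why the fix is a DNS name covered by the certificate rather than a different certificate.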

How to configure CloudFront with an EC2 instance and Elastic IP

I have a blog (codeoverflow.in) hosted on an AWS EC2 instance. I am using CloudFront and an ACM certificate to provide SSL for my blog. But when I access codeoverflow.in or www.codeoverflow.in, CloudFront redirects me to the https version successfully but gives the following error:
The request could not be satisfied. CloudFront wasn't able to connect
to the origin. Generated by cloudfront (CloudFront) Request ID:
TE89T-COJiVFgBGUpBG_2gWd6Iim3c-svHsborUct49O9Owjb3nl6g==
I have type A and type AAAA alias records for both codeoverflow.in and www.codeoverflow.in in Route 53, all pointing to the CloudFront distribution. A custom SSL certificate is also configured for both domains. As of now I have dissociated the Elastic IP from EC2, but I want to use it as well, together with CloudFront and EC2. Please help me configure all three together.
It looks like you're trying to connect to your origin via HTTPS, but it doesn't sound like you have SSL enabled on your instance.
The easiest thing to do is use a hostname for your origin, i.e. www-origin.codeoverflow.in. Create a load balancer that listens on both 80 & 443, deploy an appropriate cert to that (you may have to create a new one, or create a wildcard) and put your instance behind that, listening on port 80. Finally, create an ALIAS record in Route 53 from www-origin to your load balancer.