Can I have two different SSL certificates for main and subdomain? - amazon-web-services

Can I use a Let's Encrypt SSL certificate for the main domain (www.example.com) and a free Amazon SSL certificate for the subdomain (api.example.com)? I am using an EC2 instance without an application load balancer (ELB) for www.example.com, but for api.example.com I am using an application load balancer (ELB) that connects to an EC2 instance. Do you think I can do that? I am new to it.
Any suggestion appreciated.

Yes. There is nothing stopping you from creating all the SSL certificates you want.

Related

Enable https on ec2 public DNS

What is the best approach to enable HTTPS on the EC2 public DNS? I just have a single instance running, so I don't think adding a load balancer is a good approach, and I don't have any domain name to point to my instance. I want to enable HTTPS on the instance's public DNS.
What is the best approach to enable HTTPS on the EC2 public DNS?
You can't do this, as the public DNS name provided by AWS does not belong to you. The DNS name belongs to AWS, and only AWS can have a valid SSL certificate for it.
To have a valid public SSL certificate for HTTPS you need your own domain that you control. Then you have to use a third-party service (ACM can't be used on EC2 instances, unless in an enclave) to get an SSL cert for your domain. A popular choice is https://letsencrypt.org/ with certbot, which provides free SSL certificates. By the way, StackOverflow is using Let's Encrypt as its SSL cert provider. Having the SSL cert, you can set up nginx to serve your application using HTTPS, or integrate the SSL certificates directly with your application.
If you don't want to do the above, you have to front your instance with a load balancer, CloudFront or API Gateway. Having a load balancer allows you to use ACM and easily get and provision SSL certificates. You still need your own domain, of course. Using a load balancer is the easiest to set up. With CloudFront and API Gateway there are more things to consider.

Installing SSL on EC2 as well as load balancer

I have an EC2 instance behind an Application ELB in AWS. I want to apply SSL to both the EC2 instance as well as the load balancer. For the EC2 instance I have purchased an SSL certificate and installed it, and it is working fine. For the load balancer I will be using the free AWS ACM certificate and installing it on the load balancer. Will this have any issues? i.e. installing SSL in both places, EC2 and ELB.
It will not have any issues but it does come with a caveat. The traffic in to the Application Load Balancer (ALB) will be encrypted and the ACM cert will be validated by the client. The traffic to the host from the ALB will also be encrypted but the certificate on the host will not be validated.
It looks like ALB Backend Authentication is on AWS's roadmap per the reference below. The reason given for it not being a priority is summarized in this quote from the AWS Engineer who wrote the first reference:
The role that server certificates play in TLS is to authenticate the server, so that it can’t be impersonated or MITM. ALBs run exclusively on our Amazon VPC network, a Software Defined Network where we encapsulate and authenticate traffic at the packet level.
The upside of this is you can use self-signed certs on your hosts to save money when using an ALB or ELB in front of them.
If you need to ensure the certificate on the host is valid you can use a Classic Elastic Load Balancer (ELB). See the reference for more details.
References
AWS ALB Validation TLS Reply
AWS ELB Configure Backend Authentication
If you use SSL/TLS at the ELB, it will handle the encryption/decryption of the HTTPS connections (freeing your EC2 instance's CPU to do other work).
If you use an HTTPS/SSL connection for your back end, you can enable authentication on the back-end instance. This authentication can be used to ensure that back-end instances accept only encrypted communication, and to ensure that the back-end instance has the correct certificates.
Using SSL/TLS on both the ELB and the backend can create problems, since the ELB HTTPS listener does not support client-side SSL certificates.
I have assumed that you are using 2-way SSL (mutual or client authentication).

SSL on ELB+nginx

I have an Application Load balancer and 1 EC2 instance currently behind it. Before, I was using another CA for receiving SSL certificates for my domain which was running on the EC2 with nginx. Now, I use SSL from Amazon's Certificate Manager for the load balancer's listener.
Should the domain's certificate be purchased individually on each EC2 instance for https connection to my application after moving it behind the ELB?
Is there any other way to establish https connection without using the separate certificates on the EC2 instances and with just the ACM on the load balancer?
You can use the same certificate on EC2.
But whenever you need to update the certificate you have to change in EC2.
If you have the EC2 in a private subnet (Not accessible to the internet)
you can use the self-signed certificate (self signed certificate nginx).
I encountered this problem and solved it by using the self-signed certificate.
You can use self-signed certificates on the EC2 instances to enable the load balancer to talk to your EC2 instances via HTTPS. The load balancer will not do certificate validation, so you do not need commercial certs.
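As an added example (not code from this thread), two helpers for the setup described in this answer and in the "Installing SSL on EC2 as well as load balancer" answer above: generating the self-signed certificate for an instance behind the ALB, and probing what certificate a client actually receives from the ALB versus from the instance. It assumes openssl 1.1.1 or later is installed; the hostnames passed to the functions are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the original thread. Assumes openssl (1.1.1+) is installed;
# the hostnames used with these functions are placeholders.
set -eu

# make_backend_cert <hostname> <outdir>
# Self-signed certificate for an instance that sits *behind* an ALB. The ALB does
# not validate the backend certificate, so this is enough to keep the ALB->instance
# hop encrypted; the SAN is added so nginx/curl on the host accept it too.
make_backend_cert() {
  host=$1
  out=$2
  mkdir -p "$out"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$out/backend.key" -out "$out/backend.crt" \
    -subj "/CN=$host" -addext "subjectAltName=DNS:$host" >/dev/null 2>&1
  chmod 600 "$out/backend.key"   # private key stays readable by the owner only
  echo "$out/backend.crt"
}

# cert_names <cert.pem>
# Prints the subject and the DNS SANs of a PEM certificate (one per line).
cert_names() {
  openssl x509 -in "$1" -noout -subject
  openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*'
}

# tls_probe <host> [port]
# Shows what certificate a client actually receives and whether it chains to a
# trusted CA. Against the ALB hostname expect the ACM certificate and
# "Verify return code: 0 (ok)"; against the instance's private address expect the
# self-signed certificate and a non-zero code (which is fine: the ALB ignores it).
tls_probe() {
  host=$1
  port=${2:-443}
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | sed -n '/^subject=/p; /^issuer=/p; /Verify return code/p'
}
```

Run `tls_probe` once against the ALB name and once against the instance address to confirm which hop terminates with which certificate.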

Https on Elastic Beanstalk Without Load Balancer

I would like to decrease my AWS bill and deactivate load balancing on some of my elastic beanstalk applications.
I managed to setup https through AWS Certificate Manager with the free Amazon issued certificates.
When I remove the load balancing, I don't have the option to set up the SSL certificate. Are there any ways to add it somewhere else, like from the EC2 instance linked to EBS?
Thanks for your help,
You can't use ACM certificates without either a load balancer or a CloudFront distribution. If you don't have either of those, you will need to obtain an SSL certificate through some other means, and install it on your web server software running on the EC2 instance.

AWS adding load balancer and autoscaling to existing https instance using let's encrypt

I have an existing EC2 instance running Apache2 where I set up HTTPS using the Let's Encrypt service. Now I'd like to create an autoscaling group (with 1 to 3 of these instances) and a load balancer, and I'd like to keep my HTTPS certificate.
Which is the best way to do that?
If the SSL certificate is going to be installed on each EC2 instance, then you can just set up port 443 on the load balancer as a TCP listener, and it will pass the traffic on port 443 directly to the instance, where the SSL certificate will be served.
Note that this is going to require Let's Encrypt be working on each instance that gets created. It will really be easier for you to get a new (free) certificate via the AWS ACM service, and install that on the load balancer.