I got a yaml file for specifying an ssl certificate (provided by aws certificate manager) for the load balancer of a kubernetes deployment. But we are running our kubernetes cluster in an aws china account where the certificate manager option is not available. Now, if I have an SSL certificate provided by Godaddy, how can I install it? Are there any other ways to install the certificate rather than on the load balancer? Can I install it in my tomcat container itself and build a new image with it?
As far as I know, you cannot set up an ELB deployed with a kubernetes Service to use a certificate which is NOT an ACM certificate. In fact, if you take a look at the possible annotations here you'll see that the only annotation available to select a certificate is service.beta.kubernetes.io/aws-load-balancer-ssl-cert, and the documentation for that annotation says the following:
ServiceAnnotationLoadBalancerCertificate is the annotation used on the
service to request a secure listener. Value is a valid certificate ARN.
For more, see http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-listener-config.html
CertARN is an IAM or CM certificate ARN, e.g. arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012
As you ask, you can for sure terminate your ssl inside your kubernetes Pod and make the ELB a simple TCP proxy.
In order to do so, you need to add the following annotation to your Service manifest:
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: 'tcp'
Also, you will need to forward both your http and https ports in order to handle the http to https redirect correctly inside your pod.
If you need more specific help, please post your current manifest.
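A Service manifest for the TCP pass-through setup described in this answer, as an added example that is not part of the original post: a shell script that renders the manifest and sanity-checks it before it goes to kubectl. The app label and the container ports (8080 for HTTP, 8443 for HTTPS) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original answer: render a Service manifest that
# turns the classic ELB into a plain TCP pass-through, so the pod (here a
# Tomcat container) terminates TLS with its own non-ACM certificate.
# Assumptions: the Deployment is labelled app=<name> and the container
# listens on 8080 (HTTP) and 8443 (HTTPS); adjust targetPort to your image.
render_tcp_passthrough_service() {
  cat <<EOF
apiVersion: v1
kind: Service
metadata:
  name: $1
  annotations:
    # 'tcp' makes the cloud provider create TCP listeners that forward raw
    # bytes, so the TLS handshake happens inside the pod, not on the ELB.
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: 'tcp'
    # With TCP pass-through the pod no longer sees client IPs; enable proxy
    # protocol only if Tomcat/your server is configured to parse it:
    # service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: '*'
spec:
  type: LoadBalancer
  selector:
    app: $1
  ports:
    # Both ports must be exposed: the ELB cannot redirect in TCP mode, so
    # the pod's HTTP listener has to answer with a 301 to https://.
    - name: http
      port: 80
      targetPort: 8080
      protocol: TCP
    - name: https
      port: 443
      targetPort: 8443
      protocol: TCP
EOF
}

# Checks to run before 'kubectl apply': no ACM-only ssl-cert annotation
# (it would make the ELB try to terminate TLS itself), tcp backend protocol
# present, and both 80 and 443 exposed.
validate_manifest() {
  printf '%s\n' "$1" | grep -q 'aws-load-balancer-ssl-cert' && return 1
  printf '%s\n' "$1" | grep -q "backend-protocol: 'tcp'" || return 1
  printf '%s\n' "$1" | grep -q 'port: 80$' || return 1
  printf '%s\n' "$1" | grep -q 'port: 443$' || return 1
}

manifest=$(render_tcp_passthrough_service tomcat)
validate_manifest "$manifest" && printf '%s\n' "$manifest"   # then: | kubectl apply -f -
```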
I think I misunderstand the concept of adding ssl protection to my aws ec2 instance with a load balancer!
I have an Ionic app web, ios and android. I want to switch all http requests to https.
What I did:
Purchasing a url with route53
Getting a certificate with acm
setting up a load balancer like this...
https:443 -> ec2 instance (Here I applied the certificate)
http:80 -> https:443
http:8080 -> https:443
In Hosted Zones I added an A type record that points from my url to the Load balancer.
In my Ionic code I changed the endpoint addresses to https://my-backend-api-url.com/ (Yes, I changed my-backend-url.com to the real url :)
In the web deployment this setup lets me call the backend. But in the ios and android deployments it doesn't work and returns a 0 unknown error.
In the load balancer I can see that the requests from mobile deployments produce client tls negotiation errors.
My Attempt to fix this:
If I understand it right (and there is a big if) I need an ssl/tls certificate that is in my app build in a certificate folder, and I need the same certificate on my load balancer. Since aws ACM certificates only work for other aws services I think I can not use the certificate I created and applied via ACM.
So I think I need an ssl certificate from a CA and tried to get one with:
sudo certbot certonly --apache
When I enter my url it says:
"Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80"
Maybe also helpful to know is that I can access my backend api with the browser, but it shows me that it's unsecure and the certificate is not valid.
Am I on the right track with my approach or did I completely misunderstand something? If my approach is correct, what do I have to do so that certbot can access port 80?
Any hint, link to a good tutorial, or help in any way is highly appreciated.
I think there is no need to get an ssl certificate from an external provider. You are accessing your load balancer without ssl. Your load balancer is doing the decryption for you. So, just check that your load balancer is in a security group with an open 443 port.
I am posting this here to help others facing this problem as I could not find any useful information on the web.
If you have mapped your ACM certificate to an end-point (EC2, ELB, EKS service, whatever), you will need to enable CertificateTransparencyLoggingPreference, else you will get NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED in Chrome. To do this via the aws-cli, the command is:
aws acm update-certificate-options --certificate-arn <ARN of ACM certificate> --options CertificateTransparencyLoggingPreference=ENABLED
I have provided the full response from AWS support as the answer, as this contains even more information.
This is Vivek from AWS Containers team. I will assist you on this case.
From the case description, I understand that you requested an ACM certificate and created an ELB (service load balancer) behind which you are running nginx pods in the EKS cluster example-EKS-CLUSTER-dev. When accessing the site https://test-aws.example.co/ from a browser you are getting the error below:
Error: NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED
You would like to use a third party CA such as Let's Encrypt to issue free SSL certificates for your domains. You do not want to move the domain to Route53. You wish to know how to do this and achieve https. Please let me know if my understanding is correct.
Regarding the error ERR_CERTIFICATE_TRANSPARENCY_REQUIRED, this error is thrown by the Chrome browser when it can not find CT (certificate transparency) logs. For Google Chrome to trust the certificate, all issued or imported certificates must have the SCT information embedded in them. By default ACM logs all new and renewed certificates. However, it provides an option to opt out from the AWS API or CLI. You may find more about this on link [1].
I checked the load balancer mapped to the domain “test-aws.example.co”. It is mapped to ELB abce6962e05794f36a23435db3f1837d-1755308045.eu-west-2.elb.amazonaws.com which uses ACM certificate arn:aws:acm:eu-west-2:150737547637:certificate/f932b11d-af17-4023-be41-045c6fcc5e86. I checked this certificate and found that the option “CertificateTransparencyLoggingPreference” is disabled. You may enable transparency on the certificate to fix the issue by running the following command:
aws acm update-certificate-options --certificate-arn --options CertificateTransparencyLoggingPreference=ENABLED
Once the certificate is updated with CertificateTransparencyLoggingPreference as enabled, the issue will resolve, i.e. you should no longer receive the error NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED when accessing the site over https.
Regarding your other query, i.e. how to use a third party certificate such as LetsEncrypt with ELB for https, you may obtain the desired certificate (get it issued from the desired CA) and import it in ACM or IAM. Once the third party certificate is imported in ACM/IAM, it can be associated with the https listener of the ELB similar to how you associate a certificate issued by ACM (by using annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert in the service definition yaml with the value as the ARN of the imported certificate). Please find the steps to import a certificate in ACM on link [2]. The steps to import a certificate in IAM can be found on [3].
I am trying to install my CA certificates within the ingress controller. I am following this guide: https://docs.aws.amazon.com/eks/latest/userguide/aws-load-balancer-controller.html
I could run cert-manager in a Node group while running other pods in Fargate. I want to know:
I am getting the error that says x509 error:
certificate is valid for *.corp not aws-load-balancer-webhook-service.kube-system.svc
Do I need to install cert manager though I have my own tls certs? How do I route traffic with tls certs from aws-load-balancer-controller?
Thanks,
Surya.
You don't need cert manager to use certs with load balancers. Cert manager is a utility to dynamically generate & manage the lifecycle of certificates.
If you have your own certificate you can import it into your alb or nlb created by the load balancer controller for ingress or service objects respectively.
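For the import route named in the AWS support reply and in this answer, an added example (not the page's own code, nor the controller's): check a certificate/key pair locally, import it into ACM, and render the ingress annotations the AWS Load Balancer Controller uses to serve it. The file names cert.pem, privkey.pem and chain.pem are assumptions.

```shell
#!/bin/sh
# Added example, not from the answer: import a certificate you already own
# (GoDaddy, Let's Encrypt, an internal CA) into ACM so an ALB created by the
# AWS Load Balancer Controller can serve it, with no cert-manager involved.
# File names and the ingress being patched are assumptions; the ARN that
# ACM prints is the value the ingress needs.

# Pre-flight: refuse to import a certificate whose public key does not match
# the private key. ACM rejects such a pair anyway; catching it locally saves
# uploading a private key for nothing.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# Leaf certificate, its private key and the intermediate chain (PEM; the
# chain must not repeat the leaf). Prints the new certificate ARN.
import_into_acm() {
  cert_matches_key "$1" "$2" || { echo "certificate/key mismatch" >&2; return 1; }
  aws acm import-certificate \
    --certificate "fileb://$1" \
    --private-key "fileb://$2" \
    --certificate-chain "fileb://$3" \
    --query CertificateArn --output text
}

# Ingress patch for the ALB: terminate TLS at the ALB with the imported
# certificate and redirect plain HTTP to HTTPS. For a Service of type
# LoadBalancer (NLB) the equivalent annotation is
# service.beta.kubernetes.io/aws-load-balancer-ssl-cert with the same ARN.
render_ingress_patch() {
  cat <<EOF
metadata:
  annotations:
    alb.ingress.kubernetes.io/certificate-arn: $1
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
    alb.ingress.kubernetes.io/ssl-redirect: '443'
EOF
}

if [ "${1:-}" = "--live" ]; then
  arn=$(import_into_acm cert.pem privkey.pem chain.pem) || exit 1
  render_ingress_patch "$arn" > ingress-tls.patch.yaml
  echo "apply with: kubectl patch ingress <name> --patch-file ingress-tls.patch.yaml"
fi
```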
I am trying to use an Amazon SSL certificate for my app. Currently, I have a dockerized application hosted on an AWS server with an envoy front-proxy. I am using Let's Encrypt SSL certificates for a trusted domain certificate. Now I want to switch to Amazon's SSL certificates.
I am exploring this but I didn't get any clear idea. This blog shows how to enable traffic encryption between services in AWS App Mesh using AWS Certificate Manager, but they have not mentioned how to do it with the envoy proxy.
For envoy, we have to provide cert and key files. But as per this question, we are not able to download these files from Amazon. Is it possible to use the Amazon certificate with the envoy front-proxy? If yes, then can you please give me an idea/example of how to do it?
Thanks in advance.
Only AWS services can use AWS SSL certificates. If you want to use an AWS SSL certificate for TLS/HTTP traffic you would use an Application Load Balancer to handle the certificate and send it to your Envoy proxy hosted on an EC2 box. Ideally you would keep the network traffic encrypted, which would require you to use a LetsEncrypt certificate between the Application Load Balancer and EC2.
What is my indication that I am using AWS Certificate Manager correctly and that any remaining problems getting my site to load at https are due to a mistake I am making in my Apache configuration?
In AWS Certificate Manager, I see "Success! Your certificate was issued successfully." Does that mean there are no further steps for me to complete in the AWS console, and I need only get my Apache configuration correct to finish?
Currently, when I try to visit a URL at my site with the http protocol, it loads fine, but when I visit at https, the browser tries to load the page but it never loads.
I have followed the instructions for creating an HTTPS listener, but still do not know if I am done with all necessary steps in AWS console. How would I know?
Edit: To clarify, I am using an Elastic Load Balancer (ELB), since the documentation indicated I need to use ELB with AWS Certificate Manager (ACM). However, I do not know how to determine if I have configured everything correctly in AWS console that I need to in order to access the site at HTTPS.
Edit 2: This might come close to answering my question, possibly, but I don't know how to do this: "You can use curl, telnet etc from your local machine to verify 443 port status on ELB" -- #vivekyad4v.
ACM (AWS Certificate Manager) supports AWS resources like ELB, Cloudfront, API Gateway etc. You can add SSL certificates to these resources via the AWS console.
Currently, it doesn't support EC2. You cannot use ACM with EC2 instances; you will need a Load Balancer in front of it. Once you have a load balancer, SSL termination happens on the load balancer & not on the EC2 instance.
Once it is setup, you can change your apache server config to redirect all HTTP requests to HTTPS.
Add certificate to ELB - "https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-update-ssl-cert.html"
Update apache config - "https://aws.amazon.com/premiumsupport/knowledge-center/redirect-http-https-elb/"
No EC2 support - "https://aws.amazon.com/certificate-manager/faqs/"
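An added example, not from the question or the answer, for the "use curl, telnet etc from your local machine to verify 443 port status on ELB" hint above: a shell probe that maps curl's exit code to the ELB-side setting to check, so an ELB or security-group problem can be told apart from an Apache one. The host name is an assumption passed as the first argument.

```shell
#!/bin/sh
# Added example, not from the question or the answer: acts on the hint to
# "use curl, telnet etc from your local machine to verify 443 port status on
# ELB". It probes the HTTPS listener directly and maps the curl exit code to
# the AWS-side setting to check, separating ELB/security-group problems from
# Apache ones. The host name is an argument: your domain or the ELB DNS name.

# Pure helper: curl exit code -> what to look at. Codes are curl's documented
# ones: 0 ok, 6 DNS, 7 refused, 28 timeout, 35 TLS handshake, 51/60 cert.
diagnose_curl_exit() {
  case "$1" in
    0)  echo "ok: listener answers and the certificate validates; anything left is behind the ELB (Apache, health checks)";;
    6)  echo "dns: the name does not resolve; add the Route 53 A/ALIAS record pointing at the ELB";;
    7)  echo "refused: no listener on 443 on this ELB, or DNS points at the wrong target";;
    28) echo "timeout: the ELB security group does not allow inbound 443";;
    35) echo "tls handshake failed: the 443 listener is TCP/HTTP rather than HTTPS, or has no certificate";;
    51|60) echo "certificate rejected: the ACM certificate does not cover this host name (expected when you hit the raw ELB DNS name)";;
    *)  echo "curl exit $1: see the EXIT CODES section of 'man curl'";;
  esac
}

# Live probe: HEAD over TLS with a short timeout, then the certificate that
# actually answered, with SNI set so the ELB selects the right one.
probe_https() {
  rc=0
  curl -sS -o /dev/null -m 10 --head "https://$1/" || rc=$?
  diagnose_curl_exit "$rc"
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer -dates
}

# If the probe is "ok" but the page still hangs, the problem is past the ELB:
# the instance must answer the ELB on port 80 (instance security group allows
# the ELB), and Apache should redirect based on X-Forwarded-Proto, since the
# instance never sees TLS when ACM terminates it on the ELB.
if [ -n "${1:-}" ]; then probe_https "$1"; fi
```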