SSL certificate error with wildcard subdomain #AWS route53 aliased to an ELB - amazon-web-services

The setup
Route 53 record (*.testing.domain.com) linked to an ELB (which uses an Amazon Certificate Manager issued certificate for *.domain.com and domain.com).
The targets of the ELB are running nginx, which in turn proxy_passes the incoming requests to a (Django) server running on port 80xx (e.g. 127.0.0.1:8099).
Note: the nginx server listens for requests on ports 80 and 443, and the targets of the ELB are registered on ports 80 and 443.
QUESTION:
I am able to access the following:
http://domain.com
https://domain.com
http://any.subdomain.domain.com
I want to know why I am getting a NET::ERR_CERT_COMMON_NAME_INVALID when I'm trying to access https://any.subdomain.domain.com
Thanks

You need to request another certificate for *.subdomain.domain.com.
https://docs.aws.amazon.com/acm/latest/userguide/acm-certificate.html
*.example.com can protect login.example.com and test.example.com, but it cannot protect test.login.example.com. Also note that *.example.com protects only the subdomains of example.com; it does not protect the bare or apex domain (example.com). However, you can request a certificate that protects a bare or apex domain and its subdomains by specifying multiple domain names in your request.
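Added example (not from the answer above, nor AWS or browser code): a Python implementation of the one-label wildcard rule (RFC 6125) that browsers apply before raising NET::ERR_CERT_COMMON_NAME_INVALID, run against the certificate names from the question; `SAN_NAMES` and the test hostnames are constructed for illustration.

```python
# Added example: match a hostname against a certificate's subject alternative
# names using the rule that a wildcard covers exactly one DNS label. This
# reproduces the browser's decision for the *.domain.com certificate above.

def name_matches(pattern: str, host: str) -> bool:
    """Return True if the certificate name `pattern` covers `host`."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host            # plain SAN entry: exact match only
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # Browsers only honour a wildcard that is the entire left-most label and
    # that still leaves at least two fixed labels (so *.com is rejected).
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    # The wildcard stands in for exactly one non-empty label, so the host must
    # have the same number of labels and share everything after the first one.
    if len(h_labels) != len(p_labels) or h_labels[0] == "":
        return False
    return h_labels[1:] == p_labels[1:]


def cert_covers(san_names, host: str) -> bool:
    """True if any SAN entry on the certificate covers `host`."""
    return any(name_matches(name, host) for name in san_names)


def wildcard_needed(host: str) -> str:
    """The wildcard SAN entry that would cover `host` and its sibling names."""
    return "*." + host.split(".", 1)[1]


# Constructed: the SAN entries of the ACM certificate described in the question.
SAN_NAMES = ["domain.com", "*.domain.com"]

if __name__ == "__main__":
    for host in ["domain.com", "any.domain.com", "any.subdomain.domain.com"]:
        ok = cert_covers(SAN_NAMES, host)
        status = "OK" if ok else "NET::ERR_CERT_COMMON_NAME_INVALID"
        extra = "" if ok else f" (needs {wildcard_needed(host)})"
        print(f"{host}: {status}{extra}")
```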

Related

Link domain to ALB keeping https

Currently I have a domain (mysite.com) bought in Google Domains; it's just a domain. My application is hosted on AWS, where I have my application deployed. The setup is quite straightforward: access to the application goes through an ALB (lb-123.com), which has no SSL configured yet. My problem is how to link the domain to the ALB over HTTPS to my application in AWS, which is accessed over HTTP. I should be able to access mysite.com using HTTPS, and it should access lb-123.com either through HTTP or HTTPS, but for a client it should look like it accesses HTTPS.
The ALB doesn't have an IP, only a DNS name. Should I use only a CNAME for redirecting mysite.com to lb-123.com?
Should I configure HTTPS for the ALB too? If so, then what is the right way to do it? What certificate should I use? Is there any free certificate for the ALB?
How do people usually link their domains over HTTPS with any sort of backend that has only a DNS name (e.g. AWS ALB)?
The easiest way to get SSL for your ALB is through AWS ACM, which provides free SSL certificates:
How can I associate an ACM SSL/TLS certificate with a Classic, Application, or Network Load Balancer?
So in your case, you have to go to AWS ACM and request a free public SSL cert for your domain. The domain can be at Google; it does not matter. Once you verify that you control the domain, you will get a cert issued that you can associate with the ALB.
Then you use a CNAME at Google to point your domain to the ALB's domain.

Can I setup SSL on an AWS provided ALB subdomain without owning a domain?

I have the following setup at AWS ECS:
Container with the Caddy web server on port 80 that serves static files and proxies /api/* requests to the backend
Container with the backend on port 8000
EC2 instance in ECS
ALB at the subdomain http://some-subdomain-12345.us-east-2.elb.amazonaws.com/ (the subdomain was provided automatically by AWS) with an HTTP listener
I want to set up an SSL certificate and an HTTPS listener for the ALB at this subdomain that was provided by AWS. How can I do it?
P.S. I have seen an option for an ALB with an HTTPS listener when we attach a custom domain, i.e. example.com, and AWS will provide an SSL certificate for it. But this is a pet project environment and I don't worry about a real domain.
You can put your ALB behind CloudFront, which unlike ALB gives you a TLS certificate by default. So you can address your application at e.g.:
https://d3n6jitgitr0i4.cloudfront.net
Apart from the TLS certificate, it will give you the ability to cache your static resources at CloudFront's edge locations, and improve latency on the TLS handshake roundtrips.
I want to set up an SSL certificate and an HTTPS listener for the ALB at this subdomain that was provided by AWS. How can I do it?
You can't do this. This is not your domain (AWS owns it) and you can't associate any SSL certificate with it. You have to have your own domain that you control. Once you obtain the domain, you can get a free SSL certificate from AWS ACM.
This could be a solution without using subdomains, using path redirection instead:
https://caddy.community/t/caddy-2-reverse-proxy-to-path/9193

AWS load balancers are not secure in the browser even with ACM

I have a domain example.com and I want to have HTTPS access with the subdomain my_subdomain.example.com via an AWS load balancer.
I have the load balancer open for 443 and have a Route 53 CNAME my_subdomain.example.com pointing to my load balancer address. I can access the site on my EC2 using a browser at my_subdomain.example.com; however, it's not secure in the browser.
My ACM certificate is approved for both example.com and *.example.com.
Is there an extra step I need for HTTPS to work? When I do it with a single server with nginx I use https://certbot.eff.org/lets-encrypt/ubuntufocal-nginx, so I imagine I need a similar step.
Can someone point me in a direction?
Use AWS Certificate Manager for your certificate: it will provide a free certificate you can install on your load balancer. When you add the listener for port 443, step 3 will prompt you for a certificate, select 'Choose a certificate from ACM (recommended)'.

AWS certificate manager https configuration for domain

I have a slight problem with SSL.
Currently, if I were to route to my domain as example.com, it goes to the HTTP version instead of the HTTPS version.
However, if I were to force https://example.com, it stays as https://example.com.
I'm wondering what I have to do on the Certificate Manager side of AWS to get HTTPS working when I type in example.com without the https.
I have already configured my Route 53 aliases for my domain to route to my Elastic Beanstalk URL. I also have SSL certificates for my domain example.com and *.domain.com that were both validated successfully, are Amazon issued and are also In Use.
Have you tried redirecting HTTP traffic (80) to HTTPS (443)? This answer contains the steps.
For ALBs, you can follow the steps below:
1. Add a listener for HTTPS and forward the traffic to the target group
2. Add a listener for HTTP and forward the traffic to HTTPS
Final setup:

Cloudfront, ELB and SSL

If I use CloudFront to sit in front of a web server, which itself is behind an ELB, would the following apply?
I use Route 53 to create a domain name record for the CF domain and apply an SSL certificate to that domain to secure the distribution.
If CF cannot serve the content from the cache, then the SSL connection is forwarded to the ELB (which fronts the web server as an origin server).
Therefore I also need to use the same domain name (FQDN) on the ELB (via a Route 53 CNAME) and apply the same cert there too?
When CF forwards the request through the ELB, the SSL is terminated.
Is that right? Will one FQDN cert suffice, or is it better to use a wildcard? Is it better to use the origin server domain name instead?
As I can now use the new AWS Certificate Manager tool (ACM) to add these certs, does anyone know if CF still requires the cost for use of a custom SSL cert when using ACM (which makes CF an expensive AWS service)?
If CF cannot serve the content from the cache, then the SSL connection is forwarded to the ELB (which fronts the web server as an origin server).
The SSL connection is not "forwarded". A new SSL connection is established between CloudFront and the ELB.
The SSL connection between the user and CloudFront is a completely different connection than the one between CloudFront and the ELB. Therefore, there are no requirements on matching the domain names used on the ELB and CloudFront.
Therefore I also need to use the same domain name (FQDN) on the ELB (via a Route 53 CNAME) and apply the same cert there too?
The only restriction is that the SSL certificate on the ELB must match the domain name used on the ELB. It can be a different SSL cert and domain name than those used on CloudFront.
If you want to use the "Custom SSL" feature and support "All Clients", not just those that support SNI, then yes, you must still pay the extra charges, even if you are using ACM.
Example 1
You can create Route 53 records for www.domain.com and origin.domain.com and an SSL cert for *.domain.com. From these, you would assign www.domain.com to the CloudFront distribution, origin.domain.com to your ELB, and use the wildcard cert on both.
Example 2
You can create Route 53 records for www.domain.com and origin.domain.com and separate SSL certs for www.domain.com and origin.domain.com. From these, you would assign www.domain.com to the CloudFront distribution using the www.domain.com cert, and origin.domain.com to your ELB using the origin.domain.com cert.
Example 3
You can create Route 53 records for www.domain1.com and origin.domain2.com and separate SSL certs for www.domain1.com and origin.domain2.com. From these, you would assign www.domain1.com to the CloudFront distribution using the www.domain1.com cert, and origin.domain2.com to your ELB using the origin.domain2.com cert.