setup aws certification for a web page - amazon-web-services

I have a web page i would like to work with ssl (https)
for now it is working but with the private certification which alerts the user of "connection is not secure".
I issued a aws certification by following the link :
https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-validate-dns.html#dns-add-cname
And set my tomcat server to work with certificate by as shown in this link
http://techtracer.com/2007/09/12/setting-up-ssl-on-tomcat-in-3-easy-steps/
but i can not seem to get ride of the "connection is not secure" issue

The blog post is too old around 11 years. not sure it working or not.
But you can generate a new free certificate using AWS Certificate Manager Link and add it to load balancer for terminate SSL connection.Your servers will be behind of that load balancers.

On AWS ACM you will need to have a load balancer in front of your web server, you can then terminate the SSL at the load balancer and forward HTTP connections to your tomcat webserver:
https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-create-https-ssl-load-balancer.html
Alternatively if you don't want to have a load balancer (cost etc), then you can look at using a free CA, such as letsencrypt. I've never used letsencrpt with tomcat before but a quick google came up with a few sensible solutions e.g. https://community.letsencrypt.org/t/configuring-lets-encrypt-with-tomcat-6-x-and-7-x/32416
Once up and running with SSL I suggest you check how strong your SSL config is using https://www.ssllabs.com/

Related

SSl/TLS from Ionic mobile App to aws load balancer not working

I think I misunderstand the concept of adding ssl protection to my aws ec2 instance with a load balancer!
I have an Ionic app web, ios and android. I want to switch all http requests to https.
What I did:
Purchasing a url with route53
getting certificate with acm
setting up a load balancer like this...
https:443 -> ec2 instance (Here a applied the certificate)
http:80 -> https:443
http:8080 -> https:443
In Hosted Zones I added an A type record that points from my url to the Load balancer.
In my Ionic code I changed the endpoint addresses to https://my-backend-api-url.com/ (Yes I changed the my-backend-url.com in the real url :)
in the web deployment this set up lets me call the backend. But in the ios and android deployments it doesnt work and returns a 0 unknown error.
In the load balancer i can see that the requests from mobile deployments produce client tls negotiation errors.
My Attempt to fix this:
If I understand it right ( and there is a big if) I need a ssl/tls certificate that is in my app build in a certificate folder and i need the same certificate on my load balancer. Since aws ACm certificates only work for other aws services I think I can not use the certificate I created and applied via ACM.
So I think I need an ssl certificate from an ca and tried to get one with:
sudo certbot certonly --apache
When i enter my url it says:
"Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80"
Maybe also helpful to know is that I can access my backend api with the browser but it shows me that its unsecure and certificate is not valid:
Am I on the right track with my approach or did I completely misunderstand something? If my approch is correct what do I have to do that certbot can access port 80.
Any hint, link to a good tutorial, or help in any way is highly appreciated.
I think there is no need to get an ssl certificate from an external provider. You are accessing without ssl your load balancer. Your load balancer is doing the decryption for you. So, just check that your load balancer is in a security group with an open 443-port.

SSL cert for AWS domain?

I have a backend service i'm running in Fargate. I need this service to have an SSL cert on its load balancer so that it can talk to other HTTPS services. I've created the load balancer and it gives me an AWS domain (my-cool-app.us-east-1.elb.amazonaws.com).
Now, when I try to request a certificate through acm, it fails and says "Additional verification required". So i'm not sure if it's possible to add an SSL cert to this load balancer without registering a custom domain?
Also, this is a Django app and I haven't done anything other than keep it as runserver which I know isn't good for production but I just need to start by making it work as a dev environment. Do I need to change the way Django runs in order for SSL to work? Or is the load balancer sufficient?
To use an SSL for a domain you need to have control over that domain. For the AWS managed certificate service (ACM) you can verify through either DNS validation or email validation both of which you must essentially have domain control to validate.
As you're trying to use ACM for a AWS owned domain, someone from AWS would need to approve the SSL (which they won't).
Regarding your second point what you're describing is SSL offloading, in which the load balancer will serve HTTPS and then terminate encryption in transit. It will then forward the request to the Fargate container using the protocol and port defined in the target group.
The only thing you want to consider is how you display to the user, for example ensure that all CSS, JS ans links on your site are HTTPS. You can detect whether the incoming request used HTTPS at the load balancer by inspecting the X-Forwarded-Proto header in your application.

Your connection to this site is not secure?

I´ve created a EC2 instance, installed a service and I was able to routed it to my address with Route 53. So I can go to example.com/myservice and see it on the browser.
However, in the browser, I get a small info card in the address bar that says
"Not secure" and information about not entering sensitive information.
What does this message mean? How can I avoid this message? What do I need to change in my existing setup?
All info is welcome, as this is fairly new for me.
This means that you are connecting to your website using HTTP protocol, not HTTPS. HTTP is not secure as all data is in plain text, while in HTTPS your data is encrypted.
To rectify the issue you can install an SSL certificate directly on your instance or leverage Load Balancer or CloudFront in front of the instance.
Some useful links from AWS documentation:
Tutorial: Configure SSL/TLS on Amazon Linux 2 for direct installation of the certificate
Add an HTTPS Listener for Application Load Balancer
Using Alternate Domain Names and HTTPS for CloudFront

How do I know if I am using AWS Certificate Manager correctly?

What is my indication that I am using AWS Certificate Manager correctly and that any remaining problems getting my site to load at https are due to a mistake I am making in my Apache configuration?
In AWS Certificate Manager, I see "Success! Your certificate was issued successfully." Does that mean there are no further steps for me to complete in the AWS console, and I need only get my Apache configuration correct to finish?
Currently, when I try to visit a URL at my site with the http protocol, it loads fine, but when I visit at https, the browser tries to load the page but it never loads.
I have followed the instructions for creating an HTTPS listener, but still do not know if I am done with all necessary steps in AWS console. How would I know?
Edit: To clarify, I am using an Elastic Load Balancer (ELB), since the documentation indicated I need to use ELB with AWS Certificate Manager (ACM). However, I do not know how to determine if I have configured everything correctly in AWS console that I need to in order to access the site at HTTPS.
Edit 2: This might come close to answering my question, possibly, but I don't know how to do this: "You can use curl, telnet etc from your local machine to verify 443 port status on ELB" -- #vivekyad4v.
ACM(AWS Certificate Manager) supports the AWS resources like ELB, Cloudfront, API Gateway etc. You can add SSL certificates to these
resources via AWS console.
Currently, it doesn't support EC2. You cannot use ACM with EC2 instances, you will need a Load Balancer in front of it. Once you have a load balancer, SSL termination happens on the load balancer & not on the EC2 instance.
Once it is setup, you can change your apache server config to redirect all HTTP requests to HTTPS.
Add certificate to ELB - "https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-update-ssl-cert.html"
Update apache config - "https://aws.amazon.com/premiumsupport/knowledge-center/redirect-http-https-elb/"
No EC2 support - "https://aws.amazon.com/certificate-manager/faqs/"

AWS Install SSL from Certificate Manager (Free from AWS) to ELB and apply to EC2 Windows Platform IIS Instance

Greeting
I have created the Certificate through Certificate Manager in AWS, the free one. And successfully verified as well as put it in the Elastic Load Balancer (ELB). The status of the certificate shows it's issued and Is Used? shows Yes in the Certificate Manager.
Overall, I have completed these two steps without any problem, but the SSL does not work with my domain name. When I type "mydomain.com" with or without prefix http://, it works, but when I type "mydomain.com" with https:// prefix, it does not work
I have researched to find the solution and a way to install SSL into Microsoft Windows IIS on AWS, but no document describes about that.
Can anyone share this experience? I really appreciate
Looking forward for the reply and thanks
You do not need to setup SSL on your web server when you use a load balancer. Assign the SSL certificate to the load balancer (as you did). Then in your HTTPS listener in the load balancer listen on HTTPS, but connect to your web server over HTTP.
In the Amazon Console for your load balancer under the "Listeners" tab, the "Load Balancer Protocol" will be HTTPS and the "Instance Protocol" will be HTTP.
This has the benefit of offloading SSL to the load balancer which decreases CPU load on your web server.
If you do want to setup SSL on your web server, then you cannot use the Amazon SSL certificate. You will need to use the standard methods and purchase a certificate from someone else.