SSL on ELB+nginx - amazon-web-services

I have an Application Load balancer and 1 EC2 instance currently behind it. Before, I was using another CA for receiving SSL certificates for my domain which was running on the EC2 with nginx. Now, I use SSL from Amazon's Certificate Manager for the load balancer's listener.
Should the domain's certificate be purchased individually on each EC2 instance for https connection to my application after moving it behind the ELB?
Is there any other way to establish https connection without using the separate certificates on the EC2 instances and with just the ACM on the load balancer?

You can use the same certificate on EC2.
But whenever you need to update the certificate, you have to change it on EC2 as well.
If you have the EC2 instance in a private subnet (not accessible from the internet), you can use a self-signed certificate (self signed certificate nginx).
I encountered this problem and solved it by using the self-signed certificate.

You can use self-signed certificates on the EC2 instances to enable the load balancer to talk to your EC2 instances via HTTPS. The load balancer will not do certificate validation, so you do not need commercial certs.

Related

AWS Install SSL Certificate from Certificate Manager on EC2

I am using AWS and I created an Instance in EC2 and created a SSL Certificate in Certificate Manager, I have a domain from whois.com which I was able to connect to my instance using Route 53.
I am now trying to install the SSL certificate on my EC2 instance and have googled a bunch of tutorials on the subject, but they are all super confusing and don't seem to work. Most of them say I need to use a Load Balancer, but either I am missing a step or something I am doing is wrong, because the SSL certificate is not working: http works like a charm, https is not working at all.
Is someone able to point me in the right direction?
AWS does not allow certificates from the ACM public CA to be downloaded, so you are limited in where they can be attached.
You cannot use a public ACM certificate directly in your EC2 instance. The following resources support attachment for HTTPS of your application:
Elastic Load Balancer (ALB, CLB or Network Load Balancer with a TLS target group)
CloudFront Distribution
API Gateway
If you do not want to use one of these resources then the following 3 options are available for you:
Use a free SSL CA to generate the SSL for your EC2 instance such as certbot
Purchase a SSL from another CA and install on your host
Use AWS ACM Private CA (Although this can be expensive)

Can I use a self-signed certificate on an AWS instance if the load balancer has a valid CA certificate?

We are using Cloudflare, which points to an AWS load balancer in front of an EC2 instance. The goal here is to have end-to-end encryption but I am trying to understand which parts of this setup actually require a certificate from a Certificate Authority, and whether or not we can use a complete set of free certificates between Cloudflare and AWS.
Cloudflare - We can use their free Universal SSL certificate to secure the traffic from Cloudflare to the load balancer.
AWS Load Balancer - We can use a free AWS certificate which is attached to the load balancer. This same certificate cannot be installed on the EC2 instance.
EC2 Instance - Can we use a self-signed certificate here, or do we need to continue purchasing certificates from a recognised authority? My understanding here is that, yes, we can just use a self-signed certificate and everything will be secure without raising any warnings about the self-signed nature of the certificate, as long as the load balancer has a valid CA certificate from Amazon or other authority.
Cloudflare is set to Full SSL mode which does not validate the origin certificate and will allow it to be self-signed, but I assume this only applies to the load balancer in our case.
You can use whichever SSL you want on the instance, self signed or from a certificate authority.
By doing this the data will be encrypted in transit between your load balancer and the EC2 instance.
It is only the AWS services that require either an ACM cert or an uploaded cert from a valid certificate authority.
Ensure that your servers are kept private if you're using self signed certificates.

Installing SSL on EC2 as well as load balancer

I have an EC2 instance behind an Application ELB in AWS. I want to apply SSL to both the EC2 instance and the load balancer. For the EC2 instance I have purchased an SSL certificate and installed it, and it is working fine. For the load balancer I will be using the free AWS ACM certificate and installing it on the load balancer. Will this have any issues, i.e. installing SSL in both places, EC2 and ELB?
It will not have any issues, but it does come with a caveat. The traffic into the Application Load Balancer (ALB) will be encrypted and the ACM cert will be validated by the client. The traffic from the ALB to the host will also be encrypted, but the certificate on the host will not be validated.
It looks like ALB Backend Authentication is on AWS's roadmap per the reference below. The reason given for it not being a priority is summarized in this quote from the AWS Engineer who wrote the first reference:
The role that server certificates play in TLS is to authenticate the server, so that it can’t be impersonated or MITM. ALBs run exclusively on our Amazon VPC network, a Software Defined Network where we encapsulate and authenticate traffic at the packet level.
The upside of this is you can use self-signed certs on your hosts to save money when using an ALB or ELB in front of them.
If you need to ensure the certificate on the host is valid you can use a Classic Elastic Load Balancer (ELB). See the reference for more details.
References
AWS ALB Validation TLS Reply
AWS ELB Configure Backend Authentication
If you use SSL/TLS at the ELB, it will handle the encryption/decryption of the HTTPS connections (freeing your EC2 instance's CPU to do other work).
If you use an HTTPS/SSL connection for your back end, you can enable authentication on the back-end instance. This authentication can be used to ensure that back-end instances accept only encrypted communication, and to ensure that the back-end instance has the correct certificates.
Using SSL/TLS on both the ELB and the backend can create problems, since the ELB HTTPS listener does not support client-side SSL certificates.
I have considered that you are using a 2-way SSL (Mutual or Client Authentication)

Can I have two different SSL certificates for main and subdomain?

Can I use a Let's Encrypt SSL certificate for the main domain (www.example.com) and a free Amazon SSL certificate for api.example.com? I am using an EC2 instance without an Application Load Balancer (ELB) for www.example.com, but for api.example.com I am using an Application Load Balancer (ELB) that connects to an EC2 instance. Do you think I can do that? I am new to it.
Any suggestion appreciated.
Yes. There is nothing stopping you from creating all the SSL certificates you want.

How does encryption work between AWS ELB and instances

For an AWS Classic Load Balancer with an HTTPS listener, the AWS ELB docs say that "If the HTTPS listener sends requests to the instances on port 443, communication from the load balancer to the instances is encrypted". I want to know how communication between the ELB and the instances can be encrypted without having an SSL certificate on the instances, and if this communication is encrypted, which keys are used to encrypt it, and how do the instances decrypt the data at their end?
You would have to install an SSL certificate on each of the instances. It could be the same certificate you have installed on the ELB (if it wasn't an ACM generated certificate) or it could be another SSL certificate or a self-signed SSL certificate.
Whatever SSL certificate is installed on the instance is what will be used to encrypt communication between the ELB and the instance.
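The first question (self-signed cert on nginx behind an ALB) and this last one (which keys encrypt the ELB-to-instance leg) both come down to the same setup, so here is one worked example covering both. It is an added example, not code from any of the answers above or from AWS. It assumes `openssl` is on PATH; the backend hostname `backend.internal.example`, the work directory and the nginx paths are placeholders. It generates the self-signed key pair nginx would load, shows that a validating client rejects that certificate (which is why only a non-validating client such as the ALB accepts it, and why the instance should stay private), confirms the certificate's public key belongs to the private key the instance holds (that is the key pair the TLS session between ELB and instance is keyed from), and writes the nginx server block that references the pair.

```shell
#!/bin/sh
# Added example: self-signed backend certificate for nginx behind an ALB/ELB.
# Assumes openssl on PATH. Hostname and paths below are placeholders.

WORKDIR="${WORKDIR:-$(mktemp -d)}"
BACKEND_CN="backend.internal.example"   # placeholder hostname

# Create a 2048-bit RSA key and a certificate signed by that same key,
# i.e. a self-signed certificate valid for 365 days.
make_self_signed_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=${BACKEND_CN}" \
        -keyout "${WORKDIR}/backend.key" -out "${WORKDIR}/backend.crt" 2>/dev/null
}

# A certificate is self-signed when its issuer equals its subject.
is_self_signed() {
    issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    subject=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    [ "$issuer" = "$subject" ]
}

# What a browser or any validating client does: chain the cert to a trusted
# CA. A self-signed cert fails this, so it is only usable where the client
# skips validation (the ALB) or explicitly trusts this exact cert.
validates_against_system_store() {
    openssl verify "$1" >/dev/null 2>&1
}

# Same check, but trusting the certificate itself as the anchor.
validates_against_own_cert() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# The ELB-to-instance session is established with the instance's own key pair:
# the public key inside the cert must match the private key nginx loads.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# nginx server block that serves HTTPS on 443 with the self-signed pair.
# Because the ALB does not validate the backend cert, nginx cannot tell the
# ALB apart from any other client; restrict reachability with the security
# group / private subnet instead.
write_nginx_conf() {
    cat > "${WORKDIR}/backend.conf" <<EOF
server {
    listen 443 ssl;
    server_name ${BACKEND_CN};

    ssl_certificate     /etc/nginx/ssl/backend.crt;
    ssl_certificate_key /etc/nginx/ssl/backend.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://127.0.0.1:8080;
    }
}
EOF
}

make_self_signed_cert
write_nginx_conf
if is_self_signed "${WORKDIR}/backend.crt"; then
    echo "backend.crt is self-signed (issuer == subject); files in ${WORKDIR}"
fi
```

Copy `backend.crt` and `backend.key` to the paths named in `backend.conf`, reload nginx, and point the target group at port 443 with the HTTPS protocol. The ALB will complete the handshake even though `validates_against_system_store` fails for this certificate, which is the trade-off the answers above describe.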