I have create a AWS elastic search domain in Virginia and got a Endpoint url.
Now I wanted to configure the Route53 behavior around it, so that a caller can use the same url, even though there is some change in elastic search or in case of a disaster recovery.
So,
Virginia Route 53 -- 1 Points to -- Virgina Elastic Search Domain URL
Oregon Route 53 -- 2 Points to -- Oregon Elastic Search Domain URL
Main Route 53 -- 3 Points to -- Route 53 1 or 2
I have already create these and also created and uploaded SSL certificate with correct SAN entries. But when I execute,
curl https://mainroute53/health
curl https://virginiaroute53/health
curl https://oregonroute53/health
I am getting this error,
curl: (51) Unable to communicate securely with peer: requested domain name does not match the server's certificate.
But when I am calling the Elastic Search URL directly its working. So I understand this is a issue with the way I am using the certificate. Any help appreciated.
Your Elastic Search endpoint will always return the Elastic Search SSL certificate.
So when you create a Route 53 "alias" for it, you may be connecting to it via your custom DNS entry, but Elastic Search will still use the Elastic Search SSL certificate.
Since the DNS endpoint you're using does not match the SSL certificate, you get that error.
You could use the --insecure curl flag to have it not check the SSL certificate, however, there are risks of doing that.
You can probably work around this by setting up a proxy server in front of the Elasticsearch domain, although it's kind of silly since there appears to also be an ELB inside the Elasticsearch domain. Ah well.
The domain Amazon ES creates for you includes the nodes in the Elasticsearch cluster and resources from several AWS services. When Amazon ES creates your domain, it launches instances into a service-controlled VPC. Those instances are fronted by Elastic Load Balancing (ELB), and the endpoint for the load balancer is published through Route 53. Requests to the domain pass through the ELB load balancer, which routes them to the domain’s EC2 instances.
https://aws.amazon.com/blogs/database/set-access-control-for-amazon-elasticsearch-service/
One way you can access Elasticsearch using your custom domain name is to use an API Gateway as an HTPP proxy. But then you have to deal with the authentication part since the Cognito cookies for ES will be pointing to the original domain (*.es.amazonaws.com).
In my experience this is doable and you should be able to use API Gateway (plus Custom Domain Names and Route 53) to achieve what you want (having a custom domain name over ES). It's just that it requires some Cognito knowledge and most likely, some coding (to handle the cookie problem).
You can use the http endpoint instead of the https one
i.e
curl **http**://mainroute53/health
This works around the fact that AWS does not allow providing custom domain certificate in its managed Elastic service
We had the same issue, wanted to be redirected to Kibana with a more friendlier DNS name and we used the solution with S3 bucket and the redirection as described here.
The steps:
Create a S3 bucket with any name.
In the bucket properties, enable “Static Website hosting”.
In the Static WebSite hosting properties, select the option to “Redirect Requests”.
In the target domain set the Kibana URL that is given from your elasticsearch domain: i.e. https://vpc-es-randomstring.us-east-1.es.amazonaws.com/_plugin/kibana/
Set Protocol to https
Then follow the steps from Step 5 on the guide above
Related
I've deployed my Django app on AWS Elastic Beanstalk Linux instance. I've used Route 53 to point it to a custom domain from GoDaddy.
Now I want to use SSL for my website.
I don't want to use Load Balancers for SSL since I'm using only 1 instance and it's costly to pay $18/month.
So what I did is using Let's Encrypt SSL by adding 00_apache_ssl.config file in my .ebextensions folder.
I've followed this tutorial to use the SSL. My SSL is working perfectly for Elastic Beanstalk URL. But the problem is it's not working for my custom domain.
My EB Url is showing secure connection while it's custom domain is showing Insecure connection.
What I'm lacking of? Do I need to do some changes in Route 53 Record sets as well?
Thank you.
Edit 1: My custom domain is showing the Let's encrypt certificate as Invalid Certificate.
According to your tutorial, you have got an SSL certificate for your elasticbeanstalk domain, not your custom domain.
If you want to access your website via your custom domain with https (for e.g https://my-cust-doamin.com), you have to get a certificate for your domain.
You can obtain SSL certificate from any provider who sells SSL certificates.
Note: You can also get a wildcard certificate(*.my-cust-domain.com), which could be used with any of your sub domains.
reference:
https://rickchristianson.wordpress.com/2013/10/31/getting-a-django-app-to-use-https-on-aws-elastic-beanstalk/
I have an ELB instance installed on my AWS account (http://editoradbosco.us-east-2.elasticbeanstalk.com), and it is working normally. My domain is installed on Hostgator (https://centrodombosco.org), and on this, I have a CNAME that points to my AWS endpoint (http://editora.centrodombosco.org).
However, I need to use an HTTPS (SSL) protocol. How can I proceed? I have an SSL contracted on Hostgator for this subdomain, but Hostgator has informed me that I need to make adjustments to AWS so that it works, but I do not know how to proceed.
How can I make this work?
I tried to create an SSL by Certificate Manager on AWS, appointing the CNAMES on my DNS Panel on Hostgator. But it fails. I guess its not possible to use AWS Certificates outside AWS Domains.
There are two ways you can do this.
Since you already have an SSL from Host Gator, you can import that certificate to AWS Certificate Manager (instructions here). Once you import a certificate it is immediately considered validated and you can immediately proceed to configure your EB environments Load Balancer to terminate HTTPS as described here.
Alternatively, if you’d like to use Amazon Certificate Manager but for some reason the DNS validation isn’t working, or its not possible for you to validate ownership of the domain using the DNS method, Amazon Certificate Manager also offers you the option to use email to validate your ownership of the domain, as described here. Once your ownership of the domain is validated you can then proceed to configure your EB environments Load Balancer to terminate HTTPS as described here.
As a side note, you may wish to consider using Route53 to handle DNS for your domain. Route53 is tightly integrated with AWS services such as ACM and, as is the case with ACM, services requiring custom DNS entries will often offer to make the correct DNS entries directly in to your Route53 hosted zone on your behalf.
I have created a subdomain demo.mysite.com which is hosted over godaddy.com. I have successfully mapped the subdomain demo.mysite.com to my AWS elastic IP in the go daddy console
On my AWS EC2 instance my website is secured runing over HTTPS and I have deployed the certificates corresponding to demo.mysite.com on my AWS EC2 instance. Now the problem I am facing is
1 - When I access my subdomain it points to my EC2 instance and the URL in my web browser changes to my Elastic IP ie www.demo.mysite.com --->> https://201.12.34.58:8443/myApp , which must not happen and it must remain as https://demo.mysite.com
2 - And since my URL changes so I start getting the certificate error saying
The certificate is only valid for demo.mysite.com.
Error code: SSL_ERROR_BAD_CERT_DOMAIN
Can someone help in solving these two issues, I feel that if first issues gets solved the second issue will automatically get solved. I am not sure though
Guys I need your help
I suggest to manage your domain DNS with CloudFlare. Add a CNAME record for your subdomain demo which points to that IP. On CloudFlare Console go to Crypto > Origin Certificates. Create a new one with RSA, then import it to AWS Certificate Manager at us-east-1. For the certificate chain use this. Be sure that Always use HTTPS in Crypto tab is on. After some minutes you should be using your domain pointing to AWS with HTTPS working fine.
That's what I did to make a subdomain to work with an AWS API endpoint with SSL.
I am attempting to add HTTPS to my AWS Elastic Load Balancer.
I obtained a certificate through AWS Certificate Manager:
I have enabled HTTPS on the load balancer:
I made sure the security group for the load balancer accepts 0.0.0.0/0 on 443:
When going to my domain on HTTP, it works.
However, when trying to load my domain with HTTPS, it does not work ("ERR_CONNECTION_TIMED_OUT")
EDIT and UPDATE:
It is the API that I am attempting to get HTTPS working for, not necessarily the domain. The domain serve's a static file (angular web app) from S3, and it is angular that is calling the load balancer (to transfer the request to an EC2 instance) for DB data.
When angular calls the api directly via the load balancer domain name over HTTP, the request responds as expected.
When angular makes the same api call over HTTPS, I get the following error:
You enabled HTTPS for your domain name, not the ELB domain which Amazon owns. You can only create SSL certificates for domains that you own. You can't enable SSL for "mydomain.com" and then excpect that to somehow work on a completely different domain. You need to change your AngularJS code to reference the API by your custom domain name which you have created an SSL certificate for. You need to point the domain to the ELB and install the SSL certificate for the domain on the ELB.
Mark B provided the almost full solution.
As my javascript code is calling the elastic load balancer (ELB) via it's DNS name provided by AWS, I can't obtain an SSL certificate for the domain I don't own.
As Mark B pointed out, I need to point my javascript code to the domain I do own, and have an SSL cert for.
So I can create a sub domain (e.g. api.mydomain.com) of the domain I own that then points to the ELB.
An A Record (e.g domain pointing to an IP) looks like it could fit the need.
However, an A Record can't point to the ELB because it's IP could change.
The missing step was to use AWS Route 53 to point the A Record to an alias (Route 53 allows you to do this) that represented my AWS Elastic Load Balancer.
I'm in the process of moving from another cloud provider. Currently I'm just testing in the default environment that has a url looking like this:
http://example-env-1.us-east-1.elasticbeanstalk.com
I'm trying to get SSL/HTTPS working for this address. I then plan using a CNAME to redirect to this address and eventually move the nameservers over completely.
However, after setting everything else up successfully I get to the point of adding the certificates and it just says "failed":
And even though I have my actual "example.com" ssl certificate successfully issued nothing shows up in the load balancer certificate selection dropdown (and yes I have refreshed):
How do I enable SSL using the Certificate Manager?
That's because you are trying to request a cert for the elasticbeanstalk.com domain. You will not be able to get a cert for that domain as you are not the owner of it :). Nor can you setup https for the default elastic beanstalk domains they give you.
You should use ACM to get a certificate for your custom domain, the one you plan on making a CNAME record for.
Example:
If you were to own say the domain amyneville.com. You could create a cert through ACM for that domain.
If you use your custom domain, you do NOT need a to get a cert for the elasticbeanstalk.com domain.
A couple more things:
You cannot create a CNAME record on a TLD (amyneville.com). You can create the CNAME record for www.amyneville.com. So if you want to use the CNAME approach you will have to create a non-www redirect to www..
But better then a CNAME would be to use an A record and point it to the elastic beanstalk resource that was setup. So the load balancer that was created for you, use it's A record.
Last but not least, you cannot apply the ACM cert through the elastic beanstalk console. Instead you will have to use the AWS CLI tools. Here's a link on how to do it: https://stackoverflow.com/a/35173500/1445460
I was looking for this myself and found this useful blog post from one of the Amazon team ...
https://medium.com/#arcdigital/enabling-ssl-via-aws-certificate-manager-on-elastic-beanstalk-b953571ef4f8#.frcj0rj4t
Whilst you can't use the console to select the certificate as stated in your question you can use the Elastic Beanstalk CLI to set the certificate to one you have created in Certificate Manager.