Recently, I started searching about security procedures and came across SSL. Actually, I already knew about SSL, but I found to be too expensive at the time.
Luckily, yesterday I found out that Amazon gives SSL certificates for free!
However, I have spent a whole day trying to set it up but it didn't work.
I have a domain registered at GoDaddy, let's assume its www.mydomain.com. My website is hosted, however, on Amazon Web Services (AWS). I also have access to edit the GoDaddy's DNS records and full access to my AWS account. I have seen LetsEncrypt, but my website runs in ASP.NET (IIS Windows) and currently they only support Linux OS.
Here's what I've tried to do:
Get a SSL Certificate from AWS Certificate Manager
I have chosen to setup via DNS, which means I had to add a CNAME record to GoDaddy domain records.
If you look above carefully on the two images, the CNAME record on AWS is on the center of the page. I've added a record as CNAME containing the values.
Add HTTPS to Load Balancer Listeners:
Allowed HTTPS on Security Groups
NOTE: Both Inbound and Outbund rules are just like above. I have also set the Load Balancer and my Running Instance to use this security group.
Added records to Route 53 Hosted Zones
The A type record points to my instance IP.
The NS record was generated by Amazon (I added GoDaddy's Name servers as well).
The SOA record was generated by Amazon and I didnt touch it.
The CNAME was added by me, It's again the SSL protocol.
I don't know what else to do or if I have a wrong setup.
If I'm not mistaken, you have an EC2 instance behind an ELB (Classic/Application/NLB), requested an ACM certificate which has been issued successfully for *.mydomain.com, created HTTPS listener to use the SSL certificate but getting connection time out on port 443.
The issue is the DNS record of mydomain.com still points to the EC2 instance's IP, which might not be listening on port 443 (and the ELB is not being used at all).
So, to resolve this, you have to use the ELB's DNS name and use it as CNAME in your DNS record (not sure whether in Route 53 or GoDaddy because I don't know which is authoritative NS).
Also, you might consider requesting a new certificate with mydomain.com and *.mydomain.com and update the listener because ACM cert with *.mydomain.com does not protect mydomain.com.
Related
I have set up an EC2 instance. Logged in with server and set up apache2 in it.
Example Domain: www.example.com
Created Route53 for example.com and pointed NS record to Domain provider. So, I am going to use Route53 for DNS.
In DNS, I have created A record with EC2 IP.
In apache2 set up VirtualHost for www.example.com, Reloaded apache2 server, and also enable site www.example.com.
Now, I have purchased a certificate from the AWS certificate manager for www.example.com. I have added the CNAME record in Route53 and also validated the domain. The certificate was also activated.
Now, I am going to hit the site www.example.com, It's redirecting to https://www.example.com but the page is giving an error regarding HTTPS.
I have also opened 443 port for that instance.
I think you forget to add a Load Balancer (ALB) or a CloudFront Distribution in front of your EC2 instance since Certificates produced with ACM must be configured on these kind of components. Not possible with EC2. And it can not suggest where to use it.
I want to have a subdomain (api.mysite.com) which makes calls to an EC2 classic load balancer (load-balancer-123456789.us-east-2.elb.amazonaws.com). Everything is hosted on AWS, to (theoretically) make it as straightforward as possible.
I created a domain and subdomain in AWS Route 53, as per the instructions here, and created an "A" record in the subdomain that links to my load balancer as an alias. That works fine, I can make calls to the load balancer through api.mysite.com, as long as I use HTTP.
But when I try to use HTTPS, I get ERR_SSL_PROTOCOL_ERROR. If I try to open the API in a browser, the security icon says that it's "not secure". I think the problem might be that the certificate is connected to the main domain (mysite.com) instead of the subdomain (api.mysite.com), but I can't figure out how to get it to resolve properly.
This SSL checking site shows the EC2 server itself (the one that the load balancer points to) and reports "Certificate not valid for domain name". It's an Ubuntu server, though I'm not sure if that should matter.
The SSL certificate needs to specify the subdomain as well as the main domain. The easiest way to do this is through AWS's Certificate Manager, by requesting a new certificate.
Make sure to specify each relevant domain and subdomain in the certificate (in this case, both mysite.com and api.mysite.com.)
After creating the certificate, go to the Load Balancer, open up the Listeners tab, and select the HTTPS port. Then, change the SSL certificate for that port to the certificate that includes the relevant subdomain. If you use AWS Certificate Manager, it can be selected from the dropdown menu.
I already have a domain, like exmaple.com and I have a simple app running on an ec2 instance.
I've allocated an elastic IP for this instance, and created a zone on route 53, created A record, and also an alias record.
I have updated the nameservers from route53 NS records in GoDaddy domain settings(and I should mention that I've waited 48 hours for ns to be propagated, and that part is fine).
When I ping example.com on my own computer, the DNS Name resolve to the correct IP address.
When I check the elastic IP, it's working and shows my website, but when I check example.com it does not show my app and shows This site can’t be reached:
this is a screenshot of what it shows
I cannot see where's the problem!
Based on the comments.
The issue was due to using https, rather then http. The http connection works. To setup https the following general procedure needs to be undertaken:
Get a public SSL certificate. Since you are using instance, you can't use AWS ACM for that. In this case a popular choice is https://letsencrypt.org/ where you can register free SSL certificate for your domain and its subdomains.
Setup ssl connectivity on your instance. Often this is done by using nginx as a revers proxy. The nginx will provide HTTPS for your instance using the SSL certificates from step 1.
Open port 443 (HTTPS) in your security group.
The alternative is to front your instance with an application load balancer (ALB). Using it, you can easily get free AWS ACM free certificate and deploy it on the ALB. No actions required on your instance in this case.
I'm currently working on upgrading my company's application infrastructure.
We started off with having the basic infrastructure - One EC2 instance which is our web server linked to RDS, MySQL database.
The new infrastructure requires a VPC with 2 Public Subnets with EC2 instances and 2 Private subnets for the DB.
So, here's what I did, I created an image from the existing EC2 instance which has SSL certificate installed in it and it matches with the domain name.
From that image, I launched 2 new AMI and added a load balancer. Now the whole infra has been set up but here's the issue now - after pointing the load balancer's DNS to to the mobile app (via API), there's an error that's coming up,
javax.net.ssl.SSLException: hostname in certificate didn't match: != OR OR
03-10 13:41:23.641 29743-30234/example.hr W/System.err: at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:190)
03-10 13:41:23.641 29743-30234/example.hr W/System.err: at org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:59)
From what I understand is that I'll have to add the load balancer DNS to the root domain (can be done but we cant put down the existing server). Will that work? I can do it but it will take a while for the domain service provider to add it as a CNAME record (Since it is a .hr domain, it's controlled and some records can't be added easily. It will take more than a day for it to be done)
Secondly, if I were to add an SSL cert on the load balancer's level, will it create conflicts with the SSL cert on instance level?
I'm also looking at getting a new domain and to configure on an instance level, will be a nuisance. Is there an alternative to this?
Terminating secure connections at the load balancer and using HTTP on the backend may be sufficient for your application. However, if you are developing an application that needs to comply with strict external regulations(EX: HIPPA Cert), you may be required to secure all network connections.
ELB does SSL Offloading/Termination. The load balancer uses the certificate to terminate the connection and then decrypt requests from clients before sending them to the instances and then the instance can use the self-signed certificates.
Ref:
Elastic Load Balancer SSL Support Options
Classic ELB HTTPS Listeners
I am attempting to add HTTPS to my AWS Elastic Load Balancer.
I obtained a certificate through AWS Certificate Manager:
I have enabled HTTPS on the load balancer:
I made sure the security group for the load balancer accepts 0.0.0.0/0 on 443:
When going to my domain on HTTP, it works.
However, when trying to load my domain with HTTPS, it does not work ("ERR_CONNECTION_TIMED_OUT")
EDIT and UPDATE:
It is the API that I am attempting to get HTTPS working for, not necessarily the domain. The domain serve's a static file (angular web app) from S3, and it is angular that is calling the load balancer (to transfer the request to an EC2 instance) for DB data.
When angular calls the api directly via the load balancer domain name over HTTP, the request responds as expected.
When angular makes the same api call over HTTPS, I get the following error:
You enabled HTTPS for your domain name, not the ELB domain which Amazon owns. You can only create SSL certificates for domains that you own. You can't enable SSL for "mydomain.com" and then excpect that to somehow work on a completely different domain. You need to change your AngularJS code to reference the API by your custom domain name which you have created an SSL certificate for. You need to point the domain to the ELB and install the SSL certificate for the domain on the ELB.
Mark B provided the almost full solution.
As my javascript code is calling the elastic load balancer (ELB) via it's DNS name provided by AWS, I can't obtain an SSL certificate for the domain I don't own.
As Mark B pointed out, I need to point my javascript code to the domain I do own, and have an SSL cert for.
So I can create a sub domain (e.g. api.mydomain.com) of the domain I own that then points to the ELB.
An A Record (e.g domain pointing to an IP) looks like it could fit the need.
However, an A Record can't point to the ELB because it's IP could change.
The missing step was to use AWS Route 53 to point the A Record to an alias (Route 53 allows you to do this) that represented my AWS Elastic Load Balancer.