I have an app with a separate front end (AngularJS) and back end (Rails). They are hosted in separate AWS elastic beanstalk environments. We have purchased an SSL certificate via AWS which matches the domain name of the front end.
Our app involves completing a survey which includes submitting personal identifiable information.
Do I need an SSL certificate on both the front end and back end? Is it possible to use the same certificate for both? I am new to setting up these types of configurations and internet searches and AWS documentation have not helped.
Do I need an SSL certificate on both the front end and back end?
Yes
Is it possible to use the same certificate for both?
Yes
You need to request a free SSL certificate for your domain in the Amazon Certificate Management service (ACM). Once you have the certificate you can easily attach it to the load balancers in each of your Elastic Beanstalk environments by adding an HTTPS listener to the load balancers, and selecting the SSL certificate from the list it will present you.
When you request the certificate specify the root domain and a star wildcard for the subdomain. For example if your domain was example.com you would enter example.com and *.example.com in the SSL certificate request.
Related
I have enabled HTTPS for my custom domain name (haydenclay.page), but I also need the Beanstalk url (app-name.elasticbeanstalk.com) to run through HTTPS as well.
HTTPS does not work currently, because the cert name matches my custom domain name, yielding: ERR_CERT_COMMON_NAME_INVALID
I need HTTPS because I make API requests, and going from HTTPS to HTTP throws a mixed content error. How can I enabled HTTPS on the beanstalk url?
I have already tried making an alias
Sadly you can't enable https directly for app-name.elasticbeanstalk.com domain. This is because this domain is controlled by AWS. You can only register SSL certificates for domains that you control.
If you want to server your content from EB over ssl, you have generally three options.
Front your instance with load balancer. This is the easiest* way as you can associated ACM SSL certificate with the balancer for your domain.
Front your EB instance with CloudFront (CF). You can setup alternative name for your cloudfront domain with your CF distro and your SSL cert. You can also use ACM for that. Also easy setup, but it should be noted that traffic between CF and your EB instance will be http only, unless you also setup your own SSL cert (not from ACM) on the instances (point 3).
Install your own SSL certificate (not from ACM) directly on the EB instance, using nginx. This requires manual setup and a valid public certificate. Popular choice is LetsEncrypt, to get the SSL cert from.
If you use CloudFlare, go to DNS -> Records
Type: CNAME
name: api
Content: "YOUR_URL.eu-west-1.elasticbeanstalk.com"
Proxy status: Proxied
And call your new url: api.your_domain.com
My certificate has expired and I recreated and reassociated with a load balancer.
The certificate has *.example.com and example.com attached (?) to it
and I can see that certificate works by visiting https://example.com.
Then I try to visit https://log.example.com and it errors with NET::ERR_CERT_DATE_INVALID (It must be the old expired certificate which is causing the error)
Question is, how can I let the new certificate to be used for the ec2 machine?
EDIT
log.example.com is not behind loadbalancer, it's directly mapped via IP address
The certificate being served by log.example.com is not using the ACM certificate attached to load balancer for example.com as it is served directly by the IP address.
You are limited to the following options:
If you want to use an ACM certificate you will need to either add a CloudFront distribution or a load balancer in front of your application. The DNS record for log.example.com would need to be changed to the new resource.
If you want to use direct connection to your instance then you are limited to using another certificate authority. You can use certbot to generate a free certificate, or purchase one from another provider. This will then need to be installed and configured on your server to use.
I created an SSL certificate last night for use with an API (Tomcat, Spring Boot) on AWS Elastic Beanstalk using instructions provided by Amazon Certificate Manager.
When creating the cert, I entered the URL of my static site that calls the API, which is hosted by GoDaddy. ACM sent an email to my URL which I opened and approve and I now see the cert as issued, by Amazon, in my certs. I am also able to select it when I configure HTTPS for my EB load balancer. I am not able to export this cert though as it isn't private.
My question is, how is domain name used? I think I'm a little confused about how to use SSL on both my API and my static site AS WELL as the small bit of static content I'll host out of Tomcat.
Thanks.
ACM certs can only be used with AWS services - Cloudfront (if the cert is issued in us-east-1) and regionally on the classic load balancer and application load balancer.
You cannot export the cert for use in other products, so if you wanted to have Tomcat handle SSL you would need to get either a commercial cert or use something like Let's Encrypt.
If you have multiple host names you want to protect, you have different options.
You can get one cert per hostname if they are running on completely separate infrastructure; you can also have multiple host names in a single cert - even if there are multiple domains; and finally you can get a wildcard cert.
I am not into SSL at all, so bear with me please. I have no idea how to start to actually solve my problem.
Current situation:
1x Webserver with Webspace for a Website and it includes a Domain Administration, also to order SSL Certificates etc.
1x Different Webserver at Amazon Web Services with a PHP-based Software on it with Login etc.
A Subdomain that I created in the Domain Administration is pointing via DNS to the IP of the AWS.
What I need:
I want an https Connection (SSL) for the Subdomain that is pointing to the AWS so that the connection/login is secure.
My question is what I have to do on the side where I have the Domain Administration and after that what I have to do on the side of the AWS.
Thank you so much!
You have several options in hand,
If you already have a SSL certificate purchased, you can include it inside the webserver (e.g; configure apache for SSL).
If you plan to use free SSL certificates from Amazon, you can use one of the following options after creating a SSL certificate in AWS Certificate Manager.
Create a AWS CloudFront Distribution and attach the SSL certificate there while configuring an origin to forward traffic to the specific web server. However, you need to create the SSL certificate in North Virginia region and there won't be any upfront costs for CloudFront). CloudFront acts as a proxy and you can explicitly instruct to cache the static content reducing the load for web server and improving the performance.
The other option is to create a Application Load Balancer (ALB) and attach the SSL certificate there ( Create the SSL certificate in the same region) while forwarding traffic to the web server. However, this will add a monthly reoccurring costs for the ALB.
All you need to do is, on AWS ACM (AWS Certificate Manager) procure a certificate for your subdomain and use AWS ELB to use the certificate and point to the AWS webserver.
After this use the ELB IP in the DNS settings.
There are other options too like procuring the subdomain certificate and installing it on the webserver on AWS.
My parent domain is https & also with www. This certificate is purchased from comodo. I have two other sub-domains which I want to make https too.
Can I get a wildcard SSL from AWS (CouldFront) and use it for those sub domains?
Please let me know.
You cannot get a SSL certificate from AWS Cloud Front. You have to get that from AWS Amazon Certificate Manager (ACM). And yes you can get a wild card from AWS ACM and use that for your subdomains.