I am attempting to add HTTPS to my AWS Elastic Load Balancer.
I obtained a certificate through AWS Certificate Manager:
I have enabled HTTPS on the load balancer:
I made sure the security group for the load balancer accepts 0.0.0.0/0 on 443:
When going to my domain on HTTP, it works.
However, when trying to load my domain with HTTPS, it does not work ("ERR_CONNECTION_TIMED_OUT")
EDIT and UPDATE:
It is the API that I am attempting to get HTTPS working for, not necessarily the domain. The domain serve's a static file (angular web app) from S3, and it is angular that is calling the load balancer (to transfer the request to an EC2 instance) for DB data.
When angular calls the api directly via the load balancer domain name over HTTP, the request responds as expected.
When angular makes the same api call over HTTPS, I get the following error:
You enabled HTTPS for your domain name, not the ELB domain which Amazon owns. You can only create SSL certificates for domains that you own. You can't enable SSL for "mydomain.com" and then excpect that to somehow work on a completely different domain. You need to change your AngularJS code to reference the API by your custom domain name which you have created an SSL certificate for. You need to point the domain to the ELB and install the SSL certificate for the domain on the ELB.
Mark B provided the almost full solution.
As my javascript code is calling the elastic load balancer (ELB) via it's DNS name provided by AWS, I can't obtain an SSL certificate for the domain I don't own.
As Mark B pointed out, I need to point my javascript code to the domain I do own, and have an SSL cert for.
So I can create a sub domain (e.g. api.mydomain.com) of the domain I own that then points to the ELB.
An A Record (e.g domain pointing to an IP) looks like it could fit the need.
However, an A Record can't point to the ELB because it's IP could change.
The missing step was to use AWS Route 53 to point the A Record to an alias (Route 53 allows you to do this) that represented my AWS Elastic Load Balancer.
Related
I want to have a subdomain (api.mysite.com) which makes calls to an EC2 classic load balancer (load-balancer-123456789.us-east-2.elb.amazonaws.com). Everything is hosted on AWS, to (theoretically) make it as straightforward as possible.
I created a domain and subdomain in AWS Route 53, as per the instructions here, and created an "A" record in the subdomain that links to my load balancer as an alias. That works fine, I can make calls to the load balancer through api.mysite.com, as long as I use HTTP.
But when I try to use HTTPS, I get ERR_SSL_PROTOCOL_ERROR. If I try to open the API in a browser, the security icon says that it's "not secure". I think the problem might be that the certificate is connected to the main domain (mysite.com) instead of the subdomain (api.mysite.com), but I can't figure out how to get it to resolve properly.
This SSL checking site shows the EC2 server itself (the one that the load balancer points to) and reports "Certificate not valid for domain name". It's an Ubuntu server, though I'm not sure if that should matter.
The SSL certificate needs to specify the subdomain as well as the main domain. The easiest way to do this is through AWS's Certificate Manager, by requesting a new certificate.
Make sure to specify each relevant domain and subdomain in the certificate (in this case, both mysite.com and api.mysite.com.)
After creating the certificate, go to the Load Balancer, open up the Listeners tab, and select the HTTPS port. Then, change the SSL certificate for that port to the certificate that includes the relevant subdomain. If you use AWS Certificate Manager, it can be selected from the dropdown menu.
I have enabled HTTPS for my custom domain name (haydenclay.page), but I also need the Beanstalk url (app-name.elasticbeanstalk.com) to run through HTTPS as well.
HTTPS does not work currently, because the cert name matches my custom domain name, yielding: ERR_CERT_COMMON_NAME_INVALID
I need HTTPS because I make API requests, and going from HTTPS to HTTP throws a mixed content error. How can I enabled HTTPS on the beanstalk url?
I have already tried making an alias
Sadly you can't enable https directly for app-name.elasticbeanstalk.com domain. This is because this domain is controlled by AWS. You can only register SSL certificates for domains that you control.
If you want to server your content from EB over ssl, you have generally three options.
Front your instance with load balancer. This is the easiest* way as you can associated ACM SSL certificate with the balancer for your domain.
Front your EB instance with CloudFront (CF). You can setup alternative name for your cloudfront domain with your CF distro and your SSL cert. You can also use ACM for that. Also easy setup, but it should be noted that traffic between CF and your EB instance will be http only, unless you also setup your own SSL cert (not from ACM) on the instances (point 3).
Install your own SSL certificate (not from ACM) directly on the EB instance, using nginx. This requires manual setup and a valid public certificate. Popular choice is LetsEncrypt, to get the SSL cert from.
If you use CloudFlare, go to DNS -> Records
Type: CNAME
name: api
Content: "YOUR_URL.eu-west-1.elasticbeanstalk.com"
Proxy status: Proxied
And call your new url: api.your_domain.com
I made a AWS Load Balancer for a simple ECS fargate server (with flask). Because the server will be used as my main server's api, and because the main server use 'https', I have to use https on my Load Balancer's url.
But when I want to make SSL certificate using ACM, I can't verify the URL of Load Balancer is mine because the load balancer has any information (I think).
If I add my email info on the url(or Load Balancer), I can do this, but I have no idea..
Until now, I thought using AWS Route 53 can help me, but I don't know what I have to do.
What Can I do for this problem?
To use ACM you need to have control of the domain you're attempting to validate, as the load balancer URL is owned by Amazon (not yourself), only an Amazon employee with domain control is capable of performing the actions to validate the domain.
Instead you would need to generate an ACM certificate for your own domain which you can validate, you would then need to add a DNS record resolving the domain to the CNAME of the load balancer. When you access in the browser you would need to access from that domain and not the load balancers.
I am trying to setup HTTPS across my app which consists in a frontend (S3 bucket distributed with CloudFront), and a backend (node.js app inside Elastic Beanstalk).
For the CloudFront part, I created an SSL certificate in N. Virginia (apparently I don't have a choice here) and I made the binding in the CloudFront distribution. It works and my app is served over HTTPS.
For the Elastic Beanstalk part, I created an SSL certificate in Ireland (where my EBS app is hosted) and I bound this certificate to the EBS load balancer using the port 443. It works and I can reach my server with HTTPS using Postman.
However, when my frontend tries to make an API call to the backend I get this error :
I guess I made a mistake while creating the certificates, but I cannot find it. I gave both certificates the same set of CNAMES, I am not sure if I am supposed to do that.
EDIT :
I get the exact same error after updating the frontend so that it points the DName of the load balancer (also mapped to subdomain with Route 53).
CloudFront is attempting to load an HTTPS URL from your load balancer. I assume you have an SSL certification assigned to the load balancer. The domain name of the SSL certificate on the load balancer needs to match the domain name that CloudFront is requesting.
For example if the load balancer's SSL certificate is something like beanstalk.mydomain.com then CloudFront would need to be making requests for https://beanstalk.mydomain.com. The error CloudFront is giving you says that the domain name of the SSL certificate served by the load balancer does not match the domain name djumbo-back-debug.eu-west-1.elasticbeanstalk.co.
You need to setup something like the following:
DNS Name www.mydomain.com points to CloudFront Distribution
Configured to serve www.mydomain.com
Configured with an SSL certificate for the domain www.mydomain.com
Configure to pull from the origin beanstalk.mydomain.com
DNS Name beanstalk.mydomain.com points to Elastic Beanstalk application
With a Load Balancer, with an SSL certificate for beanstalk.mydomain.com
I am trying to setup HTTPS for my EC2 instance created from Elastic Beanstalk using a certificate from AWS's ACM.
According to this article https://colintoh.com/blog/configure-ssl-for-aws-elastic-beanstalk, I need to go to EC2 panel/load balancer and add a new listener rule.
My problem is that for the HTTPS load balancer protocol, when I try to add SSL Certificate, and click "Choose a certificate from ACM (recommended)", there's no ACM certificate available for me.
I know that I will have to request for a new Certificate for this load balancer address, but WHICH VERIFICATION METHOD SHOULD I USE?
As far as I know, there are 2 ways to verify your domain ownership(Email or DNS). I guess email is not an option here because you cannot send an email to a "elb.amazonaws.com" address. But I'm not sure how to verify certificate request by DNS.
And also, I tried to past the load balancer address xxx.xxx.elb.amazonaws.com into ACM to request a certificate for this address, but it says "invalid domain name"
And also, if I were to add custom domain name for my load balancer (for example, create a alias of api.example.com for the load balancer), how can I set up https for that custom domain of api.example.com?
Thanks a lot!
Problem solved. Need to request certificate in the same region as load balancer.
And then point the custom domain(the one used to request for certificate) to load balancer using route 53