AWS Elastic Beanstalk Namecheap SSL Configuration - amazon-web-services

My iOS software platform runs on AWS Elastic Beanstalk and has a URL we'll call "something.elasticbeanstalk.com". I have a website we'll call "website.com" I purchased and operate the DNS records for through Namecheap. I need to make the URL my iOS client apps use to connect to the server HTTPS since Apple is requiring this soon due to App Transport Security.
WHAT I THINK I'M SUPPOSED TO DO
What I think I'm supposed to do is create an SSL certificate for "website.com" and apply that SSL certificate to the AWS EB load balancer. Then I need to create a subdomain for "website.com" that redirects traffic to "something.elasticbeanstalk.com". Client apps connect to the subdomain of "website.com" which is now HTTPS and redirects to "something.elasticbeanstalk.com". Is that correct?
WHAT I'VE DONE SO FAR
So far, I created an SSL certificate for "website.com" using AWS Certificate Manager. For this I had to verify my email address associated with "website.com". I then applied that SSL certificate to my environment's load balancer in the AWS Management Console. After that, I went into Namecheap and followed this guide in the 'Domain Name & AWS 53 Management' section to do it.
I read in this article that I needed to create an alias and/or set up Nameservers in AWS Route53. I tried doing that but don't know what I'm doing and it seems to conflict with the Medium article I linked above that I followed telling me to change the CNAME record for the URL and the Redirect URL record for "website.com".
QUESTION
What do I do from here?

SITUATION
-I have a Parse Server on Elastic Beanstalk with URL “something.elasticbeanstalk.com”
-I have a domain with Namecheap called “website.com”
WHAT I NEEDED
I needed to make my client app connect to an HTTPS address since Apple is requiring it shortly with App Transport Security. Since I couldn’t get an SSL certificate using AWS certificate manager for “something.elasticbeanstalk.com”, I created one for “website.com”. I then needed to have my client app connect to the HTTPS “website.com” which would forward it over to “something.elasticbeanstalk.com”. This satisfied the HTTPS requirements of Apple.
HOW TO DO IT
1. Make an SSL certificate for “website.com” using AWS Certificate Manager. You will need to confirm the domain via a confirmation email to the administrator for it.
2. Apply the SSL certificate for “website.com” to the AWS EB Load Balancer. Go to your AWS EB Console, click "configuration", click "Load Balancing" under the "Network Tier" category. Now under the first category which is "Load Balancer", select the SSL record you made and apply it in the "SSL certificate ID" section.
3. Set a CNAME record for “website.com” with a host of whatever subdomain of “website.com” you want. I chose “data” as my host value and subdomain (so my subdomain is “data.website.com”). Set the value of the CNAME record to “something.elasticbeanstalk.com”. Wait for it to propagate. It’s usually pretty fast but not always.
4. (I’m unsure if this particular step is proper but it worked for me) Set the serverURL of Parse-Server to “https://something.elasticbeanstalk.com” and the publicServerURL to “https://data.something.com”
5. In the Parse “initializeWithConfiguration” method in your client app that enables the app to connect to the server, change the server URL to “https://data.something.com/parse”. NOTE: include the “/parse” which is the MOUNT PATH of the parse-server. This value MAY BE DIFFERENT for you depending on how you set it but I set it to “/parse” since that’s what I saw in the Parse-Server docs.
NOTES
-I deleted all Route53 records since they are irrelevant here since “something.com” DNS services are controlled by Namecheap.
-A Redirect URL record in Namecheap is unnecessary

Related

AWS Elastic Beanstalk - SSL Certificate added but still HTTPS Error: SSL_ERROR_BAD_CERT_DOMAIN

I bought a domain named studileih.de, then I deployed my Angular frontend on firebase: https://studileih-ceb70.web.app/ and redirected from my domain studileih.de to the firebase URL.
Then I deployed my Spring Boot backend to AWS Elastic Beanstalk on: http://studileih1.eu-central-1.elasticbeanstalk.com/
-> Problem: Since the frontend on firebase used https and the backend on AWS used http I got a Mixed content error. The frontend wasn't able to load any of the backend data.
So I tried to solve this by creating an SSL certificate for my backend in the AWS Certificate Manager (ACM) and adding this to my Elastic Beanstalk Load Balancer. This worked and I could now at least make a connection from my frontend to my backend.
But now I get this error whenever a request to my backend gets sent:
When I click on "Accept the Risk and Continue" once, it works fine and all my backend data gets loaded. But I can't ask my users to do that.
(You can try this out by following: https://studileih1.eu-central-1.elasticbeanstalk.com/products and clicking "Advanced" -> "Accept the Risk and Continue" (if you dare ^^)
after you've done that, click on studileih.de and it will now load with the backend data.)
I know the problem exists because when creating the SSL certificate, I entered studileih.de as the domain that the certificate is for. I think I have to create an SSL certificate for studileih1.eu-central-1.elasticbeanstalk.com instead.
But when I try to create an SSL certificate for studileih1.eu-central-1.elasticbeanstalk.com:
I get this error from ACM:
How do I create an SSL certificate for the Elastic Beanstalk URL?
p.s. I also tried to issue a certificate for my firebase URL https://studileih-ceb70.web.app/ but this one already uses HTTPS by default. Also I couldn't find out how to DNS/Email validate the ACM request in the firebase console. But I think I need a certificate for the Elastic Beanstalk backend at studileih1.eu-central-1.elasticbeanstalk.com, not for the firebase frontend, right?
p.p.s. I don't really need to use https, so a solution would be to make firebase use http instead of https, but I couldn't find anything on how to do that.
UPDATE:
I added a subdomain called api.studileih.de (the immediate access is blocked by spring security, as you're not logged in to my site, but you can test it with api.studileih.de/products, because this API is accessible without login). Then I redirected that subdomain to my AWS Load Balancer as suggested by Mark B by adding a CNAME to the subdomain:
(it's not possible to change to English there, sorry)
this is my Load Balancer:
I tried to put the DNS-Name as A-Record into my subdomain, but it was only possible to enter an IPv4 address there, so I entered it as CNAME instead. I also tried to find out the IP address of the Load Balancer, but Load Balancers don't have a static IP address.
This approach with the subdomain and the CNAME unfortunately didn't work, so I'm still looking for a solution...
(Here's the menu for setting an A-Record. You can only enter IP addresses there:)
> I know the problem exists because when creating the SSL certificate, I entered studileih.de as the domain that the certificate is for. I think I have to create an SSL certificate for studileih1.eu-central-1.elasticbeanstalk.com instead.
You can only create an SSL certificate for a domain you own. You need to point a subdomain of studileih.de, like api.studileih.de, at the Elastic Beanstalk load balancer, and then attach an SSL certificate to that load balancer that matches that subdomain.
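
Added example (not part of any post on this page): a Python sketch of the hostname check a TLS client performs, which is what produces SSL_ERROR_BAD_CERT_DOMAIN when the load balancer's certificate names studileih.de but the client connects to the elasticbeanstalk.com name or to api.studileih.de. The function names and the sample name lists are constructed for illustration; fetch_sans needs network access and is not called by the sample run.

```python
import socket
import ssl


def san_matches(pattern, hostname):
    """Match one certificate DNS name against a hostname (RFC 6125 rules).

    A wildcard counts only as the whole left-most label and stands for
    exactly one label: *.example.com covers api.example.com, but neither
    example.com nor a.b.example.com.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Need two fixed labels after the wildcard, and a non-empty host label.
        return len(p) >= 3 and bool(h[0]) and p[1:] == h[1:]
    return p == h


def covering_names(sans, hostname):
    """Certificate names that cover hostname; an empty list is a mismatch."""
    return [name for name in sans if san_matches(name, hostname)]


def fetch_sans(hostname, port=443, timeout=5.0):
    """Read the DNS subjectAltName entries a live server presents.

    The chain is still validated; only hostname checking is turned off so
    a mismatching certificate can be inspected. Diagnostic use only.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]


# Constructed sample data: names on the certificate (hostnames from the question).
CERT_SANS = ["studileih.de"]
WILDCARD_SANS = ["studileih.de", "*.studileih.de"]

if __name__ == "__main__":
    for host in ("studileih1.eu-central-1.elasticbeanstalk.com",
                 "api.studileih.de", "studileih.de"):
        print(host, "->", covering_names(CERT_SANS, host) or "MISMATCH")
```

Calling covering_names(fetch_sans(host), host) against the hostname the client actually uses shows whether the certificate attached to the load balancer covers it.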

How to point SSL Enabled custom Sub Domains to Elastic Beanstalk? (without Route53)

I am trying to map an external sub domain into my Elastic Beanstalk Environment. I know, the common way is to use Route53 but I see no use of using it when my client's domain provider has already provided CPanel and stuff to set the CName and things. So, I am about to follow the below method to set domain to Beanstalk.
1. Login to your provider website and select your domain
2. Click on "Advanced DNS"
3. Create a CNAME record.
   host: www
   value: {{enter-your-subdomain}}.elasticbeanstalk.com.
4. Create a URL Redirect record.
   host: @
   value: http://www.{{your-custom-domain}}.com
By doing the above, I expect to have subdomain.example.com instead of subdomain-region.elasticbeanstalk.com
You can see detailed info in this - https://colintoh.com/blog/map-custom-domain-to-elastic-beanstalk-application
I am going to apply this to 2 things.
The REST API which resides in Beanstalk. (Will be used by few mobile and web apps)
The Web Portal app which resides in Beanstalk.
Now, I can see my client already has a couple of subdomains for other purposes with SSL enabled. They have purchased SSL from a CA. Therefore, can we enable SSL in CPanel and point the SSL enabled sub domains to Beanstalk? Or do we have to reconfigure everything in Route53 and go through their complex process of setting up the SSL?
Using SSL certificates issued by external vendor
From the side of the SSL vendor you would need three files: certificate-chain.pem, https-cert.crt and private-key.pem.
Steps would be as follows:
1. Import the certificate to ACM:
   aws acm import-certificate --certificate file://https-cert.crt --private-key file://private-key.pem --certificate-chain file://certificate-chain.pem
2. Once the import is complete, edit the Load Balancer settings in AWS Elastic Beanstalk from the Console to choose the imported certificate. For detailed step by step instructions refer to https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-elb.html.
Using SSL certificates from AWS ACM
Steps would be as follows:
1. Create a Public Hosted Zone in Route 53 with the subdomain in discussion (say app.mydomain.com). AWS will return multiple ns server names.
2. Create an SOA record in the existing domain registrar for app.mydomain.com pointing to the ns server names returned in step 1.
3. Go to ACM and create domain validated certificates for app.mydomain.com.
4. Edit Load Balancer settings in AWS Elastic Beanstalk from Console to choose the new ACM certificates. For detailed step by step instruction refer https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-elb.html.

SSL is not working for Route 53 domain on AWS

I've deployed my Django app on AWS Elastic Beanstalk Linux instance. I've used Route 53 to point it to a custom domain from GoDaddy.
Now I want to use SSL for my website.
I don't want to use Load Balancers for SSL since I'm using only 1 instance and it's costly to pay $18/month.
So what I did was use Let's Encrypt SSL by adding a 00_apache_ssl.config file in my .ebextensions folder.
I've followed this tutorial to use the SSL. My SSL is working perfectly for Elastic Beanstalk URL. But the problem is it's not working for my custom domain.
My EB URL is showing a secure connection while its custom domain is showing an insecure connection.
What am I lacking? Do I need to make some changes in the Route 53 record sets as well?
Thank you.
Edit 1: My custom domain is showing the Let's encrypt certificate as Invalid Certificate.
According to your tutorial, you have got an SSL certificate for your elasticbeanstalk domain, not your custom domain.
If you want to access your website via your custom domain with https (e.g. https://my-cust-domain.com), you have to get a certificate for your domain.
You can obtain an SSL certificate from any provider who sells SSL certificates.
Note: You can also get a wildcard certificate (*.my-cust-domain.com), which could be used with any of your sub domains.
reference:
https://rickchristianson.wordpress.com/2013/10/31/getting-a-django-app-to-use-https-on-aws-elastic-beanstalk/

How is domain name used for Amazon issued SSL certificates in ACM

I created an SSL certificate last night for use with an API (Tomcat, Spring Boot) on AWS Elastic Beanstalk using instructions provided by Amazon Certificate Manager.
When creating the cert, I entered the URL of my static site that calls the API, which is hosted by GoDaddy. ACM sent an email to my URL which I opened and approved and I now see the cert as issued, by Amazon, in my certs. I am also able to select it when I configure HTTPS for my EB load balancer. I am not able to export this cert though as it isn't private.
My question is, how is domain name used? I think I'm a little confused about how to use SSL on both my API and my static site AS WELL as the small bit of static content I'll host out of Tomcat.
Thanks.
ACM certs can only be used with AWS services - CloudFront (if the cert is issued in us-east-1) and regionally on the classic load balancer and application load balancer.
You cannot export the cert for use in other products, so if you wanted to have Tomcat handle SSL you would need to get either a commercial cert or use something like Let's Encrypt.
If you have multiple host names you want to protect, you have different options.
You can get one cert per hostname if they are running on completely separate infrastructure; you can also have multiple host names in a single cert - even if there are multiple domains; and finally you can get a wildcard cert.

SSL Certificates On Elastic Beanstalk Default Setup

I'm in the process of moving from another cloud provider. Currently I'm just testing in the default environment that has a url looking like this:
http://example-env-1.us-east-1.elasticbeanstalk.com
I'm trying to get SSL/HTTPS working for this address. I then plan using a CNAME to redirect to this address and eventually move the nameservers over completely.
However, after setting everything else up successfully I get to the point of adding the certificates and it just says "failed":
And even though I have my actual "example.com" ssl certificate successfully issued nothing shows up in the load balancer certificate selection dropdown (and yes I have refreshed):
How do I enable SSL using the Certificate Manager?
That's because you are trying to request a cert for the elasticbeanstalk.com domain. You will not be able to get a cert for that domain as you are not the owner of it :). Nor can you setup https for the default elastic beanstalk domains they give you.
You should use ACM to get a certificate for your custom domain, the one you plan on making a CNAME record for.
Example:
If you were to own say the domain amyneville.com. You could create a cert through ACM for that domain.
If you use your custom domain, you do NOT need to get a cert for the elasticbeanstalk.com domain.
A couple more things:
You cannot create a CNAME record on a TLD (amyneville.com). You can create the CNAME record for www.amyneville.com. So if you want to use the CNAME approach you will have to create a non-www redirect to www.
But better than a CNAME would be to use an A record and point it to the elastic beanstalk resource that was set up. So the load balancer that was created for you, use its A record.
Last but not least, you cannot apply the ACM cert through the elastic beanstalk console. Instead you will have to use the AWS CLI tools. Here's a link on how to do it: https://stackoverflow.com/a/35173500/1445460
I was looking for this myself and found this useful blog post from one of the Amazon team ...
https://medium.com/@arcdigital/enabling-ssl-via-aws-certificate-manager-on-elastic-beanstalk-b953571ef4f8#.frcj0rj4t
Whilst you can't use the console to select the certificate as stated in your question you can use the Elastic Beanstalk CLI to set the certificate to one you have created in Certificate Manager.