Amazon SSL certificate - amazon-web-services

I am trying to assign an SSL certificate for my domain. I have created a www.domain.com certificate and assigned it to my Elastic Beanstalk, and it works really fine, as I can see a little green lock next to my domain if I access it with https://www.domain.com or www.domain.com. The problem is that when I try to access it by domain.com, the lock is gone. Can anyone suggest what I should do in this case?

You have to get a new certificate for both the www and non-www domains; when you request the certificate there is an option for this (check the screenshot below). Then you force HTTPS on the application, and your site will be served through the SSL certificate for both domains, www and non-www.

Related

ACM Certificate not working for sub domain of sub domain

I have one ELB with www.example.com
and another with dev.example.com
I have created separate certificates for both including wildcards and www in Certificate Manager.
Both certificates are verified and issued.
But SSL on www.dev.example.com is not working.
When I check the certificate in Mozilla/Chrome it shows the alt DNS to be example.com, www.example.com, and *.example.com but that's a different certificate which I have not assigned to the listener of ELB of dev.example.com
Any help to make it work?
Wildcards only work at one level. You would need to add *.dev.example.com to the certificate in order for it to work with www.dev.example.com.

Redirecting from example.com to www.example.com with AWS Cloudfront and S3

I currently have my website running at https://www.example.com. I did this by creating an S3 bucket hosting the site called www.example.com, then I created a Cloudfront instance to add SSL.
I then created a CNAME in Godaddy which points to the Cloudfront URL.
If I visit http://example.com, GoDaddy correctly redirects to http://www.example.com, which Cloudfront correctly redirects to https://www.example.com.
HOWEVER, if I visit https://example.com, I get a blank page. How can I make the SSL naked domain redirect to www?
Proved myself wrong in rereading your question:
“Unfortunately, our forwarding servers don't accept HTTPS requests. This is why your forward isn't working. Traffic coming into the forwarding server using the HTTPS protocol won't resolve. The only way you'd be able to set this up is to have the domain hosted on a server where it has an SSL Certificate installed. You could then set up a redirect to point traffic from your old domain to your new one.”
https://www.godaddy.com/community/SSL-And-Security/Forwarding-works-as-long-as-URL-does-not-contain-https/td-p/44951
You should probably just move the domain to route53.

Amazon AWS SSL Problems

I'm currently hosting an S3 bucket with a static website. I'm using an SSL certificate via Certificate Manager that covers *.domain.com. Visiting the site www.domain.com results in a secure website; however, simply going to domain.com does not, even though the A record for domain.com points to www.domain.com through Route 53. The specific error message states that the site can't provide a secure connection. My question is: is the DNS not set up correctly to point domain.com to www.domain.com, or is it because the SSL certificate is only for *.domain.com and not domain.com?
Secure: https://www.adambarlowlaw.com/
Insecure: https://adambarlowlaw.com/
Pointing domain.com to www.domain.com just has the effect of two separate records that both end up pointing to the same IP address. Lots of people mistake this sort of DNS pointer as a browser redirect, but that is not the case.
You are focusing on the DNS setup, but it is the SSL certificate that is incorrect. Since the server has both domain.com and www.domain.com pointing at it, the server needs to be able to serve both of those domains. You have configured the SSL certificate to work for *.domain.com but not domain.com.
When you request an SSL certificate you need to request two domains: domain.com and *.domain.com.

AWS root domain forwarding to www subdomain when my app forces SSL

Going to http://example.com throws up a security warning right now, because I force all my traffic over SSL, and because Amazon Route 53 doesn't allow me to point the apex of the domain to my elastic beanstalk url. Instead I point the apex to an s3 static site, that has a redirect rule to redirect to www.example.com. The problem, I think, is that that redirect rule needs access to my SSL cert to perform the redirect, but doesn't have access. How can I fix this?
"The problem, I think, is that that redirect rule needs access to my SSL cert to perform the redirect"
Close, but backwards. The http request is sent encrypted over SSL, so your server can't see the request before SSL is negotiated, which can't happen with a mismatched cert.
As has been pointed out in comments, *.example.com only matches exactly-one-hostname-here.example.com -- not zero and not 2 or more. Add the additional name to your cert, to fix that.
It sounds as if you actually had 2 issues. You can't use a bucket to redirect and have your own SSL cert on that, with just Route 53 > S3. One alternative is Route 53 > CloudFront > S3 if for some reason you didn't want your app to handle these redirects, but wanted to stick with S3 for that. This works too, since CloudFront can front-end a bucket and can host a custom SSL cert.

AWS ACM wildcard ssl certificate not working on domain

I created a SSL certificate for my site using Amazon Certificate Manager. The certificate is for *.example.com. I have then attached this certificate to my ELB and have left the instance protocol as http. So SSL chain is only between the client and ELB.
I have two A records in Route53, one for example.com and one for www.example.com. Both of these are aliased to the ELB. When I do https://www.example.com it works perfectly. But when I do https://example.com I get the following error in Firefox:
"example.com uses an invalid security certificate. The certificate is only valid for *.example.com Error code: SSL_ERROR_BAD_CERT_DOMAIN"
Shouldn't the certificate *.example.com work for the address example.com? Am I missing something?
EDIT May 31, 2016
Thank you to Steffen Ullrich for setting me on the right track. The problem is that when using the AWS Certificate Manager (ACM) in the console (web browser) there is no option to add the alternative names. For those having the same problem, you need to use the CLI (command line interface). A quick web search for "Install AWS CLI" will give you all the information you need to complete the installation. Once the CLI is installed, you can run the ACM commands. Here is a link to the documentation:
http://docs.aws.amazon.com/cli/latest/reference/acm/request-certificate.html
The command I used was:
aws acm request-certificate --domain-name www.example.com --subject-alternative-names example.com
Once the request was approved I was able to see the SSL certificate in the ACM web interface. I installed it and everything is working like a charm now!
A certificate for *.example.com matches whatever.example.com but not example.com only. This is because the * must match a label and example.com has no label in place of the *. If you want to match both whatever.example.com and example.com you need to create a certificate which has as subject alternative names both *.example.com and example.com.
When requesting a new certificate via the console, you can now add both *.domain.com and www.domain.com. Before hitting next, in the next box, make sure you request to add another domain to the certificate.
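
The wildcard rule the answers on this page keep returning to (`*` stands for exactly one left-most label, so it covers neither the apex nor a sub-subdomain), written as an added example that is not part of any of the original posts. The hostnames and SAN lists are constructed, and `san_matches` and `uncovered` are hypothetical helper names; the check lets you confirm that a planned set of certificate names covers every hostname you serve before requesting the certificate.

```python
# Added example: certificate name matching with a left-most-label wildcard,
# in the style browsers apply (RFC 6125). Helper names are hypothetical and
# all hostnames / SAN lists are constructed for illustration.

def san_matches(pattern, hostname):
    """Return True if a single SAN dNSName entry covers hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # "*" stands for exactly one label, so both names need the same depth.
    # This is why *.example.com covers neither example.com (one label short)
    # nor www.dev.example.com (one label too many).
    if len(p_labels) != len(h_labels):
        return False
    first, rest = p_labels[0], p_labels[1:]
    # A wildcard is only honoured as the left-most label.
    if any("*" in label for label in rest):
        return False
    if rest != h_labels[1:]:
        return False
    if first == "*":
        return h_labels[0] != ""
    # Partial wildcards such as "w*" are treated as literals and will not match.
    return first == h_labels[0]


def uncovered(sans, hostnames):
    """Hostnames that no SAN entry covers; these fail with a name mismatch."""
    return [h for h in hostnames if not any(san_matches(s, h) for s in sans)]


# Constructed SAN lists mirroring the cases discussed in the threads above.
WILDCARD_ONLY = ["*.example.com"]
WILDCARD_PLUS_APEX = ["*.example.com", "example.com"]
WITH_DEV_WILDCARD = ["*.example.com", "example.com", "*.dev.example.com"]

# Constructed list of hostnames that resolve to the load balancer / distribution.
SERVED = ["example.com", "www.example.com", "dev.example.com", "www.dev.example.com"]

if __name__ == "__main__":
    for label, sans in [("wildcard only", WILDCARD_ONLY),
                        ("wildcard + apex", WILDCARD_PLUS_APEX),
                        ("wildcard + apex + *.dev", WITH_DEV_WILDCARD)]:
        print(f"{label:26} uncovered: {uncovered(sans, SERVED)}")
```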