I created an SSL certificate for my site using Amazon Certificate Manager. The certificate is for *.example.com. I have then attached this certificate to my ELB and have left the instance protocol as http. So the SSL chain is only between the client and the ELB.
I have two A records in Route53: one for example.com and one for www.example.com. Both of these are aliased to the ELB. When I do https://www.example.com it works perfectly. But when I do https://example.com I get the following error in Firefox:
"example.com uses an invalid security certificate. The certificate is only valid for *.example.com Error code: SSL_ERROR_BAD_CERT_DOMAIN"
Shouldn't the certificate *.example.com work for the address example.com? Am I missing something?
EDIT May 31, 2016
Thank you to Steffen Ullrich for setting me on the right track. The problem is that when using the AWS Certificate Manager (ACM) in the console (web browser) there is no option to add the alternative names. For those having the same problem, you need to use the CLI (command line interface). A quick web search for "Install AWS CLI" will give you all the information you need to complete the installation. Once the CLI is installed you can run the ACM commands. Here is a link to the documentation:
http://docs.aws.amazon.com/cli/latest/reference/acm/request-certificate.html
The command I used was:
aws acm request-certificate --domain-name www.example.com --subject-alternative-names example.com
Once the request was approved I was able to see the SSL certificate in the ACM web interface. I installed it and everything is working like a charm now!
A certificate for *.example.com matches whatever.example.com but not example.com alone. This is because the * must match a label, and example.com has no label in place of the *. If you want to match both whatever.example.com and example.com you need to create a certificate which has both *.example.com and example.com as subject alternative names.
When requesting a new certificate via the console, you can now add both *.domain.com and www.domain.com. Before hitting Next, in the next box, make sure you request to add another domain to the certificate.
Related
I have purchased an SSL certificate from Namecheap and want to import it into my AWS instance. My application runs in a Docker container on port 80.
1. Certificate is uploaded to ACM, and in use.
2. Created a LoadBalancer+Target group.
3. Configured CloudFront
4. In Route53, pointed the A-Record to my Application LoadBalancer name.
For some unknown reason I am unable to access the URL.
It gets redirected to https:// but it's not accessible.
Am I missing anything here? Your advice would be really appreciated on this.
I have one ELB with www.example.com and another with dev.example.com.
I have created separate certificates for both, including wildcards and www, in Certificate Manager.
Both certificates are verified and issued.
But SSL on www.dev.example.com is not working.
When I check the certificate in Mozilla/Chrome it shows the alt DNS names to be example.com, www.example.com, and *.example.com, but that's a different certificate which I have not assigned to the listener of the ELB for dev.example.com.
Any help to make it work?
Wildcards only work at one level. You would need to add *.dev.example.com to the certificate in order for it to work with www.dev.example.com.
My setup
EC2: app
Domain Registrar: namecheap
DNS: route 53
I use EC2 to host my app, AWS Route 53 to direct the URL, and CloudFront to fetch the static files for my app. Right now CloudFront is using the unfriendly domain *.cloudfront.net.
I am using certbot inside my EC2 to provide the SSL connection.
When I tried to change the CloudFront domain name, I used the custom SSL certificate generated by ACM (AWS Certificate Manager), and I encountered the error:
com.amazonaws.services.cloudfront.model.InvalidViewerCertificateException: The certificate that is attached to your distribution doesn't cover the alternate domain name (CNAME) that you're trying to add. For more details, see: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html#alternate-domain-names-requirements (Service: AmazonCloudFront; Status Code: 400; Error Code: InvalidViewerCertificate; Request ID: 2d39c685-bf17-4d24-9c4b-82955daa878f; Proxy: null)
The ACM cert is generated in N. Virginia, which is fine since my EC2 is hosted there. I generated the cert using *.example.com and it is verified.
I am not sure how to fix that. Any advice?
This will be caused by an invalid domain name being used for the ACM certificate you have provisioned.
Because the ACM certificate generated is *.example.com, only a subdomain one level deep can be used.
To explain this further:
www.example.com is a valid subdomain for the ACM certificate
foo.bar.example.com is not a valid subdomain for the ACM certificate
example.com is not valid for this ACM certificate as it is the root domain (and not referenced on the SSL).
Because it is generated in ACM, we can validate that this certificate is compatible as long as it meets the following conditions.
For the SSL to work for the root domain and subdomains it must contain both example.com and *.example.com to work correctly within CloudFront.
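The single-label wildcard rule explained in the answers above (*.example.com covers www.example.com but neither example.com nor www.dev.example.com) is what browsers apply from RFC 6125. The following is an added example, not code from any of the posts or from AWS; the hostnames and SAN lists it uses are constructed to mirror the cases in these questions, and sans_to_request assumes a two-label registrable domain such as example.com.

```python
"""Browser-style wildcard matching of a hostname against a certificate's SAN list.
Added example, not code from the posts above or from AWS; the SAN lists used are
constructed to mirror the cases discussed (RFC 6125 / RFC 9525 rules)."""


def _dns_match(pattern: str, hostname: str) -> bool:
    """True if one dNSName SAN pattern covers hostname.
    - case-insensitive, trailing dot ignored;
    - '*' is honoured only as the entire leftmost label;
    - '*' matches exactly one label: not zero (*.example.com does not cover
      example.com) and not several (it does not cover foo.bar.example.com);
    - patterns like *.com (fewer than two labels after '*') are refused."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
        return False
    if len(p_labels) < 3 or len(h_labels) != len(p_labels):
        return False
    return h_labels[0] != "" and h_labels[1:] == p_labels[1:]


def hostname_matches(hostname: str, san_dns_names: list[str]) -> bool:
    """True if any SAN entry covers hostname. The CN is ignored on purpose,
    which is what current Chrome and Firefox do."""
    return any(_dns_match(p, hostname) for p in san_dns_names)


def uncovered(hostnames: list[str], san_dns_names: list[str]) -> list[str]:
    """Hostnames you serve that this certificate would NOT be valid for."""
    return [h for h in hostnames if not hostname_matches(h, san_dns_names)]


def sans_to_request(hostnames: list[str]) -> list[str]:
    """Smallest SAN list for a new request that covers every hostname: the exact
    name for an apex, one single-level wildcard per parent otherwise. Assumes the
    registrable domain is the last two labels (example.com), not a public suffix
    such as co.uk."""
    wanted: list[str] = []
    for h in (x.lower().rstrip(".") for x in hostnames):
        labels = h.split(".")
        name = h if len(labels) <= 2 else "*." + ".".join(labels[1:])
        if name not in wanted:
            wanted.append(name)
    return wanted
```

Running uncovered over the wildcard-only certificate from the first question reports example.com and www.dev.example.com as not covered, and sans_to_request gives the list to pass as --subject-alternative-names so that one certificate serves all of them.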
I created a front end hosted at www.example.com through Netlify. The front end makes API calls to a load balancer address hosted on AWS. Through Netlify, I set up an A record so that server.example.com points to the load balancer. In Amazon Certificate Manager, I got a certificate imported successfully for example.com and server.example.com by creating CNAME records in Netlify.
However, when I visit server.example.com in the browser, it properly loads my Express server, but the browser says Not Secure despite the site being served over https. It says the certificate is invalid.
I'm wondering how to get the certificate to be valid at server.example.com. Any help would be much appreciated, as I've struggled with this for two days now.
Thanks!
The issue is that the certificate CN (common name) is drawafterdark.com and you are using it with server.drawafterdark.com. The certificate is valid, but the client (Chrome) will show that the certificate is not valid because the hostname doesn't match the CN. You either have to get a certificate for server.drawafterdark.com or a wildcard certificate for *.drawafterdark.com.
You can also add server.drawafterdark.com to the SAN (subject alternative name). Then it will be valid for both server.drawafterdark.com and drawafterdark.com.
I have an app with a separate front end (AngularJS) and back end (Rails). They are hosted in separate AWS elastic beanstalk environments. We have purchased an SSL certificate via AWS which matches the domain name of the front end.
Our app involves completing a survey which includes submitting personal identifiable information.
Do I need an SSL certificate on both the front end and back end? Is it possible to use the same certificate for both? I am new to setting up these types of configurations and internet searches and AWS documentation have not helped.
Do I need an SSL certificate on both the front end and back end?
Yes
Is it possible to use the same certificate for both?
Yes
You need to request a free SSL certificate for your domain in the Amazon Certificate Manager service (ACM). Once you have the certificate you can easily attach it to the load balancers in each of your Elastic Beanstalk environments by adding an HTTPS listener to the load balancers and selecting the SSL certificate from the list it will present you.
When you request the certificate specify the root domain and a star wildcard for the subdomain. For example if your domain was example.com you would enter example.com and *.example.com in the SSL certificate request.