We want to secure the connection between all our internal servers, as well as from outside.
A basic diagram in AWS is:
As I have never installed SSL before, I don't know whether I really need a wildcard certificate, *.domain.com, or just a single certificate installed in the load balancer domain.com would be enough.
You need a certificate which matches all the domains you use. example.com only matches example.com but neither www1.example.com nor www2.example.com. This means you need either a certificate containing a wildcard for *.example.com or a certificate including both names you need to match as subject alternative names.
Related
My recent infrastructure had the following setup:
A domain on Route53 as example.com.
Several subdomains e.g. blog.example.com, dev.example.com etc.
A certificate on ACM with *.example.com as its entry.
Everything worked as expected, until I was required to add another domain, e.g. abc.dev.example.com. SSL doesn't work on this newly created subdomain.
My previous experience suggests creating a new certificate for this new subdomain, it has worked for me earlier as well. But it doesn't seem to be a best practice. Can I refresh/update my current certificate to accommodate the new subdomain?
This is because wildcard SSL cert can only support one subdomain level. From docs:
When you request a wild card certificate, the asterisk (*) must be in the leftmost position of the domain name and can protect only one subdomain level. For example, *.example.com can protect login.example.com, and test.example.com, but it cannot protect test.login.example.com.
So in your case you need new certificate for *.dev.example.com.
SSL Certificate is already enabled on my main domain but now I want to enable SSL on my subdomain too, So how can I enable on my subdomain, I am using AWS services.
If you're wanting to generate an SSL for your subdomain you will need to go through the ACM process again in the region(s) you're operating in.
When you specify the domain for the certificate you can either specify an absolute subdomain (foo.example.com) or specify a wildcard domain (*.example.com).
Once you have specified this you will need to go through the standard validation approach to have the certificate approved.
As an additional point going forward, AWS supports adding multiple domains to a single certificate so you could add the root domain (example.com) and the wildcard subdomain (*.example.com) to the same certificate which would allow you to use the same certificate.
No, it is not possible to edit an existing certificate to add more domains or a sub-domain of an already existing domain on an ACM certificate.
In case you wish to obtain a certificate for a new domain or sub-domain you can either have two separate certificates for the domain and sub-domain or delete the older certificate and request a new certificate with both the domain and sub-domain on the certificate.
A single certificate can hold domain.com & *.domain.com. Also the same certificate can also have domain1.com & *.domain1.com
Source https://forums.aws.amazon.com/thread.jspa?messageID=931119
This domain is not secure. The .sunrise and www.sunrise load the website, but neither of them have a secure connection.
I have attached a certificate to the domain, and it's entries are in the 2nd and 3rd rows from the top of this picture, and end with "validation.aws".
I think, maybe some of these rows will seem obviously useless, and I can delete them. I can also delete the two certificate rows and reapply them from the certificate page. Does anything stick out as the problem?
This is likely down to one of the following:
The certificate does not cover the domain(s) that you're trying to use
The certificate has expired
Debug Steps
When you access in the browser it should normally detail why the certificate is insecure.
Alternatively run the below command on your domain to get the full error.
curl -iv https://example.com
By running this command you'll get an error along the terms of the below.
curl: (60) SSL: no alternative certificate subject name matches target host name 'example.com'
Domain name not valid for certificate
You will need to ensure that the domain names that you included in the certificate match the domain you're trying to access in the browser.
From the console you can see the list of domains that are included on the certificate (including wildcard domains e.g. *.example.com. If the domain(s) you're trying to use would not match the rulesets you would need to generate a new SSL and then attach it to whichever resources are using it.
Certificate has expired
This will only occur if you're not using the ACM managed service which auto renews (you're using ACM so this is not the cause), in addition this is a new SSL so it would not have expired (the lifetime is 13 months).
During migration we moved subdomains from our previous SSL provider to LetsEncrypt for SSL certificate change. Some of the subdomains had uppercases in them, but during certificate generation, in LEtsEncrypt the subdomain can be created only in lowercase.(We even tried to create subdomain names with uppercase, but it didn't work) After the migration, the subdomains that had uppercases in them arent working if we point the newly generated Letsencrypt certificates but they are working with perfectly with the previous provider. Does anyone know how to solve this problem or even better know any way to generate the certificate name with uppercases in them?
Example
The subdomain names are Support.Example.com but the certificate can only be generated for support.example.com
DNS is case insensitive. So you wrongly define your hosts (presumably in apache) with upercase. Rename them to lower case and use Lets Encrypt certificates.
I am looking for some advice as how to most cost efficiently setup SSL for a subdomain e.g https://images.example.com.
Images are hosted in AWS S3 and I have a cloudfront distribution pointing to that bucket.
I have purchased a single domain SSL cert from Comodo and successfully added it to my cloudfront distribution. That part was easy as pie.
However, when loading images on the subdomain I get a "Not secure / certificate invalid" in the browser bar.
Is this because I require a wildcard SSL cert?
I have not tested that the SSL cert works on the main domain. Reason being there is currently a production site that I don't want to interfere with.
Before I rush out and purchase a much more expensive wildcard SSL cert, I want to make sure it is required.
I have a single subdomain for image hosting. I don't expect to ever ad more subdomains. What if I just purchase two single domain certs?
What are my options?
Try using ACM (https://aws.amazon.com/certificate-manager/ ) to issue an AWS issued wildcard certificate for your domain and use that instead?
As to why your existing cert won't work - does it have the domain in the cert (eg images.domain.com) as either the primary domain or as a SAN? If not, it won't work.
If you don't want to use a wildcard, you can use an ACM cert (or a cert you purchase from somewhere else) and issue it for the domain subdomain only? You don't have to use a wildcard but from a cost point of view if you are purchasing them, its often more cost-effective (although there are of course security concerns to consider). If you are using ACM, the certs are free - either domain specific or wildcard.