For testing purposes, would it be possible to create a certificate without a domain name? http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https.html
According to the above documentation I can, "if you don't own a domain name, you can still use HTTPS with a self-signed certificate for development and testing purposes," but I can't seem to figure out how exactly to go about doing so.
Further research tells me I can assign an SSL Certificate ID: http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-elb.html
But when I followed the directions, my dropdown for the SSL certificate ID was empty. I figured I would need to create and upload a certificate first.
I have found this documentation concerning the creation of an SSL certificate: http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-ssl.html
After following the instructions, I can't seem to upload the certificate from the EC2 instance. This is the documentation I am following to upload the SSL certificate: http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-ssl-upload.html
I keep receiving this error when I try to upload it from the EC2 instance:
A client error (AccessDenied) occurred when calling the UploadServerCertificate operation: User: arn:aws:sts::172656543253:assumed-role/aws-elasticbeanstalk-ec2-role/i-62a85ce6 is not authorized to perform: iam:UploadServerCertificate on resource: arn:aws:iam::172656543253:server-certificate/elastic-beanstalk-x509
I'm guessing it has something to do with IAM roles, but I'm not entirely sure and don't really know where to begin. Any help would be appreciated. Thank you.
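The AccessDenied message quoted above already names the three things IAM refused: the principal (the assumed instance role), the action and the resource. That is exactly what you need in order to decide where the permission belongs. The following is an added example, not code from the question or from AWS: a small Python parser for that message shape that derives the single-action, single-resource policy statement which would satisfy it. SAMPLE_ERROR is the error quoted in the question; the regular expression and the names parse_access_denied and policy_for are my own.

```python
"""Turn an IAM AccessDenied message into the least-privilege statement it
implies. Added example, not from the thread or AWS; SAMPLE_ERROR is the
message quoted in the question, the helper names are my own."""
import json
import re

SAMPLE_ERROR = (
    "A client error (AccessDenied) occurred when calling the "
    "UploadServerCertificate operation: User: "
    "arn:aws:sts::172656543253:assumed-role/aws-elasticbeanstalk-ec2-role/i-62a85ce6 "
    "is not authorized to perform: iam:UploadServerCertificate on resource: "
    "arn:aws:iam::172656543253:server-certificate/elastic-beanstalk-x509"
)

# IAM's AccessDenied text has a stable shape: principal, action, resource.
ACCESS_DENIED_RE = re.compile(
    r"User: (?P<principal>arn:aws:\S+) is not authorized to perform: "
    r"(?P<action>[A-Za-z0-9-]+:[A-Za-z0-9*]+) on resource: (?P<resource>arn:aws:\S+)"
)


def parse_access_denied(message):
    """Return the denied principal, role, action and resource, or None."""
    m = ACCESS_DENIED_RE.search(message)
    if not m:
        return None
    principal = m.group("principal")
    # arn:aws:sts::<account>:assumed-role/<role-name>/<session-name>
    arn_fields = principal.split(":", 5)
    account, resource_part = arn_fields[4], arn_fields[5]
    role = resource_part.split("/")[1] if resource_part.startswith("assumed-role/") else None
    return {
        "account": account,
        "principal": principal,
        "role": role,
        "action": m.group("action"),
        "resource": m.group("resource"),
    }


def policy_for(denied):
    """Least-privilege policy: exactly the denied action on exactly the denied resource."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowExactlyWhatWasDenied",
            "Effect": "Allow",
            "Action": [denied["action"]],
            "Resource": [denied["resource"]],
        }],
    }


if __name__ == "__main__":
    denied = parse_access_denied(SAMPLE_ERROR)
    print(f"role {denied['role']} in account {denied['account']} lacks {denied['action']}")
    print(json.dumps(policy_for(denied), indent=2))
```

Whether to attach that statement to aws-elasticbeanstalk-ec2-role at all is a separate decision: the instance profile is shared by every process on the instance, so a one-off certificate upload is usually better done from an operator's own credentials, leaving the instance role without iam:UploadServerCertificate.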
Please see this SO answer for one way to enable https for elastic beanstalk. (In the AWS Management Console for EC2 under 'Load Balancers'-> Listeners add the certificate to be able to use it within Elastic Beanstalk.)
Now that AWS has support for ACM in all regions it's much easier to get it working because you only need to create a certificate and then reference it. ACM certificates are usually only available in the region they were issued.
Unfortunately I have nothing to add to your main question concerning SSL without a domain name.
I am posting this here to help others facing this problem as I could not find any useful information on the web.
If you have mapped your ACM certificate to an end-point (EC2, ELB, EKS service, whatever), you will need to enable
CertificateTransparencyLoggingPreference
Else you will get:
NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED
as an error in Chrome. To do this via the aws-cli, the command is:
aws acm update-certificate-options --certificate-arn <ARN of ACM certificate> --options CertificateTransparencyLoggingPreference=ENABLED
I have provided the full response from AWS support as the answer, as this contains even more information.
This is Vivek from AWS Containers team. I will assist you on this case.
From the case description, I understand that you requested an ACM certificate and created an ELB (service load balancer) behind which you are running nginx pods in EKS cluster example-EKS-CLUSTER-dev. When accessing the site https://test-aws.example.co/ from the browser you are getting the error below:
Error: NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED
You would like to use a third party CA such as Let's Encrypt to issue a free SSL certificate for your domains. You do not want to move the domain to Route53. You wish to know how to do this and achieve https. Please let me know if my understanding is correct.
Regarding the error ERR_CERTIFICATE_TRANSPARENCY_REQUIRED, this error is thrown by the Chrome browser when it cannot find CT (certificate transparency) logs. For Google Chrome to trust the certificate, all issued or imported certificates must have the SCT information embedded in them. By default ACM logs all new and renewed certificates. However, it provides an option to opt out from the AWS API or CLI. You may find more about this on link [1].
I checked the load balancer mapped to the domain "test-aws.example.co". It is mapped to ELB abce6962e05794f36a23435db3f1837d-1755308045.eu-west-2.elb.amazonaws.com which uses ACM certificate arn:aws:acm:eu-west-2:150737547637:certificate/f932b11d-af17-4023-be41-045c6fcc5e86. I checked this certificate and found that the option "CertificateTransparencyLoggingPreference" is disabled. You may enable transparency on the certificate to fix the issue by running the following command:
aws acm update-certificate-options --certificate-arn --options CertificateTransparencyLoggingPreference=ENABLED
Once the certificate is updated with CertificateTransparencyLoggingPreference enabled, the issue will resolve, i.e. you should no longer receive the error NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED when accessing the site over https.
Regarding your other query, i.e. how to use a third party certificate such as Let's Encrypt with ELB for https, you may obtain the desired certificate (get it issued from the desired CA) and import it in ACM or IAM. Once the third party certificate is imported in ACM/IAM, it can be associated with the https listener of the ELB similar to how you associate a certificate issued by ACM (by using the annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert in the service definition yaml with the value as the ARN of the imported certificate). Please find the steps to import a certificate in ACM on link [2]. The steps to import a certificate in IAM can be found on [3].
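The support reply's key point is that Chrome wants the SCT information embedded in the certificate itself. A defender can verify that directly rather than waiting for the browser error. The Python below is an added example, not part of the question or of AWS's reply: it walks a certificate's DER structure with a minimal tag-length-value reader and reports whether the SCT list extension (OID 1.3.6.1.4.1.11129.2.4.2) is present. It uses only the standard library. The sample input is a constructed extensions block standing in for a real certificate (no real certificate is on this page); build_sample, iter_oids and has_embedded_sct are names I chose.

```python
"""Report whether a certificate embeds a Signed Certificate Timestamp list
(extension OID 1.3.6.1.4.1.11129.2.4.2). Added example, not from the thread
or AWS; standard library only. build_sample produces a constructed extensions
block that stands in for a certificate; iter_oids and has_embedded_sct also
work on a real PEM such as the Certificate field of `aws acm get-certificate`."""
import base64
import re

SCT_LIST_OID = "1.3.6.1.4.1.11129.2.4.2"
SCT_LIST_OID_DER = bytes.fromhex("2B06010401D679020402")   # DER body of the OID above
KEY_USAGE_OID_DER = bytes.fromhex("551D0F")                # 2.5.29.15, an ordinary extension


def pem_to_der(pem):
    """Strip PEM armour and whitespace, then base64-decode."""
    return base64.b64decode(re.sub(r"-----(BEGIN|END)[^-]*-----|\s", "", pem))


def decode_oid(body):
    """Decode the value bytes of an OBJECT IDENTIFIER to dotted form."""
    parts = [str(body[0] // 40), str(body[0] % 40)]
    acc = 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:          # last byte of this base-128 arc
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:             # long form: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def iter_oids(der):
    """Yield every OID found by descending into constructed DER elements."""
    stack = [der]
    while stack:
        buf, pos = stack.pop(), 0
        while pos < len(buf):
            tag, value, pos = _read_tlv(buf, pos)
            if tag == 0x06:
                yield decode_oid(value)
            elif tag & 0x20:      # constructed: SEQUENCE, SET, [n] EXPLICIT ...
                stack.append(value)


def has_embedded_sct(cert):
    """cert may be PEM text or raw DER bytes."""
    der = pem_to_der(cert) if isinstance(cert, str) else cert
    return SCT_LIST_OID in set(iter_oids(der))


def der_encode(tag, value):
    """Tiny DER TLV encoder, used only to build the constructed sample."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def build_sample(with_sct, as_pem=False):
    """Constructed stand-in: SEQUENCE { [3] { Extensions } } with or without an SCT list."""
    exts = [der_encode(0x30, der_encode(0x06, KEY_USAGE_OID_DER) + der_encode(0x04, b"\x03\x02\x05\xa0"))]
    if with_sct:
        exts.append(der_encode(0x30, der_encode(0x06, SCT_LIST_OID_DER) + der_encode(0x04, b"\x04\x00")))
    der = der_encode(0x30, der_encode(0xA3, der_encode(0x30, b"".join(exts))))
    if not as_pem:
        return der
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode() + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    for flag in (True, False):
        print("SCT list embedded:", has_embedded_sct(build_sample(flag, as_pem=True)))
```

Feed has_embedded_sct the PEM text that aws acm get-certificate returns (or that openssl s_client prints for the load balancer). If the certificate itself carries no SCTs, the browser has to obtain them elsewhere (TLS extension or stapled OCSP), which is why an ACM certificate issued with logging disabled produces the Chrome error described above.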
I want to add an SSL certificate to my application that is currently deployed on Elastic Beanstalk. I created the certificate using AWS Certificate Manager using both validation methods, but neither of them worked. I did not get an email, and adding the CNAME to GoDaddy as well as Route 53 did not get it validated. I followed the exact steps specified in the documentation. I am the owner of the domain, so I should have gotten an email, but I didn't. Any idea what I might be doing wrong?
Also, is there another way to generate the SSL certificate besides AWS CM for my application?
I need to update/delete my certificate in the AWS Certificate Manager. However, when I try to do so, it says my certificate is being used by
Associated resources
arn:aws:cloudfront::<my-user-id>:distribution/ABC
However, when I navigate to the CloudFront section, there is no CloudFront distribution with that ARN.
Has anyone experienced something similar, and does anyone know how to resolve this issue?
I am running a Qualys scan on a Windows EC2 instance and it reports some vulnerabilities. One of them is "SSL Certificate - Subject Common Name Does Not Match Server FQDN".
Solution for this, as recommended by Qualys, is to "Please install a server certificate whose Subject commonName or subjectAltName matches the server FQDN."
Now the problem is the self-signed certificates which are not verified by a third party.
How do I get a valid certificate for this scenario, such that Qualys does not report the error?
I looked into ACM, but I guess it does not provide certificates for EC2.
Can anyone provide an insight on how to go about this?
Where do I get a valid certificate, and how do I add it to the instance?
I am using a CloudFormation template to create the instance using a custom AMI created using Packer. I mention this because it would be helpful to know if the steps to add the certificate need to be added at the AMI creation stage.
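The Qualys finding is a hostname-matching check: the scanner compares the FQDN it connected to against the names in the certificate. The following is an added example, not from the question or from Qualys, that implements that comparison in Python with the usual RFC 6125 rules (subjectAltName preferred over CN, a wildcard only as the whole leftmost label, never covering the bare parent domain), so you can predict whether a certificate you are about to install will clear the check. The sample names are constructed; certificate_covers and name_matches are my own function names.

```python
"""Predict a 'Subject Common Name Does Not Match Server FQDN' finding.
Added example; the matching rules follow RFC 6125 section 6.4. The sample
names below are constructed and are not from the question."""


def name_matches(pattern, hostname):
    """True if a certificate name (possibly '*.example.com') covers hostname.
    A wildcard may only replace the entire leftmost label, must leave at
    least two labels after it, and never covers the bare parent domain."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # '*.example.com' covers neither 'example.com' nor 'a.b.example.com'
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def certificate_covers(fqdn, san_dns_names=(), common_name=None):
    """Return (ok, reason). Browsers consult subjectAltName first and fall back
    to the CN only when the certificate carries no dNSName SAN at all;
    Qualys's wording accepts either, so this is the stricter of the two."""
    if san_dns_names:
        for name in san_dns_names:
            if name_matches(name, fqdn):
                return True, f"subjectAltName {name} covers {fqdn}"
        return False, f"no subjectAltName entry covers {fqdn}; CN is ignored when SAN is present"
    if common_name and name_matches(common_name, fqdn):
        return True, f"CN {common_name} covers {fqdn} (no SAN; current browsers reject CN-only certificates)"
    return False, f"CN {common_name!r} does not cover {fqdn}"


if __name__ == "__main__":
    # Constructed scenario: a Windows self-signed certificate whose CN is the
    # computer name, scanned through the instance's public DNS name.
    FQDN = "web01.example.com"
    print(certificate_covers(FQDN, common_name="EC2AMAZ-EXAMPLE"))
    print(certificate_covers(FQDN, san_dns_names=["*.example.com"]))
    print(certificate_covers("example.com", san_dns_names=["*.example.com"]))
```

The first call reproduces the finding in the question: the self-signed certificate names the machine, not the FQDN the scanner used. The fix is a certificate whose SAN lists the exact FQDN (or a wildcard one label above it), obtained from a CA such as Let's Encrypt if the host must terminate TLS itself.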
Unfortunately you cannot use a certificate issued by AWS Certificate Manager directly on EC2.
You can use it on Load Balancers, CloudFront and API Gateway; refer to this.
But a workaround is that if you have a single EC2 instance, put it behind a Classic LB and terminate SSL at the LB, so that when you access your content on EC2 it is via HTTPS.
Thanks
The easiest way to pass a scan like this is to restrict access to your instance so you're only exposing public services (like HTTP or HTTPS), and then "harden" the configuration of each required public service. All non-public services/ports should be limited to just your IP address(es). That will probably fix a number of the issues reported by the scan.
RDP and numerous other services (MSSQL, MSDeploy, POSH Remoting to name a few) are for administrators only and should not be visible to a Qualys scan (or hackers and bots that roam the internet...).
As Kush suggests above, adding a load balancer would allow you to use ACM certificates for web traffic, but it also adds an additional layer of security between the internet and your instance. This means you can further limit access to your instance to just your VPC, as public web traffic would go via the load balancer in your VPC, not directly to your instance anymore.
If you're hosting a website over HTTPS without a load balancer you will also need to edit the SChannel settings (the component responsible for SSL/TLS in Windows) to pass the scan, as well as installing a valid certificate for the website.
You can edit SChannel by hand in the registry here:
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\
(Reboot required - take a snapshot before you start ;)
WARNING - misconfiguring SChannel can break RDP or limit which web browsers can access your site etc. Test carefully!
FYI I find it easier to use a tool called IIS Crypto to configure SChannel (https://www.nartac.com/Products/IISCrypto) - it has a GUI and a CLI interface for scripting changes to SChannel. (You can still break your server with this tool though!)
If you want to look at using ACM and a load balancer with CloudFormation I would suggest registering & approving the certificate via the AWS console and making a note of the ARN of the certificate. This ARN can be used when creating a load balancer in a CloudFormation template.
NOTE: The above will resolve the issue on your scan, but not actually fix it. It is possible to use your own certificate for RDP (never tried), but not an ACM cert sadly. You could also look at a service like LetsEncrypt to get a free/basic certificate. Another option to avoid this error is you could export the self-signed cert from the instance and import it into your computer ( or domain?)'s certificate store.
I am using AWS and I have used ACM to generate a certificate. (This process is different than I am used to where I generate a certificate signing request and give it to a signing authority.) I requested a certificate:
Now I am trying to install it using the instructions from AWS:
aws iam get-server-certificate --server-certificate-name <<ExampleCertificate>>
Only, when I replace <<ExampleCertificate>> with the name of my certificate, I am not sure what I am supposed to replace it with. Notice that in the picture above, the Name column for my AWS certificate is blank. (Note: I made sure to give the IAM user that is configured with API IAMFullAccess temporarily to do this so there aren't permission issues.) If I try to use the domain name xxxxx.com as the name, I am told this message:
A client error (NoSuchEntity) occurred when calling the GetServerCertificate operation:
The Server Certificate with name xxxxxxxx.com cannot be found.
This happens when I use the identifier and the ARN also.
My end goal is to have a signed SSL certificate on NGINX to serve the web content of my EC2 instance.
A: Is this the right track? (Are these the right preliminary steps?)
B: If so, what do I use to reference the certificate? Or do I use a different API?
You have to use AWS ACM API (IAM certificate and ACM certificate are different).
The equivalent API is GetCertificate in ACM:
aws acm get-certificate --certificate-arn arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012
Now, I think you are trying to get the certificate and the chain to use it on your instance, but an Amazon-issued certificate cannot be used with EC2 instances as you can't get the private key. You have to use the certificate with ELB.
If you want to install an SSL certificate on your instance, you can get a certificate from another CA or use a Let's Encrypt certificate (which is free as well).