I've set up my Google Cloud Project to use a load balancer in combination with auto-scaling instance templates. Currently the instance group only has one instance.
My domain name successfully refers to the load balancer's IP. Up to these steps everything is working correctly.
Now I want to set up SSL for this project. I would like to do this with the Letsencrypt service, however I'm having no success when trying to set this up.
In the Google Cloud Engine load balancer window there is an option to set up an earlier created certificate with Google Cloud Shell on the load balancer frontend. Unfortunately I can only create a .csr and .key file with the Google Cloud Shell. Furthermore, I can create an unsafe SSL certificate and get the .cert file from it, but I would like to create a safe SSL cert file using letsencrypt. The Letsencrypt service requires direct access to the domain from the command line interface the command was executed on; this is probably the reason why I'm getting an error indicating the domain name cannot be retrieved.
You can try this one https://hub.docker.com/r/bloomapi/letsencrypt-gcloud-balancer
P.S. the certificates on the load balancer will automatically renew every month
Related
I have a domain purchased at 1and1 and set up at AWS EC2 with SSL and Apache server.
Even though the domain points to the correct IP (using nslookup I can see it), it works from some places and not from others.
For example, here from my workplace, I see this page (the domain does not reach the EC2 server):
I launched a Windows EC2 at AWS to make a test and from there, everything is correct (the page loads and SSL is valid):
From my client's computer, it has another behavior. It reaches the EC2 server, but it says the SSL is invalid:
Has anyone faced the same problem?
The first thing you need to do is get an Elastic IP. The instance IP can change during reboot etc., but Elastic IPs are static IPs, so you should make sure you create one of them and assign it to your running instance.
Create Hosted Zone and Record Sets
Documentation is here - https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/CreatingHostedZone.html
Create a recordset and add values
Add the Amazon name servers in the control panel of your domain provider
Import the SSL certificate to AWS Certificate Manager (optional). Documentation is here https://docs.aws.amazon.com/acm/latest/userguide/import-certificate-api-cli.html#import-certificate-api
A self-signed certificate will not work.
Deploy the SSL certificate into the Apache server and configure the traffic for HTTPS.
Open the AWS inbound traffic port; documentation is here - https://aws.amazon.com/premiumsupport/knowledge-center/connect-http-https-ec2/
I have a Docker-based Django API application that can be called from multiple domains, abc.xyz.com or def.lmn.com. I have successfully added the SSL certificate for abc.xyz.com from the configuration console in Elastic Beanstalk. That allows only one certificate to be added for port 443.
How do I add the def.lmn.com certificate after creating it from AWS Certificate Manager?
Multiple SSL secured applications can be hosted in aws with each having their own SSL certificates with the help of SNI (Server Name Indication).
In order to achieve this you need to use an Application Load Balancer for your application.
Hence, for using SNI you need to bind multiple certificates to the same listener on your Application Load Balancer.
If you have not configured Application Load Balancer while creating your environment, then you need to create a new environment and configure it.
Configuring Application Load Balancer: https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/environments-cfg-alb.html
Steps to be followed for adding multiple certificates, if you have configured Application Load Balancer while creating your Elastic Beanstalk Environment :
Step 1: Import/Upload all the certificates you require through “AWS Certificate Manager” service.
Step 2: Open your Load Balancer in the console.
Step 3: Go to the listeners tab, and select “view/edit certificates” .
Step 4: Now, use the “+” button in the top left corner and select the certificates you require. Then click the “Add” button.
That's it. In this way you can add multiple certificates to your application.
This can also be done with the help of the CLI using the following command:
aws elbv2 add-listener-certificates --listener-arn [listener-arn] --certificates CertificateArn=[cert-arn]
Hope this helps :)
You need to use an Application Load Balancer instead of an Elastic Load Balancer for your application. If you have an environment that already exists and you are not using an Application Load Balancer, then you need to create a new environment and, while configuring the new environment, specify the capacity as load balanced and select an Application Load Balancer in the load balancer configuration. Once this is done, add a new listener for HTTPS. For now, select one certificate and launch your environment. Once your environment is launched, open the EC2 console and go to the load balancer in the sidebar. From there select your Application Load Balancer, select your listener and click on "view certificates". You can add multiple certificates there.
I'm looking for a way to install the Letsencrypt certificate on the load balancer using Google Cloud. Is there a way I can manually create a .cert file with letsencrypt instead of installing it directly? If not, is there another way or service to create a .cert file from a .csr and .key file?
You can use sslforfree.com, which calls LetsEncrypt for you and gives you the keys for downloading. It can also remind you to renew your certs. (There's currently no way to auto-renew certs in Google LB)
You can use certbot
Here is an example of how to create only the certificates (the standalone plugin binds its own temporary web server on port 80 to answer the HTTP-01 challenge, so the machine it runs on must be reachable from the internet for the domain):
$ ./certbot-auto certonly --standalone --email admin@example.com -d example.com -d www.example.com
If you use Kubernetes on top of Google Compute Engine, a good solution is cert-manager, which is the successor of kube-lego. Both can automatically request certificates for Kubernetes Ingress resources from Let's Encrypt:
Features
Recognizes the need for a new certificate in these cases:
No certificate existing
Existing certificate is not containing all domain names
Existing certificate is expired or near its expiry date (cf. option LEGO_MINIMUM_VALIDITY)
Existing certificate is unparseable, invalid or not matching the secret key
Creates a user account (incl. private key) for Let's Encrypt and stores it in Kubernetes secrets (secret name is configurable via LEGO_SECRET_NAME)
Obtains the missing certificates from Let's Encrypt and authorizes the request with the HTTP-01 challenge
Makes sure that the specific Kubernetes objects (Services, Ingress) contain the right configuration for the HTTP-01 challenge to succeed
Official Kubernetes Helm chart for simple deployment.
A step-by-step tutorial for GCE is available.
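The "domain name cannot be retrieved" error in the question and the HTTP-01 items in the cert-manager answer above come down to the same mechanic: the CA fetches http://<domain>/.well-known/acme-challenge/<token> over the public internet, and whatever the load balancer routes that request to must answer with the key authorization (token, a dot, and the base64url SHA-256 thumbprint of the ACME account key per RFC 8555 / RFC 7638). Behind a load balancer that means every backend, or a dedicated path rule, must serve it; certbot's standalone server on one shell session cannot. The following is an added example, not code from the question, certbot or cert-manager, that computes the key authorization and serves it with a minimal responder; the sample JWK values and the token are constructed placeholders, not a real account key.

```python
import base64
import hashlib
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Constructed sample account key (public part only); not a real key.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """RFC 7638 canonical form: only the required members, lexicographically ordered, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
    members = required[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("ascii")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Exact body the CA expects at /.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(jwk)}"


class ChallengeHandler(BaseHTTPRequestHandler):
    challenges: dict = {}  # token -> key authorization, filled in by the ACME client side

    def do_GET(self):
        if self.path.startswith(CHALLENGE_PREFIX):
            body = self.challenges.get(self.path[len(CHALLENGE_PREFIX):])
            if body is not None:
                data = body.encode("ascii")
                self.send_response(200)
                self.send_header("Content-Type", "application/octet-stream")
                self.send_header("Content-Length", str(len(data)))
                self.end_headers()
                self.wfile.write(data)
                return
        self.send_response(404)  # unknown token or any other path: never echo input back
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def serve_challenge(token: str, jwk: dict, port: int = 0) -> HTTPServer:
    """Register the token and start the responder on loopback (port 0 = pick a free port)."""
    ChallengeHandler.challenges[token] = key_authorization(token, jwk)
    server = HTTPServer(("127.0.0.1", port), ChallengeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch(port: int, path: str):
    """Play the CA's validator: GET the path and return (status, body)."""
    try:
        with urllib.request.urlopen(f"http://127.0.0.1:{port}{path}", timeout=5) as r:
            return r.status, r.read().decode("ascii")
    except urllib.error.HTTPError as e:
        return e.code, ""


def demo_roundtrip(token: str, jwk: dict):
    """Serve one challenge, validate it like the CA would, and probe a wrong token."""
    server = serve_challenge(token, jwk)
    port = server.server_address[1]
    try:
        good = fetch(port, CHALLENGE_PREFIX + token)
        bad = fetch(port, CHALLENGE_PREFIX + "not-a-token")
    finally:
        server.shutdown()
    return good, bad


if __name__ == "__main__":
    good, bad = demo_roundtrip("constructed-token-123", SAMPLE_JWK)
    print("valid token   ->", good)
    print("unknown token ->", bad)
```

The responder deliberately serves nothing outside the challenge prefix, so it can sit on the backends permanently while a real ACME client (certbot, cert-manager) only has to drop token files in; the CA will retry from several vantage points, so the load balancer must route the path to a backend that has the token rather than to the one shell session that started the request.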
A good way to achieve your goal is cloud function + cloud scheduler + https://github.com/bloomapi/letsencrypt-gcloud-balancer
I'm trying to use my AWS certificate with an Elastic Load Balancer on my EC2 instance, which has Apache. I followed this tutorial http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-getting-started.html#configure-health-check to create my classic load balancer. After that creation everything looks right in my load balancer console. But when I try to browse my website with https instead of http, Chrome says the connection is not secure. When I look inside the certificate from the browser I see that the certificate was published by localhost.
So is there any additional configuration that I have to do, like in my httpd-ssl.conf file or something else? By the way, all these services are in the same region (Frankfurt).
Thanks George!!! Routing DNS to the ELB is the key point. Since you sent that comment I had been working on it. Now I've got it! Here is the link for routing DNS to the ELB:
http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-to-elb-load-balancer.html
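The three symptoms on this page ("works from some places and not others", "the certificate was published by localhost", and a single-certificate listener that needs SNI) are all answered by one question: which certificate does this endpoint actually hand out when I connect with this server name? The following is an added example, not code from any of the answers or from AWS, that checks a getpeercert()-style certificate against a hostname and, optionally, performs that live check; run the live check from each vantage point (workplace, the EC2 test box, the client's machine) and compare the fingerprints to see whether DNS is sending you to different hosts or one host is serving its default self-signed certificate. The sample certificate dicts and timestamps are constructed.

```python
import hashlib
import socket
import ssl
import time

# Constructed "now" so the expiry checks are deterministic.
NOW = ssl.cert_time_to_seconds("Jan  1 00:00:00 2025 GMT")

# Constructed getpeercert()-style dicts: what Apache serves before the real cert is configured
# (self-signed, CN=localhost) versus a properly issued one.
LOCALHOST_CERT = {
    "subject": ((("commonName", "localhost"),),),
    "issuer": ((("commonName", "localhost"),),),
    "subjectAltName": (("DNS", "localhost"),),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}
GOOD_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Constructed CA"),), (("commonName", "Constructed R3"),)),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact, or a single leftmost '*' label; case-insensitive."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        parts = hostname.split(".", 1)
        return len(parts) == 2 and parts[0] != "" and parts[1] == pattern[2:]
    return False


def evaluate_cert(cert: dict, hostname: str, now: float = None) -> list:
    """Return human-readable problems for a certificate dict; an empty list means it is fine."""
    now = time.time() if now is None else now
    problems = []
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # no SAN at all: browsers ignore the CN, so this alone fails in Chrome
        problems.append("no subjectAltName (browsers ignore the commonName)")
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if not any(hostname_matches(n, hostname) for n in names):
        problems.append(f"{hostname!r} not covered by {names}; the default/self-signed cert may be served")
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not_after < now:
        problems.append("expired on " + cert["notAfter"])
    elif not_after - now < 30 * 86400:
        problems.append("expires in under 30 days: " + cert["notAfter"])
    subject = dict(kv for rdn in cert.get("subject", ()) for kv in rdn)
    issuer = dict(kv for rdn in cert.get("issuer", ()) for kv in rdn)
    if subject and subject == issuer:
        problems.append("self-signed (subject == issuer)")
    return problems


def check_endpoint(host: str, port: int = 443, sni: str = None):
    """Live check (needs network): connect with SNI and return (sha256 fingerprint, problems)."""
    sni = sni or host
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # we do the name check ourselves so we can report why it fails
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=sni) as tls:
                der = tls.getpeercert(binary_form=True)
                problems = evaluate_cert(tls.getpeercert(), sni, None)
    except ssl.SSLCertVerificationError as e:
        # Chain not trusted (e.g. the self-signed localhost cert): fetch it unverified only to fingerprint it.
        problems = [f"chain not trusted: {e.verify_message}"]
        unverified = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        unverified.check_hostname = False
        unverified.verify_mode = ssl.CERT_NONE
        with socket.create_connection((host, port), timeout=10) as sock:
            with unverified.wrap_socket(sock, server_hostname=sni) as tls:
                der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest(), problems


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"  # placeholder host
    fingerprint, problems = check_endpoint(host)
    print(host, "sha256:" + fingerprint, problems or "OK")
```

Two fingerprints that differ between vantage points mean the name resolves to different endpoints (stale DNS, a record still pointing at the old instance IP instead of the ELB); identical fingerprints with a "not covered" or "self-signed" problem mean the listener or virtual host is serving the wrong certificate for that server name, which is exactly what an ALB listener with multiple SNI certificates is meant to fix.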
The site works perfectly fine on HTTP, however, does not work on HTTPS.
I've followed all the steps on this page to create a self-signed certificate and add it to my Elastic Beanstalk environment.
http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https.html
I'm also getting a successful certificate response back from IAM using the following command:
aws iam get-server-certificate --server-certificate-name
After updating Elastic Beanstalk with the certificate, I've also added a rule to the security group that allows inbound traffic from 0.0.0.0/0 to port 443.
Finally, I've also validated that my load balancer listener has HTTPS set up correctly.
In spite of all that, my calls to https are not resolving, while http is working perfectly fine.
Any other thoughts on this? Any help would be much appreciated.
Please let me know if you need any more information. Desperately looking for some insight/help into this.
Anyway, not being able to resolve this issue with my site/code, I tried to set up HTTPS on the sample site provided on Elastic Beanstalk. Interestingly enough, even that is not working.
I want to provide an update that I was finally able to resolve the issue.
The root cause was that I missed setting up an inbound rule for the security group of the load balancer.
For whatever reason, when I read the documentation, I understood that the inbound rule needed to be set up for the security group of the instance (and not the load balancer). Only after I started tracing the load balancer did I realize that I should perhaps try setting up the rule for the security group of the load balancer. So, the problem is resolved. Below is the listener setting I used.
Load balancer protocol: HTTPS, port 443; instance protocol: HTTP, port 80; certificate: <name of the certificate>
I'd have to say that the documentation could be a bit more clear to clearly identify the change required to the Security Group of the Load Balancer (and not the Instance).
Amazon recently released AWS Certificate Manager :
Go to https://console.aws.amazon.com/acm/home
Add your domain and validate it by email
After the certificate is issued, deploy it to your Elastic Load Balancers following the steps (and easily setup your security groups)
It's even better from a performance point of view:
Because ELB supports SSL offload, deploying a certificate to a load balancer (rather than to the EC2 instances behind it) will reduce the amount of encryption and decryption work that the instances need to handle.
Follow the doc for more information:
https://aws.amazon.com/fr/blogs/aws/new-aws-certificate-manager-deploy-ssltls-based-apps-on-aws/
I can't believe this... but it goes to show how bad the AWS console is... I had to scroll down and click "Apply" on an invisible button when it shows "Pending create" after adding, making me think it's working... facepalm.
Hello, I had the same problem and I followed these steps and it worked for me:
Generate certificate
The first thing is to request a certificate on AWS Certificate Manager (ACM).
Take a look at this video to create a new one https://youtu.be/bWPTq8z1vFY
Configuration of the Elastic Beanstalk
In the configuration -> load balancer
create a new listener:
In this step I get this:
Create a new record on Route 53
So I use Route 53 to host my site.
Go to Route 53 -> select your hosted zone and create a new record.
Choose the alias option to select the route traffic, in your case Elastic Beanstalk, your region and the name of your application.
This works if you use Route 53 and EB, but with other hosting providers I think it would work too.