I am struggling to get SSL to work on an elastic beanstalk environment with the following configuration:
I have the domain hosted with GoDaddy, which I have routing through cloudflare, which then routes to Route53 with an A record pointing to my subdomain api.myapp.com (which points to my EB environment).
I am using Cloudflare's full E2E encryption, and am using the SSL certificate provided by cloudflare.
In my EB environment, I am using a Classic Load Balancer and have the following configuration (note: my application uses websockets hence the TCP port):
I've added the SSL certificate to the HTTPS configuration but when I navigate to api.myapp.com I am still getting the "your connection is not secure" in the browser.
Does anyone have any suggestions on how to resolve the issue?
The free SSL from zerossl.com works. After the validation and other stuff, at the end you will get three files.
Using AWS Console
Download the zip file containing the certificate, chain and private key. Go to AWS Certificate Manager -> Import certificate -> add all the details -> review and import the certificate.
Using AWS CLI, which will output the certificate identifier
aws iam upload-server-certificate --server-certificate-name ish --certificate-body file://certificate.crt --certificate-chain file://ca_bundle.crt --private-key file://private.key
Go to the AWS Console load balancer and select 443 HTTPS; the recent certificate will be available, which can be identified by the identifier provided in both of the above cases. Apply the changes and restart the env. The new certificate will be available.
Turns out that AWS doesn't allow the use of SSL certificates purchased from cloudflare anymore, so I solved it by provisioning one with CA on AWS.
Can anyone help me with the pricing and support for Subdomain for Google-managed SSL certificate in Load Balancing.
I am working with https for Static website.
https://medium.com/#marco_37432/create-a-custom-domain-cdn-with-google-beta-7ad9531dfbae
I want to create a Subdomain with admin.example.com to link Google-managed SSL certificate in Load Balancing
But in the Google docs I can see "Its not supporting wildcard common names or multiple subject alternate names". I can't understand this. Can anyone explain it to me, and can I create admin.example.com to link to a Google-managed SSL certificate?
As for pricing, I can see it's free in https://geekflare.com/google-managed-certificate-lb/ Can I find a Google document to confirm this?
Google Cloud Managed SSL Certificates are free.
You can only use Google Managed SSL Certificates with Google services such as load balancers. You cannot use them on services you control. Google does not make the certificate private key available.
Google services such as load balancers support more than one SSL certificate. Each Google managed certificate can only have one verified domain name. This can be a subdomain of a root domain you own/control. Wildcards are not supported.
If any of the above limitations affect you, then you will need to select self-managed certificates. You can easily create your own Let's Encrypt SSL certificates with Cloud Shell.
Example commands to run on Cloud Shell:
wget https://dl.eff.org/certbot-auto
chmod +x certbot-auto
./certbot-auto certonly --manual --preferred-challenges dns -d 'example.com' -d '*.example.com'
I wrote an article that covers this in detail here.
As of today (2020-01-28) Google supports multiple domains in a single certificate (in beta):
Cloud Load Balancing – multiple domain support for Google-managed SSL certificates: beta
https://cloud.google.com/load-balancing/docs/ssl-certificates
https://cloud.google.com/load-balancing/docs/quotas#ssl_certificates
I'm trying to have HTTPS for a website which is hosted on AWS EC2. I have followed the steps mentioned in the following link.
https://www.digitalocean.com/community/tutorials/how-to-create-a-ssl-certificate-on-apache-for-ubuntu-14-04
But it's still showing the privacy thing to all users who are visiting the website. How can I make the certificate trusted, or how long will it take Amazon to make it a trusted one?
Please help me to solve this. I've been stuck on this for the last 2 days. Answers will be appreciated, and thank you.
You can use AWS Certificate Manager to issue free SSL certificate signed by AWS Certificate Authority. However for this to work, you need to use a Load Balancer and attach the certificate to the Load Balancer which will forward the traffic to the EC2 instance.
Depending on your requirements you may wish to use SSL termination on an Elastic Load Balancer (ELB) instead.
This involves creating a free AWS certificate and an ELB. Attach both your instance and the certificate to the ELB with HTTPS forwarded to port 80 on your instance.
Then just point your DNS name to the ELB. If you're using Route53 then you can just use an A-record alias.
Edit: If you want to automatically direct HTTP to HTTPS you'll need to check the X-Forwarded-Proto header in Apache's .htaccess file. More information here.
The certificate which you are using is a "Self Signed Certificate (https://en.wikipedia.org/wiki/Self-signed_certificate)".
In order to get rid of insecure certificate or privacy issues on HTTPS, you need to get your CSR signed from a trusted CA like Comodo, Godaddy etc.
Ref -
https://in.godaddy.com/help/apache-generate-csr-certificate-signing-request-5269
https://help.comodo.com/topic-437-1-843-10843-.html
OR
In case you want free verified SSL certificates, "letsencrypt" is the way to go.
https://letsencrypt.org/
You don't need to pay anyone for a certificate. Just use LetsEncrypt and their CertBot ACME client. The CertBot automates the task of issuing and renewing certificates.
LetsEncrypt is the leading free SSL certificate authority (CA) and their certs are as good as any paid cert.
So I've been trying to get this SSL certificate installed on an Amazon NodeJS EC2/EJB server I have set up, but for the life of me I can't get it working.
Basically, I have a GoDaddy domain and SSL certificate, and I set up a subdomain (let's say admin.example.com) on the GoDaddy site to point to the Amazon server through Amazon's Route 53 tool. So, nameservers and redirecting is all fine, but my site doesn't show that it's secure.
If I go to admin.example.com, the site says 'Not Secure' with no warning, and I can't connect to https://admin.example.com. If I instead go to the beanstalk url (https://example.beanstalk.com), the site says 'Not Secure' with a red mark. I ran the beanstalk url through an HTTPS checking tool, and it said the only problem was the url's mismatching (since the SSL is registered for admin.example.com, not the beanstalk url).
Do I need to register a certificate for the beanstalk url instead? How can I setup this subdomain so it will use HTTPS? I'm pretty new to this, but I don't believe it should be this difficult to setup. Is there something I'm missing?
Thanks in advance for all the help!
The first question, to make sure it will work: is the certificate a wildcard certificate? If it is not, it will most likely only work for the root domain and admin.example.com. Are you using an ELB with the Beanstalk deployment or just one instance?
How to request a wildcard from ACM (this will work for Load Balancers and CloudFront)
You can also use an asterisk (*) as a wildcard in the leftmost
position to protect several site names in the same domain. For
example, *.example.com protects corp.example.com, and
images.example.com. The wildcard name will appear in the Subject field
and the Subject Alternative Name extension of the ACM Certificate.
http://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request.html
How to upload a certificate to IAM
$ aws iam upload-server-certificate --server-certificate-name elastic-beanstalk-x509 --certificate-body file://https-cert.crt --private-key file://private-key.pem
{
    "ServerCertificateMetadata": {
        "ServerCertificateId": "AS5YBEIONO2Q7CAIHKNGC",
        "ServerCertificateName": "elastic-beanstalk-x509",
        "Expiration": "2017-01-31T23:06:22Z",
        "Path": "/",
        "Arn": "arn:aws:iam::123456789012:server-certificate/elastic-beanstalk-x509",
        "UploadDate": "2016-02-01T23:10:34.167Z"
    }
}
Make note of the Amazon Resource Name (ARN) for your certificate. You
will use it when you update your load balancer configuration settings
to use HTTPS.
http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https.html
http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-elb.html
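A local check for the failures these threads keep running into: a certificate that does not cover the name being visited (including what a leftmost wildcard does and does not match), a self-signed certificate, and a private key that does not belong to the certificate being uploaded. This is an added example, not code from any of the posts; it builds a throwaway self-signed certificate (constructed, with placeholder names and file names) and assumes OpenSSL 1.1.1 or later.

```shell
#!/usr/bin/env bash
# Added example. The certificate is a constructed throwaway; names are placeholders.
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Build a self-signed certificate with the SAN list a wildcard request would carry.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=example.com" \
    -addext "subjectAltName=DNS:example.com,DNS:*.example.com" \
    -keyout "$work/private.key" -out "$work/certificate.crt" 2>/dev/null
}

# covers HOST: succeeds when the certificate is valid for HOST.
covers() {
  openssl x509 -in "$work/certificate.crt" -noout -checkhost "$1" \
    | grep -q 'does match'
}

# is_self_signed: succeeds when issuer and subject are identical,
# the case that produces the browser trust warning.
is_self_signed() {
  subject=$(openssl x509 -in "$work/certificate.crt" -noout -subject)
  issuer=$(openssl x509 -in "$work/certificate.crt" -noout -issuer)
  [ "${subject#subject=}" = "${issuer#issuer=}" ]
}

# key_matches: succeeds when private.key is the key behind certificate.crt,
# worth confirming before handing both files to a load balancer.
key_matches() {
  cert_pub=$(openssl x509 -in "$work/certificate.crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$work/private.key" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

make_cert
for host in admin.example.com example.com a.b.example.com example.elasticbeanstalk.com; do
  if covers "$host"; then echo "$host: covered"; else echo "$host: NOT covered"; fi
done
is_self_signed && echo "self-signed: browsers will not trust it"
key_matches && echo "private key matches certificate"
```

The wildcard covers exactly one label, so a.b.example.com is not covered, and the environment's own elasticbeanstalk.com name never is.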
I have a Docker container with nginx running on Jelastic. From the container I used certbot to get an SSL certificate from Let's Encrypt. Finally I changed the nginx conf accordingly. I have not enabled SSL in the Jelastic user interface.
When browsing the site on https it seems that I get the generic certificate of the Jelastic provider but not my own certificate, because the error is SSL_ERROR_BAD_CERT_DOMAIN the ssl certificate served is for the domain of the provider. But I have not enabled the ssl on the Jelastic interface ?!
So can I use a letsencrypt ssl certificate in my docker container on Jelastic and how ?
Thank you
It seems that you are trying to use a custom SSL cert without a public IP.
In this case, all external traffic is going through the platform reverse proxies, which are providing the platform shared SSL.
The solution is to use external IP.
I am attempting to get my domain (assetfarm.com.au) to use SSL. I have created a certificate and uploaded it to IAM. I associated it with my ElasticBeanstalk configuration.
I am also attempting to use Route 53 for my domain. Here are my current settings:
I'm using a self-signed certificate just to check that the issue wasn't with the certificate GoDaddy generated. Despite following the instructions on Amazon step-by-step, I am still unable to visit https://www.assetfarm.com.au or https://assetfarm.com.au. I can't even visit https with the elastic beanstalk or load balancer URL.
Please check your ELB Security Group for Port 443.
For some new AWS accounts, you may need to open Port 443 manually.