We have 3 load balancers on GCP: Dev, Staging and Production.
Our SSL certificate expired, so it was time to replace it. I went to:
Network services > Load balancing > Load balancers > Edit > Frontend configuration
and added new certificate. It worked perfectly for Staging and Production.
Dev was working for 5-10 minutes, and after that old certificate was re-applied automatically. I decided to delete the old certificate (if it is not there, it cannot be applied). It worked for 10 minutes and miraculously GCP restored deleted certificate and re-applied it to Dev.
Tried it a few times with the same result.
Is this a bug, or am I missing something?
Visit the certificates list in the advanced load-balancing menu, and delete the certificates you want to:
https://console.cloud.google.com/net-services/loadbalancing/advanced/sslCertificates/list?project=[project_name]
Because target proxy also using same SSL certificate. Update the target proxy with another SSL certificate, after that you can delete SSL certificate from load balancer.
Go to cloud sdk shell or cloud shell on browser and run the below command on exact project
gcloud compute target-https-proxies update PROXY_NAME --ssl-certificates=SSL_CERTIFIFCATE
replace PROXY_NAME & SSL_CERTIFIFCATE with exact names
you will get an output like below
Updated [https://www.googleapis.com/compute/v1/projects/project-id/global/targetHttpsProxies/target-proxy-name].
Now try to delete old SSL certificate from LB.
Related
I have a website which is running on AWS windows EC2.
XAMPP is running and I already have my own Domain.
I need to put SSL certificate on my web server, but unfortunately I still haven't found a good guide.
In my opinion,
first step is to create CSR file,
second step is to make SSL by using CSR on SSL service,
final step is to put SSL certificate on my AWS windows EC2....
But I don't know how to do it for every step.
Looking forward to hearing from your answer.
Im currently building an application that will reside at app.mydomain.com which is running on Heroku. All users will have their own entry points, like app.mydomain.com/client1, app.mydomain.com/client2, etc. I want clients to be able to setup their own domain (www.clientdomain.com) and cname it to their entry point. I understand this is pretty straight forward up until now.
All my DNS is handled by Cloudflare and I believe I can configure Cloudlfare into Full (Strict) mode, all I need to do is install their Origin Cert onto my Heroku dyno. This will ensure that all direct connects to my domain will be secure (going to app.mydomain.com/client1).
Question is, how does a client go about getting an SSL'ed connection for their domain; do I need to get a multidomain cert and start adding domains to it as I get clients, or am i supposed to install their cert onto Heroku (I believe I can only install 1 so thats a no go) or is it supposed to live on Cloudflare somewhere, or are there additional options I'm not seeing (I hope there are!).
Im not wondering what to do for my own domains, but rather, how do clients setup an SSL connection with their domains that resolve onto my servers.
This is rather perplexing!
The flow would be (I think):
User Browser -> Clients DNS -> (cname to) My Cloudflare -> Heroku
Hmm, it looks like this might be a pretty solid solution to this issue...
https://blog.cloudflare.com/introducing-ssl-for-saas/
Edit - after clarification
I'm currently building an application that will reside at
app.mydomain.com which is running on Heroku. All users will have their
own entry points, like app.mydomain.com/client1,
app.mydomain.com/client2, etc. Question is, how does a client go about
getting an SSL'ed connection for their domain; do I need to get a
multidomain cert and start adding domains to it as I get clients?
If you are going to use the same Heroku app for all of your clients (I think this is a bad idea by the way, but you might be required to) - then yes - you should get a multi-domain certificate and keep adding domains to it as your list of clients expand.
Original answer - which explains SSL + Load Balancing on Heroku.
Im currently building an application that will reside at
app.mydomain.com which is running on Heroku. I was clients to be able
to setup their own domain www.clientdomain.com and cname it to mine.
You will need a wildcard certificate to cover your subdomain (for the app.mydomain.com). You'll have use that cert in heroku.
...all I need to do is install their Origin Cert onto my Heroku dyno.
You are correct - except it's not on your Heroku dyno, it's on your Heroku app endpoint. There's a good read here: https://serverfault.com/questions/68753/does-each-server-behind-a-load-balancer-need-their-own-ssl-certificate
If you do your load balancing on the TCP or IP layer (OSI layer 4/3,
a.k.a L4, L3), then yes, all HTTP servers will need to have the SSL
certificate installed.
If you load balance on the HTTPS layer (L7), then you'd commonly
install the certificate on the load balancer alone, and use plain
un-encrypted HTTP over the local network between the load balancer and
the webservers (for best performance on the web servers).
So you should install your SSL certificate to your Heroku endpoint and let Heroku handle the rest.
Question is, how does a client go about getting an SSL'ed connection;
do I need to get a multidomain cert and start adding domains to it as
I get clients, am i supposed to install their cert onto Heroku (I
believe I can only install 1 so thats a no go) or is it supposed to
live on Cloudflare somewhere?
If you're referring to adding servers to your service from heroku, all you need to do is increase the number of web-dynos. Heroku will handle the load balancing in between these dynos. Your SSL certificate should be resolved in the load balancer so your dynos will be serving requests for the same endpoint. You shouldn't need another SSL certificate for the endpoint you've defined - as long as you're serving traffic from multiple dynos attached to it.
I have an app (hosted in heroku) where customers have an individual subdomain e.g. client1.myapp.com, client2.myapp.com I am using a wildcard SSL cert here.
If however a client wants to use their own custom domain e.g. CNAME app.client1.com
How can i automatically provide an SSL cert (I'm guessing using Lets Encrypt) for the client without them providing me a certificate to upload in a similar way to firebase etc.. provides SSL certs for domains.
As long as app.client1.com is reachable from the internet, you are free to set up a lets-encrypt certificate.
If your applications run on unix-like system, then the cerbot docs describe all the steps for automating the renewal.
You basically have to set up a cronjob that launches the renewal command.
You can edit the crons in you linux machine with the command crontab -e and place something like this at the end of the file:
0 15 1 * * certbot renew
This will run the command the first day of each month and attempt the renewal of your certificate. Check crontab.guru if you need different settings.
If you want to call the cerbot command from a custom script, you can add such script to your cronjob (and save the output to a custom file).
E.g:
0 15 1 * * python cert_autorenew.py >> cron.log 2>&1
Keep in mind that if you want a certificate for app.client1.com, then the renewal request you send, must resolve to the server app.client1.com.
That's how you demonstrate the control over your domain to letsencrypt.
If you are hosting the new application in Heroku/new domain is directed to Heroku app, they will take care of the SSL Certificates for you, as long as you run the application on a paid dyno. Which you should as its a client's application!
https://devcenter.heroku.com/articles/ssl
Heroku provides free Automated Certificate Management (ACM) for all
applications running on paid dynos. With ACM, Heroku automatically
provisions and renews SSL certificates for your application. If you
prefer to upload your own certificate manually, follow the steps in
this article.
You only have to make an application in Heroku, upgrade the dyno and configure the custom domain name (app.client1.com) for the application, following instructions at https://devcenter.heroku.com/articles/custom-domains
I'm not the most advanced AWS user there is, and have come across a bit of a roadblock.
I've got 2 Elastic Beanstalk Environments, each with a Load Balancer, 2 EC2 instances and they share a RDS instance. One environment is for Development and the other for Production.
I have purchased a wildcard SSL certificate from Thawte, and would like to install it on both the Development and Production environments. I've gone through other threads about adding SSL certificates in AWS, but the admin interface has changed since they were written so I've been going round in circles trying to figure it out.
Also, do I install the same SSL certificate on both Load Balancers? Or is it a case of only having one load balancer and redirecting traffic depending on the domain?
Thanks
You will need two load balancers, one for each environment. For uploading the certificate, it sounds like you are creating your Beanstalk environment through the console. In that case, after you create the environment, go to the EC2 tab, then 'Load Balancers', then 'Listeners'. Edit that, change the protocol to https. You'll see there is a place to change the certificate:
That will give you a place to upload the certificate:
Now that the cert is there, you can use the Elastic Beanstalk configuration to change future environments to use that cert:
My ssl certificate has expired and I have created a new one using Startssl. I have followed the steps for Nginx server that I have found in the FAQs from Startssl but, although the paths to the certificate and the key are correct, when I try to load the website with any browser it always gets the old certificate instead of the new one. Do anyone knows what can be happening?
Thanks!
March 22th UPDATE:
I have found something of what is happening: we have 2 web servers in AWS and a Load balancer. I have seen the load balancer has also the ssl certificate and I guess I have to update it too. I have done it and now the new certificate is in usage. But I still see an error: the server cannot check my domain because my certificate comes from one of my subdomains. When I created the certificate in StartSSL there was an step that asks me for a subdomain. It said the certificate will be for the domain and subdomain, but now I'm getting this message. Any idea?
I have found the answer:
When StartSSL asked for a subdomain when I was following the steps to get the new certificate, I was indicating one of my real subdomains. If I set as subdomain "www" everything works. So I wanted to share my experience with everyone hoping it helps:
First: when you are asked for a subdomain in StartSSL, set it as "www".
Second: If you are using AWS and you have a load balancer, don't forget to update the SSL certificate in the load balancer, using the AWS NETWORK & SECURITY -> Load balancers option (Listeners tab).
Hope it helps.
Thanks for reading and trying to help me.