I have a PHP based application in AWS EC2 instances (Amazon Linux, master-worker/s configuration, with worker/s in auto-scale) and I am attempting to enable HTTPS. The application is accessed via ELB URL, not the instance itself, given below (anonymized):
[alt_names]
DNS.1 = primary.dev.myapp.ourdomain.com
DNS.2 = primary.test.myapp.ourdomain.com
DNS.3 = primary.prod.myapp.ourdomain.com
The above is also my setup in my .conf file in generating the .csr file for certificate signing. (For the meantime I am using self-signed certificate for testing).
I followed the usual steps in installing the certificate:
- Install `mod24_ssl`
- Put `.pem` file in `/etc/pki/tls/certs`
- Put `.key`, `.csr` file in `/etc/pki/tls/private`
- Edit SSLCertificate and SSLCertificateKeyFile entries in `/etc/httpd/conf.d/ssl.conf` file
- Restart the httpd
The HTTPS still won't work and when I investigated the log file:
It refers to the master EC2 instance URL, ip-10-16-226-221.ourdomain.com instead of the ELB URL. How do I enable httpd to look for the ELB URL instead?
Related
I am struggling to get SSL to work on an elastic beanstalk environment with the following configuration:
I have the domain hosted with GoDaddy, which I have routing through cloudflare, which then routes to Route53 with an A record pointing to my subdomain api.myapp.com (which points to my EB environment).
I am using Cloudflare's full E2E encryption, and am using the SSL certificate provided by cloudflare.
In my EB environment, I am using a Classic Load Balancer and have the following configuration (note: my application uses websockets hence the TCP port):
I've added the SSL certificate to the HTTPS configuration but when I navigate to api.myapp.com I am still getting the "your connection is not secure" in the browser.
Does anyone have any suggestions on how to resolve the issue?
The free ssl from zerossl.com works. After the validation and others stuffs at the end you will get three files.
Using AWS Console
Download the zip files containing certificate, chain and private. Goto AWS certificate manager -> import certificate -> add all the details -> review and import the certificate.
Using AWS CLI, which will output the certificate identifier
aws iam upload-server-certificate --server-certificate-name ish --certificate-body file://certificate.crt --certificate-chain file://ca_bundle.crt --private-key file://private.key
Goto AWS Console load balancer and select 443 HTTPs the recent certificate will be available which can be identified by an identifier provided on both the above cases. Apply changes and restart the env. The new certificate will be available.
Turns out that AWS doesn't allow the use of SSL certificates purchased from cloudflare anymore, so I solved it by provisioning one with CA on AWS.
I am on a very newby level when it comes to AWS and SSL.
I got an SSL from GoDaddy. After that I generated the .csr file on AWS and I got an elastic IP. I created a subdomain on godaddy sub.mydomain.com that points to that IP.
I installed the certs following the instructions a found online, but now I get an error. I've tried installing apache2 on the EC2 and rebooting the instance but no luck yet.
Is there a way to remove the SSL cert or Fix the issue? When I got the SSL from GoDaddy, the zip had 2 files and ran the following command to install them:
sudo java -jar lib/ace.jar import_cert gd_bundle-g2-g1.crt gdroot-g2.crt sfroot-g2.crt 54581acbeba8a74e.crt
System said the certs were installed but now as I get that error, on the EC2 we have a unifi controller and we want to get that SSLrunning to accept payments for the hotspot.
I had the same issues my controller is hosted on an EC2 instance.
Check your system.properties which sits in /var/lib/unifi/ open the file with vim or your text editor of choice.
Have a look at your HTTPS options, the important ones are the ciphers and protocols.
The Protocols you need are TLSv1 and potentially SSLv2Hello there should be no other SSL protocols in there.
The Ciphers you ideally want are TLS, so for example TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA
If you are having issues throw them all in, CAUTION! only use this in a demo /test environment.
unifi.https.ciphers=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA
Remember once you have edited the system.properties you need to restart the controller.
sudo service unifi restart
Lots of help on the Unifi page
UniFi - SSL Certificate Error
UniFi - Explaining the config.properties File
UniFi - system.properties File Explanation
The following are steps that I executed:
Created CSR using https://www.digicert.com/easy-csr/openssl.htm
Obtained CA certificate & Certificate chain in pem format
Modified files for HTTPS implementation: httpd.conf, ssl.conf, server.xml
I put the certificate & key in /etc/httpd/certificates:
armdev.key certnew.cer certnew-chain.crt
stop/start apache and artifactory service
launch https://arm.cn.ca:8443/artifactory. Errors:
IE error: "This page can not be displayed".
Chrome error: "This site can not be reached".
JFrog instruction to configure Artifactory behind Apache is not clear. Could you help please.
You can use the Artifactory reverse proxy configuration generator in order to create the Apache configuration.
Using the generator you can fill in a set of fields to generate the required configuration snippet which you can then download and install directly in the corresponding directory of your reverse proxy server.
I am attempting to get my domain (assetfarm.com.au) to use SSL. I have created a certificate and uploaded it to IAM. I associated it with my ElasticBeanstalk configuration.
I am also attempting to use Route 53 for my domain. Here are my current settings:
I'm using a self-signed certificate just to check that the issue wasn't with the certificate GoDaddy generated. Despite following the instructions on Amazon step-by-step, I am still unable to visit https://www.assetfarm.com.au or https://assetfarm.com.au. I can't even visit https with the elastic beanstalk or load balancer URL.
Please check your ELB Security Group for Port 443.
For some new AWS accounts, you may need to open Port 443 manually.
I want to enable ssl on an EC2 instance. I know how to install third party SSL. I have also enabled ssl in security group.
I just want to use a url like this: ec2-xx-xxx-xxx-xx.compute-1.amazonaws.com with https.
I couldn't find the steps anywhere.
It would be great if someone can direct me to some document or something.
Edit:
I have a instance on EC2. On Which I have installed LAMP. I have also enabled http, https and ssh in the security group policy.
When I open the Public DNS url in browser,I can see the web server running perfectly.
But When I add https to URL, nothing happens.
Is there a way I am missing? I really dont want to use any custom domain on this instance because I will terminate it after a month.
For development, demo, internal testing, (which is a common case for me) you can achieve demo grade https in ec2 with tunneling tools. Within few minutes especially for internal testing purposes with [ngrok] you would have https (demo grade traffic goes through tunnel)
Tool 1: https://ngrok.com Steps:
Download ngrok to your ec2 instance: wget https://bin.equinox.io/c/4VmDzA7iaHb/ngrok-stable-linux-amd64.zip (at the time of writing but you will see this link in ngrok home page once you login).
Enable 8080, 4443, 443, 22, 80 in your AWS security group.
Register and login to ngrok and copy the command to activate it with token: ./ngrok authtoken shjfkjsfkjshdfs (you will see it in their home page once you login)
Run your http - non https server (any, nodejs, python, whatever) on EC2
Run ngrok: ./ngrok http 80 (or a different port if your simple http server runs on a different server)
You will get an https link to your server.
Tool 2: cloudflare wrap
Alternatively, I think you can use an alternative to ngrok which is called cloudflare wrap but I haven't tried that.
Tool 3: localtunnel
A third alternative could be https://localtunnel.github.io which as opposed to ngrok can provide you a subdomain for free it's not permanent but you can ask for a specific subdomain and not a random string.
--subdomain request a named subdomain on the localtunnel server (default is random characters)
Tool 4: https://serveo.net/
Turns out that Amazon does not provide ssl certificates for their EC2 instances out of box. I skipped the part that they are a virtual servers providers.
To install ssl certificate even the basic one, you need to buy it from someone and install it manually on your server.
I used startssl.com They provide free basic ssl certificates.
Create a self signed SSL certificate using openssl. CHeck this link for more information.
Install that certificate on your web server. As you have mentioned LAMP, I guess it is Apache. So check this link for installing SSL to Apache.
In case you reboot your instance, you will get a different public DNS so be aware of this. OR attach an elastic IP address to your instance.
But When I add https to URL, nothing happens.
Correct, your web server needs to have SSL certificate and private key installed to serve traffic on https. Once it is done, you should be good to go. Also, if you use self-signed cert, then your web browser will complain about non-trusted certificate. You can ignore that warning and proceed to access the web page.
You can enable SSL on an EC2 instance without a custom domain using a combination of Caddy and nip.io.
nip.io is allows you to map any IP Address to a hostname without the need to edit a hosts file or create rules in DNS management.
Caddy is a powerful open source web server with automatic HTTPS.
Install Caddy on your server
Create a Caddyfile and add your config (this config will forward all requests to port 8000)
<EC2 Public IP>.nip.io {
reverse_proxy localhost:8000
}
Start Caddy using the command caddy start
You should now be able to access your server over https://<IP>.nip.io
I wrote an in-depth article on the setup here: Configure HTTPS on AWS EC2 without a Custom Domain