I'm trying to have https for a website which is hosted in AWS EC2. I have followed the steps mention in the following link.
https://www.digitalocean.com/community/tutorials/how-to-create-a-ssl-certificate-on-apache-for-ubuntu-14-04
But still its showing the privacy thing to all user who are visiting the website. How can make the certificate as trusted or how long it will take Amazon to make it a trusted one.
Please help me to solve this. I'm stuck with this for last 2 days. Answers will be appreciated and Thank you.
You can use AWS Certificate Manager to issue free SSL certificate signed by AWS Certificate Authority. However for this to work, you need to use a Load Balancer and attach the certificate to the Load Balancer which will forward the traffic to the EC2 instance.
Depending on your requirements you may wish to use SSL termination on an Elastic Load Balancer (ELB) instead.
This involves creating a free AWS certificate and an ELB. Attach both your instance the certificate to the ELB with HTTPS forwarded to port 80 on your instance.
Then just point your DNS name to the ELB. If you're using Route53 then you can just use an A-record alias.
Edit: If you want to automatically direct HTTP to HTTPS you'll need to check the X-Forwarded-Proto header in Apache's .htaccess file. More information here.
The certificate which you are using is a "Self Signed Certificate (https://en.wikipedia.org/wiki/Self-signed_certificate)".
In order to get rid of insecure certificate or privacy issues on HTTPS, you need to get your CSR signed from a trusted CA like Comodo, Godaddy etc.
Ref -
https://in.godaddy.com/help/apache-generate-csr-certificate-signing-request-5269
https://help.comodo.com/topic-437-1-843-10843-.html
OR
In case you want free verified SSL certificates, "letsencrypt" is the way to go.
https://letsencrypt.org/
You don't need to pay anyone for a certificate. Just use LetsEncrypt and their CertBot ACME client. The CertBot automates the task of issuing and renewing certificates.
LetsEncrypt is the leading free SSL certificate authority (CA) and their certs are as good as any paid cert.
Related
I want to generate SSL certificate automatically on Kubernetes. My site is already up and running but it is on HTTP:// not on HTTPS:// so which is the best way to provide them and generate the SSL certificate automatically.
I am new to k8s and learning. If the first time I manually install it then also the next time if the pod gets recreated the certificate will be deleted.
So suggest me easy way to manage certificate manager on K8s
A few of options I can think of:
You can try the certificate manager with Letsencrypt certificates.
You can try an a Kubernetes Ingress with an ingress controller like nginx also with Letsencrypt and this described here.
You can try a Traefik ingress controller also with Letsencrypt.
Can I use a certificate from letsencrypt to sign local certificates?
I'm annoyed when accessing routers and APs at 192.168.x.x to get security warnings.
I could create my own root cert, and import it into all my browsers etc, and create certs for all the local servers.
But I'd rather have the chain device -> www.example.com -> letsencrypt -> root
Then also guests could use my local servers/services without this security error.
No, you can not because the certificate issued to you by letsencrypt will not have the keyusage certificate signing enabled. Without this attribute in the issuer, any browser or SSL client musth reject the certificate.
If this were possible, anyone could issue valid certificates for any server simply by having a valid certificate from a trusted CA
If you want to issue certificates for your local servers you will need to create your own CA and include the root certificate in the truststore of each client
Yes, you can... but not like that
Yes, you can get certificates for servers on a private network. The domain must be a real domain with public txt records, but the A, AAAA, and CNAME records can be private/non-routable (or in a private zone).
No, the way to do that isn't by using Let's Encrypt certificates to sign local certificates.
You can accomplish exactly what you want to accomplish using the DNS-01 challenge (setting txt records for your domain).
Who is your domain / dns provider?
Immediate, but Temporary Solution
If you want to test it out real quick, try https://greenlock.domains and choose DNS instead of HTTP for the "how do you want to do this" step.
Automatable Integration
If you want a configurable, automatable, deployable solution try greenlock.js (there are node plugins for Cloudflare, Route 53, Digital Ocean, and a few other DNS providers).
Both use Let's Encrypt under the hood. Certbot can also be used for either case and can use python plugins.
Possibly related...
P.S. You might also be interested in a service like Telebit, localtunnel, or ngrok.
i want to transfer my GoDaddy website hosting to EC2 apache. But i do have a confusion that how do i transfer SSL certificates from GoDaddy to EC2 apache.
Do i need to export certificates from GoDaddy?
How to i install those certificates on apache, including priavte key?
Thanks,
Saqib
There is no such thing as transfer SSL certificates when it comes to Apache.
You need to configure Apache server with SSL.
You can refer to the below blog post on how to do so:
https://www.digicert.com/ssl-certificate-installation-apache.htm
I have just installed a wildcard ssl certificate on a custom domain, this is working fine for any subdomain of *.example.com. I can verify that the correct ssl certificate is being issued.
However the problem is with www. which is issuing the Bluemix certificate not my own certificate.
In the browser i am getting "Your connection is not private"
This server could not prove that it is www.example.com; its security certificate is from *.eu-gb.mybluemix.net. This may be caused by a misconfiguration or an attacker intercepting your connection.
I am guessing that the problem is with Bluemix, how can i get Bluemix to serve up my certificate for www, baring in mind that it is serving up my certificate for other subdomains.
All help will be greatly recieved
I have fixed this issue, the problem was with the DNS setup.
The key piece of information for me, was that my dns was point to 2 IP's of Bluemix 5.10.124.142, and 5.10.124.141, therefore only serving up my certificate on one, and the Bluemix default certificate on the other
From googling how to add a custom domain, i added a CNAME record to point to *****.eu-gb.mybluemix.net and an A record to 5.10.124.142
This is wrong, i need to change my CNAME record to be my actual domain now.
I am attempting to get my domain (assetfarm.com.au) to use SSL. I have created a certificate and uploaded it to IAM. I associated it with my ElasticBeanstalk configuration.
I am also attempting to use Route 53 for my domain. Here are my current settings:
I'm using a self-signed certificate just to check that the issue wasn't with the certificate GoDaddy generated. Despite following the instructions on Amazon step-by-step, I am still unable to visit https://www.assetfarm.com.au or https://assetfarm.com.au. I can't even visit https with the elastic beanstalk or load balancer URL.
Please check your ELB Security Group for Port 443.
For some new AWS accounts, you may need to open Port 443 manually.