How to install SSL certificate on Amazon ELB? - ssl

So I've been trying to get this SSL certificate installed on an Amazon NodeJS EC2/EJB server I have set up, but for the life of me I can't get it working.
Basically, I have a GoDaddy domain and SSL certificate, and I set up a subdomain (let's say admin.example.com) on the GoDaddy site to point to the Amazon server through Amazon's Route 53 tool. So, nameservers and redirecting are all fine, but my site doesn't show that it's secure.
If I go to admin.example.com, the site says 'Not Secure' with no warning, and I can't connect to https://admin.example.com. If I instead go to the beanstalk url (https://example.beanstalk.com), the site says 'Not Secure' with a red mark. I ran the beanstalk url through an HTTPS checking tool, and it said the only problem was the url's mismatching (since the SSL is registered for admin.example.com, not the beanstalk url).
Do I need to register a certificate for the beanstalk url instead? How can I set up this subdomain so it will use HTTPS? I'm pretty new to this, but I don't believe it should be this difficult to set up. Is there something I'm missing?
Thanks in advance for all the help!

First question, to make sure it will work: is the certificate a wildcard certificate? If it is not, it will most likely only work for the root domain and admin.example.com. Are you using an ELB with the Beanstalk deployment or just one instance?
How to request a wildcard from ACM (this will work for Load Balancers and CloudFront):
You can also use an asterisk (*) as a wildcard in the leftmost position to protect several site names in the same domain. For example, *.example.com protects corp.example.com, and images.example.com. The wildcard name will appear in the Subject field and the Subject Alternative Name extension of the ACM Certificate.
http://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request.html
How to upload a certificate to IAM
$ aws iam upload-server-certificate --server-certificate-name elastic-beanstalk-x509 --certificate-body file://https-cert.crt --private-key file://private-key.pem
{
    "ServerCertificateMetadata": {
        "ServerCertificateId": "AS5YBEIONO2Q7CAIHKNGC",
        "ServerCertificateName": "elastic-beanstalk-x509",
        "Expiration": "2017-01-31T23:06:22Z",
        "Path": "/",
        "Arn": "arn:aws:iam::123456789012:server-certificate/elastic-beanstalk-x509",
        "UploadDate": "2016-02-01T23:10:34.167Z"
    }
}
Make note of the Amazon Resource Name (ARN) for your certificate. You will use it when you update your load balancer configuration settings to use HTTPS.
http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https.html
http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-elb.html
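Both the question's "mismatch" result and the answer's wildcard discussion come down to one check: do the names in the certificate cover the hostname the browser actually uses? The following is an added example, not code from the original question or answer. It uses only Python's standard library; the certificate dictionaries are constructed to mirror the shape of ssl.SSLSocket.getpeercert() output, and probe() (which needs network access) is an assumed live diagnostic whose mapping of OpenSSL verify codes is an assumption about OpenSSL 1.1+ numbering.

```python
"""Does a certificate cover the hostname the browser will use?

Added example (not from the original question or answer). Standard library only; the
certificate dicts below are constructed to mirror what ssl.SSLSocket.getpeercert() returns.
"""
import socket
import ssl


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison of one certificate name against a hostname.

    A '*' is honoured only when it is the entire leftmost label, so '*.example.com'
    covers admin.example.com but not example.com (too few labels) or a.b.example.com
    (the wildcard never spans a dot). Bare-TLD wildcards such as '*.com' are rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_names(cert: dict) -> list:
    """DNS names from subjectAltName; the CN is only a fallback when there is no SAN
    (modern browsers ignore the CN entirely, so a SAN-less cert fails there regardless)."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]


def cert_covers(cert: dict, hostname: str) -> bool:
    """True when any name carried by the certificate matches the hostname."""
    return any(hostname_matches(name, hostname) for name in cert_names(cert))


# Constructed sample certificates (only the shape matters; these are not real issued certs).
ADMIN_CERT = {
    "subject": ((("commonName", "admin.example.com"),),),
    "subjectAltName": (("DNS", "admin.example.com"),),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
}


def probe(hostname: str, port: int = 443, timeout: float = 5.0) -> str:
    """Live diagnostic (needs network): classify why a browser would reject hostname:port.

    Returns 'ok'; 'mismatch' (the cert names other hosts, e.g. a cert issued for
    admin.example.com reached through the Beanstalk URL, or a generic *.cloudfront.net
    cert); 'untrusted' (self-signed or unknown issuer); or 'error: ...'.
    Verify codes are OpenSSL's X509_V_ERR_* numbers (assumed OpenSSL 1.1+ numbering).
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                tls.getpeercert()
        return "ok"
    except ssl.SSLCertVerificationError as err:
        if err.verify_code == 62:            # X509_V_ERR_HOSTNAME_MISMATCH
            return "mismatch"
        if err.verify_code in (18, 19, 20):  # self-signed leaf/chain, issuer not in trust store
            return "untrusted"
        return f"error: {err.verify_message}"
    except OSError as err:
        return f"error: {err}"


if __name__ == "__main__":
    for cert, host in [(ADMIN_CERT, "admin.example.com"),
                       (ADMIN_CERT, "example.beanstalk.com"),
                       (WILDCARD_CERT, "admin.example.com"),
                       (WILDCARD_CERT, "a.b.example.com")]:
        print(f"{host:28} covered={cert_covers(cert, host)}")
```

The offline part reproduces the question's situation directly: a certificate issued for admin.example.com is correctly rejected when the site is reached through the Beanstalk hostname, and a *.example.com wildcard covers admin.example.com but neither a deeper label nor (without the extra SAN) the bare domain. probe() separates that "mismatch" case from the "untrusted" case a self-signed certificate produces, which is the distinction to make before deciding whether the fix is a different name on the certificate or a different issuer.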

Related

How To Get SSL Working with Elastic Beanstalk, Route53 and Cloudflare

I am struggling to get SSL to work on an elastic beanstalk environment with the following configuration:
I have the domain hosted with GoDaddy, which I have routing through cloudflare, which then routes to Route53 with an A record pointing to my subdomain api.myapp.com (which points to my EB environment).
I am using Cloudflare's full E2E encryption, and am using the SSL certificate provided by cloudflare.
In my EB environment, I am using a Classic Load Balancer and have the following configuration (note: my application uses websockets hence the TCP port):
I've added the SSL certificate to the HTTPS configuration but when I navigate to api.myapp.com I am still getting the "your connection is not secure" in the browser.
Does anyone have any suggestions on how to resolve the issue?
The free SSL from zerossl.com works. After the validation and other steps, at the end you will get three files.
Using AWS Console
Download the zip file containing the certificate, chain and private key. Go to AWS Certificate Manager -> Import certificate -> add all the details -> review and import the certificate.
Using AWS CLI, which will output the certificate identifier:
aws iam upload-server-certificate --server-certificate-name ish --certificate-body file://certificate.crt --certificate-chain file://ca_bundle.crt --private-key file://private.key
Go to the AWS Console load balancer and select 443 HTTPS; the recent certificate will be available and can be identified by the identifier provided in both of the above cases. Apply changes and restart the environment. The new certificate will be available.
Turns out that AWS doesn't allow the use of SSL certificates purchased from cloudflare anymore, so I solved it by provisioning one with CA on AWS.

Bit confused with cloudfront and why my cert for the CNAME is not working

I am getting this message on my main site, after I setup a CloudFront distribution. I created a certificate for cdn.example.com, chose custom and entered cdn.example.com for use with HTTPS.
I created a CNAME in my DNS configuration for cdn.example.com, and I added the validation record as requested by AWS. The certificate shows up as issued and validated.
Failed to load resource: The certificate for this server is invalid. You might be connecting to a server that is pretending to be “cdn.example.com”, which could put your confidential information at risk.
No images get loaded and the site does not render as it should. If I use the cloudfront url (i.e. d12345.cloudfront.net), all works fine. Do I need to add a SAN to my certificate, such as the main domain (i.e. example.com) in addition to cdn.example.com? If so, how does that work as I already use a SSL certificate for my www.example.com and example.com from Let's Encrypt.
I am using WordPress and wpfastestcache to integrate CloudFront with the website, where I specified cdn.example.com and the origin as example.com.
This question was confusing, since it seemed to describe a very unlikely condition. How could a newly-configured CloudFront distribution with a new certificate from ACM offer an invalid certificate?
In truth, I was distracted by part of the "helpful" browser error message, "You might be connecting to a server that is pretending to be..." I mistakenly assumed that this implied that the hostname in the certificate was correct ("pretending to be") but that the certificate was invalid for some other reason.
As it turns out, the certificate being offered was the default, generic *.cloudfront.net certificate, so the hostname in the cert didn't match the custom domain name.
After creating a certificate in ACM, it needs to be associated with the CloudFront distribution, as mentioned at https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValuesSSLCertificate.
Another hint to the nature of the problem would have been observable in the ACM console. There, the certificate would have shown In Use? No.
In Use? – Whether the ACM Certificate is actively associated with an AWS service such as Elastic Load Balancing or CloudFront. The value can be No or Yes.
https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-list.html#gs-acm-list-console

http to https in EC2 apache2 in AWS

I'm trying to have https for a website which is hosted in AWS EC2. I have followed the steps mentioned in the following link.
https://www.digitalocean.com/community/tutorials/how-to-create-a-ssl-certificate-on-apache-for-ubuntu-14-04
But it's still showing the privacy warning to all users who are visiting the website. How can I make the certificate trusted, or how long will it take Amazon to make it a trusted one?
Please help me to solve this. I've been stuck with this for the last 2 days. Answers will be appreciated, and thank you.
You can use AWS Certificate Manager to issue a free SSL certificate signed by the AWS Certificate Authority. However, for this to work, you need to use a Load Balancer and attach the certificate to the Load Balancer, which will forward the traffic to the EC2 instance.
Depending on your requirements you may wish to use SSL termination on an Elastic Load Balancer (ELB) instead.
This involves creating a free AWS certificate and an ELB. Attach both your instance and the certificate to the ELB, with HTTPS forwarded to port 80 on your instance.
Then just point your DNS name to the ELB. If you're using Route53 then you can just use an A-record alias.
Edit: If you want to automatically direct HTTP to HTTPS you'll need to check the X-Forwarded-Proto header in Apache's .htaccess file. More information here.
The certificate which you are using is a "Self Signed Certificate (https://en.wikipedia.org/wiki/Self-signed_certificate)".
In order to get rid of insecure certificate or privacy issues on HTTPS, you need to get your CSR signed by a trusted CA like Comodo, GoDaddy etc.
Ref -
https://in.godaddy.com/help/apache-generate-csr-certificate-signing-request-5269
https://help.comodo.com/topic-437-1-843-10843-.html
OR
In case you want free verified SSL certificates, "letsencrypt" is the way to go.
https://letsencrypt.org/
You don't need to pay anyone for a certificate. Just use LetsEncrypt and their CertBot ACME client. The CertBot automates the task of issuing and renewing certificates.
LetsEncrypt is the leading free SSL certificate authority (CA) and their certs are as good as any paid cert.
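The X-Forwarded-Proto check that the ELB-termination answer above describes for Apache's .htaccess, shown here as an added example (not the answer's or the page's own code) in the form of a small WSGI middleware so it runs stand-alone against constructed request environs. Assumptions: the ELB terminates TLS, forwards plain HTTP to the instance and sets X-Forwarded-Proto on every forwarded request, and the instance's security group admits traffic only from the ELB, which is what makes that header trustworthy; https_redirect, canonical_host, invoke and base_environ are names invented for this example.

```python
"""Redirect plain-HTTP requests to HTTPS behind a TLS-terminating ELB.

Added example, not code from the original answer (which does the same check in Apache
.htaccess). Assumes the ELB terminates TLS, forwards to port 80 as plain HTTP and sets
X-Forwarded-Proto, and that only the ELB can reach the instance (security group).
"""
from urllib.parse import quote


def https_redirect(app, canonical_host):
    """Wrap a WSGI app so requests the ELB received over http get a 301 to https.

    canonical_host: fixed hostname to redirect to. Redirecting to a configured value
    rather than echoing the incoming Host header means a forged Host header cannot turn
    the redirect into an open redirect to an attacker-chosen site.
    """
    def wrapped(environ, start_response):
        # The ELB sets X-Forwarded-Proto on every request it forwards. Because only the
        # ELB is allowed to reach this instance, a client cannot inject its own value;
        # without that network restriction the header would be untrustworthy.
        proto = environ.get("HTTP_X_FORWARDED_PROTO",
                            environ.get("wsgi.url_scheme", "http"))
        if proto.lower() != "https":
            target = "https://" + canonical_host + quote(environ.get("PATH_INFO") or "/")
            if environ.get("QUERY_STRING"):
                target += "?" + environ["QUERY_STRING"]
            start_response("301 Moved Permanently",
                           [("Location", target), ("Content-Length", "0")])
            return [b""]
        return app(environ, start_response)
    return wrapped


def hello_app(environ, start_response):
    """Minimal upstream application standing in for the real site."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"secure hello\n"]


def invoke(app, environ):
    """Call a WSGI app in-process; returns (status, headers_dict, body_bytes)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def base_environ(**extra):
    """Constructed request environ resembling what the ELB forwards to port 80."""
    env = {"REQUEST_METHOD": "GET", "PATH_INFO": "/admin", "QUERY_STRING": "page=2",
           "SERVER_NAME": "10.0.1.5", "SERVER_PORT": "80", "wsgi.url_scheme": "http"}
    env.update(extra)
    return env


# The wrapped application; hand APP to any WSGI server (gunicorn, mod_wsgi, wsgiref).
APP = https_redirect(hello_app, canonical_host="admin.example.com")


if __name__ == "__main__":
    # Client spoke http to the ELB: redirected to the canonical https URL.
    print(invoke(APP, base_environ(HTTP_X_FORWARDED_PROTO="http")))
    # Client spoke https to the ELB: served normally even though this hop is plain http.
    print(invoke(APP, base_environ(HTTP_X_FORWARDED_PROTO="https")))
```

The middleware redirects on the scheme the ELB reports, not on the scheme of the hop it sees, which is always plain HTTP when TLS terminates at the load balancer. Two points carry over to the Apache version as well: redirect to a configured hostname rather than whatever Host header arrived, and keep port 80 on the instance reachable only from the ELB, since a client that can reach the instance directly can set X-Forwarded-Proto to anything.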

ElasticBeanstalk GoDaddy and SSL

I am attempting to get my domain (assetfarm.com.au) to use SSL. I have created a certificate and uploaded it to IAM. I associated it with my ElasticBeanstalk configuration.
I am also attempting to use Route 53 for my domain. Here are my current settings:
I'm using a self-signed certificate just to check that the issue wasn't with the certificate GoDaddy generated. Despite following the instructions on Amazon step-by-step, I am still unable to visit https://www.assetfarm.com.au or https://assetfarm.com.au. I can't even visit https with the elastic beanstalk or load balancer URL.
Please check your ELB Security Group for Port 443.
For some new AWS accounts, you may need to open Port 443 manually.

Amazon EC2 + SSL

I want to enable SSL on an EC2 instance. I know how to install a third-party SSL certificate. I have also enabled SSL in the security group.
I just want to use a url like this: ec2-xx-xxx-xxx-xx.compute-1.amazonaws.com with https.
I couldn't find the steps anywhere.
It would be great if someone can direct me to some document or something.
Edit:
I have an instance on EC2, on which I have installed LAMP. I have also enabled http, https and ssh in the security group policy.
When I open the Public DNS url in the browser, I can see the web server running perfectly.
But when I add https to the URL, nothing happens.
Is there something I am missing? I really don't want to use any custom domain on this instance because I will terminate it after a month.
For development, demo, or internal testing (which is a common case for me), you can achieve demo-grade https in EC2 with tunneling tools. Within a few minutes, especially for internal testing purposes, with ngrok you would have https (demo grade; traffic goes through the tunnel).
Tool 1: https://ngrok.com Steps:
Download ngrok to your ec2 instance: wget https://bin.equinox.io/c/4VmDzA7iaHb/ngrok-stable-linux-amd64.zip (at the time of writing but you will see this link in ngrok home page once you login).
Enable 8080, 4443, 443, 22, 80 in your AWS security group.
Register and login to ngrok and copy the command to activate it with token: ./ngrok authtoken shjfkjsfkjshdfs (you will see it in their home page once you login)
Run your http - non https server (any, nodejs, python, whatever) on EC2
Run ngrok: ./ngrok http 80 (or a different port if your simple http server runs on a different port)
You will get an https link to your server.
Tool 2: Cloudflare Warp
Alternatively, I think you can use an alternative to ngrok called Cloudflare Warp, but I haven't tried that.
Tool 3: localtunnel
A third alternative could be https://localtunnel.github.io which, as opposed to ngrok, can provide you a subdomain for free. It's not permanent, but you can ask for a specific subdomain rather than a random string.
--subdomain request a named subdomain on the localtunnel server (default is random characters)
Tool 4: https://serveo.net/
Turns out that Amazon does not provide SSL certificates for their EC2 instances out of the box. I skipped over the part that they are a virtual server provider.
To install an SSL certificate, even a basic one, you need to buy it from someone and install it manually on your server.
I used startssl.com. They provide free basic SSL certificates.
Create a self-signed SSL certificate using openssl. Check this link for more information.
Install that certificate on your web server. As you have mentioned LAMP, I guess it is Apache. So check this link for installing SSL to Apache.
In case you reboot your instance, you will get a different public DNS, so be aware of this. Or attach an Elastic IP address to your instance.
But When I add https to URL, nothing happens.
Correct, your web server needs to have an SSL certificate and private key installed to serve traffic on https. Once that is done, you should be good to go. Also, if you use a self-signed cert, then your web browser will complain about a non-trusted certificate. You can ignore that warning and proceed to access the web page.
You can enable SSL on an EC2 instance without a custom domain using a combination of Caddy and nip.io.
nip.io allows you to map any IP address to a hostname without the need to edit a hosts file or create rules in DNS management.
Caddy is a powerful open source web server with automatic HTTPS.
Install Caddy on your server
Create a Caddyfile and add your config (this config will forward all requests to port 8000):
<EC2 Public IP>.nip.io {
    reverse_proxy localhost:8000
}
Start Caddy using the command caddy start.
You should now be able to access your server over https://<IP>.nip.io
I wrote an in-depth article on the setup here: Configure HTTPS on AWS EC2 without a Custom Domain