"Unauthorized" error in adding SSL Certificate to an AWS EC2 instance using Let's Encrypt - ssl

I have a server running on Amazon Web Services as an EC2 instance and want to reach it in a secured manner (https). I decided to use Let's Encrypt, following this tutorial to install the SSL Certificates to the server (using the --webroot plugin type). I used PuTTY to reach the EC2 instance. In the final step, I was prompted to provide the domain name, wherein I keyed in the URL generated for the instance by AWS (not my own/masked domain name).
I get an Unauthorized error with a note saying
FailedChallenges Failed authorization procedure abcd.efgh.us-west-2.elasticbeanstalk.com (http-01) :urn:acme:error:unautorized :: The client lacks sufficient authorization :: Invalid response from http://abcd.efgh.us-west-2.elasticbeanstalk.com/.well-known/acme-challenge/...
NOTE : abcd.efgh.us-west-2.elasticbeanstalk.com is just an example of an AWS domain name I have provided for the question.
I also get a note following the error:
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain contain(s)
the right IP address.
I'm not sure if this occurs because I'm directly using the AWS domain name and not a domain name that I own.
So will I get rid of this error if I use a domain name that I own, or is this issue because of something else that I need to add/change? Please advise.

The issue is that you are trying to run Let's Encrypt with the URL that is the Amazon EC2 instance's. You need to register a domain, point it at that EC2 instance, and then run Let's Encrypt with that domain name.
Helpful: https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04
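As an added example (not code from the question, the answer or the tutorial), this is the check the CA performs for an http-01 challenge, in Python: it resolves the domain's A record, fetches `/.well-known/acme-challenge/<token>` from whatever host that record points to, and expects the token joined to the RFC 7638 thumbprint of the ACME account key. The JWK, token and webroot values are constructed samples, not a real key.

```python
import base64
import hashlib
import json
import os

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the *required* public members only,
    serialised with keys in lexicographic order and no whitespace. Extra
    members such as 'kid' or 'alg' must not change the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())

def key_authorization(token: str, jwk: dict) -> str:
    """The exact body the CA expects to read back from the challenge URL."""
    return f"{token}.{jwk_thumbprint(jwk)}"

def challenge_file(webroot: str, token: str) -> str:
    """Path the --webroot plugin writes: <webroot>/.well-known/acme-challenge/<token>."""
    return os.path.join(webroot, ".well-known", "acme-challenge", token)

def validate_http01(token: str, jwk: dict, served_body: bytes) -> bool:
    """Server-side view of the check the CA performs after fetching
    http://<domain>/.well-known/acme-challenge/<token>. If the A record for
    <domain> points somewhere other than this server, the CA fetches from
    that other host and reports 'unauthorized' whatever this file contains."""
    expected = key_authorization(token, jwk).encode("ascii")
    return served_body.strip() == expected  # trailing newline is tolerated

# Constructed sample values (not a real key): only the procedure matters here.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "c2FtcGxlLW1vZHVsdXM", "kid": "acct-1"}
SAMPLE_TOKEN = "constructed-token-0123456789abcdef"
SAMPLE_WEBROOT = "/var/www/html"

if __name__ == "__main__":
    body = key_authorization(SAMPLE_TOKEN, SAMPLE_JWK)
    print("write", repr(body), "to", challenge_file(SAMPLE_WEBROOT, SAMPLE_TOKEN))
    print("CA would accept:", validate_http01(SAMPLE_TOKEN, SAMPLE_JWK, body.encode()))
```

Before running certbot, confirm with `dig +short <domain> A` that the name resolves to this instance's public IP; if it does not, the file above is never read.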

Related

Chrome Browser refusing to connect to AWS Cloud Former instance over HTTPS

I'm struggling to use AWS Cloud Former to generate a CloudFormation template. I have already launched the Cloud Former stack twice and attempted to connect to the associated DNS for the EC2 instance generated each time and keep receiving the error pictured below.
I have already tried to create a new SSL certification for the EC2 instance via AWS Certificate Manager, but AWS does not allow this for EC2 instances. I'm not very familiar with SSL/HTTPS processes and would appreciate any guidance on next steps I should pursue to address/troubleshoot this.
Upon further research into this, I have found the following issue:
Specifically, I'm seeing the following SSL certification issue:
Has anyone else seen this yet with CloudFormer recently?
CloudFormer uses self-signed certificates that are generated by the stack. This is the normal browser warning when the browser encounters a self-signed certificate. For your purposes, you can simply click on the link at the bottom (Proceed to EC2-xxx (Unsafe)) of the warning page, and ignore the warning. You will connect successfully in spite of the warning.
SSL certificates require a domain. On AWS you can set one up with the certificate manager, but it will still have an issue until you correctly configure Route 53 on AWS as well.

Problems using custom CNAME with CloudFront over SSL

I have a problem when using a custom CNAME and SSL/HTTPS for a CloudFront distribution. I set up a CloudFront distribution to use as a CDN on my WordPress site, using the W3TC plugin to configure things.
I imported an SSL certificate from my hosting provider to use with the CloudFront distribution. I also configured a CNAME at my hosting for the distribution (e.g., "cdn.example.com") to use in place of the CloudFront domain name (e.g., "d1234.cloudfront.net").
After setting all this up I immediately noticed that all the images were just broken image links. Right-clicking an image to open it in a new browser window resulted in the browser warning me that "the connection is not private" and that the website "may be impersonating cdn.example.com". The source showed that none of the CloudFront CDN resources were being loaded. Chrome reported "Failed to load resource: net::ERR_CERT_COMMON_NAME_INVALID" for several resources.
After experimenting I found that if, I stopped using the CNAME (by removing it from the W3TC plugin field) and used the CloudFront domain name (i.e., "d1234.cloudfront.net") instead, everything worked all right. So images loaded successfully from d1234.cloudfront.net, where they wouldn't from cdn.example.com.
I have another site that is set up exactly the same except it doesn't use SSL/HTTPS: the use of a custom CNAME for the CloudFront distribution there doesn't cause any problems at all.
So the problem with CloudFront seems to appear when I try to use SSL/HTTPS and a custom CNAME.
The Chrome error report seems to indicate that there's a problem with the SSL certificate that I imported (what, I don't know - I'm not at all clued-up with SSL certificates). If that's the cause of the problem, should I get a certificate from AWS to enable the use of a custom CNAME? If so, what should I stipulate for the certificate? And I'm not sure how that works having two certificates - one for my domain and another for CloudFront?
It sounds like you may have missed adding your CNAME to the CloudFront distribution, i.e. under 'Alternate Domain Names':
(I know this is an old question but as it stands unresolved and I just hit the same issue, I think this might help others)
Below are the issues:
Certificate does not match the issuer's name
Google Chrome browser error
Address error due to certificate mismatch
Please check that the SSL certificate generated for the domain is valid and that the same one is uploaded to CloudFront.

Heroku ACM SSL says Cert issued but certificate won't show on the website

This is my first time getting an SSL certificate for my website. I followed this tutorial https://devcenter.heroku.com/articles/automated-certificate-management
heroku certs:auto displays that Status is "Cert issued". I get no errors. I use git push and the website is still not certified. What could I be doing wrong?
Old question, but if anyone else runs into this problem, which I was just battling myself, here was my problem:
When following the Heroku dev center guide on how to point a custom domain to your herokuapp, the guide says, among other things:
"Create a CNAME record to map from www.example.com to example.herokuapp.com or your SSL endpoint if using SSL."
Neither one of these alternatives is, however, the way to go now (SSL endpoint is considered legacy at Heroku). Instead, once you have added your custom domain correctly, simply:
In Heroku CLI, run "heroku certs:auto:enable" to enable ACM.
Point your domain's DNS records at the Heroku DNS target for your custom domain, which you can find by running "heroku domains"
Wait a little.
This should do it.

How to set up SSL for naked domain from Google Domains to Heroku?

I'm trying to use Heroku's Automatic Certificate Management to set up SSL for my site. My app is on heroku at myapp.herokuapp.com, and I currently have Subdomain Forwarding set up so that http://www.myapp.com properly shows my app.
What I want is to have my site hosted at https://myapp.com.
I ran heroku certs:auto:enable, but it shows:
=== Automatic Certificate Management is enabled on myapp
Domain Status
───────────────── ───────────
www.myapp.com Failing
Running heroku domains shows:
=== myapp Heroku Domain
myapp.herokuapp.com
=== myapp Custom Domains
Domain Name DNS Target
───────────────── ───────────────────────────────
www.myapp.com www.myapp.com.herokudns.com
Right now, in Google Domains, I have a Subdomain Forward from #.myapp.com to http://www.myapp.com. I also have a Custom Resource Record with the name www, type CNAME, and data myapp.herokuapp.com..
What do I need to change in my setup so that I can host my site at https://myapp.com?
Unfortunately, Google Domains does not support the ANAME or ALIAS record. You must use one of these for your apex domain. Here's the full list supported by Google Domains.
https://support.google.com/domains/answer/3290350
Heroku has a list of DNS providers that support the ALIAS or ANAME records here: https://devcenter.heroku.com/articles/custom-domains#add-a-custom-root-domain Personally, I use DNSimple and have had great success with them.
The CNAME target needs to be www.myapp.com.herokudns.com. In your question above you only have the apex record in your DNS in myapp.com.herokudns.com. If this is not the case can you share the domain so I can dig the record for more information?
I've had the same problem with Heroku and other PaaS providers over and over: depending on who provides and manages the DNS for your domain, you may or may not be able to use a CNAME or ALIAS record on the naked domain. That's why we've created a simple service to solve this by applying a simple SSL redirection from the naked domain to the "www" under SSL, without changing your DNS management provider: NakedSSL will give you an IP and will create and host an SSL certificate for your naked domain (https://yourdomain.com), redirecting it to the HTTPS URL that you want (most likely "https://www.yourdomain.com").
Disclaimer: I'm obviously part of the team that created NakedSSL. I hope you don't take this as self-promotion (anyway we offer it for free for 1 domain, which totally fits the needs of 95% of developers/hobbyist out there), but as a way to deal with this annoying situation in an easy way.

An unrelated domain is pointing to my website and appears to be using my SSL certificate

I run a website affectionaries.com that has a valid SSL certificate hosted by Hostgator.
It has come to my attention that when searching in Google for terms such as "Affectionaries" or "Cupcakes Runcorn", another domain appears higher up the SERPs using my metadata and is unrelated to my business. If you click the link for (https://www.miamiboxpanama.com/) then it takes you to an insecure warning page! Under advanced it tells you:
www.miamiboxpanama.com uses an invalid security certificate. The certificate is only valid for the following names: affectionaries.com, www.affectionaries.com Error code: SSL_ERROR_BAD_CERT_DOMAIN
I can not figure out what is going on here...
So far I can see that this domain is on the same nameservers and IP address as my site.
Does anyone have experience with this and know a solution to resolve this matter?
www.miamiboxpanama.com resolves to the same IP address as affectionaries.com (192.254.231.2). So both names lead to the exact same web server, and therefore also the exact same SSL certificate. Since that certificate is only for the name affectionaries.com, the browser correctly issues a warning when the name it used was www.miamiboxpanama.com.
This looks like a configuration error at Hostgator. You may want to contact them and ask what's going on.
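The same name-mismatch rule explains both this question and the CloudFront CNAME one above (Chrome's ERR_CERT_COMMON_NAME_INVALID there, Firefox's SSL_ERROR_BAD_CERT_DOMAIN here): the chain can be perfectly valid, yet the requested hostname must appear in the certificate's SAN list. Below is an added Python example, not code from any of the posts, that reproduces the browser's decision offline on constructed SAN lists and includes a live helper (network required, hostnames are assumptions) to read the SAN list a server actually presents for a given name.

```python
import socket
import ssl

def _wildcard_ok(pattern: str, host: str) -> bool:
    """RFC 6125 style: '*' may only be the whole leftmost label and matches
    exactly one label, so '*.example.com' covers cdn.example.com but neither
    example.com nor a.b.example.com."""
    if not pattern.startswith("*.") or "*" in pattern[2:]:
        return False
    return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])

def hostname_matches(hostname: str, san_dns_names: list[str]) -> bool:
    """True if the requested name is covered by one of the certificate's DNS SANs."""
    host = hostname.rstrip(".").lower()
    for name in san_dns_names:
        pat = name.rstrip(".").lower()
        if pat == host or _wildcard_ok(pat, host):
            return True
    return False

def diagnose(hostname: str, san_dns_names: list[str]) -> str:
    """What the browser concludes: 'ok', or the name-mismatch message it shows."""
    if hostname_matches(hostname, san_dns_names):
        return "ok"
    return f"name mismatch: certificate is only valid for {', '.join(san_dns_names)}"

def fetch_san_dns_names(host: str, port: int = 443, timeout: float = 5.0) -> list[str]:
    """Live check (needs network): connect with SNI=host, verify the chain
    against the system trust store but skip the hostname check, then return
    the DNS SANs the server presented for that name."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # we want to see the mismatch, not abort on it
    ctx.verify_mode = ssl.CERT_REQUIRED  # still reject untrusted or self-signed chains
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

if __name__ == "__main__":
    # Constructed SAN list taken from the error text in the question above.
    sans = ["affectionaries.com", "www.affectionaries.com"]
    print(diagnose("www.miamiboxpanama.com", sans))
    print(diagnose("www.affectionaries.com", sans))
```

For the CloudFront case, run `fetch_san_dns_names("cdn.example.com")` against your own CNAME: if the returned list is only `*.cloudfront.net`, the distribution is serving its default certificate because the alternate domain name and the imported certificate were not attached to it.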