My application domain was bought on GoDaddy, the NS servers point to Route 53. Route53 has A records to Elastic Load Balancers for different urls which manage traffic to my Elastic Beanstalk.
Do I require more than one SSL certificate? Will a wildcard certificate be fine for this scenario (I assume it will be).
The reason I'm confused is because of the setup of the system and a lack of understanding how SSL certificates work with A records and Load Balancers.
A wildcard certificate should be sufficient, but you'll need to use CNAME records to map your subdomains to your various ELBs. A records are a recipe for disaster, because the ELBs change IP frequently.
You'll also need to load your certificate into AWS and create an HTTPS listener for each ELB, which is a lot of fun. See the ELB developer's guide.
This question is a little old, and I wanted to point out that today there is a free way to do this (rather than a wildcard cert which is typically expensive.)
Using Amazon certificate manager, you can request a cert for free, and assign a number of domains and subdomains to it. I have a cert running that has a total of six subdomains across two different domains. Four of the subdomains all point to the same application, with the load balancer on elastic beanstalk application pointing to the one cert.
Related
I need to point thousands of TLDs to the same Rails app hosted in Heroku.
So far I have automated the process of adding domains to CloudFlare and Heroku, but SSL has proven to be a challenge.
Heroku has ACM on by default, which will fail when the CF orange cloud is on (which I need on).
I can't turn ACM off with Flexible SSL in CloudFlare because I need SSL from edge to origin.
I can't use an Origin CA because Heroku only supports 1 certificate per app (not per domain) and I'm going to be well over 100 domains. I also don't want to have to manage multiple certificates which contain multiple TLDs and re-generate the certificate with every single domain in it every time I add a new domain.
Question: Is there a downside to just pointing www and # to my-app.herokuapps.com?
So far it works perfectly from a DNS perspective with Full SSL in CloudFlare, even though it says in Heroku docs that the herokudns.com strategy is encouraged. I just wanted to ensure there aren't any deprecations or hidden limits that will suddenly make this stop working after I've committed to it.
I'm also open to any other solutions.
Im currently building an application that will reside at app.mydomain.com which is running on Heroku. All users will have their own entry points, like app.mydomain.com/client1, app.mydomain.com/client2, etc. I want clients to be able to setup their own domain (www.clientdomain.com) and cname it to their entry point. I understand this is pretty straight forward up until now.
All my DNS is handled by Cloudflare and I believe I can configure Cloudlfare into Full (Strict) mode, all I need to do is install their Origin Cert onto my Heroku dyno. This will ensure that all direct connects to my domain will be secure (going to app.mydomain.com/client1).
Question is, how does a client go about getting an SSL'ed connection for their domain; do I need to get a multidomain cert and start adding domains to it as I get clients, or am i supposed to install their cert onto Heroku (I believe I can only install 1 so thats a no go) or is it supposed to live on Cloudflare somewhere, or are there additional options I'm not seeing (I hope there are!).
Im not wondering what to do for my own domains, but rather, how do clients setup an SSL connection with their domains that resolve onto my servers.
This is rather perplexing!
The flow would be (I think):
User Browser -> Clients DNS -> (cname to) My Cloudflare -> Heroku
Hmm, it looks like this might be a pretty solid solution to this issue...
https://blog.cloudflare.com/introducing-ssl-for-saas/
Edit - after clarification
I'm currently building an application that will reside at
app.mydomain.com which is running on Heroku. All users will have their
own entry points, like app.mydomain.com/client1,
app.mydomain.com/client2, etc. Question is, how does a client go about
getting an SSL'ed connection for their domain; do I need to get a
multidomain cert and start adding domains to it as I get clients?
If you are going to use the same Heroku app for all of your clients (I think this is a bad idea by the way, but you might be required to) - then yes - you should get a multi-domain certificate and keep adding domains to it as your list of clients expand.
Original answer - which explains SSL + Load Balancing on Heroku.
Im currently building an application that will reside at
app.mydomain.com which is running on Heroku. I was clients to be able
to setup their own domain www.clientdomain.com and cname it to mine.
You will need a wildcard certificate to cover your subdomain (for the app.mydomain.com). You'll have use that cert in heroku.
...all I need to do is install their Origin Cert onto my Heroku dyno.
You are correct - except it's not on your Heroku dyno, it's on your Heroku app endpoint. There's a good read here: https://serverfault.com/questions/68753/does-each-server-behind-a-load-balancer-need-their-own-ssl-certificate
If you do your load balancing on the TCP or IP layer (OSI layer 4/3,
a.k.a L4, L3), then yes, all HTTP servers will need to have the SSL
certificate installed.
If you load balance on the HTTPS layer (L7), then you'd commonly
install the certificate on the load balancer alone, and use plain
un-encrypted HTTP over the local network between the load balancer and
the webservers (for best performance on the web servers).
So you should install your SSL certificate to your Heroku endpoint and let Heroku handle the rest.
Question is, how does a client go about getting an SSL'ed connection;
do I need to get a multidomain cert and start adding domains to it as
I get clients, am i supposed to install their cert onto Heroku (I
believe I can only install 1 so thats a no go) or is it supposed to
live on Cloudflare somewhere?
If you're referring to adding servers to your service from heroku, all you need to do is increase the number of web-dynos. Heroku will handle the load balancing in between these dynos. Your SSL certificate should be resolved in the load balancer so your dynos will be serving requests for the same endpoint. You shouldn't need another SSL certificate for the endpoint you've defined - as long as you're serving traffic from multiple dynos attached to it.
I'm planning to set up HTTP/HTTPS load balancing (https://cloud.google.com/compute/docs/load-balancing/http/) on the Google Cloud Platform for over 1,700 domains (different websites); and all will have TLS/SSL. However, you can only add up to 10 SSL certificates per load balancer, according to this: https://cloud.google.com/compute/docs/load-balancing/http/ssl-certificates
How should I go about trying to set up load balancing to serve websites using Compute Engine? I'd like to have instances in several different regions, and all of the steps in adding a domain should be automated (I have the deployment process figured out).
Of course I'll be providing my own SSL certificates. I can add up to 100 domains per certificate using Let's Encrypt (https://letsencrypt.org/docs/rate-limits/). But do I need a separate certificate for each domain for the Google Cloud load balancer? But if I can use one certificate for every 100 domains, does that mean I can only use a load balancer for up to 1,000 domains (10*100)? Would I have to create multiple load balancers, each with its own Frontend, using the same Backend service? How many load balancers am I allowed to create per project?
We also had the same scenario and requirement (1000+ domains, letsencrypt SSL and Google LoadBalancer) but alas couldn't use Google Load Balancer to do that. Instead we made an TCP LoadBalancer instead of an HTTPS one, so that we could handle the 443 port.
Now the request directly came to our instances (even with ssl), and we made conf for all the domains in nginx and all the domains had their ssl certifciates configured using letsencrypt and serve the app based on the domain.
The limitation on number of certs is by IP, not by load balancer. The number of certs by ip is now 15 on each per the GCP docs. If in your case the sites can use a shared cert, then that would cover 1500 domains per IP address.
GCP quotas have a default but you can request an increase if your case needs it.
I have a https web app running on my aws ec2 instance.
https://ec2-52-91-100-69.compute-1.amazonaws.com/
I need to get a ssl certificate for the same so that the scary warnings do not appear.
How can I do this? I tried to buy a ssl from clickssl.com but their helpdesk emailed me with the following:
"You completed enrollment process for domain name
ec2-52-91-100-69.compute-1.amazonaws.com.
I believe you cannot get SSL for this domain name because root domain
name amazonaws.com is Amazon property."
If this is the case is there no way to get a ssl certificate for my application? I dont believe thats the case.
Any help will be appreciated.
First you need to register a domain through a registrar (e.g. GoDaddy or Amazon Route 53). Next you assign an Elastic IP to your EC2 instance and use your registrar's DNS tool to make your domain point to the Elastic IP address. Then you can request an SSL certificate for your own domain.
You do need to register a domain, or use a subdomain of a domain you already have registered. You do NOT need to use an Elastic IP - they are limited and eventually (if you use multiple domains in your AWS account) you will run out. Instead, you can use a CNAME to point to the AWS name (e.g., ec2-52-91-100-69.compute-1.amazonaws.com).
Once you have that set, use Let's Encrypt to get a free widely accepted certificate. There are plenty of tutorials on the installation process - try:
https://ivopetkov.com/b/let-s-encrypt-on-ec2/
Just noticed the original question is OLD - which means (among other things) that Let's Encrypt wasn't even an option at the time. But for anyone who stumbles across this question now, it is a great solution.
I'm not the most advanced AWS user there is, and have come across a bit of a roadblock.
I've got 2 Elastic Beanstalk Environments, each with a Load Balancer, 2 EC2 instances and they share a RDS instance. One environment is for Development and the other for Production.
I have purchased a wildcard SSL certificate from Thawte, and would like to install it on both the Development and Production environments. I've gone through other threads about adding SSL certificates in AWS, but the admin interface has changed since they were written so I've been going round in circles trying to figure it out.
Also, do I install the same SSL certificate on both Load Balancers? Or is it a case of only having one load balancer and redirecting traffic depending on the domain?
Thanks
You will need two load balancers, one for each environment. For uploading the certificate, it sounds like you are creating your Beanstalk environment through the console. In that case, after you create the environment, go to the EC2 tab, then 'Load Balancers', then 'Listeners'. Edit that, change the protocol to https. You'll see there is a place to change the certificate:
That will give you a place to upload the certificate:
Now that the cert is there, you can use the Elastic Beanstalk configuration to change future environments to use that cert: