HTTPS on Amazon EC2 for OwnCloud - ssl

I have a question which I hope somebody can answer for me.
My situation: I have an Ubuntu Server running Apache2 on a EC2 Amazon instance, which is serving an OwnCloud instance.
My goal: I want to deploy HTTPS on this instance. I already configured the security group to allow HTTPS traffic from anywhere (as the server should be accessible from anywhere on the internet). We already have a domain name bar.com registered at another domain hosting company. But we want to point foo.bar.com to this owncloud installation.
My questions:
1) Which IP-address do I use to configure the DNS at this domain hosting company. Because the public ip-address and public DNS of the EC2 instance is renewed every time the instance restarts.
2) How do I generate the SSL certificate for HTTPS configuration of Apache2? More specifically, which common name (CN) do I need to put in the certificate. Because the public dns of the EC2 instance is changing on every restart. I think if I put the foo.bar.com CN in the certificate that the browser will throw a certificate error once the user gets redirected from foo.bar.com -> .compute.amazonaws.com, am I right?
In short: how do I deploy https on a EC2 instance at Amazon AWS with a dns at a third party domain name service?

To deal with the changing public ip address you've got two options, first and (for simple situations, best) go to the Elastic Ip Page, get an eip and associate it with your instance, this association and hence public IP will hang around even after start/stop. You can even move the eip over to a different machine if you need to. This option is very cheap (you only get charged for an eip if its not attached to a started server). You're then safe to point your dns at the eip. The alternative option is much more powerful and that is to use elb (load balancing) but it also involves a fair amount more work to setup.
I assume if you're asking about cn's you dont really want a "how to" on creating an ssl cert (please correct me if I'm wrong). For the cn you just use the domain name - it doesn't matter what ip address the name resolves to the cert is for the domain. If you have your own domain to point at your eip you dont need to care about the machines public hostname. A user will never see it.

Related

Is it possible to get an SSL certificate for a portforwarding VPN service?

In my example I am using https://portmap.io VPN service which is not exactly a pure VPN services but still uses VPN technology to break my ISP restrictions, allowing portforwarding to my own home server running in my android device.
So if I run 193.161.193.99:1200, my website gets browsed. The port 1200 is mapped to my local python server port running on port 1000. Port 1200 is given by the VPN provider.
However, if I try 193.161.193.99 without the port 1200. The portmap VPN official website gets called, cause that's the websites' IP. So basically each user of this VPN services has there own port to work with.
Question: I don't have any public IP totally in my own control to get an SSL certificate, which requires a file upload verification by the CA (CSR). So, it it anyhow possible to get an SSL certificate using 193.161.193.99:1200 ?
Note: Services like zerossl.com accepts to provide a certificate for ipv4 public addresses. So it not always essential to use a FQDN to get a cert.
Yes this is possible, you will need a domain pointing to the VPN/portmap IP and then obtain a SLL certificate from Let's Encrypt for that domain. This can be your own domain or one provided by a Dynamic DNS Service such as Duck DNS.
I'll describe how I have done it with Docker and Duck DNS in detail:
Sign in to Duck DNS, create a subdomain and point it to the VPN/portmap IP, note the token at the top of the page.
Deploy a docker container from LinuxServer.io's SWAG Image
Make sure to provide the required environment variables in your docker-compose.yml (or with docker run command):
- VALIDATION=duckdns
- DUCKDNSTOKEN={your token}
- URL={yourdomain}.duckdns.org
Note: If you want everything behind your VPN, there is a great docker container called gluetun which allows you to run the swag container behind your VPN
You will find your SSL certificates in the /config/etc/letsencrypt/live/{yourdomain}.duckdns.org folder of the SWAG container. Use those for the website/service that is running behind your forwarded port.
The certificates will get updated automatically 30 days before they expire. There is also a PKCS#12-file privkey.pfx, which is needed for services like emby. For more information on SWAG see the LinuxServer.io Docs. You may or may not need another container running that updates the Duck DNS IP periodically, I'm not sure if the SWAG container already does that.
All of this can of course be done without Docker and with your own domain. In this case you will need to map your domain or subdomain to the VPN IP in the DNS Record section of your domain provider. And then use certbot to create certificates for that domain. Docker just automates the renewal part.

How to use Let's Encrypt for my private server while ISP blocked port 80 and 443?

I am setting up a WebDAV server behind traefik using docker compose. Also,I want to add HTTPS support to it, so that keeping my data private. I bought a domain name and prefer to use Let's Encrypt, because it's free of charge.
But as far as I know, Let's Encrypt requires TLS, HTTP or DNS challenge. While last option seems only for big companies who owns the public DNS server, other two options need port 80 or 443. The problem is that these 2 port are all blocked by the ISP. So is there any workaround? How to make it work?
While last option seems only for big companies who owns the public DNS server
If you own the domain, you should have full control over the DNS records — free of charge, by going to the vendor you bought the domain from, and finding the section for the DNS controls. If you have your domain pointing your IP address, you've already used it, probably by adding an A or AAAA record. Let's Encrypt DNS challenge requires only a TXT record, which should be available on virtually every domain registrar's DNS controls.

Why does my domain and ssl is not working correctly from every place?

I have a domain purchased at 1and1 and set up at AWS EC2 with SSL and Apache server.
Even the domain pointing to the correct IP (using nslookup I can see it), it works from some places and not from others.
For example, here from my workplace, I see this page (the domain does not reach the EC2 server):
I launched a Windows EC2 at AWS to make a test and from there, everything is correct (the page loads and SSL is valid):
From my client's computer, it has another behavior. It reaches the EC2 server, but is says the SSL is invalid:
Has anyone faced the same problem?
The first thing you need to do is get an Elastic IP, the instance IP can change during reboot etc but elastic IP are static IP’s so you should make sure you create one of them and assign it your running instance.
Create Hosted Zone and Record Sets
Documentation is here - https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/CreatingHostedZone.html
Create a recordset and add values
Add the Amazon NameSpaceServers in Control panel of Domain Provider
Import the SSl certificate to AWS Certificate manager (Optional). Documentation is here https://docs.aws.amazon.com/acm/latest/userguide/import-certificate-api-cli.html#import-certificate-api
Self signed certificate will not work.
Deploy the SSl certificate into Apache server and configure the traffic for https.
Open the AWS in-bond traffic port documentation is here - https://aws.amazon.com/premiumsupport/knowledge-center/connect-http-https-ec2/

ssl certificate for aws

I have a https web app running on my aws ec2 instance.
https://ec2-52-91-100-69.compute-1.amazonaws.com/
I need to get a ssl certificate for the same so that the scary warnings do not appear.
How can I do this? I tried to buy a ssl from clickssl.com but their helpdesk emailed me with the following:
"You completed enrollment process for domain name
ec2-52-91-100-69.compute-1.amazonaws.com.
I believe you cannot get SSL for this domain name because root domain
name amazonaws.com is Amazon property."
If this is the case is there no way to get a ssl certificate for my application? I dont believe thats the case.
Any help will be appreciated.
First you need to register a domain through a registrar (e.g. GoDaddy or Amazon Route 53). Next you assign an Elastic IP to your EC2 instance and use your registrar's DNS tool to make your domain point to the Elastic IP address. Then you can request an SSL certificate for your own domain.
You do need to register a domain, or use a subdomain of a domain you already have registered. You do NOT need to use an Elastic IP - they are limited and eventually (if you use multiple domains in your AWS account) you will run out. Instead, you can use a CNAME to point to the AWS name (e.g., ec2-52-91-100-69.compute-1.amazonaws.com).
Once you have that set, use Let's Encrypt to get a free widely accepted certificate. There are plenty of tutorials on the installation process - try:
https://ivopetkov.com/b/let-s-encrypt-on-ec2/
Just noticed the original question is OLD - which means (among other things) that Let's Encrypt wasn't even an option at the time. But for anyone who stumbles across this question now, it is a great solution.

How to make Amazon EC2 not cause SSL invalid error in browser

I use SSL certificate for a web site I set up in Amazon EC2 Machine Instance. The SSL certificate is for one domain name, which is not public DNS for the Amazon Machine Instance. The browser always complains the mismatch in the domain name because it compares the domain name of the SSL certificate to the Amazon public DNS.
How can I set up not to cause this problem?
I tried both domain name forwarding and A Record setting.
Maybe it's because I'm not so familiar with Amazon EC2 and I haven't configured domain name correctly.
Any help will be greatly appreciated.
The browser compares the domain name that you've typed in the address bar with the domain name in the certificate. If they're different then there's an error: that's by design.
The way to "fix" this is to buy a certificate for whatever domain name you type into the browser to get to the EC2 instance: mywebsite.com, not ec2-x-y-z.compute-1.amazonaws.com or whatever...
After that the instance has an IP you can setup a domain name with it if you want. The easiest way is you can use through a DNS service like EveryDNS. Just provide your domain name registrar with EveryDNS’s domain name servers, create an EveryDNS account, add your domain and create an A record with your newly associated EC2 instance IP address.
after that you have to get a certificate for that domain name.If you do these steps and still having problems pls let me know.
also you can read here for further details.
and i faced same problem before you can check the amazon forums for the exact answer