The site works perfectly fine on HTTP, however, does not work on HTTPS.
I've followed all the steps on this page to create a self-signed certificate and add it to my Elastic Beanstalk environment.
http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https.html
I'm also getting a successful certificate response back from IAM using the following command:
aws iam get-server-certificate --server-certificate-name
After updating Elastic Beanstalk with the certificate, I've also added add a rule to the security group that allows inbound traffic from 0.0.0.0/0 to port 443.
Finally, I've also validated that my load-balancer listener has HTTPS set up correctly.
In spite of all that, my calls to https is not resolving, while http is working perfectly fine.
Any other thoughts on this? Any help would be much appreciated.
Please let me know if you need any more information. Desperately looking for some insight/help into this.
Anyway, not being able to resolve this issue with my site/code, I tried to set up HTTPS on the sample site provided on Elastic Beanstalk. Interestingly enough, even that is not working.
I want to provide an update that I was finally able to resolve the issue.
The root-cause was because I missed to set up an Inbound Rule for the Security Group of the Load Balancer.
For whatever reason, when I read the documentation, I understood that the Inbound Rule needed to be set up for the Security Group of the Instance (and not the Load Balancer). Only after I started tracing the Load Balancer did I realize that I should perhaps try setting up the Rule for the Security Group of the Load Balancer. So, the problem is resolved. Below is the setting I used.
HTTPS 443 HTTP 80 <name of the certificate>
I'd have to say that the documentation could be a bit more clear to clearly identify the change required to the Security Group of the Load Balancer (and not the Instance).
Amazon recently released AWS Certificate Manager :
Go to https://console.aws.amazon.com/acm/home
Add your domain and validate it by email
After the certificate is issued, deploy it to your Elastic Load Balancers following the steps (and easily setup your security groups)
It's event better for a performance point of view:
Because ELB supports SSL offload, deploying a certificate to a load
balancer (rather than to the EC2 instances behind it) will reduce the
amount of encryption and decryption work that the instances need to
handle.
follow the doc for more information:
https://aws.amazon.com/fr/blogs/aws/new-aws-certificate-manager-deploy-ssltls-based-apps-on-aws/
I can't believe this...but it goes to show how bad the AWS console is...I had to scroll down and click "Apply" on an invisible button when it shows "Pending create" after add making me think it's working...facepalm.
Hello i was had like this and i follow this steps and works to me:
Generate certificate
the first thing is request a Request certificate on AWS Certificate Manager (ACM)
take a look on this video to create a new one https://youtu.be/bWPTq8z1vFY
Configurations of the Elastic Beanstalk
on the configuration -> load balancer
create a new listener:
in this step i get this :
Creat a new record on route 53
so i use route53 to host my site
go to route 53 ->select your host zone and create a new record
choose the option of alias to select your route traffic in your case Elastic Beanstalk, your region and the name of your application
this works if you use route 53 and EB but in other host providers i thing i woiuld work too.
Related
I set up SSL Proxy Load Balancing using official guide. I have completed every step, but when I visit my domain, I am getting a 404 Not Found response. I am trying to set up SSL on my website, hosted in Google Cloud VM and is accessible via IP of the VM.
Also, in the Create instances section of that guide, step-6 is unclear to me. Am I supposed to add ssl-lb as a network tag?
Of course, if you are creating a firewall rule for the SSL load balancer by specifying Target tas then you must have to create instance with specified tag.
If you look at the section Create a firewall rule for the SSL load balancer step 6 you will understand.
You need to create the instance With the tag ssl-lb which the firewall rule will use later. You are supposed to add ssl-lb as a target tag while creating the Firewall rule.
VPC Networks —> Firewall —>While creating firewall rule to allow traffic from load balance to instance you need to create a firewall rule by entering the allow-ssl-lb-and-health add the select network as default and here you have to set target tags as ssl-lb .
You can also add ssl-lb as a network tag by using the Gcloud command line.
I have a website, example.com, that has a subdomain called play.example.com which hosts a multiplayer game on it.
Separately, I have an Elastic Beanstalk environment that hosts the game server (NodeJs backend), separate from the client build itself.
play.example.com connects to the game server over https, but is met with the error: ERR_CERT_COMMON_NAME_INVALID.
Steps I have taken:
1) Created an SSL certificate for *.example.com using AWS Certificate Manager
2) Added a listener to my load balancer that listens on port 443
3) Created an alias, type A IPv4 with the name play.example.com to the EB url
I understand the the error means that there is a name mismatch between the URL and the certificate, but isn't that what the alias is supposed to fix?
Thanks for any suggestions.
Okay, I've spent about a week now trying to fix these issues myself, and unfortunately Stackoverflow is full of people asking this question and nobody's giving answers.
Here's how I solved it, some of this might work for you too. It ended up being primarily configuration issues.
Your SSL cert is appropriate - I ended up hardcoding my subdomain ops.example.com but your wildcard shouldn't be an issue.
I read somewhere that AWS requires any DNS records to be of type CNAME, so I set up a basic CNAME record to redirect ops to my-site.my-aws-region-1.elasticbeanstalk.com
Then, what ended up being the linchpin to the whole thing was that in order to make HTTPS work, your load balancer has to be Listening for HTTPS on 443 and route to the instance via HTTP on 80.
Amazon was trying to tell me this, but because I was a noob and because their tutorials are some of the worst tutorials I've read in my entire career, they actually don't expose any of your secure ports to the internet. Which is actually fine because your traffic is encrypted all the way up to the load balancer, and then after that, even though it's not HTTPS anymore, it's all already on amazon's servers anyway so it's not any less secure.
Hope something in here helps!
I have a domain purchased at 1and1 and set up at AWS EC2 with SSL and Apache server.
Even the domain pointing to the correct IP (using nslookup I can see it), it works from some places and not from others.
For example, here from my workplace, I see this page (the domain does not reach the EC2 server):
I launched a Windows EC2 at AWS to make a test and from there, everything is correct (the page loads and SSL is valid):
From my client's computer, it has another behavior. It reaches the EC2 server, but is says the SSL is invalid:
Has anyone faced the same problem?
The first thing you need to do is get an Elastic IP, the instance IP can change during reboot etc but elastic IP are static IP’s so you should make sure you create one of them and assign it your running instance.
Create Hosted Zone and Record Sets
Documentation is here - https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/CreatingHostedZone.html
Create a recordset and add values
Add the Amazon NameSpaceServers in Control panel of Domain Provider
Import the SSl certificate to AWS Certificate manager (Optional). Documentation is here https://docs.aws.amazon.com/acm/latest/userguide/import-certificate-api-cli.html#import-certificate-api
Self signed certificate will not work.
Deploy the SSl certificate into Apache server and configure the traffic for https.
Open the AWS in-bond traffic port documentation is here - https://aws.amazon.com/premiumsupport/knowledge-center/connect-http-https-ec2/
I'm trying to use my aws certificate with elastic load balancer on my EC2 instance which has Apache. I followed this tutorial http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-getting-started.html#configure-health-check to create my classic load balancer.After that creation everything looks right in my load balancer console . But when i try to browse my website with https instead of http chrome says connection is not secure. When i look inside of certificate from browser i see that certificate published by localhost.
So is there any additional configuration that i have to do like in my httpd-ssl.conf file or something else? By the way all this services are in the same region.(Frankfurt)
Thanks George!!! Route DNS to ELB is the key point. Since you sent that comment i had been working on it. Now i got it! Here is the link of routing DNS to ELB;
http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-to-elb-load-balancer.html
First question, so if I get this wrong somehow be kind.
We are using Route 53 with Amazon and have our primary front end servers behind an ELB. Our app also routes all requests through HTTPS. We are utilizing an offsite status page via statuspage.io.
What I am trying to accomplish is if the primary site goes down I'd like to have R53 redirect both the SSL and non-SSL traffic to our status page.
I originally had tried setting up a static page in S3 but still had issues with HTTPS requests made on our site.
Has anyone done this successfully? I imagine it has to be possible, but its definitely outside my realm of expertise.
Thank you very much for your time and help.
You are right, S3 website doesn't support HTTPS. However, CloudFront does[1]. What you can do is failover to CloudFront and have your origin be your S3 website or your statuspage.io.
Steps:
Create a distribution and set the CNAMEs to match your DNS entries.
Upload and associate your SSL cert with your distribution
Update failover target to be your CloudFront distribution and set it as an alias.
[1] http://aws.amazon.com/about-aws/whats-new/2014/03/05/amazon-cloudront-announces-sni-custom-ssl/
Route53 is managing the DNS which is not what you want to do (even if you'd change the DNS it would take TTL to sync). What you should do is use a combination of auto-scaling policies and health-checks. These health-checks will be performed by the ELB every 30 seconds and if two consecutive checks will fail it'll mark the instance as out-of-service and will stop directing traffic to it (the ELB is directing traffic to your instances in a round-robin manner).
Having more than one instance and using auto-scaling rules is the key: it will enable AWS to terminate the unhealthy instance and spin up a new instance instead (in the same ASG with the same AMI etc).