I have a EC2 instance that act as a web server, it hosts various sites and some of them have ssl certificates, lets say one of them is secure.abc.com and has certificate for https://secure.abc.com
After I added an elastic load balancer, assuming it's public dns 'myelb.amazon.com' and I changed the cname record in my DNS to make 'secure' to point to 'myelb.amazon.com', the certificate becomes invalid.
How do I fix this?
My second question is if I have more than one site that has ssl certificates, will a single load balancer work?
In order to fix this issue, you need multi domain SSl certificate to protect your multiple domains includes your DNS domain name also..!
A single certificate for your domain names is the solution for your issue!
And for second question, answer is yes, if you have website with SSL certificate then your load balancer work for it, even it works for multiple host name or ip address too.
I hope this doc should help you out
Stupid me, there is an option to select "TCP" instead of "HTTP"/"HTTPS" which will make the ELB work at the TCP/IP level
Related
I am pretty new with the domain configuration part. I want to know that can I generate SSL only for my subdomain I didn't want to add the root domain with CLOUDFLARE because my root domain already has SSL certificate. Is it possible to do that? I have purchased my domain from the GODADDY. I will add the generated SSL certificate to IIS.
Please help me out !!
Edit: I don't want to add my root domain to CLOUDFLARE because if I will do it I have to change my NAMESERVER for the same and my root domain already has SSL.
I believe what you're looking for is the CNAME setup on Cloudflare. This is the alternative method of Name Server setup. However, this setup requires a Business plan. With CNAME setup, you can have just a certain subdomains to be used with Cloudflare. With proxy turned on the subdomain, you'd get the usual Universal SSL certification from Cloudflare.
I am working with Load Balancing to have https to my static website and I have my domain in GoDaddy
I created a LoadBalancer with
Backend configuration: To my Cloud storage buckets & enabled CDN.
Frontend configuration: Https having static IP I have enabled
Google-managed SSL certificate with my domain example.com which is in GoDaddy.
Do I need to do any configuration in GoDaddy like pointing, After 10-20 min I get FAILED_NOT_VISIBLE in domain status
I am new and don't know how to link.
In google docs I can see DNS records for your domain must reference the IP address of your load balancer's target proxy, Can someone help me to understand.
https://cloud.google.com/load-balancing/docs/ssl-certificates?hl=en_US&_ga=2.190405227.-1195839345.1570257391#certificate-resource-status
Finally I fixed it, We need to point the Static IP to DNS in my case I have in GoDaddy, It took some time to point DNS and then it took time for my Google-managed SSL certificate to turn green.
Once it's done I hade an issue with err_ssl_version_or_cipher_mismatch for this we need to add Policy to tell LB to use TLS 1.2 but in my case it automatically resolved in 10 min.
We can Point DNS in two ways one by directly adding Static IP to A record in GoDaddy other is by creating a Cloud DNS in GCP and point Nameserver in Godaddy.
We must establish a link to confirm our DNS with Static IP of LB so that the SSL turns Green after confirming Domain status.
Can I have EV SSL for my main domain (say www.example.com) and Wilcard SSL for my subdomains (say eb1.example.com, eb2.example2 etc)?
If yes, then can you please let me know how to configure it?
If not, then please suggest me alternate methods.
All the subdomains and the domain will be hosted on Amazon and will have one IP.
Yes, you can purchase an EV SSL Certificate for your main domain and wildcard SSL certificate for the sub domain names.
Please ensure that the Main domain has a dedicated IP Address and it is not shared with the sub domains.
You can have use multiple certificates at the same time which overlap in the subjects like in your case. To have multiple certificates for the same IP address the serve and client must support SNI. Most modern server and browsers do. But older browser like IE8 on XP do not and support within non-browser application is mixed.
I have a domain which we'll call www.mydomain.com for reference. I have a subdomain at m.mydomain.com for people who want to view the website via their mobile devices. My users are logging into this site so I wanted to protect their credentials if possible. Because of this, I purchased an SSL certificate.
I'm not an SSL certificate guru, so I may be misunderstanding something. I thought that I could have a single SSL certificate for my domain. However, when I attempt to access https://m.mydomain.com I get redirected to https://www.mydomain.com instead of seeing the content that is at http://m.mydomain.com. In other words, here is a list of my configurations and results pulled from IIS 7:
Site Name Binding Type Host Name Port IP Address Result via Browser
--------- ------------ --------- ---- ---------- -----------------------------------
MySite http 80 ww.xx.yyy.zz http://www.mydomain.com works fine
MySite https 443 ww.xx.yyy.zz https://www.mydomain.com works fine
MyMobileSite http m.mydomain.com 80 ww.xx.yyy.zz http://m.mydomain.com works
My first hunch was to add a new binding of type https to MyMobileSite on port 443. However, in the process, I noticed that I'm prompted to select an SSL certificate. I'm concerned that if I select the SSL certificate associated with MySite, it will break that binding. Once again, I do not fully understand SSL certificates. Can I use the same SSL certificate across multiple IIS Sites and multiple binding as long as they share the same domain? Can I go ahead and create the binding like I was thinking? My main concern is that I break something and being unable to reverse it.
Thank you!
no the fact is that certificates are used to verify that your not using someone else's ip (spoofing) i suggest using linux and self signed ssl certificates but if your using windows thats fine too just use ssl on all your domains as long as there on same (external) IP,
hope this helps.
PS SSL is just a way of making sure security encrypted protocols are in effect between server and client.
I always recommend having both :443 and :80 for everyone to choose how they connect except if you are running sensitive data streams for money transfers etc, then defiantly make sure it uses secure (443 port) and never port 80 (unsecured connection).
It all depends on the type of certificate you purchased. Usually your lower costs cretificates are tied directly to one domain/sub domain name. However there are certificates that you can buy for instance the
http://www.verisign.com/ssl/buy-ssl-certificates/subject-alternative-name-certificates/index.html
Depending upon your organizations policy on purchasing, i would almost just suggest buying a seperate one for the Mobile site
I have a question, I fear the answer.
I have:
a top level domain name (free from Tokelau, a territory of New Zealand, .tk, where else?),
a free 2 year ssl certificate from startSSL.com,
a free hosting package.
Now I jumped through every hoop startSSL wanted (admittedly wasn't too difficult), to get me my 2 year ssl certificate, and now I fear I have encountered a final barrier to success that might still stall my plans. I dreamt of a corner certificate stating "Secured by startSSL". I got the code snippet and everythings, and have pasted it into my website.
Problem. my host is not so keen on a free package to allow me to ssl.
As far as I know you need access to some config files to allow this to happen?
or can you just like with .htaccess and .htpassword files do the setting on your webhost?
Also you need a static IP. Are there any workarounds?
Or am I dreaming? Anyone with advice?
SSL Requires some files and configuration changes, pointing to the files.
Also, the static IP is required because with an encrypted request, there's no way to know to what host the request is intended without decryption. The use of a static IP address gives that request a destination.
To clarify: when using virtual hosts, multiple hosts will share the same IP address, so when a request comes in, the first two lines are:
GET /path/to/resource HTTP/1.1
Host: www.example.com
Apache (or any web server), looks at the 'Host' field to determine how to route the request. If the request is encrypted, there's no way to determine how to route the request, and you need to know what certificate to use in order to decrypt it.
Forget it. If your host doesn't have SSL configured, you have no chance to add it without their help
There are two problems with your proposed set-up.
Free hosts generally don't provide a control panel interface to allow installation of SSL Certificates (at least I've never seen it) as this requires either their help on the back-end or VPS / Dedicated Server access from the front-end.
Static IP address is a must for SSL certificate installation.
From webserver perspective, SSL cert is about a port and an IP address, even when being used with Name-based virtual hosts.
SSL is about the IP the matching the cert and domain in the URL/request(to verify the cert).
You would have to give a second SSL cert different port or different IP address on the webserver.
Alternatively, you can also get multi-domain and wildcard certs that allow different hostnames or domains to match the cert with different client request URLs, but the cert is still the only thing on that port/IP of the webserver.
Just my $.02