SSL with AWS Elastic Load Balancing - Static IP?

I've asked my provider for an SSL certificate. They said the CSR must be generated from a host having the IP address which belongs to the certificate. Otherwise it will not be valid later.
As far as I know one can only assign a CNAME to a load balancer and it is not possible to generate the CSR on the load balancer. Apart from that the lb ip might change. So do you get your valid certificates?
Regards,
Jim

You don't have to generate the CSR on the load balancer. You only have to generate it with a name consisting of the required domain name. You can do that anywhere.

Jim, I had the very same question as you. This is my first foray into the realm of multi-server deployments with SSL.
I found this: http://www.martfox.com/customer/knowledgebase/140/Why-a-SSL-Requires-Dedicated-IP.html
It looks like it is commonly said that you must have a static IP address to run SSL, but it really looks like you don't need a static IP as much as an IP that you are the only one using at the time. The IP address is not needed when signing a certificate, or creating a signing request. It is not attached to your keys in any way, so you can change static IP addresses or even move hosting providers without reissuing your SSL cert.
It appears that the limitation is because VHOSTS and other server aliasing methods don't have access to the HTTP request string before they have to connect the SSL layer, so they aren't able to route it like they do unauthenticated requests.
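To make the point of both answers concrete, here is an added example (not code from the thread) that generates a key and a CSR on whatever machine you like. The request carries the hostname in the subject and in a subjectAltName entry and nothing about the machine's IP address, so it can be produced on a laptop and the issued certificate later uploaded to a load balancer whose address changes. It assumes the openssl command-line tool (1.1.1 or newer, for -addext); www.example.com is a constructed name.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Generates a 2048-bit RSA key and a CSR that identifies the server only by
# hostname. No IP address is involved, which is why the CSR can be generated
# anywhere and the resulting certificate deployed behind a load balancer.
# Assumes: the openssl CLI is installed; hostnames used are constructed.

make_csr() {
  # $1 = hostname the certificate is for, $2 = output directory
  host="$1"; out="$2"
  mkdir -p "$out"
  # -nodes leaves the key unencrypted so it can be installed non-interactively;
  # -subj and -addext make the run fully non-interactive.
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$out/$host.key" -out "$out/$host.csr" \
    -subj "/CN=$host" \
    -addext "subjectAltName=DNS:$host" 2>/dev/null
}

# Show the identities a CA will see in the request: the subject and any
# DNS or IP entries in subjectAltName. An "IP Address:" line never appears
# unless you deliberately add one.
csr_identities() {
  openssl req -noout -text -in "$1" | grep -E 'Subject:|DNS:|IP Address:'
}

# Confirm the request is well-formed and self-signed with the matching key.
csr_verify() {
  openssl req -noout -verify -in "$1" >/dev/null 2>&1
}
```

Typical use is `make_csr www.example.com ./out` followed by `csr_identities ./out/www.example.com.csr`; the output lists the subject CN and the DNS SAN only. Keep the .key file on the machine that will terminate TLS (or upload it with the certificate to the load balancer); only the .csr goes to the CA.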

Related

Where would be the best place to host my simple Flask API?

I have a Flask API which has no database but just a json file that stores the data. At the moment I have put it on an EC2 and opened a port so someone can put in the IP address and port and have access to the API that way. The problem with this is that I get a mixed content error since the site it uses is HTTPS and the API is HTTP. I want to put the API behind HTTPS on a proper platform but I'm not sure where to start.
Is there a platform that I can host the API python file and the json file behind an HTTPS?
All of them? EC2 allows HTTPS (per #tawfikboujeh's comment). I don't actually know a hosting platform that would allow HTTP but not HTTPS.
There are some options in how you accomplish this:
1. Use a self-signed certificate. This will give you HTTPS but all the modern browsers will give a nasty warning to all your visitors.
2. Purchase a signed certificate for your IP address from a CA. Just hope you don't have to change your IP address.
3. Purchase a domain and use Let's Encrypt to generate a signed certificate for you.
Option 3 would be the most robust solution, but it does carry the cost of a domain (maybe $10/year).
Google App Engine is perfect for this. SSL cert is free, and you would be in their free tier.
https://cloud.google.com/free

Google Managed Certificate with ip address

I am trying to create a Google Managed SSL Certificate for my compute engine instance. However, I am required to enter a domain. The issue is, I do not have a domain associated with my instance, I only have its external IP address.
How can I use the ip address of my instance for the certificate, or how do I associate it with a domain?
You might be confusing what Google is asking for.
In order to create an SSL certificate, you must own / manage / control a domain name.
Next, in order to use the SSL certificate that Google created (or by other means such as Let's Encrypt), you map the Google Service, such as a load balancer, to a backend such as Google Compute Engine VM instances.
If your goal is to create an SSL certificate using an IP address - you cannot. SSL certificates require a domain name. There are exceptions to this, such as using a machine name to create a self signed certificate, but this does not apply to your situation.
Another important item. Once you create a Google Managed SSL certificate, you cannot use it on your VM instance. You can only use it for Google managed services such as Load Balancer. The Load Balancer will then sit in front of your VM instance.
If your goal is to create an SSL certificate that you can install on your VM instance, look into Let's Encrypt. Let's Encrypt is simple to work with and their certificates are free. You will still need to own a domain name, but you will be able to control where it is installed.
Once you install a Let's Encrypt SSL certificate, you modify the DNS servers that your domain registrar set up to point your domain name to an IP address.

How to correctly specify a common name for Service Fabric certificate

Microsoft docs say to use something like clustername.eastus.cloudapp.azure.com, but what about custom DNS for the cluster?
Will the certificate properly validate or should the custom DNS (i.e. clustername.domain.com) be used?
The DNS provided by the docs is just an example, I don't think you will be able to register a certificate against a domain you don't own like .azure.com.
In this case, you will register a certificate against a domain you own, and you either:
Register a CNAME record on your domain to redirect to the cluster domain clustername.eastus.cloudapp.azure.com, or
Configure the DNS A record to point to your cluster Load Balancer IP.
In the demo, the Common Name is just used to identify the certificate installed in the node (VM) certificate store.
The following links describe the use of certificates in more detail:
https://learn.microsoft.com/en-us/azure/service-fabric/service-fabric-cluster-creation-via-portal
https://learn.microsoft.com/en-us/azure/service-fabric/service-fabric-cluster-security-update-certs-azure
https://learn.microsoft.com/en-us/azure/service-fabric/service-fabric-windows-cluster-x509-security

Getting SSL certificate for a subdomain on a separate server (with dedicated IP)

My main site https://example.com has an SSL cert, no problem.
Now, I have developed a related application, that is hosted on a completely different server, and under app.example.com. It has a dedicated IP.
The app uses websockets and needs SSL to function properly across all devices. But I'm having trouble finding out how to register a new certificate for a subdomain... What's the strategy here? Should I have a wildcard cert on the main server, and somehow redirect from there? In that case, the app server wouldn't have access to the cert, and I wouldn't be able to create my secure socket connection, right?
The certificate has to be installed on the server which provides content using this certificate. This means:
That the certificate for the subdomain has to be used on all servers which serve the subdomain, i.e. your websocket server.
And nowhere else, i.e. it is not needed at the main domain just to provide a redirect from the main domain away.
You are free to use any certificate which matches the subdomain, that is it can be a wildcard certificate but can also be specific for only this domain.
You can go for a wildcard certificate and bind it to all the URLs that share the same domain. But keep in mind, wildcard certificates (irrespective of brand) support unlimited first-level subdomains.
Wildcard certificates can be installed on any server where the FQDN is hosted. In situations where the subdomains are hosted on multiple servers, the wildcard certificate will work for all of them.

Is SSL possible with virtual hosting on one IP?

An upvoted SO answer claims:
[SSL] breaks name based virtual hosting. With SSL, it's one site - one IP address.
Is that true? Does shared hosting that offers SSL certificates lease whole IP ranges?
With SSL, the server is always authenticated before application data is sent. The "Host" header of the HTTP request is application data. So, in general, you can't use HTTPS with virtual hosting.
However, if one party controls all of the sites that are hosted virtually, a single certificate can be created that lists all of the virtual host names in the "subject alternative name" extension. To emphasize, since there is only one key pair, a single private key is used to authenticate all of the hosts. This key should be controlled by a single owner.
Alternatively, Sripathi Krishnan pointed out that there is a TLS extension (currently specified in RFC 6066) that allows the browser to hint to the server which server certificate to present before the first handshake is completed. However, this extension is not universally supported.
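The three claims made across these threads (a certificate names hosts, not IP addresses; one certificate can list several hostnames in its subjectAltName; a wildcard covers only first-level subdomains) can be checked directly with openssl's own hostname matching. The following is an added example, not code from any of the answers: it issues a throwaway self-signed certificate with a SAN list and then asks openssl which names it is valid for. It assumes the openssl CLI (1.1.1 or newer, for -addext); every hostname and the IP address are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Creates a self-signed certificate whose subjectAltName lists several DNS
# names and a wildcard, then uses X509_check_host / X509_check_ip (via
# "openssl x509 -checkhost / -checkip") to show:
#   - every listed name matches, so one key pair serves all of them;
#   - "*.example.com" matches exactly one label: app.example.com yes,
#     example.com and deep.app.example.com no;
#   - an IP literal matches nothing, because there is no iPAddress SAN.
# Assumes: openssl CLI 1.1.1+; all names and the IP below are constructed.

make_san_cert() {
  # $1 = output directory, $2 = subjectAltName value, e.g.
  #      "DNS:example.com,DNS:*.example.com,DNS:shop.example.net"
  out="$1"; sans="$2"
  mkdir -p "$out"
  # -x509 self-signs instead of emitting a CSR; -days 1 keeps it throwaway.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$out/server.key" -out "$out/server.crt" \
    -subj "/CN=example.com" \
    -addext "subjectAltName=$sans" 2>/dev/null
}

# Exit 0 if the certificate is valid for the DNS name, 1 otherwise.
# openssl prints "Hostname X does match certificate" or "... does NOT match".
cert_matches_host() {
  openssl x509 -noout -in "$1" -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# Same check for an IP literal, which is compared only against iPAddress SANs,
# never against DNS names or the subject CN.
cert_matches_ip() {
  openssl x509 -noout -in "$1" -checkip "$2" 2>/dev/null | grep -q 'does match'
}
```

Run `make_san_cert ./out "DNS:example.com,DNS:*.example.com,DNS:shop.example.net"` and then `cert_matches_host ./out/server.crt app.example.com; echo $?`. The same matching rules are what a browser applies, so this is a quick way to confirm, before buying a certificate, whether a given SAN list or wildcard will actually cover the hosts you plan to serve.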
If you look at A2Hosting SSL services, they require you to have a dedicated IP address besides shared hosting and that's it.
So yes, as long as you maintain a dedicated IP address you can obtain an ssl certificate.
http://www.a2hosting.com/services/ssl-hosting