29

The site works perfectly fine on HTTP; however, it does not work on HTTPS. I've followed all the steps on this page to create a self-signed certificate and add it to my Elastic Beanstalk environment. http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https.html

I'm also getting a successful certificate response back from IAM using the following command: aws iam get-server-certificate --server-certificate-name

After updating Elastic Beanstalk with the certificate, I've also added a rule to the security group that allows inbound traffic from 0.0.0.0/0 to port 443. Finally, I've also validated that my load-balancer listener has HTTPS set up correctly.

In spite of all that, my calls to HTTPS are not resolving, while HTTP is working perfectly fine. Any other thoughts on this? Any help would be much appreciated.

Please let me know if you need any more information. Desperately looking for some insight/help into this.

Anyway, not being able to resolve this issue with my site/code, I tried to set up HTTPS on the sample site provided on Elastic Beanstalk. Interestingly enough, even that is not working.

Neo
  • 1
    This question appears to be off-topic because it is not about programming. See [What topics can I ask about here](https://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Server Fault](http://serverfault.com/), [Webmaster Stack Exchange](http://webmasters.stackexchange.com/) or [Web Apps Stack Exchange](http://webapps.stackexchange.com/) would be a better place to ask. – jww Jul 05 '14 at 23:09
  • That is a good point... though initially my doubts were more on settings I had used in my Grails application, by the time I had posted, most of the clues were pointing towards server settings, thus I omitted the Grails-related questions in the posting, most likely making the question off-topic for this forum. Thanks for pointing that out. – Neo Jul 06 '14 at 04:00

4 Answers

51

I want to provide an update that I was finally able to resolve the issue. The root cause was that I missed setting up an Inbound Rule for the Security Group of the Load Balancer.

For whatever reason, when I read the documentation, I understood that the Inbound Rule needed to be set up for the Security Group of the Instance (and not the Load Balancer). Only after I started tracing the Load Balancer did I realize that I should perhaps try setting up the Rule for the Security Group of the Load Balancer. So, the problem is resolved. Below is the setting I used.

HTTPS           443     HTTP        80      <name of the certificate>

I'd have to say that the documentation could be a bit more clear to clearly identify the change required to the Security Group of the Load Balancer (and not the Instance).

Neo
  • 15
    Thumbs up @Neo very helpful!! But well, I wouldn't say it's your fault. I would say, Amazon Docs are cryptic! They could do waaaaay better... It's so confusing and misleading... I wish they would re-do their documentation website. – kroe Dec 21 '14 at 04:49
  • 1
    That was a good point @Benjamin... I just accepted the answer :) – Neo May 05 '15 at 15:50
  • Do you have an answer for this http://stackoverflow.com/questions/42801974/configure-https-aws-elastic-beanstalk-application – Jabaa Mar 15 '17 at 05:50
  • What is 'name of the certificate?' After I created the certificate, the name is blank for me for my certificate under Certificate Manager. – user2233706 Jul 11 '17 at 02:55
  • @Neo could you please take a look at https://stackoverflow.com/questions/46022599/unable-to-setup-ssl-for-website and tell me what I am missing with my settings – gazubi Sep 03 '17 at 10:42
  • @user2233706 Sorry to necropost. Did you find a solution for this? My certificate name is also blank. – msbarnard Apr 30 '18 at 17:28
  • @msbarnard I recently created a new certificate and this still happens to me, but that hasn't prevented me from assigning the certificate to the load balancer. The name of the certificate that shows up when I modify the load balancer is my domain name. – user2233706 Apr 30 '18 at 18:38
  • 1
    Still helpful in 2018! – Lelo Aug 31 '18 at 17:44
  • To be clear, the solution set the listener port to 443 with listener protocol HTTPS and instance port 80 with instance protocol HTTP. – Jack Jan 12 '19 at 18:57
  • @Neo you are a genius. You saved my day ;-) Thanks a lot. At first, I set Listener port/protocol and Instance port/protocol to 443/HTTPS. Then I realised that it has to be only the Listener. The Instance stays at 80/HTTP. – Strabek Dec 21 '19 at 22:13
  • Thanks @Neo this was the silver bullet, and nowhere to be found in the EB docs. For others' reference: my process for a dev/staging instance 1.) create self-signed certs and upload to IAM [doc](https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-ssl.html) 2.) Change load balancer listener to https and select cert from IAM 3.) Find the LOAD balancer security group inbound http rule to https (I used the EC2 control panels for the last 2 steps). – Timmay Dec 11 '20 at 23:22
  • Just wanted to thank you and state this solved my problem! This works because the load balancer is resolving the HTTPS connection, not the instances. I had both my instance port and my load balancer port as HTTPS 443, but the instance should be HTTP 80 since it is not resolving HTTPS directly. – Alexander Mar 06 '22 at 15:44
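
The root cause described in the answer above, as an added example that is not part of the original post: a check that flags any listener whose port is not allowed inbound by the load balancer's own security group. The data is constructed, shaped like the output of `aws elb describe-load-balancers` and `aws ec2 describe-security-groups`; the group IDs and certificate ARN are placeholders.

```python
# Constructed sample data, shaped like the output of
# `aws elb describe-load-balancers` and `aws ec2 describe-security-groups`.
# All names, IDs and the certificate ARN are placeholders.
LOAD_BALANCER = {
    "SecurityGroups": ["sg-lb-example"],
    "ListenerDescriptions": [
        {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80,
                      "InstanceProtocol": "HTTP", "InstancePort": 80}},
        {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
                      "InstanceProtocol": "HTTP", "InstancePort": 80,
                      "SSLCertificateId": "arn:aws:iam::111122223333:"
                                          "server-certificate/placeholder"}},
    ],
}
ANYWHERE = [{"CidrIp": "0.0.0.0/0"}]
INBOUND_RULES = {  # GroupId -> IpPermissions
    # Load balancer group: only port 80 is open (the root cause above).
    "sg-lb-example": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                       "IpRanges": ANYWHERE}],
    # Instance group: 443 was opened here, which does not help.
    "sg-instance-example": [{"IpProtocol": "tcp", "FromPort": 443,
                             "ToPort": 443, "IpRanges": ANYWHERE}],
}

def port_open(permissions, port):
    """True if any inbound rule covers this TCP port ("-1" = all traffic)."""
    return any(
        p["IpProtocol"] == "-1"
        or (p["IpProtocol"] == "tcp" and p["FromPort"] <= port <= p["ToPort"])
        for p in permissions
    )

def audit(lb, inbound_rules):
    """Return findings for listeners the load balancer cannot actually serve."""
    findings = []
    for desc in lb["ListenerDescriptions"]:
        lsn = desc["Listener"]
        port = lsn["LoadBalancerPort"]
        if lsn["Protocol"] in ("HTTPS", "SSL") and not lsn.get("SSLCertificateId"):
            findings.append(f"listener {port}: no certificate attached")
        # Rules of all groups attached to the load balancer are combined.
        if not any(port_open(inbound_rules.get(sg, []), port)
                   for sg in lb["SecurityGroups"]):
            findings.append(f"listener {port}: load balancer security group "
                            f"does not allow inbound tcp/{port}")
    return findings

if __name__ == "__main__":
    print(audit(LOAD_BALANCER, INBOUND_RULES))
```
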
3

Amazon recently released AWS Certificate Manager:

  • Go to https://console.aws.amazon.com/acm/home
  • Add your domain and validate it by email
  • After the certificate is issued, deploy it to your Elastic Load Balancers following the steps (and easily set up your security groups)

It's even better from a performance point of view:

Because ELB supports SSL offload, deploying a certificate to a load balancer (rather than to the EC2 instances behind it) will reduce the amount of encryption and decryption work that the instances need to handle.

Follow the doc for more information:

https://aws.amazon.com/fr/blogs/aws/new-aws-certificate-manager-deploy-ssltls-based-apps-on-aws/

Wade Matveyenko
Sebastien Horin
  • 2
    While this link may answer the question, it is better to include the essential parts of the answer here and provide the link for reference. Link-only answers can become invalid if the linked page changes. - [From Review](/review/low-quality-posts/11021873) – Vojtech Vrbka Jan 25 '16 at 17:52
  • "AWS Certificate Manager (ACM) is available now in the US East (Northern Virginia) region, with additional regions in the works" – Sebastien Horin Jan 26 '16 at 00:38
  • 1
    Adding to it - For this to work properly, you have to set up a CNAME from your own domain, because the certificate is issued to your domain, and hence the browsers will show a warning if you use the Elastic Beanstalk URL. – Abdul Vajid Jul 15 '16 at 13:31
3

I can't believe this...but it goes to show how bad the AWS console is...I had to scroll down and click "Apply" on an invisible button when it shows "Pending create" after add making me think it's working...facepalm.

Timmerz
  • This is fax - never use the AWS Console it's da worst. I just did the same thing – dvr Jan 08 '22 at 02:41
1

Hello, I had an issue like this, and I followed these steps and they worked for me:

Generate certificate

The first thing is to request a certificate in AWS Certificate Manager (ACM).

Take a look at this video to create a new one: https://youtu.be/bWPTq8z1vFY

Configurations of the Elastic Beanstalk

In Configuration -> Load balancer, create a new listener.

In this step I get this:

Create a new record on Route 53, as I use Route 53 to host my site

Go to Route 53 -> select your hosted zone and create a new record.

Choose the alias option to select where to route traffic, in your case Elastic Beanstalk, your region and the name of your application.

This works if you use Route 53 and EB, but with other hosting providers I think it would work too.

Bunny bit