
I've an AWS LoadBalancer in front of two servers running SailsJS with PM2. The LB works very well and routes the incoming HTTP requests to the server, which is perfect.

Now, I need to add support for HTTPS, so I followed this guide: AWS Create a Classic Load Balancer with an HTTPS Listener, using a self-generated SSL certificate, and used this configuration for the ports:

LB Port 80 - Instance 80 
LB Port 443 - Instance 80

And the security group has these ports open:

22, 80, 443

So, if I understood correctly, the LB will receive the HTTPS request on port 443 and will forward it to port 80 of the instance. My instance, of course, is listening on port 80.

The problem is, this doesn't work! I can make HTTP requests to the LB and all is routed perfectly to the Sails instance and the response is perfect. But if I use exactly the same URL but with HTTPS, then it doesn't work and I get an "ERR_SSL_PROTOCOL_ERROR".

What am I doing wrong, what am I missing?

Thank you!

EDIT 1

This is what I get if I try `curl -v https://example.com`:

```
* Trying xx.xx.xx.xx...
* Connected to example.com (xx.xx.xx.xx) port 443 (#0)
* Unknown SSL protocol error in connection to example.com:-9838
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to mydomain.com:-9838
```

EDIT 2

Found another thread which suggested a different way of creating the certificate. So I tried it, but now AWS doesn't even accept the private key and the certificate:

```
Server Certificate not found for the key:    arn:aws:iam::111111111:server-certificate/CertificateMyName
```

EDIT 3

OK, so I found more info on why I couldn't load the certificates to AWS, and after trying a few times I managed to load it and use it.

After this, it appears to be working (with the warnings that it is not a valid cert and bla, bla, bla, which is expected):

```
* Trying XXX.XXX.XXX.XXX...
* Connected to example.com (XXX.XXX.XXX.XXX) port 443 (#0)
* SSL certificate problem: Invalid certificate chain
* Closing connection 0
curl: (60) SSL certificate problem: Invalid certificate chain
```

So it appears to be working, and it appears, as @MarkB suggested, that the certificate was wrong. Using the info found in EDIT 2, I created a new one and uploaded it (with the info from EDIT 3), and it appears to be working.

I'll perform more tests to make 100% sure that this works and will report back soon.

  • What happens when you type this https:// in the browser? – Piyush Patil Sep 08 '16 at 19:43
  • @error2007s I get the ERR_SSL_PROTOCOL_ERROR and "This site can’t provide a secure connection" – Raul Nussbaum Sep 08 '16 at 19:50
  • From that error it looks like you configured the listener with HTTP on port 443. – Dusan Bajic Sep 08 '16 at 20:01
  • @DusanBajic Not really, the LB configuration listeners are "Load Balancer Protocol/Port: HTTP,80; Instance Protocol/Port: HTTP, 80" and the second row is "Load Balancer Protocol/Port: HTTPS, 443; Instance Protocol/Port: HTTP, 80" – Raul Nussbaum Sep 08 '16 at 20:55
  • Can you test from the command line with `curl -v https://www.example.com`? It might give us a more descriptive SSL error. – Dusan Bajic Sep 08 '16 at 20:58
  • Are you using a certificate obtained from the AWS ACM service? – Mark B Sep 08 '16 at 21:24
  • @DusanBajic Thanks, results from curl are in the main question now, under EDIT 1. What do you think of that? – Raul Nussbaum Sep 08 '16 at 22:41
  • @MarkB Nope, I generated one myself with these commands: `openssl genrsa -out key.pem ---- openssl req -new -key key.pem -out csr.pem --- openssl x509 -req -days 9999 -in csr.pem -signkey key.pem -out cert.pem` (I separated the commands with '---' here, but they were executed one by one) – Raul Nussbaum Sep 08 '16 at 22:43
  • Why not use an ACM certificate so that you will at least know that the error isn't with the way you generated the certificate? – Mark B Sep 08 '16 at 22:49
  • @MarkB As I understand, I need a fully qualified domain for this? I only want to add HTTPS to some services I'm running on AWS, but have no domain for them. – Raul Nussbaum Sep 08 '16 at 23:13
  • No wonder you are having issues. I suggest buying a domain. – Mark B Sep 08 '16 at 23:51
  • @MarkB Apparently the certificate was wrong (or something was not pasted right), because I regenerated the certificate another way (EDIT 2) and it worked (after some changes using the info in EDIT 3). For now it appears to work; I'll continue my tests and will answer my question if all works. Thank you for suggesting that maybe the certificate was the actual problem, that put me in the right direction. – Raul Nussbaum Sep 09 '16 at 00:05

1 Answer

Ok, so the problem was a wrongly generated certificate. I used the first method I found and it wasn't working, so just use these:

```sh
# 1. Generate an unencrypted 2048-bit RSA private key
openssl genrsa -out client-key.pem 2048
# 2. Create a certificate signing request from that key (answer the prompts)
openssl req -new -key client-key.pem -out client.csr
# 3. Self-sign the CSR with the same key to produce the certificate
openssl x509 -req -in client.csr -signkey client-key.pem -out client-cert.pem
```

Even after that, AWS told me:

```
Server Certificate not found for the key:    arn:aws:iam::111111111:server-certificate/CertificateMyName
```

But the last error is wrong: even with the error, the certificate WAS added to ACM, and I used it in my HTTPS 443 listener, tested the services again, and all was working. So just create the certificate with the instructions above, import it into ACM, and if it gives you an error like the one above, just ignore it; your cert will be in place and ready to use.

Hope this helps others!
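An added example, not code from the asker, the answer, or AWS: a POSIX shell script that follows the answer's three openssl steps but pins an explicit subject and a subjectAltName, then checks the resulting key/certificate pair before it is uploaded. The hostname `lb.example.com`, the working directory, the certificate name `CertificateMyName` in the trailing comment, and the helper names (`gen_cert`, `key_matches_cert`, `cert_covers_host`, `cert_is_current`, `check_pair`) are all assumptions for this example. It needs an `openssl` binary on the path.

```shell
#!/bin/sh
# Added example (not from the original post). Generates a self-signed
# server certificate with a CN and a SAN, then verifies the pair locally.
# HOST, WORK and the certificate name are constructed placeholders.
set -eu

HOST="${HOST:-lb.example.com}"
WORK="${WORK:-${TMPDIR:-/tmp}/selfsigned-$$}"

# gen_cert HOST DIR: writes DIR/key.pem, DIR/csr.pem and DIR/cert.pem
gen_cert() {
    mkdir -p "$2"
    # Unencrypted RSA key: the classic ELB / IAM upload expects an
    # unencrypted PEM private key, so no passphrase options here.
    openssl genrsa -out "$2/key.pem" 2048 2>/dev/null
    # CSR with an explicit CN; -subj makes the step non-interactive.
    openssl req -new -key "$2/key.pem" -out "$2/csr.pem" -subj "/CN=$1" 2>/dev/null
    # Self-sign for one year and add a subjectAltName: clients match the
    # SAN rather than the CN, so a CN-only cert still fails hostname checks.
    printf 'subjectAltName=DNS:%s\n' "$1" > "$2/san.cnf"
    openssl x509 -req -days 365 -in "$2/csr.pem" -signkey "$2/key.pem" \
        -out "$2/cert.pem" -extfile "$2/san.cnf" 2>/dev/null
}

# key_matches_cert KEY CERT: succeeds only if both carry the same public key.
# A mismatched pair is the first thing to rule out when AWS rejects an upload.
key_matches_cert() {
    [ -r "$1" ] && [ -r "$2" ] || return 1
    k=$(openssl rsa -in "$1" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null | openssl sha256)
    [ "$k" = "$c" ]
}

# cert_covers_host HOST CERT: verifies the self-signed cert against itself as
# the trust anchor and checks that HOST matches its names. curl's "Invalid
# certificate chain" warning is about trust, not about the name matching.
cert_covers_host() {
    openssl verify -CAfile "$2" -verify_hostname "$1" "$2" >/dev/null 2>&1
}

# cert_is_current CERT: succeeds if the certificate has not expired yet.
cert_is_current() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# check_pair HOST KEY CERT: all three checks in one go.
check_pair() {
    key_matches_cert "$2" "$3" && cert_covers_host "$1" "$3" && cert_is_current "$3"
}

gen_cert "$HOST" "$WORK"
if check_pair "$HOST" "$WORK/key.pem" "$WORK/cert.pem"; then
    echo "OK: $WORK/key.pem and $WORK/cert.pem belong together and cover $HOST"
else
    echo "FAIL: do not upload this pair" >&2
fi
# Upload commands (real AWS CLI subcommands; the name is a placeholder):
#   aws iam upload-server-certificate --server-certificate-name CertificateMyName \
#       --certificate-body "file://$WORK/cert.pem" --private-key "file://$WORK/key.pem"
#   aws acm import-certificate --certificate "fileb://$WORK/cert.pem" \
#       --private-key "fileb://$WORK/key.pem"
```

Run it as `HOST=your.hostname sh selfsigned.sh`; the `check_pair` exit status is what a deployment script would gate the upload on. Note that a self-signed certificate only fixes the "no TLS on 443" symptom: browsers and curl will still refuse it until you either trust it explicitly or replace it with an ACM-issued or CA-signed certificate for a domain you control.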
