4

I set up an EC2 Ubuntu instance, assigned an Elastic IP, and pointed example.com (domain) at the EC2 instance via Route 53. Added an SSL certificate using ACM (Certificate Manager), which says 'issued'.

However, https://example.com raises ERR_SSL_PROTOCOL_ERROR. http://example.com is working.

The security group has HTTPS port open.

What's wrong here? Why is this not working? Any clues? `curl https://localhost -k` shows local port 443 refused.

elle

2 Answers

3

You can't deploy a public ACM certificate directly to an instance. The "issued" state just means it's ready to be applied somewhere. It needs to be applied to a service that supports ACM, like an ELB, API Gateway, or a CloudFront distribution, which can be used to offload SSL processing. See the FAQs for an overview of how they can be used.

For a certificate directly on the instance, you can use Let's Encrypt to issue free, trusted certs.

Also, this assumes that you've configured the web server to listen on 443.

  • I have tried to install Let's Encrypt, but somehow it was not working. Is there any good YouTube or step-by-step guide for EC2 Ubuntu 16.04? Getting a bit hectic in setting up an SSL. Thanks in advance. – elle Mar 29 '19 at 06:17
  • I wish there were a Let's Encrypt click button somewhere for the instance for a quick setup of EC2 instances, if this makes sense to devops. – elle Mar 29 '19 at 06:21
  • 1
    If you go [here](https://certbot.eff.org/), you can choose your web server and your OS from the drop down lists, and it will give you pretty straight forward set of instructions. – semipermeable Mar 29 '19 at 14:08
  • Also, ideally you'd use an ELB in front of this instance and install the ACM cert there. Use an autoscaling group and set it to 1 if you don't need more than that at the moment. Use something like S3 for any assets or shared storage, and an RDS instance or DynamoDB for any database needs. That gets you the ability to self-heal (to a degree) if something should happen to the instance itself, and you aren't dependent on a specific underlying instance. Basically, try to make the app as stateless as possible. The setup is more complicated, but the payoff tends to be worth it. – semipermeable Mar 29 '19 at 14:32
1

ACM can only be used with AWS resources such as Elastic Load Balancer, Amazon CloudFront distributions, and APIs on Amazon API Gateway. Make sure that you are using one of the above services to serve your website content.

ACM cannot be used directly with an EC2 instance; you need either an Elastic Load Balancer or a CloudFront distribution to use it.

Aress Support
  • At last, I got it encrypted. But a Java server on port 9998 is not accessible. The security group is set for all traffic, so the port is open. Is there another step to link the encrypted nginx to the Java Docker server? – elle Apr 01 '19 at 03:37
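Added example, not from either answer: an nginx site configuration that covers both the missing 443 listener the first answer points at (nothing on the instance was listening on 443, hence the refused connection) and the follow-up question about linking nginx to the Java server. It assumes certbot has already issued a certificate for example.com on the instance (the paths are certbot's default layout) and that the Java container is reachable from the instance on 127.0.0.1:9998.

```nginx
# Assumed: certbot ran on this instance for example.com and the Java
# app is published only on the loopback address, 127.0.0.1:9998.

# Plain-HTTP server: keep the ACME challenge path reachable for renewals,
# redirect everything else to HTTPS.
server {
    listen 80;
    server_name example.com;

    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;   # assumed webroot used with certbot --webroot
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# TLS server: this block is what was missing when curl reported port 443 refused.
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols       TLSv1.2;     # add TLSv1.3 once nginx/OpenSSL support it

    add_header Strict-Transport-Security "max-age=31536000" always;

    # Reverse proxy to the Java server over loopback. Because clients never
    # talk to 9998 directly, that port does not need to be open in the
    # security group, so the "all traffic" rule can be tightened to 80/443.
    location / {
        proxy_pass         http://127.0.0.1:9998;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }
}
```

Check the file with `sudo nginx -t` before reloading, then confirm the handshake from outside with `curl -vI https://example.com`; if curl still reports a refused connection on 443, nginx has not picked up the `listen 443 ssl` block.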