Getting a letsEncrypt CA certificate for AWS Elastic IP

Question

Guide: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/SSL-on-amazon-linux-2.html

Problem:

I have to make an integration between exact-online and other websites. For this I have a java-backend running on a Amazon linux 2 EC2-server, with a controller method to listen to an exact-online webhook. I get info from the webhook and send it to the other websites using their api. So I don't have any actual webpage someone can visit, it's just an 'internal' program.

Now for the webhook my controller looks like this:

    @RequestMapping(value = "/WebHook", method = RequestMethod.POST)
    @ResponseBody
    public ResponseEntity<?> webhook(@RequestBody(required = false) ExactWebHookResponse exactWebHookResponse) {
        // handle exactWebHookResponse
        return new ResponseEntity<Object>(HttpStatus.OK);
    }

The webhook only communicates through 'https'-protocol. So my controller should be listening to webhook-requests made to https://{Elastic-IP}/WebHook.

To initialize SSL/TLS on the Amazon server I followed above mentioned guide; I installed Apache, configured my security group etc. Everything goes fine until I try to get a CA certificate using LetsEncrypt-Certbot. When I try to get a certificate for domain: {Elastic-IP} it tells me they don't give certificates to IP-addresses. So I tried using my public DNS: ec2-{Elastic-IP}.us-east-2.compute.amazonaws.com, but they don't give certificates to 'amazonaws.com' domains.

I'm not at all familiar with SSL/TLS and certificates, so what am I doing wrong here?

Answer 1

SSL/TLS certificates serve two purposes -- providing a signed public key used to negotiate encryption is only one of them. The other is proving server identity or control -- that the server you are connected to isn't an impostor.

Browsers, curl, and HTTP client libraries trust your certificate because it's cryptographically signed by a trusted certificate authority.

The certificate authority, in issuing a certificate, is essentially vouching for you and your server -- that they confirmed your authorization to request the certificate, before they issued it. If they issued a certificate for *.amazonaws.com or an AWS IP address, that would amount to them asserting that they believe and confirmed that you are Amazon... which you aren't.

So Let's Encrypt will not give you a certificate for anything that isn't demonstrably yours. The IP addresses are not yours, and neither are hostnames inside *.amazonaws.com. Amazon has a free certificate product (Amazon Certificate Manager) and they won't give you a certificate for these cases, either.

You need a domain name, if you want a cert from Let's Encrypt (or ACM or any other free or non-free certificate authority). The fact that the service isn't accessed by humans isn't really relevant. Register a new domain or assign a hostname from a domain you already own. Point it to your service, in DNS, and you will be able to obtain a cert.

Of course, if the service is fully internal to a single organization, you can set up a private certificate authority for anything you like -- whether an IP address or hostname -- and no external validation is needed in this case because nobody will trust your certificates except the machines in your organization that have elected to trust your private CA. But setting up a private CA is non-trivial.