I'm building a web app on AWS. I have a problem with the AWS Load Balancer.
I want all traffic to go to port 443, so I created a Load Balancer with a public certificate from ACM.
The site works fine when I have a certificate from Let's Encrypt in the vhost, but when I remove the Let's Encrypt certificate, I get ERR_SSL_PROTOCOL_ERROR.
So I don't understand the ACM public certificate, and how can I fix this problem?

Adiii

AkiHizashi
- I think you might be terminating SSL at the instance. That means the load balancer to instance traffic is configured to be HTTPS. If that's the case, you should configure the certificate in your app. If you don't want that, you need to select the HTTP protocol between the load balancer and your instance – Arun Kamalanathan Dec 07 '19 at 08:58
- Can you check that? – Arun Kamalanathan Dec 07 '19 at 09:00
- Sorry, but can you tell me how I can do that? – AkiHizashi Dec 07 '19 at 09:27
- From the ALB to the EC2 instance, you connect by using the target group. In your case, I think you use the `https` protocol. To use ACM, it should be `http`. – Lamanus Dec 07 '19 at 09:36
- I changed the Route 53 settings so the domain and subdomain point to the Load Balancer, and removed the Let's Encrypt certificate. Now when I access the page it shows an Amazon certificate. But I get a 502 Bad Gateway error. I looked at the Apache log and it shows something like this: `\x16\x03\x01" 400 226 "-" "-"` – AkiHizashi Dec 07 '19 at 09:37
- @Adiii, Lamanus: My EC2 instance has ports 80 and 443. I use port 443 on the target group only – AkiHizashi Dec 07 '19 at 09:43
- You are definitely sending SSL traffic to the app – Arun Kamalanathan Dec 07 '19 at 09:44
- Check this load balancer config https://media.amazonwebservices.com/blog/ELB_1.png – Arun Kamalanathan Dec 07 '19 at 09:47
- See the second row: HTTPS port 443 is sent to the instance via port 80. That's what you should do – Arun Kamalanathan Dec 07 '19 at 09:48
- Use port 80 in the target group and remove the SSL setting from the vhost. And is the DNS name in the browser the same as the DNS name in ACM? – Adiii Dec 07 '19 at 09:53
- @ArunmainthanKamalanathan my control panel is different from yours. I'm just using an Application Load Balancer – AkiHizashi Dec 07 '19 at 09:55
- Correct, but you will see similar settings in your target group – Arun Kamalanathan Dec 07 '19 at 10:02
- @ArunmainthanKamalanathan I changed to port 80 but nothing changed https://photos.app.goo.gl/1Dopeg5HswQFJXZc9 – AkiHizashi Dec 07 '19 at 10:09
- Got it, see the message says no healthy instance. Your health checks are failing. Can you check the health check screen? Send me a screenshot if you don't understand – Arun Kamalanathan Dec 07 '19 at 10:38
- Does your Apache vhost accept port 80? – Arun Kamalanathan Dec 07 '19 at 10:40
- Posted an answer for the benefit of others (and me) – Arun Kamalanathan Dec 07 '19 at 10:46
- You do not need to set your server up to support `https` because the ALB and ACM deal with it. Your server should be an `http` server, which means an http target group, not `https`. For an `https` target group, you can use a CLB with backend certificate authentication, but that is not the case that you want. – Lamanus Dec 07 '19 at 11:14
2 Answers
You can choose to terminate SSL at the load balancer. If you do so, you don't need to configure SSL at the application level.
https://aws.amazon.com/blogs/aws/elastic-load-balancer-support-for-ssl-termination/

Arun Kamalanathan
- I think my instance is healthy, because it worked well until I changed the domain from pointing at the Elastic IP to the Load Balancer. Now when I access the main domain and every subdomain, they have a valid SSL certificate from Amazon, no more need for Let's Encrypt. I can see traffic coming in, although the site gets a 502 error and the Apache log shows `"\x16\x03\x01" 400 226 "-" "-"` – AkiHizashi Dec 07 '19 at 11:05
- Your instances are healthy, I don't deny that. The target group thinks that your instances are unhealthy because the health check is failing. The instances with a failed health check will not be drained or removed from serving the requests. – Arun Kamalanathan Dec 07 '19 at 12:14
- Check the health check page; you should have either `protocol: http, port: 80` or `protocol: TCP, port: 80`. If you choose `protocol: http`, you need to specify a health check URL if you have one, otherwise you can choose your index file, e.g. `/index.html` – Arun Kamalanathan Dec 07 '19 at 12:16
- I have a problem: now every page returns the Apache example page. Do you have any advice to fix it? – AkiHizashi Dec 07 '19 at 13:31
- Are your virtual hosts targeting port 443 or 80? If 443, change them to 80. Can you post your vhosts code? – Arun Kamalanathan Dec 07 '19 at 13:33
- Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/203809/discussion-between-arunmainthan-kamalanathan-and-akihizashi). – Arun Kamalanathan Dec 07 '19 at 13:54
- I changed every one to port 80 and can access them. The homepage was returned correctly with https, but CSS, JS, and when I click another page's URL, they are returned as http. – AkiHizashi Dec 07 '19 at 13:58
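The `\x16\x03\x01" 400` entries quoted in the comments on this answer are the whole diagnosis in three bytes. The following is an added example, not code from the original thread or from AWS: it undoes Apache's `\xNN` log escaping, recognises the bytes as the start of a TLS record (content type 0x16 = handshake, record-layer version 0x0301), and reports the mismatch between an HTTPS target group and a plaintext port-80 vhost. Apache answers the handshake bytes with a 400 and logs them; the ALB, whose TLS handshake with the target has failed, returns 502 to the client. The log lines, IP address and timestamps are constructed for the example.

```python
"""Decode and classify the Apache access-log entry quoted in this thread.

Added example, not code from the original post. Apache escapes non-printable
bytes of a request line as \\xNN in the access log, so the logged request
"\\x16\\x03\\x01" is the first three bytes of a TLS record: content type 0x16
(handshake) followed by record-layer version 0x0301. A TLS ClientHello that
reaches a vhost speaking only plaintext HTTP is exactly what an HTTPS target
group in front of a port-80 vhost produces. The log lines are constructed.
"""
import re

# Constructed samples in Apache combined format, modelled on the fragment quoted above.
SAMPLE_TLS_LINE = (
    r'10.0.1.23 - - [07/Dec/2019:09:30:11 +0000] "\x16\x03\x01" 400 226 "-" "-"'
)
SAMPLE_HTTP_LINE = (
    r'10.0.1.23 - - [07/Dec/2019:09:30:12 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "curl/7.64.0"'
)

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# TLS record-layer content types (RFC 5246 section 6.2.1).
TLS_CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                     0x16: "handshake", 0x17: "application_data"}
HTTP_METHODS = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"DELETE ", b"OPTIONS ", b"PATCH ")


def unescape_apache(field: str) -> bytes:
    """Undo Apache's log escaping (\\xNN, \\\\ and \\") and return the raw request bytes."""
    def repl(m):
        tok = m.group(1)
        if tok[:1] == b"x":
            return bytes([int(tok[1:], 16)])
        return tok  # an escaped backslash or double quote
    return re.sub(rb'\\(x[0-9a-fA-F]{2}|\\|")', repl, field.encode("latin-1"))


def classify_request_bytes(data: bytes) -> dict:
    """Say whether the first bytes look like a TLS record or an HTTP request line."""
    if (len(data) >= 3 and data[0] in TLS_CONTENT_TYPES
            and data[1] == 0x03 and data[2] <= 0x04):
        return {"kind": "tls", "content_type": TLS_CONTENT_TYPES[data[0]],
                "record_version": f"3.{data[2]}"}
    if data.startswith(HTTP_METHODS):
        return {"kind": "http", "method": data.split(b" ", 1)[0].decode("ascii")}
    return {"kind": "unknown"}


def diagnose(log_line: str) -> dict:
    """Parse one access-log line and explain what hit the port."""
    m = LOG_RE.match(log_line)
    if not m:
        raise ValueError("not an Apache common/combined log line")
    info = classify_request_bytes(unescape_apache(m.group("request")))
    info["status"] = int(m.group("status"))
    if info["kind"] == "tls" and info["content_type"] == "handshake":
        info["finding"] = ("TLS ClientHello on a plaintext HTTP port: the load balancer "
                           "is speaking HTTPS to this target; set the target group "
                           "protocol to HTTP (port 80) or serve TLS on the target port")
    elif info["kind"] == "http":
        info["finding"] = "plaintext HTTP request; ALB-to-target protocol matches the vhost"
    else:
        info["finding"] = "unrecognised request bytes"
    return info


if __name__ == "__main__":
    for line in (SAMPLE_TLS_LINE, SAMPLE_HTTP_LINE):
        print(diagnose(line))
```

Run it over a real access log with `grep '\\x16\\x03' access.log` piped into `diagnose` to count how many handshakes hit the plaintext port; once the target group is switched to HTTP on port 80 those entries stop and the same lines show ordinary `GET` requests.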
Finally I fixed it. As everybody said, the problem was in the target group. I was wrong about the target group port. I created a new target group with port 80 and it worked. Thank you everybody so much.

AkiHizashi
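Once TLS is terminated at the ALB and the target group is plain HTTP on port 80, the instance only ever sees `http`, which is why the last comment on the previous answer reports CSS, JS and navigation links coming back as `http://`. The following is an added example, not code from the original thread: a WSGI middleware that restores the client-facing scheme from the `X-Forwarded-Proto` header the ALB adds, and redirects `http` to `https` without the redirect loop you get when the decision is made on the ALB-to-instance hop (which is always http). The header is trusted only when the connection really comes from the load balancer's addresses, since anything that can reach the instance directly could otherwise claim `https`. The proxy CIDR `10.0.0.0/16`, the health-check path `/health` and the hostname `example.com` are assumed values.

```python
"""Make an app behind a TLS-terminating ALB emit https:// URLs and redirect
http:// traffic without looping.

Added example, not code from the original thread. With TLS terminated at the
load balancer the target only sees plain HTTP, so a framework that builds
absolute URLs from the request emits http:// links. The ALB records the
client-facing scheme in X-Forwarded-Proto; this middleware copies it into
wsgi.url_scheme, but only for connections from the load balancer's subnets.
The proxy CIDR, health-check path and hostname are assumed values.
"""
import ipaddress
from wsgiref.util import request_uri, setup_testing_defaults

TRUSTED_PROXY_NETS = (ipaddress.ip_network("10.0.0.0/16"),)  # assumed: the ALB's subnets


class ForwardedProtoMiddleware:
    """Restore the client-facing scheme behind a TLS-terminating load balancer."""

    def __init__(self, app, trusted_nets=TRUSTED_PROXY_NETS,
                 force_https=True, health_path="/health"):
        self.app = app
        self.trusted_nets = trusted_nets
        self.force_https = force_https
        self.health_path = health_path  # assumed path; health checks carry no forwarded scheme

    def _from_trusted_proxy(self, addr: str) -> bool:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False
        return any(ip in net for net in self.trusted_nets)

    def __call__(self, environ, start_response):
        proto = environ.get("HTTP_X_FORWARDED_PROTO", "").split(",")[0].strip().lower()
        if proto in ("http", "https") and self._from_trusted_proxy(environ.get("REMOTE_ADDR", "")):
            environ["wsgi.url_scheme"] = proto
            environ["HTTPS"] = "on" if proto == "https" else "off"  # what PHP-style apps check
        # Redirect on the *forwarded* scheme. Redirecting on the scheme of the
        # ALB-to-instance hop would loop, because that hop is always http.
        if (self.force_https and environ["wsgi.url_scheme"] != "https"
                and environ.get("PATH_INFO") != self.health_path):
            location = "https://" + request_uri(environ).split("://", 1)[1]
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Minimal app that emits an absolute self-link, the way a CMS builds asset URLs."""
    body = f'<a href="{request_uri(environ, include_query=False)}">self</a>'.encode()
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [body]


def call(app, path="/", remote_addr="10.0.1.23", forwarded_proto=None):
    """Drive a WSGI app with a constructed request; returns (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    environ["HTTP_HOST"] = "example.com"  # assumed hostname
    environ["REMOTE_ADDR"] = remote_addr
    if forwarded_proto is not None:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    result = {}

    def start_response(status, headers, exc_info=None):
        result["status"], result["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response)).decode()
    return result["status"], result["headers"], body


APP = ForwardedProtoMiddleware(demo_app)

if __name__ == "__main__":
    print(call(APP, forwarded_proto="https"))                               # 200, https:// link
    print(call(APP, forwarded_proto="http"))                                # 301 to https://
    print(call(APP, remote_addr="203.0.113.5", forwarded_proto="https"))    # header ignored: 301
    print(call(APP, path="/health"))                                        # 200 over plain http
```

The health-check exemption matters in practice: the ALB's health checker sends plain HTTP to the target and does not identify the original scheme, so a blanket redirect turns every check into a 301 and the target is marked unhealthy, which is the "no healthy instance" state seen earlier in this thread. The equivalent in Apache is `SetEnvIf X-Forwarded-Proto https HTTPS=on` in the port-80 vhost, with the security group restricted so only the ALB can reach port 80.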