I created a front-end hosted at www.example.com through Netlify. The front-end makes API calls to a load balancer address hosted on AWS. Through Netlify, I set up an A record so that server.example.com points to the load balancer. In Amazon Certificate Manager, I got the certificate imported successfully for example.com and server.example.com by creating CNAME records in Netlify.

However, when I visit server.example.com in the browser, it properly loads my Express Server, but it says Not Secure in the browser despite being served over https. It says the certificate is invalid.

I'm wondering how to get the certificate to be valid at server.example.com - any help would be much appreciated, as I've struggled with this for two days now.

Thanks!

a94
  • Open developer tools in Chrome and click on the Security tab. Inspect the certificate and see why Chrome shows the certificate as invalid – Yan Apr 05 '20 at 21:58
  • Or give us the real domain name in question so we can take a look. – Michael - sqlbot Apr 05 '20 at 22:48
  • Can you confirm that you are accessing your server via https://server.example.com and not `http`? – Arun Kamalanathan Apr 05 '20 at 23:15
  • @Yan I've updated the question with screenshots - it says the certificate is "missing" but right below that, it has a button to "view certificate", and when I click view certificate, it shows me that the certificate is valid. – a94 Apr 06 '20 at 01:26
  • @Michael-sqlbot, sure, thank you!! drawafterdark.com / server.drawafterdark.com – a94 Apr 06 '20 at 01:26
  • @ArunK - I'm typing https into the url, is this what you mean? – a94 Apr 06 '20 at 01:27
  • Yes. Have you selected the certificate for the listener of the load balancer? – Arun Kamalanathan Apr 06 '20 at 01:36
  • Also, you can choose to terminate the SSL at the load balancer. The load balancer will receive the traffic over SSL, then send the traffic over non-SSL to Express. That's what I do most of the time. – Arun Kamalanathan Apr 06 '20 at 01:44

1 Answer

The issue is that the certificate CN (common name) is drawafterdark.com and you are using it with server.drawafterdark.com. The certificate is valid, but the client (Chrome) will show that the certificate is not valid because the hostname doesn't match the CN. You either have to get a certificate for server.drawafterdark.com or a wildcard certificate *.drawafterdark.com.

You can also add server.drawafterdark.com to the SAN (subject alternative name). Then it will be valid for both server.drawafterdark.com and drawafterdark.com.

Yan
  • You're amazing! I didn't realize I needed to associate the subdomain's SSL separately with the load balancer. Thanks a ton!! – a94 Apr 06 '20 at 04:48
  • Great! For the certificate to be accepted by the client, it has to trust the signing authority, and the hostname has to match the CN and/or alternate DNS name, or a wildcard has to be used. You just have to generate the key/cert, import it and set it up in the LB config. Happy Coding! – Yan Apr 06 '20 at 12:28
  • Also, browsers disregard the CN part nowadays. What counts is the SAN extension. – Patrick Mevzek Apr 06 '20 at 19:11