I bought a domain named studileih.de, then I deployed my Angular frontend on firebase: https://studileih-ceb70.web.app/ and redirected from my domain studileih.de to the firebase URL.

Then I deployed my Spring Boot backend to AWS Elastic Beanstalk on: http://studileih1.eu-central-1.elasticbeanstalk.com/

-> Problem: Since the frontend on firebase used https and the backend on AWS used http I got a Mixed content error. The frontend wasn't able to load any of the backend data.

So I tried to solve this by creating an SSL certificate for my backend in the AWS Certificate Manager (ACM) and adding this to my Elastic Beanstalk Load Balancer. This worked and I could now at least make a connection from my frontend to my backend.

But now I get this error whenever a request to my backend gets sent:

error message

When I click on "Accept the Risk and Continue" once, it works fine and all my backend data gets loaded. But I can't ask my users to do that.

(You can try this out by following: https://studileih1.eu-central-1.elasticbeanstalk.com/products and clicking "Advanced" -> "Accept the Risk and Continue" (if you dare ^^). After you've done that, click on studileih.de and it will now load with the backend data.)

I know the problem exists because when creating the SSL certificate, I entered studileih.de as the domain that the certificate is for. I think I have to create an SSL certificate for studileih1.eu-central-1.elasticbeanstalk.com instead. But when I try to create an SSL certificate for studileih1.eu-central-1.elasticbeanstalk.com:

I get this error from ACM:

How do I create an SSL Certificate for the Elastic Beanstalk URL?

p.s. I also tried to issue a certificate for my firebase URL https://studileih-ceb70.web.app/ but this one already uses HTTPS by default. Also I couldn't find out how to DNS/Email validate the ACM request in the firebase console. But I think I need a certificate for the Elastic Beanstalk backend at studileih1.eu-central-1.elasticbeanstalk.com, not for the firebase frontend, right?

p.p.s. I don't really need to use https, so a solution would be to make firebase use http instead of https, but I couldn't find anything on how to do that.

UPDATE:

I added a subdomain called api.studileih.de (the immediate access is blocked by spring security, as you're not logged in to my site, but you can test it with api.studileih.de/products, because this API is accessible without login). Then I redirected that subdomain to my AWS Load Balancer as suggested by Mark B by adding a CNAME to the subdomain:

my subdomain

(it's not possible to change to English there, sorry)

this is my Load Balancer:

my AWS load balancer

I tried to put the DNS-Name as A-Record into my subdomain, but it was only possible to enter an IPv4 address there, so I entered it as CNAME instead. I also tried to find out the IP address of the Load Balancer, but Load Balancers don't have a static IP address.

This approach with the subdomain and the CNAME unfortunately didn't work, so I'm still looking for a solution...

(Here's the menu for setting an A-Record. You can only enter IP addresses there:)

A-Record menu at strato.de

Boommeister

1 Answer

> I know the problem exists because when creating the SSL certificate, I entered studileih.de as the domain that the certificate is for. I think I have to create an SSL certificate for studileih1.eu-central-1.elasticbeanstalk.com instead.

You can only create an SSL certificate for a domain you own. You need to point a subdomain of studileih.de, like api.studileih.de, at the Elastic Beanstalk load balancer, and then attach an SSL certificate to that load balancer that matches that subdomain.

Mark B
  • Thank you already, this solved the issue in Firefox (on desktop). I have now a closed lock next to the URL and when I click on it, it says "Connection secure". On chrome and edge it shows "Not secure" instead of a lock and the https of the url is crossed out. – Boommeister Sep 07 '20 at 16:30
  • But at least it loads the backend data without the need to "Accept the risk" anymore. But on opera and on mobile (firefox and chrome) it still shows me an error: NET::ERR_CERT_COMMON_NAME_INVALID Additionally it says: "This server couldn't prove that it is studileih1.eu-central-1.elasticbeanstalk.com. Its security certificate comes from studileih.de." (translated from german) – Boommeister Sep 07 '20 at 16:34
  • https://www.ssllabs.com/ssltest/analyze.html?d=studileih.de shows 2 certificates for studileih.de (I didn't delete the first one), but both are flagged as "Certificate not valid for domain name" – Boommeister Sep 07 '20 at 16:40
  • In the new added certificate, I added both `studileih.de` and `api.studileih.de`. `api.studileih.de` is pointing to the CNAME of the load balancer. But the domain `studileih1.eu-central-1.elasticbeanstalk.com` doesn't appear anywhere in the certificate. Maybe that's the problem? But the load balancer belongs to the elastic beanstalk/EC2 server that is behind `studileih1.eu-central-1.elasticbeanstalk.com`, and I tried to add `studileih1.eu-central-1.elasticbeanstalk.com` to the certificate request before, but that always made the request fail (as described in my post). – Boommeister Sep 07 '20 at 16:47
  • That's the full error message from my Firefox-US version: Websites prove their identity via certificates. Firefox does not trust this site because it uses a certificate that is not valid for studileih1.eu-central-1.elasticbeanstalk.com. The certificate is only valid for the following names: api.studileih.de, studileih.de Error code: SSL_ERROR_BAD_CERT_DOMAIN – Boommeister Sep 07 '20 at 17:00
  • It's showing as valid for me on Chrome. I think you needed to wait for a cache to clear or something. – Mark B Sep 07 '20 at 19:13
  • You must have added an exception for this site. I tried it on a different laptop and it doesn't work there either. If you go to https://studileih1.eu-central-1.elasticbeanstalk.com/products you can remove the exception for that site (at least in firefox). In Chrome I had to delete the browser cookies and history, then it didn't work again. – Boommeister Sep 09 '20 at 07:58
  • If you have time and you're still willing to help, please take a look at the update that I wrote at the end of the original question. If not, still thank you ;) – Boommeister Sep 09 '20 at 08:41
  • It's never going to work if you open studileih1.eu-central-1.elasticbeanstalk.com/products in your browser, because that's not the domain name in the SSL certificate. You have to point a CNAME record to your Elastic Beanstalk environment, and then use that in the browser. – Mark B Sep 09 '20 at 12:42
  • Ahh, ok you're right! http://api.studileih.de/products works, even when I remove the exception in my browser. But studileih.de still doesn't work. For clarification: studileih.de redirects to my firebase frontend https://studileih-ceb70.web.app/ and additionally has the subdomain api.studileih.de whose CNAME points to my Load Balancer which redirects to my Beanstalk environment which runs my backend application (studileih1.eu-central-1.elasticbeanstalk.com/products). Is this how it's supposed to be? – Boommeister Sep 09 '20 at 13:00
  • Ah damn, now I got it, my frontend has to actually call https://api.studileih.de/products inside the code instead of studileih1.eu-central-1.elasticbeanstalk.com/products. – Boommeister Sep 09 '20 at 13:05
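
The two failures in this thread (mixed content, then a certificate whose names do not cover the host being called), as an added example that is not part of the original posts. The function names are hypothetical, the SAN list is taken from the Firefox error quoted in the comments, and the name matching is a simplified version of what browsers do.

```python
from urllib.parse import urlsplit

# SAN list as reported in the Firefox error quoted in the comments.
CERT_SANS = ["api.studileih.de", "studileih.de"]


def san_matches(hostname: str, pattern: str) -> bool:
    """Simplified RFC 6125 match: '*' is only allowed as the whole leftmost label."""
    host = hostname.rstrip(".").lower().split(".")
    pat = pattern.rstrip(".").lower().split(".")
    if len(host) != len(pat):
        return False  # a wildcard stands for exactly one label, never zero or several
    if pat[0] == "*":
        # Assumption: require two fixed labels after the wildcard (rejects "*.de").
        return len(pat) >= 3 and bool(host[0]) and host[1:] == pat[1:]
    return host == pat


def diagnose(page_url: str, api_url: str, cert_sans=CERT_SANS) -> str:
    """Classify a frontend -> backend request roughly the way a browser would."""
    page, api = urlsplit(page_url), urlsplit(api_url)
    if page.scheme == "https" and api.scheme != "https":
        return "blocked: mixed content"
    if api.scheme == "https" and not any(
        san_matches(api.hostname, san) for san in cert_sans
    ):
        return "blocked: certificate not valid for " + api.hostname
    return "ok"


if __name__ == "__main__":
    frontend = "https://studileih-ceb70.web.app/"
    for backend in (
        "http://studileih1.eu-central-1.elasticbeanstalk.com/products",
        "https://studileih1.eu-central-1.elasticbeanstalk.com/products",
        "https://api.studileih.de/products",
    ):
        print(backend, "->", diagnose(frontend, backend))
```

Only the last URL passes: the certificate is checked against the host name the client requested, not against whatever that name resolves to through the CNAME.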