EDIT 3:
The answer is I'm an idiot and left a listener on port 443 that redirected manually to the environment url.
EDIT 2:
It appears that my DNS records are not set correctly which is causing the site to be marked unsafe despite the certificate being indeed valid. Possible solution (related symptom) can be found in another of my SO posts here
Basically I need to do the following (extracted from this video)
- create a hosted zone per parent domain NOT the subdomain: example.com NOT subdomain.example.com regardless of number of subdomains
- request NS records (not CNAME records) per subdomain be entered by my admin into the parent domain host e.g. GoDaddy, Namecheap etc...
- use alias records as before for each subdomain pointing to relevant EB environment.
EDIT:
It turns out that I have created a certificate for my custom domain but the browser will not trust it because the site is being served from an *.elasticbeanstalk.com domain.
No idea how to proceed as I cannot get an SSL for a domain I do not own.
I have an application that uses Auth0, running inside EB behind an application load balancer (ALB).
Auth0 requires being run inside a secure environment, so I am terminating https at the load balancer and then re-terminating to send https through to the instance where it is terminated once again.
I've essentially followed this tutorial to achieve the use of a trusted SSL certificate, except I chose "email confirmation" and my global administrator approved the certificate. I've then added it to the ALB. Also there are no CNAME records in Route53 for these hosted zones.
It is also worth mentioning that the team have routed from Godaddy parent domain to our NS records in AWS, which is configured in a hosted zone using Route53. This is an alias record that successfully routes through to my application. Routing works just fine and redirects through to the application successfully.
However, when I visit the site it still does not come up as secure. I've tested this across various machines to avoid any caching issues.
There is a self-signed certificate on the instance itself. Is this certificate being served up to the public or is it the ALB certificate? Seems fairly obvious that it's the instance certificate.
How then can I use the certificate in the ACM at the instance? According to AWS docs I can use a self-signed certificate without any issues.
ALB listeners:
Certificate in ACM (The ARN matches the above)
For the configuration files below I followed these links:
- Configuring HTTPS for your Elastic Beanstalk environment
- Configuring a secure listener using the Elastic Beanstalk console
- Configuring end-to-end encryption in a load-balanced Elastic Beanstalk environment
- Terminating HTTPS on EC2 instances running Node.js
- Configuring your application to terminate HTTPS connections at the instance
I have the following .config files in the .ebextensions directory of the application root folder:
From "Configuring your application to terminate HTTPS connections at the instance", https-instance-securitygroup.config:

```yaml
# Opens port 443 on the environment's instance security group so the
# load balancer can reach the nginx HTTPS listener on each instance.
Resources:
  sslSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0
```
From "Configuring end-to-end encryption in a load-balanced Elastic Beanstalk environment", .ebextensions/https-reencrypt-alb.config:

```yaml
# ALB listener on 443 (terminates with the ACM certificate) forwarding to
# the "https" process, i.e. re-encrypting to port 443 on the instances.
option_settings:
  aws:elbv2:listener:443:
    DefaultProcess: https
    ListenerEnabled: 'true'
    Protocol: HTTPS
  aws:elasticbeanstalk:environment:process:https:
    Port: '443'
    Protocol: HTTPS
```
From "Terminating HTTPS on EC2 instances running Node.js", .ebextensions/https-instance.config:

```yaml
files:
  /etc/nginx/conf.d/https.conf:
    mode: "000644"
    owner: root
    group: root
    content: |
      # HTTPS server (instance-side termination with the self-signed cert below)
      server {
          listen 443;
          server_name localhost;
          # "ssl on;" is the form used in the AWS sample; newer nginx releases
          # expect "listen 443 ssl;" instead.
          ssl on;
          ssl_certificate /etc/pki/tls/certs/server.crt;
          ssl_certificate_key /etc/pki/tls/certs/server.key;
          ssl_session_timeout 5m;
          # Protocol list kept from the AWS sample; TLSv1 and TLSv1.1 are
          # deprecated and can be dropped since only the ALB connects here.
          ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
          ssl_prefer_server_ciphers on;

          # For enhanced health reporting support, uncomment this block:
          #if ($time_iso8601 ~ "^(\d{4})-(\d{2})-(\d{2})T(\d{2})") {
          #    set $year $1;
          #    set $month $2;
          #    set $day $3;
          #    set $hour $4;
          #}
          #access_log /var/log/nginx/healthd/application.log.$year-$month-$day-$hour healthd;
          #access_log /var/log/nginx/access.log main;

          location / {
              proxy_pass http://nodejs;
              proxy_set_header Connection "";
              proxy_http_version 1.1;
              proxy_set_header Host $host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header X-Forwarded-Proto https;
          }
      }
  /etc/pki/tls/certs/server.crt:
    mode: "000400"
    owner: root
    group: root
    content: |
      -----BEGIN CERTIFICATE-----
      certificate file contents
      -----END CERTIFICATE-----
```
From "Storing private keys securely in Amazon S3", privatekey.config:

```yaml
# Lets the instance profile fetch the private key from a private S3 bucket
# at deploy time instead of committing it to the application bundle.
Resources:
  AWSEBAutoScalingGroup:
    Metadata:
      AWS::CloudFormation::Authentication:
        S3Auth:
          type: "s3"
          buckets: ["application-keys"]
          roleName:
            "Fn::GetOptionSetting":
              Namespace: "aws:autoscaling:launchconfiguration"
              OptionName: "IamInstanceProfile"
              DefaultValue: "aws-ec2-eb-*****-role"
files:
  # Private key (backend_app_server)
  "/etc/pki/tls/certs/server.key":
    mode: "000400"
    owner: root
    group: root
    authentication: "S3Auth"
    source: https://****.amazonaws.com/****.pem
```
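A small diagnostic for the symptom in the question and the causes found in the edits (a stray listener redirecting to the *.elasticbeanstalk.com environment URL, and a served certificate that does not cover the custom name). This is an added example, not code from the post or from AWS; `probe()` takes the custom hostname as an argument, and the helper functions are pure so they can be exercised with a constructed certificate dict.

```python
import http.client
import ssl
from urllib.parse import urlsplit

EB_SUFFIX = ".elasticbeanstalk.com"

def cert_names(cert):
    """DNS names a parsed peer cert (the dict ssl.getpeercert() returns) covers."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    names += [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names

def name_matches(hostname, pattern):
    """Exact match, or a single leading wildcard label (*.example.com)."""
    h, p = hostname.lower().rstrip("."), pattern.lower().rstrip(".")
    if p.startswith("*."):
        return h.count(".") >= 2 and h.split(".", 1)[1] == p[2:]
    return h == p

def diagnose(hostname, cert, status, location):
    """Findings from one HTTPS response: name coverage and off-domain redirects."""
    findings = []
    names = cert_names(cert)
    if not any(name_matches(hostname, n) for n in names):
        findings.append("certificate does not cover %s (covers: %s)"
                        % (hostname, ", ".join(names) or "nothing"))
    target = (urlsplit(location or "").hostname or "").lower()
    if status in (301, 302, 307, 308) and target and target != hostname.lower():
        why = ("environment URL, whose AWS-owned cert cannot carry the custom name"
               if target.endswith(EB_SUFFIX) else "a host outside the custom domain")
        findings.append("redirects to %s: %s" % (target, why))
    return findings

def probe(hostname, port=443, timeout=5):
    """Live check: verified TLS handshake with SNI, then GET / without following it."""
    conn = http.client.HTTPSConnection(hostname, port, timeout=timeout,
                                       context=ssl.create_default_context())
    try:
        conn.request("GET", "/", headers={"Host": hostname})
        resp = conn.getresponse()
        return diagnose(hostname, conn.sock.getpeercert(), resp.status,
                        resp.getheader("Location"))
    except ssl.SSLCertVerificationError as e:
        # a self-signed instance cert, or a name mismatch, fails here before any HTTP
        return ["TLS verification failed: %s" % e]
    finally:
        conn.close()
```

Run `probe("app.example.com")` (placeholder hostname) against the custom domain; an empty list means the ACM certificate is the one being served and nothing bounces the browser to the environment URL.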