
We have this internet-facing classic load balancer with the DNS name my-elb-1234.region.elb.amazonaws.com, but we do not use it for any routing/balancing to our EC2 instances. Also, there is only one EC2 instance in this ELB. In this EC2 instance we only have an nginx server running. We do not really use the ELB's DNS as an access/entry point to our server. We have this Route 53 hosted zone our-process.domain that hosts the domains/servers served by the nginx server in the EC2 instance in the ELB. This has been going on for years now and was just recently found out by our security team.

I know we are not doing/using this ELB resource the right way or in any way.

Is there a way to have the ELB's DNS name my-elb-1234.region.elb.amazonaws.com covered by a signed SSL certificate? We've tried using ACM, but it just failed when we put my-elb-1234.region.elb.amazonaws.com in the domain; I think this is because amazonaws.com is part of the domain and it is forbidden in ACM. We also tried certbot, which we used to generate the SSL certificate for our-process.domain, but I think it still forbids it because of the amazonaws.com domain. We also tried having a CNAME record in the our-process.domain hosted zone routing to my-elb-1234.region.elb.amazonaws.com, but when checking with sslshopper.com it fails as there are no common names in the certificate that match the name (my-elb-1234.region.elb.amazonaws.com).

Dense04

1 Answer

  • You will have to create a certificate in ACM with your own domain process.domain, if I got it right.
  • Create a CNAME record for your CLB in process.domain, like myoldapp.process.domain, mapping to your LB.
  • From your CLB, in the listeners, configure the HTTPS listener to use the certificate you created for process.domain in step 1.

That should be OK. When a request comes in with myoldapp.process.domain and reaches the LB, and the cert on it is configured for process.domain, the SSL termination should happen properly with this setup at the LB level.

Abraam Magued
  • We have a valid SSL certificate for our process.domain generated by certbot and imported it in ACM. However, when configuring the CLB listener to use the certificate, it fails on sslshopper.com with the error 'None of the common names in the certificate match the entered name,' which is the CLB's DNS. We added a CNAME record in our domain to route/map to our ELB, and that works fine. Our security team is requesting a valid SSL certificate for the ELB's DNS. I don't think it makes sense, but I need some references to support my concerns before discussing it with our security team. – Dense04 Jun 05 '23 at 11:12
  • You can only issue certs for domains you own; that is why when you create a new cert in ACM, for example, or anywhere with cert providers, it asks you to add some DNS entries to show you are the owner of the domain. You can't create a cert for the .elb.amazonaws.com domain AFAIK. – Abraam Magued Jun 05 '23 at 11:15
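Added illustration (not part of the answer or either commenter's words) of why the sslshopper.com check fails against the ELB name but passes against the CNAME: it applies the same hostname-matching rules a TLS client uses to a constructed SAN list standing in for the certbot certificate for process.domain, and shows how to verify the CLB listener by connecting to the ELB name while presenting and checking the CNAME as SNI.

```python
# Hostname-vs-certificate matching per RFC 6125, as TLS clients and
# checkers such as sslshopper.com apply it. Names are constructed examples.
import socket
import ssl


def san_matches_host(san: str, host: str) -> bool:
    """True if one DNS SAN entry covers `host` (case-insensitive).

    Only a whole leftmost label may be a wildcard ("*.process.domain"); it
    covers exactly one label, so it matches neither the bare parent
    "process.domain" nor a deeper name like "a.b.process.domain".
    """
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    suffix = san[1:]                       # ".process.domain"
    if not host.endswith(suffix):
        return False
    left = host[: -len(suffix)]            # label the wildcard must cover
    return bool(left) and "." not in left


def cert_covers_host(sans: list[str], host: str) -> bool:
    """True if any DNS SAN in the certificate covers `host`."""
    return any(san_matches_host(s, host) for s in sans)


def fetch_sans(connect_host: str, sni_host: str, port: int = 443) -> list[str]:
    """Connect to `connect_host` (the ELB name) but present and verify
    `sni_host` (the CNAME). This checks the listener's certificate against
    the name clients actually use. Needs network; not run offline."""
    ctx = ssl.create_default_context()
    with socket.create_connection((connect_host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni_host) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


# Constructed: names on a certbot/ACM certificate issued for process.domain.
EXAMPLE_SANS = ["process.domain", "*.process.domain"]

if __name__ == "__main__":
    for name in ("myoldapp.process.domain", "process.domain",
                 "my-elb-1234.region.elb.amazonaws.com"):
        print(f"{name}: covered={cert_covers_host(EXAMPLE_SANS, name)}")
```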