AWS SSL certificate with Elastic Beanstalk: HTTPS site not reachable

When I associate an AWS certificate with my Elastic Beanstalk app and visit the domain using https, I get 'This site can’t be reached, mydomain.com refused to connect.' I can visit the site using http.

I created a security certificate with AWS's ACM. I added my domain name, example.com, along with additional names that were subdomains, to the certificate. In my app's environment 'Load balancing' section I set this up:


I set up the security group named awseb-e-abc123-stack-* for my environment as follows: [screenshot of the security group rules]

There is another security group named awseb-e-abc123-stack-AWSEBLoadBalancerSecurityGroup-*, which is as follows. It has the same name tag as the above group, which is the same as my environment name:


It seems, though, that the entries of the "AWSEBLoadBalancerSecurityGroup" security group do nothing, as removing all the entries still allows HTTP traffic to work.

In .elasticbeanstalk\securelistener.config, I have the following

option_settings:
  # Classic Load Balancer listener on port 443 (aws:elb:listener:<port> namespace)
  aws:elb:listener:443:
    SSLCertificateId: <my certificate's ARN>   # ACM certificate ARN
    ListenerProtocol: HTTPS                    # terminate TLS at the load balancer
    InstancePort: 80                           # forward to the instances as plain HTTP

It seems, though, that if I add a syntax error to this file, the deployment still succeeds.

Here is the output of curl -vL https://<my domain>:

* Rebuilt URL to: https://<my domain>/
*   Trying <my elastic IP>...
* connect to <my elastic IP> port 443 failed: Connection refused
* Failed to connect to <my domain> port 443: Connection refused
* Closing connection 0
curl: (7) Failed to connect to <my domain> port 443: Connection refused

I used a separate domain registrar to set up my domain name, and set my domain's DNS A record to my Elastic IP.

[edit]

I had mentioned above that changing the rules of the load balancer security group does nothing. This was because my EC2 instance's security group was pointing to the instance's security group, not the security group of the load balancer. When I pointed the EC2's security group to the load balancer's security group, the security group's rules are exercised. I verified this by removing all the rules from the load balancer security group and seeing that no requests are accepted. However, if I add back the HTTP and HTTPS rules to the load balancer security group but remove all the rules from the instance security group, all HTTP requests are going through. This is NOT expected behavior because the load balancer is supposed to forward traffic to the instance. What seems to be happening is (1) the instance and load balancer security groups are not at all related to the instance and load balancer and (2) no traffic is going to the load balancer.

Is there anything else I'm missing?

[edit 2]

I misread gkrizek's comment. If I use the public DNS of the load balancer, I am able to connect using either HTTP or HTTPS. I am able to connect to both versions using telnet. So instead of creating an A record that set testdomain.com to my Elastic IP, I created a sub.testdomain.com CNAME record set to the load balancer. Now I am able to browse to both http://sub.testdomain.com and https://sub.testdomain.com. Two questions:

  • Is it OK to use the load balancer's public DNS in the CNAME record? I can't use the *.elasticbeanstalk.com URL because it could change, so I'm wondering if the same situation applies here
  • How can I secure https://testdomain.com (no subdomain)? It seems like with this method, it is impossible to have https://testdomain.com since I cannot create an A record with a domain name.
asked Jul 09 '17 by user2233706


1 Answer

The issue is that you have to create a CNAME record with your domain and use the load balancer DNS name as the address. If you use the Elastic IP, the requests will not go to the load balancer.

To answer my last questions:

  • AWS says this is OK
  • You cannot directly do this because AWS does not allow you to assign an Elastic IP to a load balancer. What you can do is have a URL record that redirects testdomain.com to https://www.testdomain.com
answered Sep 20 '22 by user2233706
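The answer above comes down to one question: does the hostname resolve to the load balancer (CNAME to its DNS name) or to an instance address (A record to the Elastic IP)? The following script is an added example, not code from the original poster or from AWS; it classifies whatever `dig +short` returns for a hostname and translates curl's exit status into what it means for this setup (the `curl: (7) Connection refused` in the question is exactly the "A record to an instance" case, since the instance has nothing listening on 443). The suffix checks assume the AWS naming conventions: a classic ELB's DNS name ends in `.elb.amazonaws.com`, an Elastic Beanstalk environment CNAME ends in `.elasticbeanstalk.com`. The live checks need network access and only run when a hostname is passed as an argument.

```shell
#!/bin/sh
# Added diagnostic for the situation in this thread (example code, not from the
# original poster): does the hostname actually reach the Elastic Beanstalk load
# balancer, or does its A record send browsers straight to an instance?
# Assumed names: the classic ELB's DNS name ends in .elb.amazonaws.com, the
# environment CNAME ends in .elasticbeanstalk.com; both are AWS conventions.

# classify_target: given one line of `dig +short` output (an IP address or a
# CNAME target), report where that record actually delivers traffic.
classify_target() {
    target=$(printf '%s' "$1" | sed 's/\.$//')    # drop a FQDN's trailing dot
    case "$target" in
        '')
            echo "no-record" ;;
        *.elb.amazonaws.com)
            # CNAME to the load balancer itself: its listeners (80 and 443) apply.
            echo "load-balancer" ;;
        *.elasticbeanstalk.com)
            # The environment CNAME: also goes through the load balancer today, but
            # the poster points out that this name can be repointed (CNAME swap).
            echo "eb-environment-cname" ;;
        *[!0-9.]*)
            echo "other-name" ;;
        *)
            # Bare IPv4. An Elastic IP is attached to an instance, never to an ELB,
            # so an A record like this bypasses the load balancer and its HTTPS listener.
            echo "instance-ip" ;;
    esac
}

# explain_curl_exit: translate curl's exit status for http(s)://<domain>/ into
# what it means for this setup.
explain_curl_exit() {
    case "$1" in
        0)     echo "request succeeded" ;;
        7)     echo "connection refused: nothing listens on that port at the resolved address" ;;
        28)    echo "timed out: a security group is probably dropping the packets" ;;
        35)    echo "TLS handshake failed: port open but no HTTPS listener behind it" ;;
        51|60) echo "certificate not trusted or does not match the hostname" ;;
        *)     echo "curl exit status $1" ;;
    esac
}

# run_checks: live checks against a real hostname (network access required).
run_checks() {
    domain=$1
    for rr in $(dig +short "$domain"); do
        printf '%s -> %s (%s)\n' "$domain" "$rr" "$(classify_target "$rr")"
    done
    for scheme in http https; do
        rc=0
        curl -sS -o /dev/null --max-time 10 "$scheme://$domain/" || rc=$?
        printf '%s://%s : %s\n' "$scheme" "$domain" "$(explain_curl_exit "$rc")"
    done
}

# Usage: sh eb-https-check.sh sub.testdomain.com
if [ $# -gt 0 ]; then
    run_checks "$1"
fi
```

Run it once against the apex name and once against the subdomain from the thread: the apex shows `instance-ip` and `connection refused` for https, the CNAME'd subdomain shows `load-balancer` and both schemes succeeding. The `eb-environment-cname` result is deliberately separate from `load-balancer` because of the poster's first question: pointing at the load balancer's own DNS name avoids the environment URL that a CNAME swap would repoint.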