When I associate an AWS certificate with my Elastic Beanstalk app and visit the domain using https, I get 'This site can’t be reached, mydomain.com refused to connect.' I can visit the site using http.
I created a security certificate with AWS's ACM. I added my domain name, example.com, along with additional names that were sub domains to the certificate. In my app's environment 'Loading balancing' section I set this up:
I set up the SecurityGroup named awseb-e-abc123-stack-* for my environment as follows:
There is another security group named awseb-e-abc123-stack-AWSEBLoadBalancerSecurityGroup-*, which is as follows. It has the same name tag as the above group, which is the same as my environment name:
It seems, though, that the entries of the "AWSEBLoadBalancerSecurityGroup" security group do nothing, as removing all the entries still allows HTTP traffic to work.
In .elasticbeanstalk\securelistener.config, I have the following:
option_settings:
  aws:elb:listener:443:
    SSLCertificateId: <my certificate's ARN>
    ListenerProtocol: HTTPS
    InstancePort: 80
It seems, though, if I add a syntax error in this file, the deployment still succeeds.
Here is the output of curl -vL https://<my domain>:
* Rebuilt URL to: https://<my domain>/
* Trying <my elastic IP>...
* connect to <my elastic IP> port 443 failed: Connection refused
* Failed to connect to <my domain> port 443: Connection refused
* Closing connection 0
curl: (7) Failed to connect to <my domain> port 443: Connection refused
I used a separate domain name registrar to set up my domain name, and set my domain's DNS A record IP address equal to my Elastic IP.
[edit]
I had mentioned above that changing the rules of the load balancer security group does nothing. This was because my EC2 instance's security group was pointing to the instance's security group, not the security group of the load balancer. When I pointed the EC2's security group to the load balancer's security group, the security group's rules are exercised. I verified this by removing all the rules from the load balancer security group, and seeing that no requests are accepted. However, if I add back the HTTP and HTTPS rules to the load balancer security group but remove all the rules from the instance security group, all HTTP requests are going through. This is NOT expected behavior because the load balancer is supposed to forward traffic to the instance. What seems to be happening is (1) the instance and load balancer security groups are not at all related to the instance and load balancer and (2) no traffic is going to the load balancer.
Is there anything else I'm missing?
[edit 2]
I misread gkrizek's comment. If I use the public DNS of the load balancer, I am able to connect using either HTTP or HTTPS. I am able to connect to both versions using telnet. So instead of creating an A record that set testdomain.com to my Elastic IP, I created a sub.testdomain.com CNAME record set to the load balancer. Now I am able to browse to both http://sub.testdomain.com and https://sub.testdomain.com. Two questions:
https://testdomain.com (no sub domain). It seems like with this method, it is impossible to have https://testdomain.com since I cannot create an A record with a domain name.
You can use SSL certificates to secure web applications deployed on Elastic Beanstalk in a couple of ways: Attach SSL certificates to the application load balancer.
The issue is that you have to create a CNAME record with your domain and use the load balancer DNS name as the address. If you use the Elastic IP, the requests will not go to the load balancer.
To answer my last questions:
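Added example, not part of the original question or answer: a small Python check that reads `curl -v` output like the one above and reports whether the connection went to the load balancer's addresses or to some other host (such as an Elastic IP on the instance), in which case the 443 listener and the load balancer security group never see the traffic. The function names, sample hostnames and IP addresses are constructed for illustration; only IPv4 is handled.

```python
import re
import socket

# Lines curl -v prints while connecting (IPv4 only in this sketch).
TRYING = re.compile(r"^\*\s+Trying (\d{1,3}(?:\.\d{1,3}){3})", re.M)
REFUSED = re.compile(
    r"^\*\s+connect to (\S+) port (\d+) failed: Connection refused", re.M)

def resolve(host):
    """IPv4 addresses a name resolves to, e.g. the load balancer's DNS name."""
    return {ai[4][0] for ai in socket.getaddrinfo(host, None, socket.AF_INET)}

def diagnose(curl_verbose, lb_ips):
    """Classify a curl -v transcript against the load balancer's address set.

    Returns (verdict, addresses):
      bypasses-load-balancer  curl tried an address that is not the balancer's
      load-balancer-refused   the balancer itself refused (listener / SG issue)
      via-load-balancer       traffic reached the balancer's addresses
      no-connection-attempt   nothing to judge (e.g. DNS failure)
    """
    tried = set(TRYING.findall(curl_verbose))
    refused = {ip for ip, _port in REFUSED.findall(curl_verbose)}
    if not tried:
        return ("no-connection-attempt", [])
    off_lb = sorted(tried - set(lb_ips))
    if off_lb:
        return ("bypasses-load-balancer", off_lb)
    if refused:
        return ("load-balancer-refused", sorted(refused))
    return ("via-load-balancer", sorted(tried))

# Constructed sample: the A record points at an Elastic IP (203.0.113.10),
# while the load balancer's DNS name resolves to 198.51.100.7 and .8.
SAMPLE_LB_IPS = {"198.51.100.7", "198.51.100.8"}
SAMPLE_CURL = """\
* Rebuilt URL to: https://example.test/
*   Trying 203.0.113.10...
* connect to 203.0.113.10 port 443 failed: Connection refused
* Failed to connect to example.test port 443: Connection refused
"""

if __name__ == "__main__":
    # Against a live setup, pass resolve("<load balancer DNS name>") as lb_ips.
    print(diagnose(SAMPLE_CURL, SAMPLE_LB_IPS))
```

A `bypasses-load-balancer` verdict matches the symptoms described in the question: HTTP works because the instance answers on port 80 directly, and changes to the load balancer's security group have no effect.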