 

Route53 for AWS Elastic Search Domain gives certificate error

I have created an AWS elastic search domain in Virginia and got an Endpoint url.

Now I wanted to configure the Route53 behavior around it, so that a caller can use the same url, even though there is some change in elastic search or in case of a disaster recovery.

So,

Virginia Route 53 -- 1 Points to -- Virginia Elastic Search Domain URL
Oregon Route 53 -- 2 Points to -- Oregon Elastic Search Domain URL
Main Route 53 -- 3 Points to -- Route 53 1 or 2

I have already created these and also created and uploaded an SSL certificate with correct SAN entries. But when I execute,

curl https://mainroute53/health
curl https://virginiaroute53/health
curl https://oregonroute53/health

I am getting this error,

curl: (51) Unable to communicate securely with peer: requested domain name does not match the server's certificate.

But when I am calling the Elastic Search URL directly it's working. So I understand this is an issue with the way I am using the certificate. Any help appreciated.

asked Jan 08 '18 19:01

rockyPeoplesChamp




2 Answers

One way you can access Elasticsearch using your custom domain name is to use an API Gateway as an HTTP proxy. But then you have to deal with the authentication part since the Cognito cookies for ES will be pointing to the original domain (*.es.amazonaws.com).

In my experience this is doable and you should be able to use API Gateway (plus Custom Domain Names and Route 53) to achieve what you want (having a custom domain name over ES). It's just that it requires some Cognito knowledge and most likely, some coding (to handle the cookie problem).

answered Nov 13 '22 07:11

Mehran


You can probably work around this by setting up a proxy server in front of the Elasticsearch domain, although it's kind of silly since there appears to also be an ELB inside the Elasticsearch domain. Ah well.

The domain Amazon ES creates for you includes the nodes in the Elasticsearch cluster and resources from several AWS services. When Amazon ES creates your domain, it launches instances into a service-controlled VPC. Those instances are fronted by Elastic Load Balancing (ELB), and the endpoint for the load balancer is published through Route 53. Requests to the domain pass through the ELB load balancer, which routes them to the domain’s EC2 instances.

https://aws.amazon.com/blogs/database/set-access-control-for-amazon-elasticsearch-service/

answered Nov 13 '22 09:11

Ibrahim
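
Added example, not part of the question or either answer: the host name check behind curl error 51, showing why a Route 53 record that points at the Elasticsearch endpoint fails while a proxy that terminates TLS with the uploaded certificate would pass. The host names and the wildcard SAN assumed on the endpoint's certificate are constructed for illustration.

```python
# Added illustration: the name check a TLS client such as curl applies to the
# certificate the server presents. All names below are constructed.

def san_matches(hostname: str, pattern: str) -> bool:
    """RFC 6125-style match: '*' may stand for the whole left-most label only."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False  # a wildcard never spans more than one label
    if pat[0] == "*":
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat


def check_names(requested_names, presented_sans):
    """Map each requested name to the SAN that satisfies it, or None."""
    return {
        name: next((s for s in presented_sans if san_matches(name, s)), None)
        for name in requested_names
    }


# A DNS record only changes which address the client connects to. The client
# still verifies the name it requested against the certificate that endpoint
# serves, and the managed endpoint serves the service's certificate, not the
# uploaded one. Assumed SAN, of the *.es.amazonaws.com family:
ENDPOINT_SANS = ["*.us-east-1.es.amazonaws.com"]
# Hypothetical SANs of the uploaded certificate. It only helps on a host that
# terminates TLS with it, such as a proxy in front of the domain.
UPLOADED_SANS = ["search.example.com", "*.search.example.com"]

REQUESTS = [
    "search-mydomain-abc123.us-east-1.es.amazonaws.com",  # direct endpoint
    "search.example.com",                                 # main record
    "virginia.search.example.com",                        # regional record
]

if __name__ == "__main__":
    for label, sans in (("ES endpoint certificate", ENDPOINT_SANS),
                        ("proxy with uploaded certificate", UPLOADED_SANS)):
        print(label)
        for name, san in check_names(REQUESTS, sans).items():
            verdict = f"OK via {san}" if san else "MISMATCH (curl error 51)"
            print(f"  {name:52} {verdict}")
```

To see the SANs a live endpoint actually presents, `openssl s_client -connect host:443 -servername host` piped into `openssl x509 -noout -text` prints them.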