
SSL Certificates On Elastic Beanstalk Default Setup

I'm in the process of moving from another cloud provider. Currently I'm just testing in the default environment that has a URL looking like this:

http://example-env-1.us-east-1.elasticbeanstalk.com

I'm trying to get SSL/HTTPS working for this address. I then plan on using a CNAME to redirect to this address and eventually move the nameservers over completely.

However, after setting everything else up successfully, I get to the point of adding the certificates and it just says "failed":


And even though I have my actual "example.com" SSL certificate successfully issued, nothing shows up in the load balancer certificate selection dropdown (and yes, I have refreshed):


How do I enable SSL using the Certificate Manager?

like image 363
Amy Neville asked Apr 01 '16 08:04



1 Answer

That's because you are trying to request a cert for the elasticbeanstalk.com domain. You will not be able to get a cert for that domain as you are not the owner of it :). Nor can you set up HTTPS for the default Elastic Beanstalk domains they give you.

You should use ACM to get a certificate for your custom domain, the one you plan on making a CNAME record for.

Example:

If you were to own, say, the domain amyneville.com, you could create a cert through ACM for that domain.

If you use your custom domain, you do NOT need to get a cert for the elasticbeanstalk.com domain.

A couple more things:

You cannot create a CNAME record on a TLD (amyneville.com). You can create the CNAME record for www.amyneville.com. So if you want to use the CNAME approach you will have to create a non-www redirect to www.

But better than a CNAME would be to use an A record and point it to the Elastic Beanstalk resource that was set up. So the load balancer that was created for you, use its A record.

Last but not least, you cannot apply the ACM cert through the Elastic Beanstalk console. Instead you will have to use the AWS CLI tools. Here's a link on how to do it: https://stackoverflow.com/a/35173500/1445460

like image 72
Kirill Fuchs answered Sep 28 '22 04:09
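
The steps the answer describes (request the ACM certificate for a domain you own, then attach it with the AWS CLI), as an added example that is not part of the original answer or the answer it links to. It only prints the commands and runs nothing against AWS; the domain, environment name and certificate ARN are constructed placeholders, and the `aws:elb:listener:443` option settings assume the environment uses a classic load balancer.

```shell
#!/bin/sh
# Added example: dry-run planner for putting an ACM certificate on an
# Elastic Beanstalk environment. All names and ARNs below are constructed.

# ACM only issues for domains whose ownership you can prove, so reject
# anything under elasticbeanstalk.com (case-insensitive) and bare labels.
cert_domain_ok() {
  d=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  case "$d" in
    elasticbeanstalk.com|*.elasticbeanstalk.com) return 1 ;;
    *.*) return 0 ;;
    *) return 1 ;;
  esac
}

# Option settings for an HTTPS listener on 443 that terminates TLS with the
# given certificate ARN and forwards to the instances over HTTP on port 80.
https_listener_options() {
  ns="aws:elb:listener:443"
  printf '[\n'
  printf ' {"Namespace":"%s","OptionName":"ListenerProtocol","Value":"HTTPS"},\n' "$ns"
  printf ' {"Namespace":"%s","OptionName":"SSLCertificateId","Value":"%s"},\n' "$ns" "$1"
  printf ' {"Namespace":"%s","OptionName":"InstancePort","Value":"80"},\n' "$ns"
  printf ' {"Namespace":"%s","OptionName":"InstanceProtocol","Value":"HTTP"}\n' "$ns"
  printf ']\n'
}

# Print the AWS CLI steps for one domain and environment; nothing is executed.
plan_https() {
  domain=$1 env_name=$2 cert_arn=$3
  if ! cert_domain_ok "$domain"; then
    echo "refusing $domain: request the certificate for a domain you own" >&2
    return 1
  fi
  echo "aws acm request-certificate --domain-name $domain --validation-method DNS"
  echo "aws elasticbeanstalk update-environment --environment-name $env_name --option-settings file://https-options.json"
  echo "# contents of https-options.json:"
  https_listener_options "$cert_arn"
}

# Constructed sample run: a custom domain is planned, the default one is refused.
plan_https "www.example.com" "example-env-1" \
  "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE-ID"
plan_https "example-env-1.us-east-1.elasticbeanstalk.com" "example-env-1" "unused" || true
```

The certificate ARN passed to `plan_https` is the one `request-certificate` returns once the certificate has been validated and issued.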