Why does my AWS Elastic Load Balancer reject SSL connections?


2

Recently, I started getting into security, specifically SSL (HTTPS). Searching Google, I noticed that Amazon Web Services (AWS) offers free SSL certificates for EC2 Load Balancers.

However, I spent a whole day trying to perform the setup, and even following the official and unofficial tutorials, nothing went right.

I have a registered domain on GoDaddy, let’s assume www.meudominio.com. My website is hosted on Amazon Web Services (AWS). I have access to edit both DNS records and any AWS configuration. I read a little about Let's Encrypt, another free version of SSL, but my website is ASP.NET (C#) and runs on IIS Windows, not Linux.

With all this in mind, below is what I tried to do:


1. Obtain SSL certificate from AWS Certificate Manager

I chose the option to check via DNS, which means I have acquired a CNAME record on GoDaddy.

[Image: AWS Certificate Manager page]

[Image: GoDaddy domain records page]

If you look closely at the images above, the values of the CNAME record are in the center of the AWS page. These values have been added to GoDaddy.

2. Edit Load Balancer Listeners

[Image: Load Balancer Listeners]


3. Edit Security Groups

[Image: Load Balancer and Instance Security Groups]

NOTE: Both Inbound and Outbound have been configured with the above information. I also defined these groups for both the Load Balancer and my instance.

4. Edit Route 53 Hosted Zones

[Image: Route 53 Hosted Zone]

The type A record points to the IP of my instance.

The NS record was generated by Amazon (I have acquired GoDaddy’s name servers as well).

The SOA record was generated by Amazon and has not been modified.

The CNAME was approved by me. Again, it contains the values of the SSL certificate.

5. CURL Test

The test with CURL returns: "Failed to connect to www.website.com port 443: Connection timed out."

I don’t know where I went wrong, or why it’s not working. Any help is welcome! Thank you for your attention.

  • At which step did you associate the certificate with your load balancer? During load balancer creation there is the "Configure Security Settings" step where you can select the certificate created in ACM.

  • In step 2. From the image, you can see that there is an SSL certificate associated with the Load Balancer.

  • Oops, I didn’t see it in the picture, I’m glad it worked out!

2 answers

0

The message indicates that it could not connect, so it is not an SSL error; apparently the instance is not responding on port 80. It may be that the service is not running, or is being blocked by the firewall of the operating system. You will probably see that the instance, if it is registered in the load balancer, will not have the status "In Service". For more details, check the load balancer logs.

  • I think you meant that the instance does not answer on port 443, the SSL standard. However, as I said, everything was in operation except access via HTTPS, and the site loaded over HTTP (port 80).

0


Finally, I found the solution to the problem.

The context I was in:

Host: AWS, Domain Provider: External (GoDaddy)

Instance in Elastic Beanstalk running an ASP.NET site, connected to the Load Balancer.

SSL selected to be used in the Load Balancer Listener.

HTTP 80 - HTTP 80

HTTPS 443 - HTTP 80

Load Balancer and Elastic Beanstalk security policies enabling port 443 (HTTPS).

SSL certificate obtained from AWS itself through Certificate Manager. On its page, the certificate was shown as "Issued" and "In Use", that is, in use and certified by Amazon.

At the domain provider (GoDaddy), the Amazon SSL CNAME was registered.

The solution:

I deleted the type A record that pointed to an IP address. The IP in question was that of the Elastic Beanstalk instance, which by default does not connect via HTTPS with the Load Balancer.

I added a new CNAME record, but this time pointing to the Load Balancer. You can find the Load Balancer link in EC2 > Load Balancer. At the bottom of the screen, there is an option "DNS NAME".

After a few minutes, the site should work by forcing https://www.meusite.com

Additional Problems:

At this point, my website only loaded over SSL when forcing https. To resolve this, Amazon has an excellent tutorial:

Redirecting HTTP to HTTPS
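
One way to check for the DNS mistake this answer describes, as an added example that is not part of the original post: it compares the addresses the site name resolves to with those of the load balancer's DNS name, since only the load balancer holds the HTTPS listener and certificate. The load balancer name and all IP addresses below are constructed placeholders; `check_site_reaches_lb`, `run_sample` and the other function names are hypothetical.

```python
import socket

def resolve(host):
    """Live lookup: the set of IPv4 addresses a name currently resolves to."""
    try:
        infos = socket.getaddrinfo(host, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def port_open(ip, port=443, timeout=5):
    """Live TCP check; a timeout here matches the curl error in the question."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_site_reaches_lb(site, lb_dns_name, resolver=resolve):
    """Compare where the site name and the load balancer name resolve."""
    site_ips, lb_ips = set(resolver(site)), set(resolver(lb_dns_name))
    stray = site_ips - lb_ips  # addresses that skip the HTTPS listener
    return {
        "site_ips": sorted(site_ips),
        "lb_ips": sorted(lb_ips),
        "bypasses_lb": sorted(stray),
        "ok": bool(site_ips) and bool(lb_ips) and not stray,
    }

# Constructed sample data: documentation address ranges, hypothetical LB name.
SITE = "www.meudominio.com"
LB = "my-lb-EXAMPLE.us-east-1.elb.amazonaws.com"
LB_IPS = {"198.51.100.5", "198.51.100.6"}
BEFORE = {SITE: {"203.0.113.10"}, LB: LB_IPS}  # A record -> instance IP
AFTER = {SITE: LB_IPS, LB: LB_IPS}             # CNAME -> load balancer

def run_sample(records):
    """Run the check against a constructed record set instead of live DNS."""
    return check_site_reaches_lb(SITE, LB, resolver=lambda h: records.get(h, set()))

if __name__ == "__main__":
    print("A record to instance:  ", run_sample(BEFORE))
    print("CNAME to load balancer:", run_sample(AFTER))
```

For a live check, call `check_site_reaches_lb` with the real site name and the "DNS NAME" value of the load balancer, then `port_open` on each returned address. Load balancer addresses change over time, so compare lookups made at the same moment.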
