Application Load Balancer https listener unsecure

0

I use Terraform to provision my infrastructure. Here is how the certificate and ALB are created. Code to create the SSL cert:

resource "aws_acm_certificate" "api_subdomain_domain_certificate" {
  domain_name       = aws_route53_zone.api_sub_domain.name
  validation_method = "DNS"

  tags = local.common_tags
}
resource "aws_route53_record" "cert_validation" {
  for_each = {
    for dvo in aws_acm_certificate.api_subdomain_domain_certificate.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  allow_overwrite = true
  name            = each.value.name
  records         = [each.value.record]
  ttl             = 60
  type            = each.value.type
  zone_id         = aws_route53_zone.api_sub_domain.zone_id 
}

resource "aws_acm_certificate_validation" "ecs_domain_certificate_validation" {
  certificate_arn         = aws_acm_certificate.api_subdomain_domain_certificate.arn
  validation_record_fqdns = [for record in aws_route53_record.cert_validation : record.fqdn]
}

Code to create alb and attach listeners:

resource "aws_lb" "ecs_cluster_alb" {
  name            = "${local.name}-alb"
  internal        = false
  security_groups = [aws_security_group.lb_security_group.id]
  # subnets         = [split(",", join(",", data.terraform_remote_state.infrastructure.outputs.public_subnets))]
  subnets         = [for s in data.aws_subnet.default_vpc_subnets : s.id] #dobt

  tags = local.common_tags
}
resource "aws_lb_listener" "ecs_alb_https_listener" {
  load_balancer_arn = aws_lb.ecs_cluster_alb.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS-1-2-2017-01"
  certificate_arn   = aws_acm_certificate.api_subdomain_domain_certificate.arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.ecs_default_target_group.arn
  }

  depends_on = [aws_lb_target_group.ecs_default_target_group]
}

This certificate gets provisioned successfully, and when I try to access the website using poc-api.eXXXXXXX.com it shows https and works as expected. But when I try to access it via the Load Balancer DNS name I get the warning below:

Websites prove their identity via certificates. Firefox does not trust this site because it uses a certificate that is not valid for poc-app-poc-XXXXXXXXXXX.ap-south-1.elb.amazonaws.com. The certificate is only valid for poc-api.eXXXXXXX.com.

My question is: how can I get the Load Balancer DNS name to also show https and work as it does when I access it through the domain name poc-api.eXXXXXXX.com?

1 Answer
2

Add a subject alternative name to the certificate.

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate#subject_alternative_names

resource "aws_acm_certificate" "api_subdomain_domain_certificate" {
  domain_name       = aws_route53_zone.api_sub_domain.name
  validation_method = "DNS"
  subject_alternative_names = [ "poc-app-poc-XXXXXXXXXXX.ap-south-1.elb.amazonaws.com." ]
  tags = local.common_tags
}
AWS
EXPERT
iBehr
answered a year ago
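To see why the browser accepts one name and rejects the other, here is an added Go example (not code from the question or the answer) that issues a local self-signed certificate in place of the ACM one and applies the same SAN matching a TLS client uses, first with only the API subdomain and then with the ALB DNS name added as a SAN. poc-api.example.com is an assumed stand-in for the masked domain; whether a CA will actually issue a certificate listing a given name is decided by that CA, not by this check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issueTestCert builds a self-signed certificate whose Subject Alternative Name
// extension lists dnsNames; a constructed local stand-in for the ACM certificate.
func issueTestCert(dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		DNSNames:     dnsNames, // the SAN list; this is what the browser checks
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// coversHost applies the SAN matching a TLS client uses for the host it connected to.
func coversHost(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

func main() {
	apiHost := "poc-api.example.com"                                  // assumed stand-in for poc-api.eXXXXXXX.com
	albHost := "poc-app-poc-XXXXXXXXXXX.ap-south-1.elb.amazonaws.com" // ALB DNS name from the question
	cert, _ := issueTestCert([]string{apiHost})                       // certificate as first provisioned
	fmt.Println(coversHost(cert, apiHost), coversHost(cert, albHost)) // true false: the Firefox warning
	cert, _ = issueTestCert([]string{apiHost, albHost})               // ALB name added as a SAN
	fmt.Println(coversHost(cert, albHost))                            // true
}
```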
