ERR_SSL_VERSION_OR_CIPHER_MISMATCH when Route 53 fails over from EC2 to CloudFront static site

0

Hi, I am experiencing an SSL/TLS issue with my AWS setup involving Route 53, EC2, and CloudFront across different regions.

When my EC2 instance in Paris is running, traffic to something.example.fr is correctly directed to this instance, and everything works fine. I have configured Route 53 to failover to something2.example.fr (CloudFront static site in us-east-1) when the EC2 instance is down. When I stop the EC2 instance, Route 53 does attempt to failover, but users see an SSL/TLS error:

This site can't provide a secure connection something.example.fr uses an unsupported protocol. ERR_SSL_VERSION_OR_CIPHER_MISMATCH

How do I configure SSL/TLS correctly on my EC2 instance, CloudFront distribution, and Route 53 failover setup to resolve this ERR_SSL_VERSION_OR_CIPHER_MISMATCH error and ensure a seamless, secure failover from something.example.fr to something2.example.fr? Thank you

randa
asked 3 months ago, 281 views
3 Answers
1

Hi Randa,

Please try this solution; it will be helpful for you.

To resolve the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error and ensure a seamless, secure failover from your EC2 instance to your CloudFront distribution, start by ensuring both the EC2 instance and CloudFront are using valid and correctly configured SSL certificates. Use AWS Certificate Manager (ACM) to obtain an SSL certificate and install it on your EC2 instance in Paris. Attach this certificate to your CloudFront distribution in the us-east-1 region. Make sure your CloudFront distribution includes something2.example.fr as an alternate domain name and is configured to use the latest SSL/TLS protocols and ciphers. Set up Route 53 with a primary record for something.example.fr pointing to your EC2 instance and a secondary record pointing to your CloudFront distribution, configured with a failover routing policy. Ensure your Route 53 health checks are properly configured to monitor the health of the EC2 instance. By aligning the SSL/TLS configurations across both the EC2 instance and CloudFront, you will enable seamless failover without encountering SSL/TLS errors.

Please look at the AWS documentation; you will get more information.

https://docs.aws.amazon.com/AmazonS3/latest/userguide/website-hosting-custom-domain-walkthrough.html

https://stackoverflow.com/questions/42844989/cloudfront-distribution-and-aws-issued-certificate-gives-ssl-error-no-cypher-ove

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/welcome-dns-service.html#welcome-dns-service-how-route-53-routes-traffic

EXPERT
answered 3 months ago
  • Thanks for the response @Parthasaradi, but I've already tried that approach and it didn't work for my situation.

0
Accepted answer

Hello,

To resolve the SSL/TLS issue, you need to ensure that both the primary and failover endpoints are properly configured with SSL/TLS certificates. If you're using custom SSL certificates provided by third-party providers on the EC2 instance, you must import the wildcard certificate (*.example.fr) into AWS Certificate Manager, configure the SSL/TLS certificate for CloudFront, and add alternate domain names for the distribution.

Route 53 DNS Records:

  1. Configure the primary record for something.example.fr to point to the EC2 instance.
  2. Set up a health check for the EC2 instance to determine its availability.
  3. Configure the failover record for something.example.fr to point to the CloudFront distribution.
  4. Ensure the health check is associated with the primary record so that failover occurs when the EC2 instance is down.

The alternate approach would be using origin failover.

You can make use of CloudFront origin failover to fail over to a secondary instance in another region when a primary origin is unavailable, instead of Route 53 failover routing: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/high_availability_origin_failover.html

Here's how you can set up EC2 as an origin for CloudFront: https://aws.amazon.com/cloudfront/getting-started/EC2/

This way you could probably have EC2 instances in two regions, use origin groups to configure the primary and secondary EC2 instances as origins for CloudFront, and the distribution can fail over to the secondary origin if the primary is unhealthy.

EXPERT
answered 3 months ago
  • Thank you for the reply @Sivaraman Selvam. I can't set EC2 as an origin for CloudFront because I have an application configured with ELB, and in the Paris region I have a Lambda function. When the EC2 instance is running: the Lambda function sets the Route 53 record to route traffic to the ELB (Value/Route traffic to: Load Balancer), allowing access to the application. When the EC2 instance is stopped: the Lambda function updates the Route 53 record to route traffic to the CloudFront distribution URL (Value/Route traffic to: CloudFront URL).

0

Just to confirm, there is no problem if I access something2.example.fr, right?

I think the reason is that you are accessing something2.example.fr as something.example.fr, so the domains you are accessing do not match.

If the CloudFront side can also be accessed as something.example.fr, then my idea needs to be revised.

EXPERT
shibata
answered 3 months ago
  • Thank you for the reply @shibata. Yes, accessing something2.example.fr directly does not pose any issues.
    I added the Lambda function. When the EC2 instance is running: the Lambda function sets the Route 53 record to route traffic to the ELB (Value/Route traffic to: Load Balancer), allowing access to the application. When the EC2 instance is stopped: the Lambda function updates the Route 53 record to route traffic to the CloudFront distribution URL (Value/Route traffic to: CloudFront URL). This ensures that users see a static maintenance page hosted on CloudFront instead of encountering an error.
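As an added example (not code from this thread or from AWS), the script below covers the point made in both the accepted answer and shibata's answer: the failover hostname must be listed as an alternate domain name on the CloudFront distribution and be covered by its certificate, or the handshake fails with ERR_SSL_VERSION_OR_CIPHER_MISMATCH. It also builds the Route 53 ChangeBatch for the accepted answer's steps 1 to 4, assuming boto3 dict shapes, a primary alias to the load balancer the asker mentions, and a constructed sample distribution config.

```python
# Added example, not code from this re:Post thread or from AWS. Dict shapes follow
# boto3's cloudfront.get_distribution_config and route53.change_resource_record_sets.
CLOUDFRONT_ALIAS_ZONE_ID = "Z2FDTNDATAQYW2"  # fixed hosted zone ID for CloudFront alias targets

def hostname_covered(hostname, names):
    """True if a SAN or alternate-domain-name entry covers hostname.
    A wildcard matches exactly one label, as TLS clients require."""
    host = hostname.lower().rstrip(".")
    for name in (n.lower().rstrip(".") for n in names):
        if name.startswith("*."):
            suffix = name[1:]  # "*.example.fr" -> ".example.fr"
            if host.endswith(suffix) and "." not in host[:-len(suffix)]:
                return True
        elif name == host:
            return True
    return False

def failover_preflight(failover_host, dist_config, cert_sans):
    """Problems that surface as ERR_SSL_VERSION_OR_CIPHER_MISMATCH once the
    failover record sends failover_host to the distribution."""
    problems = []
    aliases = dist_config.get("Aliases", {}).get("Items", [])
    if not hostname_covered(failover_host, aliases):
        problems.append(f"{failover_host} is not an alternate domain name on the distribution")
    if not hostname_covered(failover_host, cert_sans):
        problems.append(f"the distribution's certificate does not cover {failover_host}")
    if dist_config.get("ViewerCertificate", {}).get("CloudFrontDefaultCertificate"):
        problems.append("distribution still serves the default *.cloudfront.net certificate")
    return problems

def failover_change_batch(name, lb_dns, lb_zone_id, health_check_id, cf_domain):
    """Route 53 ChangeBatch for one name: PRIMARY alias to the load balancer, gated by
    the health check, and SECONDARY alias to the CloudFront distribution (steps 1-4)."""
    def alias(set_id, role, target, zone_id, **extra):
        return {"Action": "UPSERT", "ResourceRecordSet": {
            "Name": name, "Type": "A", "SetIdentifier": set_id, "Failover": role,
            "AliasTarget": {"HostedZoneId": zone_id, "DNSName": target,
                            "EvaluateTargetHealth": False}, **extra}}
    return {"Changes": [
        alias("primary", "PRIMARY", lb_dns, lb_zone_id, HealthCheckId=health_check_id),
        alias("secondary", "SECONDARY", cf_domain, CLOUDFRONT_ALIAS_ZONE_ID)]}

# Constructed sample reproducing the thread's misconfiguration: the distribution and
# certificate only know something2.example.fr, so something.example.fr fails the handshake.
SAMPLE_DIST = {"Aliases": {"Quantity": 1, "Items": ["something2.example.fr"]},
               "ViewerCertificate": {"CloudFrontDefaultCertificate": False,
                                     "ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/PLACEHOLDER"}}
SAMPLE_SANS = ["something2.example.fr"]
```

Running `failover_preflight("something.example.fr", SAMPLE_DIST, SAMPLE_SANS)` against the sample reports both the missing alternate domain name and the certificate gap; the fix is to add something.example.fr (or *.example.fr) to the distribution's aliases and to the ACM certificate in us-east-1 before the failover record is created.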
