How do I upload SSL certificates for my Classic Load Balancer to prevent clients from receiving “untrusted certificate” errors?


A client SSL/TLS connection to my Classic Load Balancer fails with an “untrusted certificate” error message. I also encounter errors when I try to upload SSL/TLS certificates to my Classic Load Balancer.

Short description

A client SSL/TLS connection to a Classic Load Balancer can fail with error messages similar to the following ones:

  • "The security certificate presented by this website was not issued by a trusted certificate authority."
  • "example.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown."
  • "example.com uses an invalid security certificate. The certificate is not trusted because it is self signed."

If you use HTTPS/SSL listeners for your Classic Load Balancer, then you must install an SSL certificate. After you install an SSL certificate, your Classic Load Balancer can terminate SSL/TLS client connections.

There's a validity period for the SSL certificate. You must replace the certificate before its validity period ends. To replace the certificate, create and upload a new certificate.

If you don't upload the intermediate certificate chain along with your certificate, then the load balancer serves only the leaf certificate, and web clients that don't already have the intermediate certificate fail to validate it even though the certificate itself is valid. Use the openssl s_client command to see which certificates the listener actually sends. The s_client command is a generic SSL/TLS client that connects to a remote host and, with the -showcerts option, prints every certificate in the chain that the server presents. Run the following command against the load balancer's DNS name:

openssl s_client -showcerts -connect www.domain.com:443

Note: OpenSSL 1.1.1 and later send the host name as SNI by default; on older versions, add -servername www.domain.com to be explicit.

Look at the Verify return code line at the end of the output. "Verify return code: 21 (unable to verify the first certificate)" means that the server sent only the leaf certificate and no issuer for it was found, so the intermediate certificate chain is missing from the uploaded certificate. "Verify return code: 0 (ok)" means that the presented chain is complete and validates against the trust store of the machine that runs the command. Other non-zero codes, such as 10 (certificate has expired) or 18 (self signed certificate), point to a problem other than a missing intermediate. When you upload SSL certificates, the following reasons can cause errors:

  • You upload certificate files or copy and paste certificates that contain extra white space.
  • You upload certificate files or copy and paste certificates that don't start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.
  • The public key isn't valid.
  • The private key isn't valid.
  • There are issues with the cipher suite or key.

Resolution

To resolve untrusted certificate errors, upload an SSL certificate for your load balancer. Replace the certificate before its validity period ends.

With AWS Certificate Manager (ACM), you can create, import, and manage SSL/TLS certificates. IAM supports importing and deploying server certificates. ACM is the preferred tool to provision, manage, and deploy your server certificates.

To troubleshoot errors that you encounter when you upload SSL certificates, follow these guidelines:

  • Complete the prerequisites for importing certificates.
  • If you use IAM to upload the certificate, then follow the steps to upload a server certificate (AWS API).
  • If you use ACM to import the certificate, then follow the steps to import a certificate.
  • Confirm that the certificate doesn't contain extra white space.
  • Confirm that the certificate starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----.
  • If the error message indicates that the public key certificate isn't valid, then either the public key certificate or the certificate chain isn't valid. If the certificate uploads successfully without the certificate chain, then the certificate chain isn't valid. Otherwise, the public key certificate isn't valid.

If the public key certificate isn't valid, then complete the following steps:

  • Confirm that the public key certificate is in the X.509 PEM format.
  • For examples of valid certificate formats, see Troubleshooting.

If the certificate chain isn't valid, then complete the following steps:

  • Confirm that the certificate chain doesn't contain your public key certificate.
  • Confirm that the certificate chain uses the correct order. The chain must include all intermediate certificates from your Certificate Authority (CA) that lead to the root certificate: it starts with the intermediate certificate that issued your server certificate, continues with each intermediate that issued the one before it, and ends with your CA's root certificate. Typically, a CA provides the intermediate and root certificates in a bundled file that is already in the proper order. Use the intermediate certificates that your CA provides. Don't include any intermediate certificates that aren't involved in the trust path.

If the error indicates that the private key isn't valid, then the private key isn't in the correct format, or it's encrypted. Be sure that the private key follows the format of the private key example in Troubleshooting, and confirm that the key isn't password protected. A key that begins with -----BEGIN ENCRYPTED PRIVATE KEY----- or that contains a Proc-Type: 4,ENCRYPTED header is encrypted. Decrypt it first, for example with openssl pkey -in encrypted.key -out plain.key, and upload the unencrypted output.
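The following script is an added example, not AWS code, that runs the checks from the upload-error list above before you call IAM or ACM: the BEGIN/END marker lines, extra white space around the PEM block, a chain that contains the server certificate, chain order (issuing intermediate first, self-signed root last, verified by comparing each certificate's DER issuer against the next certificate's subject), and a password-protected private key. Its X.509 parser is a minimal DER walker that reads only the issuer and subject Names. The certificates it runs on are constructed, unsigned stubs with the right ASN.1 layout, built inline so the checks run offline; the accepted private key labels (RSA, EC and PKCS#8 PRIVATE KEY) are an assumption, not a list from the article.

```python
"""Pre-upload checks for a PEM server certificate, its chain and its private key."""
import base64
import re

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----\n(.*?)\n-----END CERTIFICATE-----", re.S)


def check_pem_text(text):
    """Formatting problems that make a pasted certificate fail the upload."""
    problems, body = [], text.strip()
    if not body.startswith(BEGIN):
        problems.append("does not start with " + BEGIN)
    if not body.endswith(END):
        problems.append("does not end with " + END)
    if text not in (body, body + "\n"):          # anything beyond one trailing newline
        problems.append("extra white space before or after the PEM block")
    return problems


def pem_to_der(text):
    """Decode every CERTIFICATE block in text to DER bytes, in file order."""
    return [base64.b64decode(m.group(1).replace("\n", "")) for m in PEM_BLOCK.finditer(text)]


def der_tlv(buf, pos=0):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split a constructed DER value into its (tag, value) children."""
    children, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        children.append((tag, val))
    return children


def issuer_and_subject(cert_der):
    """Return the raw DER issuer and subject Names of an X.509 certificate."""
    _, cert, _ = der_tlv(cert_der)              # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, tbs, _ = der_tlv(cert)
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                    # optional explicit [0] version
        fields = fields[1:]
    return fields[2][1], fields[4][1]           # serial, signature, issuer, validity, subject, ...


def check_chain(server_pem, chain_pem):
    """Chain order: each certificate must be issued by the next one; the root comes last."""
    problems, server, chain = [], pem_to_der(server_pem)[0], pem_to_der(chain_pem)
    if server in chain:
        problems.append("chain contains the server certificate itself")
    expected_subject = issuer_and_subject(server)[0]
    for i, cert in enumerate(chain):
        issuer, subject = issuer_and_subject(cert)
        if subject != expected_subject:
            problems.append(f"chain certificate {i} did not issue the certificate before it")
        expected_subject = issuer
    if chain and issuer_and_subject(chain[-1])[0] != issuer_and_subject(chain[-1])[1]:
        problems.append("chain does not end with a self-signed root certificate")
    return problems


def check_private_key(text):
    """The key must be an unencrypted PEM private key (PKCS#1, SEC1 or PKCS#8 label, an assumption)."""
    problems = []
    if not re.match(r"-----BEGIN (RSA |EC )?PRIVATE KEY-----", text.strip()):
        problems.append("not an unencrypted PEM private key (wrong or missing BEGIN line)")
    if "ENCRYPTED" in text:                      # PKCS#8 'ENCRYPTED PRIVATE KEY' or PKCS#1 'Proc-Type: 4,ENCRYPTED'
        problems.append("private key is password protected; decrypt it before uploading")
    return problems


def run_checks(server_pem, chain_pem, key_pem):
    """Every problem found across the three inputs; an empty list means ready to upload."""
    return (check_pem_text(server_pem) + check_pem_text(chain_pem)
            + check_chain(server_pem, chain_pem) + check_private_key(key_pem))


# --- constructed test material: structurally valid, unsigned certificate stubs, no real keys ---
def _der(tag, content):
    n = len(content)
    size = (n.bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + content


def _name(cn):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, here just CN=<cn>."""
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))


def fake_cert_pem(subject, issuer):
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + _name(issuer) + _der(0x30, b"") + _name(subject))
    b64 = base64.b64encode(_der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))).decode()
    return "\n".join([BEGIN, *[b64[i:i + 64] for i in range(0, len(b64), 64)], END]) + "\n"


ROOT = fake_cert_pem("Example Root CA", "Example Root CA")
INTER = fake_cert_pem("Example Issuing CA", "Example Root CA")
LEAF = fake_cert_pem("www.example.com", "Example Issuing CA")
GOOD_KEY = "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"   # placeholder body
ENCRYPTED_KEY = "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nAAAA\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    print("good upload:", run_checks(LEAF, INTER + ROOT, GOOD_KEY))
    print("root first, leaf in chain, encrypted key:", run_checks(LEAF, ROOT + LEAF + INTER, ENCRYPTED_KEY))
```

Run it against your real files by reading them into run_checks in place of the constructed LEAF, INTER + ROOT and GOOD_KEY values; the script checks structure and order only, it does not verify signatures or expiry, so it complements rather than replaces the openssl s_client check after the upload.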

Related information

Importing certificates into AWS Certificate Manager

Certificate and key format for importing

AWS OFFICIAL. Updated 9 months ago.