Using an ACM Certificate to Secure my Apps Running on EC2 Instances

0

I have EC2 Servers running various applications. These servers are running LAMP using UBUNTU. I understand that ACM certificates cannot be applied directly to the EC2 instance. However, it seems I could use CloudFront, an Application Load Balancer, or an Amazon API Gateway to provide an SSL secure interface to my applications. Which is the best solution? Do you have a procedure to accomplish this?

I have tried both CloudFront and a Load Balancer, but I seem to get stuck at various points. My servers are in us-east-2 (ohio) but AWS insists that my certificate must be in us-east-1. My current attempt using CloudFront returns "Hmmm… can't reach this page" suggesting that the link between CloudFront and my EC2 instances isn't being made.

I would appreciate any thoughts. While my specific configuration may be less common, it seems like the general issues should be farly common.

2 Answers
1

If your main requirement is to enable SSL, you can forgo the Cloudfront distribution entirely.

Simple provision an application load balancer with an AWS-provided certificate within the same region as your EC2 instance then create a CNAME record point to the application load balancer's public domain.

profile picture
Bisina
answered 9 months ago
  • Thank you and very helpful. I had determined that it was likely that CloudFront was unnecessary, but I greatly appreciate your confirmation. I think I am getting hung up with specifying the target group and having the certificate in in us-east-1 when my EC2 instances are in us-east-2. I will take another crack at it.

    Unfortunately, my DNS is IONOS but I think I have this part figured out. However, will I need a certificate at the DNS for might sites to be deemed secure, or will the certificate on the load balancer suffice?

  • You do not need a certificate at the DNS provider. The certificate assigned to the load balancer will sure your connections to the EC2 instances. DNS only routes the traffic to the relevant endpoint and SSL termination happens at this endpoint in this instance it would be the application load balancer.

  • Thanks again. At this point I remain stuck on the requirement that my ACM Certificate must be in us-east-1 and my EC2 instances and load balancer are (or need to be) in us-east-2. If I create my load balancer in the us-east-2 (Ohio) I can't reach my certificate in us-east-1. If I create my load balancer in us-east-1 (Virginia), I can't reach the EC2 instances us-east-2. What am I missing?

  • You can simply request a new certificate in us-east-2 so all your resources would be in the same region. The us-east-1 requirement for an ACM certificate is only when you need to configure CloudFront.

  • Yes, thanks again for your response. I have successfully initiated a load balancer, attached my certificates, and attached my EC2 instances. My domain names now point to the AWS load balancer instance and this works properly in the sense that my web pages are served. However, my domains are still shown as not secure when I access them with http://example.com, example.com, or www.example .com (I am using example.com in place of my actual domain names). When I use https://example.com, I get a Web page with the message that "The connection for this site is not secure." My domain is being forwarded to the load balancer. In the https listener I am forwarding traffic to my EC2 instance. Do I need to set up authentication in the listner? If so how is the accomplished. There is a lot about OIDC but it is not clear what might be required. Is there another parameter that must be tweaked?

0

A web application using CloudFront, ALB, and EC2 is a fairly common configuration.

The ACM certificate to be set up for CloudFront must be issued in us-east-1 as described in this document.
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.html#https-requirements-aws-region

The following documents may be helpful in troubleshooting CloudFront and ALB access.
https://repost.aws/knowledge-center/custom-origin-cloudfront-fails

profile picture
EXPERT
answered 9 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions