CA Signed third party SSL Certificate for Tomcat on EC2

0

I have a Tomcat server on EC2, with an application load balancer, and it needs to be encrypted. The Tomcat server caters to an application that opens up on my custom domain, say www.mydomain.com/somebusiness. I had installed an ACM-provided certificate on the ELB, but the traffic from port 443 to the Tomcat server cannot be served by the AWS certificate, which means I needed another certificate separately for Tomcat. I tried using a self-generated cert but kept getting "Your connection is not private, attackers might be trying to steal your information from ...", which made me go for a CA-signed certificate, hoping it would solve the problem. The real problem started here for me. My certificate is issued for www.mydomain.com and I installed the certificate on the load balancer, which still has a DNS name https://blappity.loadbalancer.amazon.aws.com. Technically my certificate now rejects this because of the domain name mismatch. Bottom line, I cannot provide a custom DNS name for my load balancer, for unavoidable reasons, which eliminates the Route 53 option for me. What would be the best way forward for me to align the custom domain with the ELB at this point? P.S.: I do have a CNAME mapping for the load balancer in my DNS database.

2 Answers
0

So long as your self-signed cert is installed on Tomcat and you connect to your ALB via HTTPS, then this will work.

If you have your own CA SSL cert imported into ACM and applied to the ALB, the subject of the cert needs to match the DNS name of the requests.

Route53/DNS makes no difference to which certificate you use.

How and where were you seeing your "connection not private" error? To me it sounds like you're going direct to the EC2 instance rather than via the ALB when you see this error.

answered 8 months ago
  • Thanks Gary. I am hitting the ELB for sure, and the ELB has CNAME entries in my provider as I mentioned earlier. There is a "Not Secure" alert right by the protocol window on the browser, and the warning when I go to the URL is "Your connection to this site is not secure", and I have to click the advanced link to proceed at my risk. The funny thing is, I got this warning when I installed my self-signed certificate on Tomcat, and looking around the web I understood self-signed certs are not considered safe. So I went ahead and purchased a CA-signed cert and installed that, and ensured my Tomcat config accepted the AJP -> port 8443 flow. I am still seeing the same error, but I can assure you I am hitting the ELB and not EC2.

  • That's not AWS causing that then. That's certificate related. What DNS name are you connecting to? AWS does not care about self-signed certs on targets.

  • Are you using a NLB or ALB?
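The two failures discussed in this answer and its comments are distinct: a browser rejects a self-signed leaf because the chain is untrusted, and it rejects a CA-signed cert when the hostname in the URL (which is also what it sends as SNI; a CNAME does not change it) is not in the certificate's Subject Alternative Names. The script below is an added example, not from this thread or from AWS; the host names are constructed placeholders taken from the question, and `probe()` needs network access while the name-matching helpers run offline.

```python
import socket
import ssl

# Constructed placeholders from the thread, not real hosts.
CUSTOM_HOST = "www.mydomain.com"
ALB_HOST = "mydomaincloudlb-XXXXXXX.us-east-1.elb.amazonaws.com"


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS-ID match: exact, or a single leftmost '*' label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Wildcard only in the leftmost label, never for a bare TLD like *.com.
    if len(p_labels) != len(h_labels) or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(cert: dict, hostname: str) -> bool:
    """True if a getpeercert()-shaped dict lists hostname among its DNS SANs."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(name_matches(san, hostname) for san in sans)


def probe(connect_host: str, sni_host: str, port: int = 443) -> dict:
    """Connect to connect_host, send sni_host as SNI (what a browser does for the
    URL hostname), and report which of the two failures applies, if any."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # chain and name are reported separately below
    try:
        with socket.create_connection((connect_host, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni_host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:  # e.g. self-signed leaf on the target
        return {"trusted_chain": False, "reason": exc.verify_message, "covers_sni": None}
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {"trusted_chain": True, "sans": sans, "covers_sni": cert_covers(cert, sni_host)}


if __name__ == "__main__":
    # Going through the CNAME: the browser sends the custom name as SNI.
    print(CUSTOM_HOST, probe(CUSTOM_HOST, CUSTOM_HOST))
    # Hitting the ALB's own DNS name: the CA cert for www.mydomain.com cannot cover it.
    print(ALB_HOST, probe(ALB_HOST, ALB_HOST))
```

A result of `trusted_chain: False` points at the self-signed certificate; `trusted_chain: True` with `covers_sni: False` is the hostname mismatch the CA's support team describes, and the fix is to connect by the name in the SANs rather than by the ALB's DNS name.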

0

I am using an ALB. Here is the thing, the CA provider support folks are saying "www.mydomain.com" on which the certificate is issued, does not match the ALB DNS "https://mydomaincloudlb-XXXXXXX.us-east-1.elb.amazonaws.com/mydomain/blah" so the TLS handshake isn't happening. While I am trying to tell them the CNAME mapping for this DNS maps to "www.mydomain.com".

answered 8 months ago
