HTTPS without a custom domain?

0

Hi All,

I spent half a day digging through the internet and the AWS docs, but I didn't find an answer to my question. Is it possible to create a secure connection between a load balancer and an external server with a self-signed certificate, without a custom domain?
If it is possible, can you tell me how?

Franyek
asked 7 years ago · 2874 views
4 Answers
0

Very coincidentally, this is exactly what I've been experimenting with today. I've been trying out various ACM (Amazon Certificate Manager) created certs with it. ACM will not allow creating a cert for an AWS domain (such as one ending in *.elasticbeanstalk.com), so I did have to use a custom domain I have registered with Route53.

Once I used a custom domain for the cert (using both customname.com and *.customname.com as a second name), created the Route53 CNAME to my EB environment and added the cert to the ELB, SSL worked fine.

I do not know if certs requested other than through ACM will do what you want, but I thought it might be helpful to pass it along.

Edited by: DougToppin on Feb 20, 2017 11:10 AM

answered 7 years ago
0

Are you asking about having an ELB health-check a non-hosted server and serve traffic to it? If that's the case, then no.

answered 7 years ago
0

Part of HTTPS is encryption; the other part is identity verification. What you're asking for is impossible, since it is required that you can verify you own/operate the domain in question; otherwise no certificate authority will sign a certificate for you, and hence there is no chain leading to a root on any devices connecting, giving an "invalid domain name" type error.

You can suppress the error on the client (which in this case is the ELB, where you can't), but you will never have a publicly valid certificate if it's self-signed.

nickdnk
answered 7 years ago
0

The self-signed certificate provides encryption, but browsers may show certificate warnings since it's not signed by a trusted CA. You can obtain this as follows:

  • Create an SSL/TLS certificate using the openssl command or a similar tool and upload it to IAM.
  • Create an HTTPS listener on the load balancer and specify the IAM certificate.
  • Configure the external server with the same certificate so that it can be validated by the load balancer.
  • Open the necessary security group ports (443 in this case) to allow traffic between the load balancer and the external server.
  • Test the connection using OpenSSL s_client or a browser to verify that encryption is working properly with the self-signed certificate. No domain name is required, as the certificate will be validated based on its contents.
answered a month ago
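The two answers above pull in opposite directions: one says identity verification is impossible without a domain, the other says a self-signed certificate can be validated "based on its contents". The following script, an added example that is not part of the original thread or of any AWS tooling, shows both halves with the openssl CLI: it mints a self-signed certificate whose subjectAltName is an IP address (no DNS name anywhere), then demonstrates that ordinary chain validation against the system trust store rejects it, while a client that pins that exact certificate as its trust anchor can still verify both the chain and the address it is connecting to. The address 10.0.0.5 and the file names are assumed example values; the script requires openssl 1.1.1 or newer on PATH.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes the openssl CLI (1.1.1+)
# is on PATH. The backend address 10.0.0.5 is a hypothetical example value.

# Generate a private key and a self-signed certificate for the given address,
# writing key.pem and cert.pem into directory $1. The SAN carries only an IP
# entry, so no domain name is involved.
make_selfsigned_cert() {
    dir=$1; addr=$2
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -subj "/CN=$addr" \
        -addext "subjectAltName=IP:$addr" \
        -addext "extendedKeyUsage=serverAuth" >/dev/null 2>&1
}

# What an ordinary client does: build a chain to the system trust store.
# A self-signed certificate never chains to a public root, so this fails
# (non-zero exit) regardless of what the certificate contains.
verify_with_system_trust() {
    openssl verify "$1" >/dev/null 2>&1
}

# What a pinning client does: treat cert.pem itself as the sole trust anchor
# and additionally require the leaf's SAN to match the address being dialled.
# Succeeds only when the pinned cert is presented AND the IP matches.
verify_with_pinned_cert() {
    cert=$1; addr=$2
    openssl verify -CAfile "$cert" -verify_ip "$addr" "$cert" >/dev/null 2>&1
}

# Print the SAN so the reader can confirm there is no DNS name in the cert.
show_san() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name'
}

# Stand-alone walk-through; expected rejections are reported, not fatal.
demo() {
    work=$(mktemp -d)
    make_selfsigned_cert "$work" 10.0.0.5 || { echo "cert generation failed"; return 1; }
    show_san "$work/cert.pem"
    if verify_with_system_trust "$work/cert.pem"; then
        echo "unexpected: self-signed cert chained to a system root"
    else
        echo "system trust store: rejected (no chain to a trusted root), as expected"
    fi
    if verify_with_pinned_cert "$work/cert.pem" 10.0.0.5; then
        echo "pinned cert + matching IP 10.0.0.5: OK"
    fi
    if ! verify_with_pinned_cert "$work/cert.pem" 10.0.0.6; then
        echo "pinned cert + wrong IP 10.0.0.6: rejected, as expected"
    fi
    rm -rf "$work"
}
demo
```

The cert.pem/key.pem pair produced here is what the answer above uploads with `aws iam upload-server-certificate` for the listener side. The pinned check in verify_with_pinned_cert is the only way a self-signed backend certificate yields identity verification rather than just encryption, so whether the load balancer actually gets that property depends on the ELB type: a Classic Load Balancer can pin the backend's public key through a backend server authentication policy, while Application and Network Load Balancers encrypt to the target but do not validate the target's certificate at all.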