HTTPS access error – browsers don’t see the certificate used for configuring SSL in Elastic Load Balancer

0

Hi,

I configured SSL offload on Elastic Load Balancer using a certificate from AWS Certificate Manager.

The HTTPS listener is configured as follows: the default action is forwarding to Group Instances HTTPS, and the default SSL certificate is (as Edit Listener indicates) the correct one issued by ACM for a domain name I registered using AWS.

In Route 53 Hosted Zones, I created an A-type record with my Public IPv4 address (which is an Elastic IP) as a value.

However, when I try to connect to my domain via https, I get the error message ERR_CERT_AUTHORITY_INVALID, and Chrome’s Developer tools > Security > View Certificate displays

   Issued to:    ip-172-31-90-31.ec2.internal
   Issued by:    ip-172-31-90-31.ec2.internal

that is, my Private IPv4 DNS in both cases, instead of my domain name (for Issued to) and Amazon (for Issued by).

I also tried pointing the A record to the ALB instead of my public IPv4 (as suggested at https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-to-elb-load-balancer.html). Unfortunately, after that, browsers couldn't connect to the domain at all (the error message: <domain_name> took too long to respond).

I am wondering what could cause that. Could it result from some misconfiguration of my Apache server? If so, how could I fix that?

Thanks

1 Answer
2
Accepted Answer

The second set of instructions you have is what you'd want to use.

If you're in Route 53 you would use an A record that is an Alias to target the ALB in your environment. Make sure the security groups on your ALB are set up correctly, as that may be what's preventing you from connecting to your application once you have it directed there.

https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-update-security-groups.html

If you're using something like WordPress on the site behind the ALB you may have to turn on SSL support to get it to work correctly and be all encrypted. But otherwise you should be good to go for the most part. If it's straight Apache there is a potential you may have to implement a rewrite rule for SSL.

AWS EXPERT Rob_H, answered 2 years ago
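One way to apply the accepted answer's first point (an Alias A record targeting the ALB) and then check that clients really receive the ACM certificate rather than the instance's default one, as an added example that is not part of the original thread. The domain, ALB DNS name and hosted zone ids are placeholders; the ALB's own hosted zone id comes from `aws elbv2 describe-load-balancers` (CanonicalHostedZoneId), not from your Route 53 zone.

```shell
#!/bin/sh
# Added example, not from the original post. All ids/names below are
# placeholders or constructed sample values.

# Build the Route 53 change batch for an Alias A record that targets the ALB.
# An Alias record carries no IP address, so the browser is sent to the ALB
# (which holds the ACM certificate) instead of straight to the instance's
# Elastic IP, where Apache answers with its default self-signed certificate.
alias_change_batch() {
  domain="$1"; alb_dns="$2"; alb_zone="$3"
  cat <<EOF
{"Comment":"Alias ${domain} to ALB","Changes":[{"Action":"UPSERT",
"ResourceRecordSet":{"Name":"${domain}","Type":"A",
"AliasTarget":{"HostedZoneId":"${alb_zone}","DNSName":"${alb_dns}",
"EvaluateTargetHealth":false}}}]}
EOF
}

# Classify the subject/issuer lines printed by
#   openssl s_client -connect HOST:443 -servername HOST </dev/null | openssl x509 -noout -subject -issuer
# Returns 0 when a CA-issued certificate (e.g. from ACM) is served, 1 when the
# client is still reaching the instance directly or getting a self-signed cert.
classify_cert() {
  subject="${1#subject=}"; issuer="${2#issuer=}"
  case "$subject" in
    *ec2.internal*|*compute.internal*)
      echo "instance default certificate: DNS still points at the instance, not the ALB"
      return 1 ;;
  esac
  if [ "$subject" = "$issuer" ]; then
    echo "self-signed certificate: not the ACM certificate"
    return 1
  fi
  echo "CA-issued certificate, issuer: $issuer"
  return 0
}

# Usage (needs network access and the AWS CLI; kept commented so the script runs offline):
# aws route53 change-resource-record-sets --hosted-zone-id "<ROUTE53_ZONE_ID>" \
#   --change-batch "$(alias_change_batch example.com my-alb-123.us-east-1.elb.amazonaws.com <ALB_HOSTED_ZONE_ID>)"
# classify_cert $(openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null \
#   | openssl x509 -noout -subject -issuer | sed 's/ //g')
```

Remember that the ALB security group must allow inbound 443 from your clients and the instance security group should admit the ALB only; a record that points at the ALB but a security group that blocks it gives exactly the "took too long to respond" timeout described in the question.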
