Hello.
Has the certificate issued by ACL been verified?
If verification has not been completed, please follow the steps in the document below.
https://docs.aws.amazon.com/acm/latest/userguide/dns-validation.html
Also, could you please share what kind of error occurs when connecting with the curl command as shown below?
curl https://example.com -v
- Host cygnusx.com:443 was resolved.
- IPv6: (none)
- IPv4: 18.220.224.215
- Trying 18.220.224.215:443...
- connect to 18.220.224.215 port 443 from 0.0.0.0 port 54887 failed: Connection refused
- Failed to connect to cygnusx.com port 443 after 2623 ms: Couldn't connect to server
- Closing connection
curl: (7) Failed to connect to cygnusx.com port 443 after 2623 ms: Couldn't connect to server
The certificate has been issued, I don't see anything in the certificate manager that says verified, is that in another location?
There is no problem if the status column shows "Success" as shown in the image below. Also, as @Gary Mclean says, you're getting a timeout error, so check if the security group's inbound rules allow HTTPS over IPv4.
The IP addresses of your ALB are 18.116.132.9 18.189.254.253
I can connect to the ALB via HTTPS and it has a valid certificate attached to it, but you're right, HTTPS isn't connecting to the back end.
I do get an HTTP 408 error, which indicates a timeout.
The HTTP 408 Request Timeout error is a client error that indicates the server has terminated a connection because a request from the client took too long. This can happen for a number of reasons, including a slow server response time, network connectivity issues, and an old or incorrect URL.
Please check ACLs, Security Groups and target groups are reporting healthy https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#add-https-listener
The guide you posted doesn't correlate to what I see in AWS. I can get to load balancing, load balancer, select the load balancer, but there is no listeners and rules tab. I can click on add a listener but there is no "Default Actions" here.
That status does say success.
Your domain cygnusx.com resolves to an EC2 instance, not the load balancer (do a lookup on it, then a reverse lookup on the IP):
$ nslookup cygnusx.com
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
Name: cygnusx.com
Address: 18.220.224.215
$ nslookup 18.220.224.215
215.224.220.18.in-addr.arpa name = ec2-18-220-224-215.us-east-2.compute.amazonaws.com.
Authoritative answers can be found from:
$
www.cygnusx.com is the same as cygnusx.com.
These need to point at the load balancer, not the EC2 instance behind it (and point it to the name instead of one of the IPs).
$ nslookup Main-Load-Balancer-621906210.us-east-2.elb.amazonaws.com
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
Name: Main-Load-Balancer-621906210.us-east-2.elb.amazonaws.com
Address: 18.189.254.253
Name: Main-Load-Balancer-621906210.us-east-2.elb.amazonaws.com
Address: 18.116.132.9
$
So now a browser trying to hit cygnusx.com should hit a load balancer presenting the ACM cert for cygnusx.com.
Make sure the security group on the load balancer accepts inbound TCP ports 80 & 443 from 0.0.0.0/0, and then outbound port 80 only to the back-end EC2 instance (assuming you want the load balancer to do the SSL offloading for you). Make sure the back-end EC2 instance security group has got inbound TCP port 80 open from the load balancer's private IPs, and the web server (Apache or nginx or whatever) is set up to only listen for HTTP on port 80.
To set up HTTP to HTTPS redirect on the load balancer, the steps are here https://repost.aws/knowledge-center/elb-redirect-http-to-https-using-alb
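The lookup-then-reverse-lookup check from the answer above can be scripted. This is an added example, not code posted by anyone in the thread; the function names and result labels are assumptions, and the "pinned" result is a heuristic (the domain returns only some of the load balancer's addresses), covering the case where a record points at one IP instead of the load balancer name.

```python
import re
import socket

# PTR shape of EC2 public hostnames, as in the reverse lookup shown in this thread
# (us-east-1 uses "compute-1" with no region label).
EC2_PTR = re.compile(
    r"^ec2-\d+-\d+-\d+-\d+\.(?:[a-z0-9-]+\.compute|compute-1)\.amazonaws\.com\.?$"
)


def classify(domain_ips, alb_ips, ptr_by_ip):
    """Classify where a domain's A records land relative to a load balancer."""
    domain_ips, alb_ips = set(domain_ips), set(alb_ips)
    if domain_ips and domain_ips == alb_ips:
        return "alb"               # same address set as the load balancer name
    if domain_ips and domain_ips < alb_ips:
        return "pinned-to-alb-ip"  # only some ALB addresses: likely a static A record
    if any(EC2_PTR.match(ptr_by_ip.get(ip, "")) for ip in domain_ips):
        return "ec2-direct"        # reverse lookup names an EC2 instance
    return "unknown"


def resolve(name):
    """Live A-record lookup (needs network access; not used by the sample data)."""
    return set(socket.gethostbyname_ex(name)[2])


def reverse(ip):
    """Live PTR lookup; returns '' when no PTR record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return ""


def check_live(domain, alb_name):
    """Resolve both names now and classify the result."""
    ips = resolve(domain)
    return classify(ips, resolve(alb_name), {ip: reverse(ip) for ip in ips})


# Sample data copied from the nslookup output in this thread.
ALB_IPS = {"18.189.254.253", "18.116.132.9"}
PTRS = {"18.220.224.215": "ec2-18-220-224-215.us-east-2.compute.amazonaws.com."}

if __name__ == "__main__":
    print(classify({"18.220.224.215"}, ALB_IPS, PTRS))
    print(classify({"18.189.254.253"}, ALB_IPS, PTRS))
    print(classify(ALB_IPS, ALB_IPS, PTRS))
```

A local hosts-file override changes what `check_live` sees on that machine, so run it from a host without one when checking public DNS.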
I had it set up on my hosts file. I wanted to make sure my site didn't get taken down, but I've just updated the live DNS server with the local information since the http connection will still work in the meantime and it will help troubleshooting this issue.
Also wanted to add I changed the DNS in my local hosts file so that live DNS isn't currently updated.
Can you share the DNS name of your load balancer and domain? Sounds like you haven't got HTTPS set up somewhere, or your ALB isn't allowing port 443, or you're connecting direct to the EC2.
My load balancer DNS is Main-Load-Balancer-621906210.us-east-2.elb.amazonaws.com, I pointed my domain to 18.189.254.253 which I got from an nslookup on the load balancer DNS.