AWS SSL - How do I get this working?


My SSL expired for eyespy.org and we have an SSL in our Certificate Manager issued but not in use. I am having trouble switching this on. I also brought over an SSL from Namecheap that is good for another month into Certificate Manager but we would like to utilize the AWS one if possible. Screenshots attached. How can I get the expired one swapped out?

Certificate Manager View

SSL Checker 1

SSL Checker 2

1 Answer

To use the AWS-issued certificate without needing to have a publicly trusted certificate on your instance, you should set up an Application Load Balancer (ALB) with an HTTPS listener to receive TLS connections from your users, terminate the TLS connection using the AWS-issued certificate, and send the traffic to your EC2 instance either unencrypted over HTTP or using HTTPS and a self-signed or expired certificate. Between the ALB and your server, any certificate will do, even an expired or self-signed one.

Instructions for creating an ALB start here: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancer-getting-started.html

And a high-level design diagram showing the building blocks of an ALB configuration is here: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/introduction.html

You'll be needing approximately the following:

  1. Create a security group allowing inbound access over tcp/443 and tcp/80 to the load balancer from 0.0.0.0/0 and all traffic outbound (as is the default)
  2. Create an ALB in your VPC in appropriate subnets with an Internet Gateway as the default gateway
  3. Create an HTTPS listener on the ALB set to listen to port 443 and to use the AWS-issued certificate (https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html)
  4. Set the default rule of the listener to return a fixed HTTP 404 response with no content
  5. Create an additional listener rule to accept your valid site names (eyespy.help, eyespy.org, www.eyespy.org) for the "Host" HTTP header and send them to a target group (which you can create at this point) that points to your EC2 instance on port 443 for HTTPS or port 80 for HTTP, depending on your preference for traffic between the ALB and the EC2 instance inside your VPC
  6. Optionally, create a listener for HTTP on port 80 and set it also to return 404 by default (https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-listener.html)
  7. Create an additional listener rule for the HTTP listener that also accepts your site names and redirects the user to the corresponding hostname but with HTTPS and on port 443

The reason for configuring the default listener rules on the ALB to return an HTTP 404 as a fixed response is that most casual attempts to find vulnerable systems on the internet scan the internet at large simply by IP address and don't know or care which DNS names are behind them. No valid user would access the site without knowing its name, so dropping requests arriving without a valid name does no harm but filters out huge numbers of unnecessary, largely malicious requests.

Leo K (EXPERT), answered 3 months ago
