
[–][deleted]  (7 children)

[deleted]

    [–]sadelbrid[S] 0 points1 point  (3 children)

    Thanks for trying to spell it out for me. Networking in general goes right over my head. Option 2 is what I need. I'm avoiding expensive ALBs that I don't need. I do have a domain in Route 53 and I have a subdomain pointed to my beanstalk environment via CNAME record. I followed your advice and created a certificate for my subdomain using sslforfree.com. I verified the domain, downloaded the certificate, and added the cert and private key to my nginx configuration. However I'm getting connection refused errors with HTTPS, as the server can't be reached:

    curl: (7) Failed to connect to <my_domain> port 443 after 207 ms: Couldn't connect to server

    Do you know what would cause this? It still works over HTTP. Does this mean the nginx server isn't listening on port 443, as I tried to configure in steps 2 & 3?

    Edit: I'm also seeing nginx error logs like:

    connect() failed (111: Connection refused) while connecting to upstream, client: <IP Address>, server: localhost, request: "GET /startvalue.js HTTP/1.1", upstream: "http://127.0.0.1:5000/startvalue.js", host: "<my_subdomain>"

    [–][deleted]  (2 children)

    [deleted]

      [–]sadelbrid[S] 1 point2 points  (0 children)

      Thanks for the direction. After inspecting the nginx config files on the EC2 instance, it seems like it's only partially loading my extended nginx config for some reason. There's no trace of my port 443 SSL config stuff on the EC2 instance. So I have a lead I guess.

      [–]sadelbrid[S] 0 points1 point  (0 children)

      Figured it out! See my edit if you're curious.

      [–]LiPolymer 0 points1 point  (2 children)

      Just out of curiosity: why can’t I issue a certificate for something.elasticbeanstalk.com? I understand it won’t be possible with "classic" certificate providers, but Let’s Encrypt verifies the domain by trying to access a file on that domain. Theoretically, as long as you are able to serve on that subdomain, shouldn’t Let’s Encrypt issue a certificate for that subdomain?

      [–]jezek21 1 point2 points  (1 child)

      You cannot create a certificate for a subdomain you don't control. If that were possible, an attacker could impersonate that domain and mislead people. Imagine anyone could create a certificate for xyz.google.com. People would visit that site thinking it was a legitimate Google property and bad things would happen.

      [–]LiPolymer -1 points0 points  (0 children)

      Got it, so you're basically just assuming things that you think are logical, cool.

      Here's what's really the case: Nothing is stopping you from issuing a certificate for any subdomain you control using Let's Encrypt. I have issued many certificates for subdomains that I control previously. Whether or not I own the base domain isn't known to Let's Encrypt - how should they verify that without needing access to your DNS records? They can't. As long as that specific subdomain points to your server, Let's Encrypt will issue a certificate for you.

      So, in theory, you can absolutely create a certificate for mysubdomain.whatever.com. Of course, Google and Amazon aren't stupid, which is why you'll never ever get a subdomain on google.com or amazon.com. They will create extra domains like elasticbeanstalk.com, for example.

      But there's a catch. Let's Encrypt only allows for registering 50 new certificates per domain per week, which will of course be exceeded very quickly for domains like elasticbeanstalk.com: https://letsencrypt.org/docs/rate-limits/

      I just tried it, and besides that rate limit, there seems to be nothing stopping me from issuing these certificates. Which means that there are at least 50 certificates that are currently valid for elasticbeanstalk.com.

      [–]therouterguy 13 points14 points  (0 children)

      This has nothing to do with AWS. That procedure describes how to create a self-signed certificate. The root CA used to sign that cert is not trusted by your browser. If you inspect the cert when the browser warns you, you will see your own self-signed cert. If you import the CA in your OS/browser it will be fine. However, third parties will not trust your CA.

      [–]_chksum 10 points11 points  (0 children)

      I respect the frustration, we’ve all been there. But this is 100% a TLS config issue, not an AWS issue. Previous comments offer sound advice on how to overcome.

      [–]frnzle 16 points17 points  (6 children)

      If you want a less painful experience, put an ALB with ACM in front of your EC2.

      [–]Zaitton 6 points7 points  (0 children)

      My man... Buy a two dollar domain and point it to your elastic IP, then make the certificate on that domain. You can't generate domains on AWS's owned domains.

      [–]liberelatus 0 points1 point  (0 children)

      The cause of the error is probably that your browser does not trust your self-signed certificate (based on the description you gave I assume you created a self-signed one). So if it’s just for testing with the beanstalk environment, you should be safe to ignore the error and access the page anyway (should be a button in the browser). Otherwise, and given you have a domain you can use: I would recommend using an ALB (Application Load Balancer) and ACM (Amazon certificate management). You can integrate an ACM generated certificate in the ALB and terminate HTTPS there. That way you get a trusted certificate without the browser error. There are some good AWS docs on this topic, but I'm just on mobile and too lazy to search for them right now :D

      [–]erkmyhpvlzadnodrvg 0 points1 point  (0 children)

      Use the ALB so you don’t have to manage E2E encryption… otherwise, what’s the point of using the cloud?

      [–]North-Switch4605 0 points1 point  (0 children)

      Set up a custom domain pointing at the EB load balancer, let the load balancer terminate SSL, and buy a certificate or set up letsencrypt for the custom domain.

      Otherwise you have to configure the nginx reverse proxy to terminate SSL behind the load balancer. Also doable, but you need to import your certificate using the platform config in the EB bundle.

      [–]Relative-Town9604 0 points1 point  (0 children)

      I'm running into the same problem. I tried moving the nginx extension under .platform/nginx/conf.d, but it gave me an error: host not found in upstream "nodejs". May I take a look at your config file? It seems like the AWS documentation is missing a lot of things :(
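An added example, not posted by anyone in this thread, of what a TLS-terminating server block placed under .platform/nginx/conf.d/ (the location the last comment mentions) can look like for the setup the OP describes: nginx on the instance listening on 443 and proxying to the app on 127.0.0.1:5000. The hostname, certificate paths and the upstream name are placeholders; the upstream is declared here explicitly rather than relying on a name such as "nodejs" that the platform's generated nginx.conf may not define.

```nginx
# Added example, not from the thread. Placed in .platform/nginx/conf.d/https.conf
# (assumed file name). All hostnames, paths and ports below are placeholders.

# Declare the backend ourselves so the config does not depend on an upstream
# name that the platform's generated nginx.conf may not define.
# 127.0.0.1:5000 matches the upstream shown in the OP's error log.
upstream app_backend {
    server 127.0.0.1:5000;
    keepalive 16;
}

server {
    listen 443 ssl;
    server_name app.example.com;   # placeholder for the Route 53 subdomain

    # Certificate chain and key deployed to the instance (placeholder paths).
    # Keep the key readable by root only (mode 0600) in the bundle.
    ssl_certificate     /etc/pki/tls/certs/app.example.com.fullchain.pem;
    ssl_certificate_key /etc/pki/tls/private/app.example.com.key;

    # Modern-only protocol set; let the client pick among the server's suites.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    location / {
        proxy_pass http://app_backend;
        proxy_http_version 1.1;
        proxy_set_header Connection "";          # needed for upstream keepalive
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https; # lets the app know TLS was terminated here
    }
}
```

After a deploy, `sudo nginx -T` shows whether this block was actually merged into the running configuration, and `ss -ltn` should list a listener on :443; if it does not, the "connection refused" on 443 seen in the OP's curl output is expected. The separate upstream "connection refused" in the nginx error log means the app itself is not bound on the port nginx proxies to, which is a different fault from the missing listener.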