Tags: amazon-web-services, ssl, dns, amazon-elastic-beanstalk, elastic-load-balancer

Why is Elastic Beanstalk Load Balancer refusing to establish an SSL connection?


Recently, I started searching about security procedures and came across SSL. Actually, I already knew about SSL, but I found it to be too expensive at the time. Luckily, yesterday I found out that Amazon gives SSL certificates for free! However, I have spent a whole day trying to set it up and it didn't work.

I have a domain registered at GoDaddy; let's assume it's www.mydomain.com. My website is hosted, however, on Amazon Web Services (AWS). I also have access to edit GoDaddy's DNS records and full access to my AWS account. I have seen LetsEncrypt, but my website runs on ASP.NET (IIS Windows) and currently they only support Linux OS.

Here's what I've tried to do:

  1. Get an SSL Certificate from AWS Certificate Manager

    I have chosen to set up via DNS, which means I had to add a CNAME record to the GoDaddy domain records.

    AWS Certification Manager Page

    Go Daddy Domain Records Page

    If you look above carefully on the two images, the CNAME record on AWS is on the center of the page. I've added a record as CNAME containing the values.

  2. Add HTTPS to Load Balancer Listeners:

    Load Balancer Listeners

  3. Allowed HTTPS on Security Groups

    Security Groups

    NOTE: Both Inbound and Outbound rules are just like above. I have also set the Load Balancer and my Running Instance to use this security group.

  4. Added records to Route 53 Hosted Zones

    Route 53 Hosted Zone Records

    The A type record points to my instance IP.

    The NS record was generated by Amazon (I added GoDaddy's Name servers as well).

    The SOA record was generated by Amazon and I didn't touch it.

    The CNAME was added by me; it's again for the SSL.

I don't know what else to do or if I have a wrong setup.


Solution

  • If I'm not mistaken, you have an EC2 instance behind an ELB (Classic/Application/NLB), requested an ACM certificate which has been issued successfully for *.mydomain.com, created an HTTPS listener to use the SSL certificate, but are getting a connection timeout on port 443.

    The issue is the DNS record of mydomain.com still points to the EC2 instance's IP, which might not be listening on port 443 (and the ELB is not being used at all).

    So, to resolve this, you have to use the ELB's DNS name and use it as CNAME in your DNS record (not sure whether in Route 53 or GoDaddy because I don't know which is authoritative NS).

    Also, you might consider requesting a new certificate with mydomain.com and *.mydomain.com and updating the listener, because an ACM cert for *.mydomain.com does not protect mydomain.com.
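The two diagnoses in the answer, as an added example that is not part of the question or answer: an offline checker that flags a hostname whose DNS record still points at the instance IP instead of the ELB, and a certificate whose wildcard SAN does not cover the apex. The record set, the ELB DNS name and the SAN list are constructed inputs; `live_sans` is a hypothetical helper that pulls the SAN list the listener actually presents.

```python
# Added example (not from the question or answer). Checks the two points the
# answer raises: (1) the public hostname must resolve to the load balancer, not
# the instance IP; (2) an ACM wildcard *.mydomain.com does not cover mydomain.com.
import socket
import ssl

def wildcard_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style matching: '*' covers exactly one left-most label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    parent = pattern[2:]
    labels = hostname.split(".")
    # '*.mydomain.com' matches 'www.mydomain.com' but neither 'mydomain.com'
    # nor 'a.b.mydomain.com'.
    return len(labels) == len(parent.split(".")) + 1 and ".".join(labels[1:]) == parent

def cert_covers(sans, hostname: str) -> bool:
    return any(wildcard_matches(san, hostname) for san in sans)

def diagnose(hostname, dns_records, elb_dns_name, sans):
    """dns_records: {name: (type, value)} as seen in the hosted zone (constructed input)."""
    findings = []
    rtype, value = dns_records.get(hostname, (None, None))
    elb = elb_dns_name.lower().rstrip(".")
    if rtype == "A":
        findings.append(f"{hostname} is an A record to {value}: traffic bypasses the ELB, "
                        "so the HTTPS listener is never reached")
    elif rtype in ("CNAME", "ALIAS") and value.lower().rstrip(".") == elb:
        findings.append(f"{hostname} points at the load balancer {elb_dns_name}: OK")
    else:
        findings.append(f"{hostname} has no record pointing at {elb_dns_name}")
    if not cert_covers(sans, hostname):
        findings.append(f"certificate SANs {sans} do not cover {hostname}")
    return findings

def live_sans(hostname, port=443, timeout=5):
    """Hypothetical helper (network call, not used by the offline checks): fetch the
    DNS SANs the listener presents. The chain is still verified, but hostname
    matching is skipped so a mismatched wildcard cert can be inspected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return [v for k, v in tls.getpeercert().get("subjectAltName", ()) if k == "DNS"]
```

Run `diagnose` with the names from your hosted zone; an "A record" finding means the request never reaches the listener, and a "do not cover" finding means the certificate needs the apex name added.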