Why does my AWS Elastic Balance Loader reject SSL connections?

2

Recently, I started to get into the security topic, more specifically SSL (HTTPS). Searching on Google, I noticed that Amazon Web Services (AWS) offers free SSL certificates for EC2 Load Balancers.

In the meantime, I spent a whole day trying to make the setup and following the official and unofficial tutorials, nothing worked.

I have a domain registered in GoDaddy, let's assume www.mydomain.com. My website is hosted on Amazon Web Services (AWS). I have access to edit both DNS records and any AWS configuration. I read a bit about LetsEncrypt, another free version of SSL, but my website is ASP.NET (C #) and runs on IIS Windows, not Linux.

With all of this in mind, here's what I tried to do:


 1. Obtain SSL Certificate from AWS Certificate Manager

I chose the option to check via DNS, which means I added a CNAME record in GoDaddy.

Ifyoulookcloselyattheimagesabove,theCNAMErecordvaluesareatthecenteroftheAWSpage.ThesevalueshavebeenaddedinGoDaddy.

  • Edit Load Balancer Listeners:

  • Edit Security Groups
  • NOTE:BothInboundandOutbundhavebeenconfiguredwiththeaboveinformation.IalsodefinedthesegroupsforbothLoadBalancerandmyinstance.

  • Edit Route 53 Hosted Zones
  • ThetypeArecordpointstotheIPofmyinstance.

    TheNSrecordwasgeneratedbyAmazon(IaddedGoDaddy'snameserversaswell)

    TheSOArecordwasgeneratedbyAmazonandhasnotbeenmodified.

    TheCNAMEhasbeenaddedbyme.Again,itcontainstheSSLcertificatevalues.

  • CURL Test
  • The CURL test returns: "Failed to connect to www.website.com port 443: Connection timed out."

    I do not know where I went wrong, or why it's not working. Every help is welcome! Thank you for your attention.

        
    asked by anonymous 19.12.2017 / 14:00

    2 answers

    0

    Finally, I found the solution to the problem.

    The context in which I was:

    Host : AWS, Domain Provider : GoDaddy

    Instance in Elastic Beanstalk running ASP.NET site connected to Load Balancer.

    SSL selected to be used in the Load Balancer Listener.

    HTTP 80 - HTTP 80

    HTTPS 443 - HTTP 80

    Security policies for both Load Balancer and Elastic Beanstalk by enabling port 443 (HTTPS).

    SSL certificate obtained by AWS through the Certification Manager. In the page of the same, the certificate was "Issued" and "In Use", that is, in use and certified by Amazon.

    In the provider domain (GoDaddy), the Amazon SSL CNAME was registered.

    The solution:

    I deleted the type A record pointing to an IP. The IP in question was the instance of Elastic Beanstalk, which by default does not connect via HTTPS with Load Balancer.

    I added a new CNAME record, but this time pointing to Load Balancer. You can find the Load Balancer link in EC2 > Load Balancer. Below the screen, there is a "DNS NAME" option.

    After a few minutes, the site should work by forcing link

    Additional Problems:

    At this time, my website only loaded with SSL when forcing https. To solve this, Amazon has an excellent tutorial:

    Redirecting HTTP to HTTPS

        
    20.12.2017 / 16:24
    0

    As the message indicates that it could not connect, nor is it an ssl error, but apparently the instance is not responding on port 80. It may be that the serial is not running, or being blocked by the operating system firewall. You will probably see that the instance, if it is registered in the load balancer, will not be in the "In Service" status. For more details, check the load balancer logs.

        
    20.12.2017 / 14:08