[英]AWS EC2: HTTPS access error – browsers don’t see the certificate used for configuring SSL in Elastic Load Balancer
I configured SSL offload on Elastic Load Balancer using a certificate from AWS Certificate Manager.我使用来自 AWS Certificate Manager 的证书在 Elastic Load Balancer 上配置了 SSL 卸载。
The HTTPS listener is configured as follows: the default action is forwarding to Group Instances HTTPS, and the default SSL certificate is (as Edit Listener indicates) the correct one issued by ACM for a domain name I registered using AWS. HTTPS 侦听器配置如下:默认操作是转发到组实例 HTTPS,默认的 SSL 证书(如编辑侦听器所示)是 ACM 为我使用 AWS 注册的域名颁发的正确证书。
In Route 53 Hosted Zones, I created an A-type record with my Public IPv4 address (which is an Elastic IP) as a value.在 Route 53 Hosted Zones 中,我创建了一条 A 型记录,并将我的公共 IPv4 地址(这是一个弹性 IP)作为值。
However, when I try to connect to my domain via https, I get the error message ERR_CERT_AUTHORITY_INVALID, and Chrome's Developer tools > Security > View Certificate displays但是,当我尝试通过 https 连接到我的域时,我收到错误消息 ERR_CERT_AUTHORITY_INVALID,Chrome 的开发者工具 > 安全 > 查看证书显示
Issued to: ip-172-31-90-31.ec2.internal
Issued by: ip-172-31-90-31.ec2.internal,
that is my Private IPv4 DNS in both cases -- instead of my domain name (for Issued to) and Amazon (for Issued by).在这两种情况下都是我的私有 IPv4 DNS——而不是我的域名(用于颁发给)和亚马逊(用于颁发给)。
I also tried pointing the A record to the ALB instead of my public IPv4 (as suggested at https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-to-elb-load-balancer.html ).我还尝试将 A 记录指向 ALB 而不是我的公共 IPv4(如https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-to-elb-load-balancer.html所建议)。 Unfortunately, after that browsers couldn't connect to the domain at all (the error message: <domain_name> took too long to respond).不幸的是,在那之后浏览器根本无法连接到该域(错误消息:<domain_name> 响应时间过长)。
I am wondering what could cause that.我想知道是什么原因造成的。 Could it result from some misconfiguration of my Apache server?会不会是我的 Apache 服务器配置错误造成的? If so, how could I fix that?如果是这样,我该如何解决?
You can't get a valid public SSL certificate for ip-172-31-90-31.ec2.internal
.您无法获得ip-172-31-90-31.ec2.internal
的有效公共 SSL 证书。 This is not your domain, but it belongs to AWS.这不是您的域,但它属于 AWS。 You have to obtained/buy your own domain, eg myapp.org
for which you can get a free SSL certificate from AWS ACM.您必须获得/购买自己的域,例如myapp.org
,您可以从 AWS ACM 获得免费的 SSL 证书。
When you configure SSL offload at ALB, you should point your A record to the ALB instead of your IPv4.当您在 ALB 配置 SSL 卸载时,您应该将 A 记录指向 ALB 而不是 IPv4。
Please follow this guide and check if it works: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-to-elb-load-balancer.html请按照本指南检查它是否有效: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-to-elb-load-balancer.html
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.