
AWS certificate “not safe” even though all data is served over HTTPS

I am building a webapp for my school and it needs a login functionality. Therefore I want working HTTPS to protect the password. Currently the page is loaded with HTTPS from my domain but when I send a request to AWS I'm getting the not secure error, even though all AWS requests are served over HTTPS. The data is successfully sent and received but not securely it seems.

I've been banging my head against the wall with this for a couple of days now. I have a slight hunch that this error comes from not using the same certificate on the frontend and the backend, but I can't seem to understand how this is supposed to work.

I expect data to be received without Chrome going from "Secure" to "Not secure".

My page is led.s0rensen.no. (Sorry about it being in Norwegian.) When you initially load the page it's secure, but when you press "Styret", "Samarbeidspartnere" or "Logg inn" it sends a request to AWS and instantly switches to "Not secure". In the "Samarbeidspartnere" route all the data is displayed as it should, but the status still changes to "Not secure".

I would really appreciate some help with this, and above all maybe I can finally understand how these certificates work. Thank you!

There are two problems currently.

  1. You're using https://ledtest-dev.eu-west-3.elasticbeanstalk.com/api/isLoggedIn for the login forms. You can't get a certificate for elasticbeanstalk.com, so you need to have something like login.s0rensen.no (CNAME to ledtest-dev.eu-west-3.elasticbeanstalk.com) in your code and have a certificate for login.s0rensen.no from ACM, Let's Encrypt, etc.

  2. The above problem is also causing a CORS problem, because the CORS origin ledtest-dev.eu-west-3.elasticbeanstalk.com isn't serving the CORS header in the OPTIONS request. Once you change it to login.s0rensen.no, this should also solve the CORS problem and the cert problem.

Also, check your code to see that you don't have any CSS, JS, etc. with http references.

I checked your site https://led.s0rensen.no./ and the issue is not with AWS/Chrome but with the SSL certificate itself and its missing root certificate.

An SSL certificate comes in 3 parts:

  1. Root Certificate : CA certificate
  2. Intermediate Certificate
  3. Actual certificate : Certificate with domain name.

While adding the certificate you need to create a bundle of all three certificates and then apply it.

I understand you are using node.js, and for node.js the link below provides details about how to add a bundle certificate.

https://cheapsslsecurity.com/blog/how-to-install-ssl-certificate-on-node-js/

If you don't have a root certificate then you may either purchase one from any CA provider. Below is a list of CA SSL certificate providers.

https://www.sslshopper.com/certificate-authority-reviews.html

Or else you can use an AWS domain by hosting the site via Route53, but it will come with an AWS domain only.

The problem:

I managed to make a certificate on AWS but my requests from led.s0rensen.no to AWS (*.elasticbeanstalk.com) were not considered safe because of the two different domain names. So the certificate on s0rensen.no couldn't vouch for AWS.

The solution:

I set up another subdomain for all my API needs and pointed this to AWS. So now my requests are going from my frontend (led.s0rensen.no) to a pointer (ledapi.s0rensen.no). Since these are on the same domain and my certificate now is for *.s0rensen.no they can work on the same certificate and the nice green lock stays intact.
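The name check behind the fix above, as an added example that is not part of any of the posts: the browser compares the hostname in the request URL (not the CNAME target) with the names in the certificate the server presents. The SAN list and the `/api/isLoggedIn` path on ledapi.s0rensen.no are assumptions made for illustration, and the matching is a simplified form of the RFC 6125 rules.

```javascript
// Simplified RFC 6125 dNSName matching: "*" may only be the whole left-most
// label and stands for exactly one label.
function sanMatches(pattern, hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, '').split('.');
  const pat = pattern.toLowerCase().split('.');
  if (host.length !== pat.length || host.includes('')) return false;
  for (let i = 1; i < pat.length; i++) {
    if (pat[i] !== host[i]) return false;      // parent labels must be identical
  }
  if (pat[0] === '*') return pat.length > 2;   // never accept "*.tld"
  return pat[0] === host[0];
}

// Check one request URL against the SAN list of the certificate the
// endpoint presents. Plain http is flagged before any name check.
function checkRequest(url, presentedSans) {
  const { protocol, hostname } = new URL(url);
  if (protocol !== 'https:') {
    return { hostname, ok: false, reason: 'not https (mixed content)' };
  }
  const ok = presentedSans.some((san) => sanMatches(san, hostname));
  const reason = ok ? 'name covered by certificate' : 'name not in certificate';
  return { hostname, ok, reason };
}

// Constructed SAN list: assumes the backend presents the *.s0rensen.no certificate.
const wildcardCert = ['*.s0rensen.no'];

const results = [
  'https://ledtest-dev.eu-west-3.elasticbeanstalk.com/api/isLoggedIn', // before
  'https://ledapi.s0rensen.no/api/isLoggedIn',  // after (path assumed)
  'https://s0rensen.no/',                       // apex is not covered by the wildcard
  'https://a.b.s0rensen.no/',                   // wildcard spans one label only
  'http://ledapi.s0rensen.no/x.js',             // plain-http reference
].map((u) => checkRequest(u, wildcardCert));

for (const r of results) {
  console.log(r.ok ? 'OK  ' : 'FAIL', r.hostname, '-', r.reason);
}
```

Only the ledapi.s0rensen.no request passes; the same backend reached under its elasticbeanstalk.com name fails because that name is not in the certificate.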
