
Do I have to buy a domain in order to run my app that is using an EC2 instance on AWS server in order to use HTTPS?

I have an iOS app on TestFlight that is using a LAMP server running on an EC2 Instance on AWS. It has an elastic IP, and therefore has a Public DNS: ec2-xx-xx-xx-xx.us-east-2.compute.amazonaws.com

So currently from the app itself I run commands directly through the elastic IP like so:

let url = URL(string: "http://xx.xx.xx.xx/API/SignIn.php?username=\(username)");

Now this works great, however I want to start moving everything to HTTPS.

So I was hoping to go about it like so, using the public DNS:

let url = URL(string: "https://ec2-xx-xx-xx-xx.us-east-2.compute.amazonaws.com/API/SignIn.php?username=\(username)");

But this method keeps shouting at me:

"An SSL error has occurred and a secure connection to the server cannot be made"

So far what I've done is the OpenSSL process: I created a certificate and key, and I put them in the Apache config file:

<VirtualHost _default_:443>
    ServerName ec2-xx-xx-xx-xx.us-east-2.compute.amazonaws.com
    ServerAlias www.ec2-xx-xx-xx-xx.us-east-2.compute.amazonaws.com
    DocumentRoot /var/www/htdocs

    SSLEngine on
    SSLCertificateFile /home/ubuntu/cert.pem
    SSLCertificateKeyFile /home/ubuntu/key.pem
</VirtualHost>

And of course I have the security groups set to HTTPS port 443.

The HTTPS is in fact accessible from say Safari, but obviously it is still not a trusted website.

I tried going through the CertBot free path - but they cannot allow an SSL certificate for AWS created domains (understandable, they aren't too reliable and change often).

I also tried going through AWS itself, created a certificate in the Certificate Manager (it was approved and issued to me), but then when I tried to use it in the Load Balancer, the certificate just doesn't show up there (maybe I'm doing it wrong, I tried many ways but it just doesn't seem to work).

I would really love to go about this without having to purchase a domain, but right now I don't see any other way. Does anyone know of another way?

Edit

Also I'd rather AVOID the part where I tell iOS to ignore the security, because I don't want Apple to reject my app:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
    <key>NSExceptionDomains</key>
    <dict>
        <key>example.com</key>
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <key>NSIncludesSubdomains</key>
            <true/>
        </dict>
    </dict>
</dict>

Use URLSessionDelegate to trust the certificate if you are using URLSession to perform the request, and implement the following func:

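func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge, completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
    print("delegate call")
    // Only server-trust challenges for the one expected host are handled here;
    // every other challenge falls through to the system's default validation.
    if challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
       challenge.protectionSpace.host == "ec2-xx-xx-xx-xx.us-east-2.compute.amazonaws.com",
       let serverTrust = challenge.protectionSpace.serverTrust {
        // Accepts whatever certificate this host presents, without evaluating it.
        completionHandler(.useCredential, URLCredential(trust: serverTrust))
    } else {
        completionHandler(.performDefaultHandling, nil)
    }
}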

to trust the certificate, since the SSL error occurred because the signing of the certificate has a mismatch. If you are using Alamofire to perform the request, then use version 4.7, because in version 5 it is not yet possible to trust an invalid certificate.
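An added example, not part of the original answer or the asker's code: the delegate above accepts whatever certificate the named host presents, whereas the pinned variant below accepts only the exact self-signed certificate generated for the server. It assumes iOS 15 or later and that `cert.pem` was converted to DER and bundled as `server.der`; that file name and the class name `PinnedCertificateDelegate` are hypothetical.

```swift
import Foundation
import Security

/// Added example: trusts the server only when its leaf certificate is
/// byte-identical to a copy shipped inside the app bundle.
final class PinnedCertificateDelegate: NSObject, URLSessionDelegate {
    // Assumption: the same placeholder host used in the question.
    private let pinnedHost = "ec2-xx-xx-xx-xx.us-east-2.compute.amazonaws.com"
    private let pinnedCertificateData: Data

    /// Assumption: "server.der" (hypothetical name) was produced with
    /// `openssl x509 -in cert.pem -outform der -out server.der`.
    init?(bundle: Bundle = .main) {
        guard let url = bundle.url(forResource: "server", withExtension: "der"),
              let data = try? Data(contentsOf: url) else { return nil }
        pinnedCertificateData = data
        super.init()
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        // Anything other than a server-trust challenge for the pinned host
        // goes through the system's normal validation.
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              space.host == pinnedHost,
              let trust = space.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // The leaf certificate is the first entry in the presented chain.
        guard let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
              let leaf = chain.first else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        let presented = SecCertificateCopyData(leaf) as Data
        if presented == pinnedCertificateData {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // A different certificate on the pinned host: refuse the connection.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}
```

Replacing the server's certificate requires shipping an app update with the new `server.der`, since the old pin will reject the new certificate.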
