
WSS Socket on EC2 instance with Load Balancer and Certificate Manager

I'm trying to set up a solution which includes an EC2 instance with Apache running NodeJS. I've already successfully created a working webserver instance with a public SSL certificate from Certificate Manager, accessed on ports 80 and 443. This server should be able to connect to my other instance, but for some reason I keep running into dead ends and I suspect the solution is not possible...

I've built a working setup using Let's Encrypt certificates but I would love to keep as much as possible in AWS.

Issue: In the LE solution, I can access the local .pem files on my server. I can include the local paths to the LE certificates in the server setup file like this:

...

var fs = require('fs');   // needed for readFileSync below

// TLS private key and full chain issued by Let's Encrypt, read from the local disk
var options = {
    key: fs.readFileSync("/etc/letsencrypt/live/example.com/privkey.pem"),
    cert: fs.readFileSync("/etc/letsencrypt/live/example.com/fullchain.pem")
};

var https   = require('https').Server(options, app);

...

but when I'm using AWS Certificate Manager's public certificates, I'm not sure how to get around this?

My solution (not working): I'm no SSL-wizard, so I might be trying to do something impossible here. I've tried to create a local certificate using OpenSSL but keep the Load Balancer and Certificate Manager certificate on the domain.

...

var fs = require('fs');   // needed for readFileSync below

// Self-signed key and certificate generated locally with OpenSSL
var options = {
    key: fs.readFileSync("/home/ec2-user/server-key.pem"),
    cert: fs.readFileSync("/home/ec2-user/server-cert.pem")
};

var https   = require('https').Server(options, app);

...

This solution returns the following error message when I try to connect to the node/socket server with the URL https://live.example.com:3000 :

WebSocket connection to 'wss://live.example.com:3000/socket.io/?EIO=4&transport=websocket' failed: Error in connection establishment: net::ERR_CERT_COMMON_NAME_INVALID

So I guess that my solution with both the Certificate Manager certificate on the domain and the OpenSSL certificate on the server isn't possible, or is the problem to be found elsewhere?

Please let me know :-)

As mentioned in comments, certificates created through AWS Certificate Manager can only be used for certain AWS services such as Elastic Load Balancers, not self-managed web servers. What you can do is use a Certificate Manager cert and put it on a load balancer, with your Apache/Node server sitting behind the load balancer in a target group. All connections over the public internet would be HTTPS, but the connection between the load balancer and your app server (going over AWS's internal network) would be plain HTTP.

Diagram: HTTPS connection from the client to the Elastic Load Balancer, and HTTP connection from the load balancer to the EC2 instance
