Really would appreciate help configuring either my load balancer, domain records, or the apache2 server to make this behave more professionally.
Overview
http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/US_UpdatingLoadBalancerSSL.html
- Generate CSR
- Get a Comodo cert
- Cert must be PEM encoded
- Create Load Balancer
- Install CERT
- Modify Host Records
Generate a CSR
https://support.comodo.com/index.php?/Knowledgebase/Article/View/1/19/csr-generation-using-openssl-apache-wmod_ssl-nginx-os-x
$ openssl req -nodes -newkey rsa:2048 -keyout mysite_com.key -out mysite_com.csr
Generating a 2048 bit RSA private key
.........................+++
.................................................................+++
writing new private key to 'mysite_com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:California
Locality Name (eg, city) [Default City]:Oakland
Organization Name (eg, company) [Default Company Ltd]:Mysite
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:mysite.com
Email Address []:clay@mysite.com
Two Files will be Created:
- mysite_com.csr
- mysite_com.key
Get Comodo Cert
- AddTrustExternalCARoot.crt
- COMODORSAAddTrustCA.crt
- COMODORSADomainValidationSecureServerCA.crt
- mysite_com.crt
Cert and Key Must be RSA PEM encoded
Failed to upload SSL certificate: java.lang.ClassCastException: org.bouncycastle.asn1.pkcs.PrivateKeyInfo cannot be cast to org.bouncycastle.openssl.PEMKeyPair
$ openssl rsa -in mysite_com.key -out mysite_com_pem.key
(The -newkey step writes the key in PKCS#8 form, "BEGIN PRIVATE KEY", which is what the ELB uploader chokes on; openssl rsa re-encodes it as a traditional "BEGIN RSA PRIVATE KEY" file. Use -out rather than -text with a shell redirect: -text also dumps the modulus and exponents as readable text ahead of the PEM block. On OpenSSL 3 add -traditional, otherwise the output is PKCS#8 again.)
Install CERT
- Private Key: use a text editor and copy the contents of mysite_com_pem.key
- Public Key Certificate: use a text editor and copy the contents of mysite_com.crt
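The steps above (generate the key and CSR, re-encode the key, paste key and cert into the load balancer) are easy to get subtly wrong, and the console error only tells you about the encoding. The script below is an added example, not part of the original notes: it runs the checks a practitioner would want before uploading, namely that the key header is the traditional RSA form the uploader accepts, that the key and cert share a modulus, that the cert's subjectAltName lists both the naked and the www hostname, and that the cert verifies against the chain file pasted into the Certificate Chain field. To run offline it builds a constructed, throwaway self-signed cert as a stand-in for the Comodo-issued mysite_com.crt; for a real bundle, point the functions at the real files and build chain.crt by concatenating the three Comodo CA certs listed above (leaf-issuer first, root last). The directory layout, the chain.crt name and the "demo" argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original notes: a pre-upload check for the
# key/cert pair. make_fixture() builds a CONSTRUCTED self-signed cert so the
# script runs offline; substitute the real mysite_com.key/.crt and a chain.crt
# made of the three Comodo CA certs to check a live bundle.
set -eu

# Build a constructed key + self-signed cert with both hostnames as SANs.
make_fixture() {
  dir=$1
  cat > "$dir/san.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3
[dn]
CN = mysite.com
[v3]
subjectAltName = DNS:mysite.com, DNS:www.mysite.com
EOF
  # Same -newkey form as the CSR step: OpenSSL writes the key in PKCS#8 form
  # ("BEGIN PRIVATE KEY"), which is the encoding the ELB uploader rejected.
  openssl req -x509 -nodes -newkey rsa:2048 -days 1 -config "$dir/san.cnf" \
    -keyout "$dir/mysite_com.key" -out "$dir/mysite_com.crt" >/dev/null 2>&1
}

# First line of a PEM file: the header tells you which encoding you have.
key_header() { head -n 1 "$1"; }

# Re-encode a PKCS#8 key as a traditional RSA key ("BEGIN RSA PRIVATE KEY").
# OpenSSL 3 needs -traditional for that; older releases reject the flag and
# already write the traditional form, so fall back to the bare command.
to_rsa_pem() {
  openssl rsa -in "$1" -out "$2" -traditional 2>/dev/null \
    || openssl rsa -in "$1" -out "$2" 2>/dev/null
}

# Key and cert must share a modulus, or the HTTPS listener will not come up.
modulus_matches() {
  k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
  c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Does the cert list this exact hostname in subjectAltName? The naked domain
# only gets a valid https://mysite.com if it is in here too.
cert_covers() {
  openssl x509 -noout -text -in "$1" 2>/dev/null \
    | grep 'DNS:' | tr ',' '\n' | sed 's/^ *//' | grep -qx "DNS:$2"
}

# Verify the cert against the chain file you will paste into "Certificate Chain".
chain_verifies() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# Run the whole pre-flight against a directory; prints one line per passing check.
elb_preflight() {
  dir=$1
  to_rsa_pem "$dir/mysite_com.key" "$dir/mysite_com_pem.key"
  echo "key header: $(key_header "$dir/mysite_com_pem.key")"
  modulus_matches "$dir/mysite_com_pem.key" "$dir/mysite_com.crt" && echo "key matches cert"
  for h in mysite.com www.mysite.com; do
    cert_covers "$dir/mysite_com.crt" "$h" && echo "cert covers $h"
  done
  chain_verifies "$dir/mysite_com.crt" "$dir/chain.crt" && echo "chain verifies"
}

# Stand-alone demo on the constructed fixture: sh preflight.sh demo
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  make_fixture "$d"
  cp "$d/mysite_com.crt" "$d/chain.crt"   # a self-signed fixture is its own chain
  elb_preflight "$d"
fi
```

If "cert covers mysite.com" is missing from the output for the real cert, no amount of DNS work will make https://mysite.com trusted; the cert has to be reissued with the naked domain as a SAN.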
Successfully created load balancer
Load balancer mysitecom-lb was successfully created.
Note: It may take a few minutes for your instances to become active in the new load balancer.
Modify Host Records
- @ https://www.mysite.com Record Type: URL Redirect
- www mysite-lb-1551430537.us-east-1.elb.amazonaws.com. Record Type: CName
Problems with this approach
- https://www.mysite.com is properly certified and encrypted (not a problem)
- There is no cert for the naked domain https://mysite.com; in fact DNS doesn't resolve the naked domain to anything that can serve it over SSL at all.
- The plain-HTTP naked domain http://mysite.com does redirect to https://www.mysite.com. It is good that it redirects to an encrypted version, but it would be better if it redirected to the SSL-based naked domain, https://mysite.com.
- http://www.mysite.com/ does not redirect; it should redirect to https://www.mysite.com/.
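Two of the four problems come from the DNS layout rather than the server: the "@" record is a registrar URL-redirect, so requests for the naked domain are answered by the registrar's redirect service, which cannot present a certificate for mysite.com (hence the second and third bullets). Serving https://mysite.com needs the apex to point at the load balancer (an apex cannot be a CNAME, so that means an alias-type record such as Route 53's) and a cert whose subjectAltName includes mysite.com. The last bullet is a server-side job: the ELB terminates TLS and forwards everything to port 80, so Apache must read X-Forwarded-Proto to know whether the client used HTTPS. The vhost below is an added example, not the author's configuration; it assumes Apache 2.4 with mod_rewrite enabled, an ELB health check on the hypothetical path /health, and www.mysite.com as the canonical host (the one the current cert is valid for). If the naked domain is made canonical later, swap the target host in the last two rules.

```apache
# Added example, not from the original notes. Assumes: Apache 2.4 behind the
# ELB with instance protocol HTTP:80, mod_rewrite enabled, an ELB health check
# on /health (hypothetical path), and www.mysite.com as the canonical host.
<VirtualHost *:80>
    ServerName mysite.com
    ServerAlias www.mysite.com

    RewriteEngine On

    # Let the ELB health check through untouched: a 301 answer would mark the
    # instance unhealthy and take it out of the pool.
    RewriteCond %{REQUEST_URI} ^/health$
    RewriteRule ^ - [L]

    # The ELB terminates TLS, so Apache only ever sees port 80; the client's
    # original scheme arrives in X-Forwarded-Proto. Redirect any request that
    # was not HTTPS, or not on the canonical host, to https://www.mysite.com/...
    RewriteCond %{HTTP:X-Forwarded-Proto} !=https [OR]
    RewriteCond %{HTTP_HOST} !^www\.mysite\.com$ [NC]
    RewriteRule ^ https://www.mysite.com%{REQUEST_URI} [R=301,L]
</VirtualHost>
```

With this in place, http://www.mysite.com/ and http://mysite.com/ both land on https://www.mysite.com/ with the path preserved, and https://www.mysite.com/ is served directly; the redirect is only as good as the X-Forwarded-Proto header, so the port-80 listener must be reachable only from the load balancer (security group), or a client could forge the header and skip the redirect.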