Sunday, January 04, 2015

AWS SSL Cert with Load Balancer Issues

I have been having all kinds of problems figuring out how to use SSL with AWS load balancers in a way that keeps users from being redirected in weird ways that look like the site has problems, or from being dropped out of SSL. The only way I have found that lets you do SSL without being a complete expert is to install the cert on the load balancer and then proxy to port 80 on the instance. This can have some unexpected outcomes (see the "Problems with this approach" section at the bottom).

Really would appreciate help configuring either my load balancer, domain records, or the apache2 server to make this behave more professionally.

  1. Generate CSR
  2. Get a Comodo cert
  3. Cert must be PEM encoded
  4. Create Load Balancer
  5. Install CERT
  6. Modify Host Records

Generate a CSR

Two files will be created:
  • mysite_com.csr
  • mysite_com.key

Get Comodo Cert

  • AddTrustExternalCARoot.crt
  • COMODORSAAddTrustCA.crt
  • COMODORSADomainValidationSecureServerCA.crt
  • mysite_com.crt

Cert and Key Must be RSA PEM encoded

Failed to upload SSL certificate: java.lang.ClassCastException: org.bouncycastle.asn1.pkcs.PrivateKeyInfo cannot be cast to org.bouncycastle.openssl.PEMKeyPair

This error means the key file is in PKCS#8 form (it starts with -----BEGIN PRIVATE KEY-----, which is what openssl req writes by default) and the upload form only accepts the traditional RSA form (-----BEGIN RSA PRIVATE KEY-----). Convert it with:

openssl rsa -in mysite_com.key -out mysite_com_pem.key

(On OpenSSL 3.x add -traditional, otherwise the output is PKCS#8 again.) Check that the first line of mysite_com_pem.key now reads -----BEGIN RSA PRIVATE KEY----- before pasting it.
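The three steps above (generate the CSR, collect the Comodo files, convert the key) as one script. This is an added example, not code from the original post: www.mysite.com is a placeholder host name and the mysite_com.* prefix follows the post's file names. It also adds two checks a practitioner wants before uploading: that the key's PEM label is the one the load balancer accepts, and that the key and CSR share a modulus. The chain file uses the exact Comodo file names listed on the page.

```shell
#!/bin/sh
# Added example, not code from the original post. It walks the CSR / key /
# chain steps with openssl and checks the key is in the PEM form the ELB
# upload accepts. "www.mysite.com" and the mysite_com.* file prefix are
# placeholders taken from the post's file names.

set -e

# Step 1: generate a 2048-bit RSA key and a CSR for the host name.
# openssl req writes the key in PKCS#8 form ("-----BEGIN PRIVATE KEY-----"),
# which is the form the ELB console rejects with the ClassCastException.
gen_csr() {
    host="$1"   # placeholder host name, e.g. www.mysite.com
    base="$2"   # file prefix, e.g. mysite_com -> mysite_com.key, mysite_com.csr
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=${host}" \
        -keyout "${base}.key" -out "${base}.csr" 2>/dev/null
}

# Label of the first PEM block in a file: "PRIVATE KEY" (PKCS#8) or
# "RSA PRIVATE KEY" (PKCS#1). This is the quick check to run before uploading.
pem_label() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# Step 3: rewrite the key as traditional RSA (PKCS#1) PEM. OpenSSL 3.x needs
# -traditional for that; 1.x does not know the flag but already writes PKCS#1,
# so fall back when the flag is rejected. -out writes only the PEM block,
# with no -text dump in front of it.
to_rsa_pem() {
    openssl rsa -in "$1" -out "$2" -traditional 2>/dev/null \
        || openssl rsa -in "$1" -out "$2" 2>/dev/null
}

# Sanity check before upload: the CSR (and so the issued cert) must carry the
# same modulus as the private key, or the load balancer rejects the pair.
key_matches_csr() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
    c=$(openssl req -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Step 2 follow-up: the intermediates Comodo sends form the "Certificate Chain"
# the upload form also asks for. Order is the leaf's issuer first, root last.
build_chain() {
    dir="$1"
    cat "$dir/COMODORSADomainValidationSecureServerCA.crt" \
        "$dir/COMODORSAAddTrustCA.crt" \
        "$dir/AddTrustExternalCARoot.crt" > "$dir/mysite_com_chain.crt"
}

# Stand-alone run: everything happens in a scratch directory.
main() {
    work=$(mktemp -d)
    gen_csr www.mysite.com "$work/mysite_com"
    echo "key as generated:   $(pem_label "$work/mysite_com.key")"
    to_rsa_pem "$work/mysite_com.key" "$work/mysite_com_pem.key"
    echo "key for ELB upload: $(pem_label "$work/mysite_com_pem.key")"
    if key_matches_csr "$work/mysite_com_pem.key" "$work/mysite_com.csr"; then
        echo "key and CSR modulus match: $work/mysite_com_pem.key is ready to paste"
    fi
}

main
```

Run it as `sh elb-cert.sh`; the second label printed should be RSA PRIVATE KEY. Keep the converted key off the instances and out of version control: only the load balancer needs it, and the instance side of this setup stays plain HTTP.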

Install CERT

Private Key: use a text editor and paste the contents of mysite_com_pem.key
Public Key Certificate: use a text editor and paste the contents of mysite_com.crt

Successfully created load balancer
Load balancer mysitecom-lb was successfully created. Note: It may take a few minutes for your instances to become active in the new load balancer.

Modify Host Records

@ Record Type: URL Redirect
www Record Type: CName

Problems with this approach

  1. is properly certified and encrypted (not a problem)
  2. There is no cert for the naked domain; in fact DNS doesn't know how to resolve the SSL version of the naked domain at all.
  3. The non-naked version of does redirect to; while it is good that it redirects to an encrypted version, it would be better if it redirected to the SSL-based naked domain of
  4. does not redirect; it should redirect to
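Problems 3 and 4 come from the proxy-to-port-80 setup: because the load balancer terminates SSL, Apache sees every request as plain HTTP and cannot tell which users arrived encrypted. The scheme the client used is passed in the X-Forwarded-Proto header, so the redirect has to key off that header rather than off the port. The vhost below is an added example, not the post's own config; mysite.com, www.mysite.com, /health and /var/www/mysite are placeholders. For problem 2 it assumes two things the page does not state: the uploaded certificate covers both the naked and the www names, and the @ record points at the load balancer (a registrar URL-redirect record only answers on HTTP, and a naked domain cannot be a CNAME, so in Route 53 this is an alias record).

```apache
# Added example (not from the original post). Assumes the ELB listener
# terminates SSL and forwards to port 80, and that the cert covers both
# mysite.com and www.mysite.com (placeholder names).
<VirtualHost *:80>
    ServerName www.mysite.com
    ServerAlias mysite.com
    DocumentRoot /var/www/mysite

    RewriteEngine On

    # The ELB health check arrives without X-Forwarded-Proto; leave it alone
    # or the instance will be marked unhealthy by its own redirect.
    RewriteCond %{REQUEST_URI} ^/health$
    RewriteRule ^ - [L]

    # Request reached the load balancer over plain HTTP (either host name):
    # one 301 straight to the canonical HTTPS naked domain.
    RewriteCond %{HTTP:X-Forwarded-Proto} !^https$ [NC]
    RewriteRule ^(.*)$ https://mysite.com$1 [R=301,L]

    # Already HTTPS but on the www host: send to the naked domain.
    RewriteCond %{HTTP_HOST} ^www\.mysite\.com$ [NC]
    RewriteRule ^(.*)$ https://mysite.com$1 [R=301,L]
</VirtualHost>
```

Both rules use a single 301 to the final URL so users never see the two-hop bounce the post describes. Verify from outside with `curl -sI http://mysite.com/` and `curl -sI https://www.mysite.com/`: each should return one Location header pointing at https://mysite.com/.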