Sunday, January 04, 2015

AWS SSL Cert with Load Balancer Issues

I have been having all kinds of problems figuring out how to use SSL with AWS load balancers in a way that keeps users from being redirected in odd ways that make the site look broken, or from being dropped out of SSL altogether. The only way I have found to do SSL without being a complete expert is to install the cert on a load balancer and have it proxy to port 80 on the instances. This can have some unexpected outcomes (see the bottom section).

I would really appreciate help configuring my load balancer, domain records, or the apache2 server so that this behaves more professionally.

Overview

http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/US_UpdatingLoadBalancerSSL.html
  1. Generate CSR
  2. Get a Comodo cert
  3. Cert must be PEM encoded
  4. Create Load Balancer
  5. Install CERT
  6. Modify Host Records


Generate a CSR

https://support.comodo.com/index.php?/Knowledgebase/Article/View/1/19/csr-generation-using-openssl-apache-wmod_ssl-nginx-os-x

Two Files will be Created:
  • mysite_com.csr
  • mysite_com.key


Get Comodo Cert

  • AddTrustExternalCARoot.crt
  • COMODORSAAddTrustCA.crt
  • COMODORSADomainValidationSecureServerCA.crt
  • mysite_com.crt


Cert and Key Must be RSA PEM encoded

Failed to upload SSL certificate: java.lang.ClassCastException: org.bouncycastle.asn1.pkcs.PrivateKeyInfo cannot be cast to org.bouncycastle.openssl.PEMKeyPair

# Convert the key to traditional RSA PEM ("BEGIN RSA PRIVATE KEY"). The key as generated
# is the PKCS#8 form ("BEGIN PRIVATE KEY"), which is what the upload error above complains
# about; -out writes only the PEM block, so the file can be pasted into the form as-is.
openssl rsa -in mysite_com.key -out mysite_com_pem.key


Install CERT


Private Key (required): use a text editor and copy in the contents of mysite_com_pem.key
Public Key Certificate (required): use a text editor and copy in the contents of mysite_com.crt

Successfully created load balancer
Load balancer mysitecom-lb was successfully created. Note: It may take a few minutes for your instances to become active in the new load balancer.
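The certificate preparation steps above (CSR and key, the key-format fix, and the CA files for the console's Certificate Chain field), as an added shell script that is not part of the original post. It uses the file names from the post; the CSR subject, the output names mysite_com_pem.key and mysite_com_chain.crt, and the order of the three Comodo CA files (the CA that signed the site cert first, the root last) are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: prepare the three PEM inputs the ELB
# certificate form takes (Private Key, Public Key Certificate, Certificate Chain) and
# sanity-check them before anything is pasted into the console.
# Invoke the live procedure explicitly:  sh prepare_elb_cert.sh run   (needs openssl)

# Classify a PEM private key by its BEGIN line.
#   pkcs8 -> "BEGIN PRIVATE KEY": the PrivateKeyInfo wrapper the ELB upload rejects with
#            the "PrivateKeyInfo cannot be cast to PEMKeyPair" ClassCastException
#   pkcs1 -> "BEGIN RSA PRIVATE KEY": traditional RSA PEM, which the form accepts
pem_key_type() {
    if grep -q '^-----BEGIN RSA PRIVATE KEY-----' "$1"; then
        echo pkcs1
    elif grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo pkcs8-encrypted
    elif grep -q '^-----BEGIN PRIVATE KEY-----' "$1"; then
        echo pkcs8
    else
        echo unknown
    fi
}

# Rewrite any RSA key as unencrypted PKCS#1 PEM (prompts for the passphrase if encrypted).
to_pkcs1() {
    openssl rsa -in "$1" -out "$2" && chmod 600 "$2"
}

# Concatenate the CA certificates for the Certificate Chain field, leaf side first:
# the CA that signed mysite_com.crt, then its issuer, ending at the root.
# $(cat) strips trailing newlines, so every block gets exactly one and a BEGIN line is
# never glued onto the previous END line. Prints the number of blocks written.
build_chain() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        printf '%s\n' "$(cat "$f")" >> "$out"
    done
    grep -c '^-----BEGIN CERTIFICATE-----' "$out"
}

# The key and the site certificate belong together only if their RSA moduli are identical.
key_matches_cert() {
    [ "$(openssl rsa -noout -modulus -in "$1")" = "$(openssl x509 -noout -modulus -in "$2")" ]
}

prepare_elb_cert() {
    # 1. Key + CSR (equivalent to the Comodo instructions the post links to).
    [ -f mysite_com.key ] || openssl req -new -newkey rsa:2048 -nodes \
        -keyout mysite_com.key -out mysite_com.csr -subj '/CN=www.mysite.com'
    # 2. Once Comodo has issued mysite_com.crt and the CA files, fix the key format.
    echo "key format before: $(pem_key_type mysite_com.key)"
    to_pkcs1 mysite_com.key mysite_com_pem.key
    echo "key format after:  $(pem_key_type mysite_com_pem.key)"
    # 3. Chain for the Certificate Chain field (assumed order: signing CA first, root last).
    n=$(build_chain mysite_com_chain.crt \
        COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt)
    echo "chain blocks: $n"
    # 4. Checks before pasting anything into the console.
    key_matches_cert mysite_com_pem.key mysite_com.crt || { echo 'key/cert mismatch' >&2; exit 1; }
    openssl verify -CAfile AddTrustExternalCARoot.crt -untrusted mysite_com_chain.crt mysite_com.crt
}

case "${1:-}" in
    run) prepare_elb_cert ;;
esac
```

The format check is the part worth keeping around: a key that reports pkcs8 will produce exactly the ClassCastException shown above, and the converted file reports pkcs1. The `openssl verify` line confirms the chain order before the console does, which otherwise only shows up as browser warnings after the listener is live.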

Modify Host Records

Host   Value                                               Record Type
@      https://www.mysite.com                              URL Redirect
www    mysite-lb-1551430537.us-east-1.elb.amazonaws.com.   CNAME


Problems with this approach

  1. https://www.mysite.com is properly certified and encrypted (not a problem).
  2. There is no cert for the naked domain https://mysite.com; in fact DNS doesn't resolve the SSL version of the naked domain at all.
  3. Plain http://mysite.com does redirect to https://www.mysite.com. It is good that it redirects to an encrypted version, but it would be better if it redirected to the SSL version of the naked domain, https://mysite.com.
  4. http://www.mysite.com/ does not redirect at all; it should redirect to https://www.mysite.com/.
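Problems 3 and 4 can be handled on the apache2 side, because the ELB terminates TLS and tells the instance which listener a request came through in the X-Forwarded-Proto header. The script below is an added example, not configuration from the original post: it writes a vhost fragment that sends every request arriving over the plain-HTTP listener, or with a non-canonical Host header, to https://www.mysite.com/ with a 301, and carries the same decision as a shell function so it can be checked without Apache. It assumes the ELB also has an HTTP:80 to HTTP:80 listener (otherwise http:// requests never reach Apache), and the health-check path /elb-health and the vhost file path are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: Apache-side canonicalisation to
# https://www.mysite.com/ for an instance behind an ELB that terminates TLS on :443 and
# forwards to :80. HEALTH_PATH and the vhost file path are hypothetical placeholders.
# Invoke the live step explicitly:  sh canonical_https.sh deploy

CANONICAL_HOST=www.mysite.com
HEALTH_PATH=/elb-health   # hypothetical: whatever path the ELB health check is configured to fetch

# The decision the rewrite rules below encode, as a function that can be checked offline.
# $1 = X-Forwarded-Proto as Apache sees it, $2 = Host header, $3 = request path (no query
# string: mod_rewrite carries the original query string over to the redirect on its own).
# Prints the 301 target, or nothing when the request must be served as-is.
redirect_target() {
    proto=$1; host=$2; path=$3
    # Health checks come straight from the ELB over plain HTTP with no X-Forwarded-Proto;
    # answering them with a 301 marks the instance unhealthy and takes it out of service.
    if [ "$path" = "$HEALTH_PATH" ]; then
        return 0
    fi
    if [ "$proto" != https ] || [ "$host" != "$CANONICAL_HOST" ]; then
        echo "https://${CANONICAL_HOST}${path}"
    fi
}

# Write the vhost fragment (DocumentRoot etc. omitted) to the path given as $1.
write_vhost() {
    cat > "$1" <<EOF
<VirtualHost *:80>
    ServerName ${CANONICAL_HOST}
    ServerAlias mysite.com
    RewriteEngine On
    # ELB health check: never redirect it
    RewriteCond %{REQUEST_URI} ^${HEALTH_PATH}\$
    RewriteRule ^ - [L]
    # Not via the HTTPS listener, or a non-canonical host name: permanent redirect
    RewriteCond %{HTTP:X-Forwarded-Proto} !=https [OR]
    RewriteCond %{HTTP_HOST} !=${CANONICAL_HOST}
    RewriteRule ^ https://${CANONICAL_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
EOF
}

deploy() {
    write_vhost /etc/apache2/sites-available/mysite.conf   # hypothetical path
    a2enmod rewrite && a2ensite mysite.conf
    apachectl configtest && service apache2 reload
}

case "${1:-}" in
    deploy) deploy ;;
esac
```

Two things this does not cover. Problem 2 (https://mysite.com) cannot be fixed on the instance at all: the @ record is a registrar-side URL Redirect, so a request for the naked domain never reaches the load balancer, and the redirect service has no certificate for mysite.com. Serving the naked domain over SSL means pointing @ at the ELB itself, which a CNAME cannot do at a zone apex (Route 53 offers an alias record for exactly this), and having the certificate cover both names. And the health-check exception matters more than it looks: without it the first redirect rule takes every instance out of service as soon as the config loads.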