Friday, May 13, 2016

Configure AWS ELB with Self-Signed Certificate

Prerequisite – Generating a Self-Signed SSL Certificate


About SSL Certificates

Self-signed SSL certificates can be used to set up temporary SSL servers, for example on test and development sites where security is not a big concern. For professional/production web sites you usually buy a certificate from Verisign, Thawte or another SSL certificate vendor. SSL certificates use a chain of trust, where each certificate is signed (trusted) by a higher, more credible certificate. At the top of the chain of trust are the root certificates, owned by Verisign and others. These root certificates are typically shipped with your operating system or web browser.


How a paid SSL certificate works

When you visit a web site over HTTPS, your web browser receives the SSL certificate for the web site. It examines the contents of the certificate to check that it is indeed valid for the domain name you are trying to visit. After that, it verifies the chain of trust by looking at who signed the certificate. If the signer is a root certificate, the browser compares it against the root certificates shipped with the operating system. If it is a non-root certificate, the browser follows the chain of trust up one more level and repeats the check.


How self-signed certificates work

When using a self-signed certificate, there is no chain of trust: the certificate has signed itself. The web browser therefore issues a warning, telling you that the web site certificate cannot be verified. For this reason you should not use self-signed certificates for professional use, as your visitors will not trust your web site to be safe.


Option 1: Generate an SSL certificate from free sites


Option 2: Generate an SSL certificate using the openssl utility

To generate a 2048-bit RSA private key:
openssl genrsa -out mulesoftfpro_.key 2048

To generate a self-signed certificate from that key, valid for 3650 days (the backslash stops the shell from expanding the wildcard in the CN):
openssl req -new -x509 -key mulesoftfpro_.key -out mulesoftfpro_.cert -days 3650 -subj /CN=mulesoftfpro\*
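The two openssl commands above, wrapped in a script that also checks the result before it is pasted into the ELB wizard, and that demonstrates the chain-of-trust point from the sections above (the same certificate fails verification against the system root store but passes once it is explicitly trusted). This is an added example, not code from the original post; the file names, the CN, the output directory and the function names are assumptions. It goes beyond the post's command by putting the CN into a subjectAltName extension as well, since browsers ignore a CN that has no SAN.

```shell
#!/bin/sh
# Added example, not code from the original post: generate the self-signed
# key/certificate pair with openssl, then check it before pasting it into
# the ELB wizard. File names, the CN and the output directory are assumptions.
set -e

# gen_selfsigned NAME CN DAYS OUTDIR
# Writes OUTDIR/NAME.key and OUTDIR/NAME.cert. The CN is repeated as a
# subjectAltName because browsers ignore a CN that has no SAN; CN may be a
# wildcard such as '*.example.com'.
gen_selfsigned() {
    name="$1"; cn="$2"; days="$3"; outdir="$4"
    mkdir -p "$outdir"
    cat > "$outdir/$name.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_ext
prompt             = no
[dn]
CN = $cn
[v3_ext]
subjectAltName = DNS:$cn
EOF
    openssl genrsa -out "$outdir/$name.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$outdir/$name.key" -out "$outdir/$name.cert" \
        -days "$days" -config "$outdir/$name.cnf" 2>/dev/null
}

# pem_has_cert_header FILE: the wizard needs the whole block, header included.
pem_has_cert_header() {
    head -n 1 "$1" | grep -q '^-----BEGIN CERTIFICATE-----$'
}

# is_self_signed CERT: no chain of trust, issuer and subject are identical.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# key_matches_cert KEY CERT: the public key in both files must be the same.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
    [ "$k" = "$c" ]
}

# chain_verifies CERT [CAFILE]: what a browser does. Without CAFILE the
# system root store is used and a self-signed cert fails; pass the cert
# itself as CAFILE to see it pass once it is explicitly trusted.
chain_verifies() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    else
        openssl verify "$1" >/dev/null 2>&1
    fi
}

# check_cert KEY CERT: run every check, print a summary, return non-zero
# if any of the hard checks failed.
check_cert() {
    rc=0
    pem_has_cert_header "$2"   && echo "ok: PEM header"  || { echo "FAIL: header"; rc=1; }
    is_self_signed "$2"        && echo "ok: self-signed" || { echo "FAIL: not self-signed"; rc=1; }
    key_matches_cert "$1" "$2" && echo "ok: key matches" || { echo "FAIL: key/cert mismatch"; rc=1; }
    chain_verifies "$2" && echo "unexpected: trusted by the system root store" \
                        || echo "expected: browsers will warn (not in the root store)"
    openssl x509 -in "$2" -noout -subject -dates
    return $rc
}

# Stand-alone usage: sh selfsigned.sh mulesoftfpro mulesoftfpro.example 3650
if [ $# -ge 2 ]; then
    gen_selfsigned "$1" "$2" "${3:-3650}" ./certs
    check_cert "./certs/$1.key" "./certs/$1.cert"
fi
```

The key/cert match check is worth running before the upload: the wizard accepts any syntactically valid PEM pair, and a listener configured with a key that does not belong to the certificate only shows up later as a failed TLS handshake.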

AWS SSL Configuration

Step 1: Go to AWS console >> EC2 >> Load Balancers >> Create Load Balancer

Specify the attributes below:
Load balancer name: any string, e.g. "mulesoftfprolbssl".
Create LB inside: the same network you selected for your instances, either EC2-Classic or a specific VPC.
Load balancer protocol: must be HTTPS, since we are setting up SSL.
Load balancer port: must be 443, since we are setting up SSL.
Instance protocol: the protocol the ELB uses to forward incoming traffic to EC2, e.g. HTTP.
Instance port: the port the ELB forwards incoming traffic to, e.g. 8082. The application I designed to test the health check of the EC2 instance runs on port 8082.
Select subnets: the subnets available in the load balancer's VPC are displayed under Available Subnets. Select subnets in the same Availability Zones as your instances.

Step 2: Select a security group; you can either create a new security group or use an existing one. I am going ahead with the "default" security group, as it allows all protocols and all ports open at the load balancer's entry point.

Step 3: AWS provides multiple options for the SSL certificate, e.g. select an existing one from ACM or IAM, or upload a new one. In this example I am uploading a new self-signed certificate:
copy and paste the private key and the self-signed public certificate generated in the earlier steps.
Note: Make sure you copy the whole text, including the header and footer lines, starting with "-----BEGIN CERTIFICATE-----".

Step 4: Tune the health check parameters to your requirements and specify the health check URL that the ELB uses to probe the instances.

Step 5: Select all the EC2 instances that need to be included.

Step 6 (optional): Tags help you categorize your load balancers in different ways, for example by purpose, owner, or environment.

Step 7: Review the configuration and finish the wizard.

Test the "testlb" application

First, get the DNS name from the LB Description page.

Then get the DNS IP using the nslookup command.

Telnet to both the DNS IP and the DNS name on port 443 to see if it connects.
Note: In my case, even though the default security group allowed all traffic from all sources to all ports, the load balancer was still not reachable; once I deleted the rules created by default inside this security group and re-added them, it started working. The reason was unknown.

Test the health check application, e.g. "/testlb". This is a custom MuleSoft application which I designed to test the load balancer.
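The same reachability test done with openssl instead of nslookup and telnet, extended with the check a practitioner actually wants after step 3: that the listener on port 443 serves the certificate that was uploaded, rather than some other one selected in the wizard. This is an added example, not code from the original post; the host name placeholder, the local certificate path and the function names are assumptions, and /testlb is the post's own health check path.

```shell
#!/bin/sh
# Added example, not from the original post: probe the ELB listener over TLS
# and confirm it presents the uploaded certificate. HOST, PORT and the local
# certificate path are assumptions; /testlb is the post's health-check path.
set -e

# cert_fingerprint FILE: SHA-256 fingerprint of a local PEM certificate.
cert_fingerprint() {
    fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256) || return 1
    printf '%s\n' "${fp#*=}"
}

# listener_fingerprint HOST PORT: fingerprint of the leaf certificate the
# listener presents. Fails when the TCP connect or the TLS handshake fails,
# which is what the telnet to port 443 was used to detect.
listener_fingerprint() {
    fp=$(openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
         | openssl x509 -noout -fingerprint -sha256 2>/dev/null) || return 1
    [ -n "$fp" ] || return 1
    printf '%s\n' "${fp#*=}"
}

# verify_listener HOST PORT CERTFILE: 0 if the served certificate equals
# CERTFILE, 1 on mismatch (wrong certificate chosen in the wizard),
# 2 if the listener is not reachable over TLS at all.
verify_listener() {
    expected=$(cert_fingerprint "$3")
    actual=$(listener_fingerprint "$1" "$2") \
        || { echo "$1:$2 not reachable over TLS (security group or listener?)" >&2; return 2; }
    if [ "$expected" = "$actual" ]; then
        echo "ok: $1:$2 serves $actual"
    else
        echo "MISMATCH: expected $expected, listener serves $actual" >&2
        return 1
    fi
}

# https_status HOST PORT PATH: first line of the HTTPS response for PATH,
# e.g. the health-check URL, fetched through s_client so no curl is needed.
https_status() {
    printf 'GET %s HTTP/1.0\r\nHost: %s\r\n\r\n' "$3" "$1" \
      | openssl s_client -quiet -connect "$1:$2" -servername "$1" 2>/dev/null \
      | head -n 1
}

# Stand-alone usage: sh checklb.sh <elb-dns-name> 443 certs/mulesoftfpro.cert
if [ $# -eq 3 ]; then
    verify_listener "$1" "$2" "$3"
    https_status "$1" "$2" /testlb
fi
```

Run it against the DNS name from the LB Description page. A return code of 2 reproduces the "not reachable" situation described in the note above and points at the security group or listener rather than the certificate; a return code of 1 means the listener answers but with a different certificate than the one you generated.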


  1. Finding the time and actual effort to create a superb article like this is great thing. I’ll learn many new stuff right here! Good luck for the next post buddy..
    AWS Training in Chennai

  2. This is an awesome post. Really very informative and creative contents. These concepts are a good way to enhance the knowledge. I like it and it helps me to develop very well. Thank you for this brief explanation and very nice information. Well, got a good knowledge.
    AWS Training in Chennai

  3. It is amazing and wonderful to visit your site. Thanks for sharing this information, this is useful to me...
    Android Training in Chennai
    Ios Training in Chennai