AWS EC2: HTTPS access error – browsers don’t see the certificate used for configuring SSL in Elastic

Time:03-09

I configured SSL offload on Elastic Load Balancer using a certificate from AWS Certificate Manager.

The HTTPS listener is configured as follows: the default action is forwarding to Group Instances HTTPS, and the default SSL certificate is (as Edit Listener indicates) the correct one issued by ACM for a domain name I registered using AWS.

In Route 53 Hosted Zones, I created an A-type record with my Public IPv4 address (which is an Elastic IP) as a value; the SSL certificate was issued for this IP.

However, when I try to connect to my domain via https, I get the error message ERR_CERT_AUTHORITY_INVALID, and Chrome’s Developer tools > Security > View Certificate displays

  Issued to:    ip-172-31-90-31.ec2.internal

  Issued by:    ip-172-31-90-31.ec2.internal,

that is my Private IPv4 DNS in both cases -- instead of my domain name (for Issued to) and Amazon (for Issued by).

I also tried pointing the A record to the ALB instead of my public IPv4 (as suggested at https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-to-elb-load-balancer.html). Unfortunately, after that browsers couldn't connect to the domain at all (the error message: <domain_name> took too long to respond).

I am wondering what could cause that. Could it result from some misconfiguration of my Apache server? If so, how could I fix that?

CodePudding user response:

When you configure SSL offload at ALB, you should point your A record to the ALB instead of your IPv4.

Please follow this guide and check if it works: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-to-elb-load-balancer.html

CodePudding user response:

You can't get a valid public SSL certificate for ip-172-31-90-31.ec2.internal. This is not your domain, but it belongs to AWS. You have to obtain/buy your own domain, e.g. myapp.org for which you can get a free SSL certificate from AWS ACM.
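
A check for the symptom in the question, as an added example that is not part of the original thread: it classifies the certificate a hostname actually serves, so a self-signed certificate named after an EC2 private DNS name (which indicates the instance's own web server answered rather than the load balancer listener) stands out. The function names are this example's own, and it assumes `openssl` is installed.

```bash
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.

# Print the DN after "subject=" or "issuer=" in `openssl x509 -noout` output.
dn_of() { sed -n "s|^$1= *||p" | head -n 1; }

# Print the CN of a DN written as either "CN = x" or "/CN=x".
cn_of() { sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'; }

# Succeed if certificate name $1 covers host $2 (exact, or one-label wildcard).
name_covers() {
  case "$1" in
    "$2") return 0 ;;
    \*.*) [ "${2#*.}" = "${1#\*.}" ] && return 0 ;;
  esac
  return 1
}

# stdin: subject/issuer/SAN text; $1: hostname the browser was pointed at.
# Prints instance-self-signed, self-signed, name-mismatch or ok.
# "ok" covers names only; chain validation is still the TLS client's job.
classify_cert() {
  cc_text="$(cat)"
  cc_subject="$(printf '%s\n' "$cc_text" | dn_of subject)"
  cc_issuer="$(printf '%s\n' "$cc_text" | dn_of issuer)"
  cc_cn="$(printf '%s\n' "$cc_subject" | cn_of)"
  if [ -n "$cc_subject" ] && [ "$cc_subject" = "$cc_issuer" ]; then
    case "$cc_cn" in
      # EC2 private DNS name: the certificate was generated on the instance.
      ip-*.ec2.internal|ip-*.compute.internal) echo instance-self-signed ;;
      *) echo self-signed ;;
    esac
    return 0
  fi
  cc_sans="$(printf '%s\n' "$cc_text" | tr ',' '\n' | sed -n 's/^ *DNS://p')"
  while IFS= read -r cc_name; do
    if name_covers "$cc_name" "$1"; then echo ok; return 0; fi
  done <<EOF
$cc_cn
$cc_sans
EOF
  echo name-mismatch
}

# Live fetch (needs network; -ext needs OpenSSL 1.1.1 or later).
fetch_cert() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -subject -issuer -ext subjectAltName
}
# Usage: fetch_cert <domain_name> | classify_cert <domain_name>
```

Running it against both the domain name and the load balancer's own DNS name shows whether the two endpoints present the same certificate.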
