AWS here. I have an application load balancer (ALB) currently configured with an HTTP (port 80) listener. The ALB has a DNS name of, say, http://my-alb.us-east-1.elb.amazonaws.com, which I refer to as the "load-balancer URL". Sitting behind the ALB is an autoscaling group. The autoscaling group is configured to manage EC2 instances that will be hosting RESTful API web services. These web services are listening on port 8089. So the traffic between the ALB and the EC2 instances is over HTTP/8089. Everything is working beautifully.
I would now like to change things so that the ALB is serving HTTPS over port 443. I want TLS terminated at the balancer, so the ALB <--> EC2 traffic can still be HTTP/8089. But anything that talks to the balancer has to be over HTTPS.
When I go to create an HTTPS listener on the ALB, it needs me to select a validated certificate from ACM. So I went into ACM and requested an SSL certificate for, say, dev.myapp.example.com.
I then went into my DNS provider (GoDaddy) and added the CNAME name and value associated with this certificate to my DNS settings. The cert now shows as Issued (no longer Pending), and when I run a dig command on the CNAME name (dig +short <CNAME_NAME_HERE>) I get back the value. So it looks like I configured DNS correctly.
I am now able to create the HTTPS listener on the balancer and select the ACM certificate that I just validated. So far so good!
So currently I have both my old HTTP listener as well as the new HTTPS listener on the balancer. Once I get HTTPS working I will delete/remove the HTTP listener.
When I try to run a curl against my balancer over HTTP it works perfectly fine:
curl --location --request POST 'http://my-alb.us-east-1.elb.amazonaws.com/login' --header 'Content-Type: application/json' --data-raw '<JSON_HERE>'
{"token": "<JWT_TOKEN>"}
Awesome, so I can login to my EC2 instances through the balancer over HTTP and get back a valid JWT.
But when I try to use HTTPS I get an error:
curl --location --request POST 'https://my-alb.us-east-1.elb.amazonaws.com/login' --header 'Content-Type: application/json' --data-raw '<JSON_HERE>'
curl: (60) SSL: no alternative certificate subject name matches target host name 'my-alb.us-east-1.elb.amazonaws.com'
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
Can anyone figure out where I'm going awry, and spot what the fix is? Thanks!
CodePudding user response:
You have to give curl your custom domain, like curl --location --request POST 'https://dev.myapp.example.com/login'
You are currently still giving it the elb.amazonaws.com DNS name, which does not match your SSL certificate. That's why it is telling you your SSL certificate does not match the DNS name.
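The curl error above is the hostname-verification step that runs after the TLS handshake: the name in the URL (the reference identifier) must match a dNSName in the certificate's Subject Alternative Name list, and an ACM certificate requested for dev.myapp.example.com will never list the ALB's own *.elb.amazonaws.com name (you cannot get a public certificate for a name you do not control). The following is an added example, not code from the question, the answer or AWS; it re-implements the RFC 6125 dNSName matching rule that curl, browsers and Python's ssl module apply, so the failure can be reproduced offline. The SAN list and host names are constructed to mirror the post; the certificate ACM actually issued is not on the page.

```python
"""Reproduce curl error 60 offline: RFC 6125 dNSName hostname matching.

Added example (not from the original post). The SAN list below is an
assumption that mirrors the post: ACM issued a certificate for
dev.myapp.example.com only.
"""
from typing import Iterable, List, Tuple


def _labels(name: str) -> List[str]:
    # DNS names are case-insensitive; a trailing dot just denotes the root.
    return name.lower().rstrip(".").split(".")


def dns_name_matches(san: str, host: str) -> bool:
    """True if presented identifier `san` covers reference identifier `host`.

    Rules, as curl/OpenSSL apply them (RFC 6125 section 6.4.3):
      * compare case-insensitively, label by label;
      * a wildcard is honoured only as the entire left-most label
        ("*.example.com"), never as a partial label ("dev*.example.com");
      * the wildcard covers exactly one label, so "*.example.com" matches
        "dev.example.com" but not "example.com" or "a.dev.example.com";
      * a wildcard needs at least two literal labels after it ("*.com" is rejected).
    """
    san_labels, host_labels = _labels(san), _labels(host)
    if not san_labels or not host_labels:
        return False
    if san_labels[0] == "*":
        if len(san_labels) < 3:
            return False
        return len(host_labels) == len(san_labels) and san_labels[1:] == host_labels[1:]
    if any("*" in lbl for lbl in san_labels):
        return False
    return san_labels == host_labels


def verify_hostname(sans: Iterable[str], host: str) -> Tuple[bool, str]:
    """Mimic curl's post-handshake check: host must match some dNSName SAN.

    Returns (ok, message); on failure the message reproduces the gist of
    curl's error 60 text.
    """
    for san in sans:
        if dns_name_matches(san, host):
            return True, f"host '{host}' matches SAN '{san}'"
    return False, (
        "SSL: no alternative certificate subject name matches "
        f"target host name '{host}'"
    )


# Constructed inputs mirroring the post (assumption: ACM cert has one SAN).
ACM_CERT_SANS = ["dev.myapp.example.com"]
ALB_DNS_NAME = "my-alb.us-east-1.elb.amazonaws.com"   # what the poster curled
CUSTOM_HOST = "dev.myapp.example.com"                  # what the answer says to curl

if __name__ == "__main__":
    for host in (ALB_DNS_NAME, CUSTOM_HOST):
        ok, msg = verify_hostname(ACM_CERT_SANS, host)
        print(("OK   " if ok else "FAIL ") + msg)
```

Two practical checks go with the answer. First, the custom name has to resolve to the ALB (a CNAME or Route 53 alias from dev.myapp.example.com to the ALB's DNS name; the validation CNAME that ACM had you add does not do this). Until that record exists you can still test the listener with curl's `--resolve dev.myapp.example.com:443:<ALB IP>` option, which pins the address while keeping the hostname used for SNI and verification. Second, `openssl s_client -servername dev.myapp.example.com -connect <ALB DNS name>:443` followed by `openssl x509 -noout -ext subjectAltName` shows exactly which names the served certificate carries, which is what the matcher above is checking against.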