I just moved a site from one domain to another. It's still on the same servers behind an AWS Elastic Load Balancer. I also changed the certificate on the load balancer to one for the new domain.

The problem is that all existing links out there are to https://www.old-domain.com -- so when they hit the load balancer, the SSL handshake fails, so it doesn't redirect (b/c the certificate is not for http://newdomain.com)

I'm trying to figure out my options for how to redirect the https links from the old domain. It looks like the best options are either:

  • Get a certificate with Subject Alternative Names (SANs), put all the domains on there, and redirect the old domains in the NGINX conf. But, this is expensive!

  • Renew the certificate for the https://old-domain.com and have that on a separate IP and redirect there. But that means another EC2 instance, right? Meh.

  • This post seems to talk about another solution, but I haven't made enough sense of it yet: Scaling Multiple SSL Domains on Multiple EC2 instances in AWS ELB

Suggestions on the best way to do this?

I appreciate it!

99miles

3 Answers

2

This may help you. AWS Certificate Manager. https://aws.amazon.com/blogs/aws/new-aws-certificate-manager-deploy-ssltls-based-apps-on-aws/

You can create an SSL with multiple host names (SANs), or with a wildcard.

You may also enjoy the pricing... (FREE)

  • Oh man, that's amazing. The bummer is that's only in the East region now, and the stack I'm dealing with is in the West. Argh. – 99miles Jan 25 '16 at 07:08
  • @99miles According to Amazon, this will be rolled out to all regions in the (near) future. Don't have an ETA, but maybe you could ask them directly. – gxx Jan 25 '16 at 08:51
  • @99miles you can use this now, in any region, for redirects -- CloudFront is run (administratively) out of us-east-1, so you can already use this globally -- set up an empty S3 bucket that redirects to the new site, then CloudFront pointing at that bucket's web site endpoint, then create a cert for the old domain, attach, and point DNS for old-domain to CloudFront, which uses ACM cert, sends to S3, which redirects. #boom – Michael - sqlbot Jan 25 '16 at 10:19
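The CloudFront route sketched in the last comment above, written out as one CloudFormation template. This is an added example, not code from the question, the answers or AWS; the domain names, the parameter defaults and the Route 53 hosted zone are assumptions. It must be deployed in us-east-1, because CloudFront only accepts ACM certificates issued in that region, and the bucket needs no objects and no public bucket policy: a website endpoint configured with RedirectAllRequestsTo answers every request with a 301 before any object is read.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Terminate TLS for the old domain on CloudFront (free ACM certificate) and
  301 everything to the new site via an empty S3 redirect bucket.
  Deploy in us-east-1 (CloudFront requires ACM certificates from that region).

Parameters:
  OldDomain:
    Type: String
    Default: www.old-domain.com        # assumed name, from the question
  OldDomainApex:
    Type: String
    Default: old-domain.com            # assumed name
  NewDomain:
    Type: String
    Default: www.newdomain.com         # assumed name
  HostedZoneId:
    Type: AWS::Route53::HostedZone::Id # assumed: old-domain.com is hosted in Route 53

Resources:
  # Empty bucket whose only job is to answer every request with a 301.
  RedirectBucket:
    Type: AWS::S3::Bucket
    Properties:
      WebsiteConfiguration:
        RedirectAllRequestsTo:
          HostName: !Ref NewDomain
          Protocol: https

  # Certificate for the old names; DNS validation writes the CNAMEs into the zone.
  OldDomainCert:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: !Ref OldDomain
      SubjectAlternativeNames:
        - !Ref OldDomainApex
      ValidationMethod: DNS
      DomainValidationOptions:
        - DomainName: !Ref OldDomain
          HostedZoneId: !Ref HostedZoneId
        - DomainName: !Ref OldDomainApex
          HostedZoneId: !Ref HostedZoneId

  RedirectDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        Comment: 301 redirect for the old domain
        Aliases:
          - !Ref OldDomain
          - !Ref OldDomainApex
        Origins:
          - Id: redirect-bucket
            # WebsiteURL is "http://<bucket>.s3-website-<region>.amazonaws.com";
            # the origin wants only the host part. S3 website endpoints speak
            # plain HTTP, so the CloudFront-to-S3 leg is http-only.
            DomainName: !Select [2, !Split ["/", !GetAtt RedirectBucket.WebsiteURL]]
            CustomOriginConfig:
              OriginProtocolPolicy: http-only
        DefaultCacheBehavior:
          TargetOriginId: redirect-bucket
          # allow-all so plain-http links to the old site are redirected too;
          # the Location they receive is https on the new domain.
          ViewerProtocolPolicy: allow-all
          ForwardedValues:
            QueryString: true
        ViewerCertificate:
          AcmCertificateArn: !Ref OldDomainCert
          SslSupportMethod: sni-only
          MinimumProtocolVersion: TLSv1.2_2021

  # Point both old names at the distribution. Z2FDTNDATAQYW2 is CloudFront's
  # fixed hosted zone id for Route 53 alias records.
  OldDomainAlias:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref HostedZoneId
      Name: !Ref OldDomain
      Type: A
      AliasTarget:
        DNSName: !GetAtt RedirectDistribution.DomainName
        HostedZoneId: Z2FDTNDATAQYW2
  OldDomainApexAlias:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref HostedZoneId
      Name: !Ref OldDomainApex
      Type: A
      AliasTarget:
        DNSName: !GetAtt RedirectDistribution.DomainName
        HostedZoneId: Z2FDTNDATAQYW2
```

After the stack is up, check from outside with `curl -sI "https://www.old-domain.com/some/path?x=1"`: expect a 301 whose Location is on https://www.newdomain.com with the path intact, and a TLS handshake that succeeds without warnings. Confirm the query string survives the S3 redirect as well before relying on it; the ELB and the nginx hosts are never involved for the old name, only for the browser's follow-up request to the new one.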
0

You could take the old domain out of the ELB and point it directly to nginx, with a new server block. That can use the old https certificate, and send back a 301 redirect that will go through the ELB. This is fairly trivial to achieve as well, a new server block with one location in nginx, so long as your server has a public IP and is directly accessible.

Tim
  • What do you mean, "take the old domain out of the ELB"? ELB currently knows nothing about that old domain. And that old domain can't get past the SSL handshake that happens at the ELB level, to get to the nginx server block, without the user getting the ssl warning. – 99miles Jan 27 '16 at 06:23
  • The general idea I'm getting at is you can either have the ELB have certificates for both domains, or have the old domain hit Nginx directly with the old certificate and have it forward to the new domain. I'm slightly confused as you've said "ELB currently knows nothing about that old domain" and "all existing links out there are to (old domain) so when they hit the load balancer" - to me it reads like you've said the old domain both is and isn't in the ELB. – Tim Jan 27 '16 at 08:17
  • 1) The load balancer doesn't care what the domains are, so they don't need to be specified anywhere. 2) The load balancer has a certificate for the second brand, so will not let other domains through without a successful SSL handshake, or user consent in their browser 3) Load balancers cannot have multiple certificates from what I can tell. – 99miles Jan 28 '16 at 22:33
  • And that's why I said don't use the ELB for the old domain, go straight to an nginx server doing redirection. – Tim Jan 28 '16 at 22:44
  • I don't want have to run a separate EC2 instance to just do a redirect. – 99miles Jan 29 '16 at 23:31
  • You don't have to run a separate server, you just have another server defined in nginx - the same one that's behind the ELB. I could make this really clear and simple using a diagram if that would help. – Tim Jan 29 '16 at 23:43
  • There's no way to get the request through ELB if the certificate doesn't match the domain, without the user getting the warning in the browser about the connection being insecure. – 99miles Jan 31 '16 at 00:40
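Tim's suggestion as an nginx server block; this is an added example, not configuration from the answer. It assumes the instance has a public IP, that DNS for old-domain.com and www.old-domain.com is changed to point at that IP rather than at the ELB, that the instance's security group allows 443 and 80 from the internet, and that the old certificate and key are at the paths shown.

```nginx
# Vhost for the old names only. Nothing here touches the ELB: the browser
# connects straight to this instance, gets a 301, and only the follow-up
# request for the new name goes through the load balancer.
server {
    listen 443 ssl;
    server_name old-domain.com www.old-domain.com;

    # The certificate that still matches the old names (assumed paths).
    ssl_certificate     /etc/nginx/ssl/old-domain.crt;
    ssl_certificate_key /etc/nginx/ssl/old-domain.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # $request_uri keeps the original path and query string, so deep links
    # land on the same page under the new domain.
    return 301 https://www.newdomain.com$request_uri;
}

# Plain-http links to the old site get the same redirect.
server {
    listen 80;
    server_name old-domain.com www.old-domain.com;
    return 301 https://www.newdomain.com$request_uri;
}
```

Run `nginx -t` and reload, then test with `curl -sI https://www.old-domain.com/some/path` against the instance's IP; the handshake succeeds because nginx selects this block by SNI and presents the old certificate. The redirect is served by that one instance, so if the site runs on several, only the old name's DNS depends on it. For what it is worth, the statement in the comments that a load balancer cannot hold several certificates was true of the classic ELB at the time; an Application Load Balancer now accepts multiple certificates and picks one per SNI hostname, which would make both this block and the extra IP unnecessary.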
0

You can also maintain second ELB that points to the same set of backend servers. I do this for a number of domains.

You can even set up health checks on the different ELBs that check whether the old or new domain is down, vs the instances themselves.

The downside to the second ELB is that it will cost you $20 to $30 a month to run.

Mark Stosberg