
My domain and subdomain are currently set up on GoDaddy and I have a web portal running on Tomcat on an AWS EC2 Windows instance. I have configured Tomcat to run on HTTPS port 443. I set the forwarding rules with masking to point my subdomain to my EC2 instance -

  • domain - www.example.co.uk
  • subdomain - portal.example.co.uk forwards to https://some ip:443

I created a keystore and CSR for my tomcat installation and bought a basic SSL Certificate for portal.example.co.uk and imported it into my tomcat keystore.

When I go to portal.example.co.uk it appears to be http as opposed to https.

I guess this is a two-fold question...

If a subdomain forwards to an HTTPS address, should that request then show as HTTPS?

When trying to secure a subdomain, can you do this by installing a certificate on the EC2 instance or do I need to do it from GoDaddy?

When I spoke to GoDaddy about it, they said in order to do what I'm trying to achieve, I would need to pay £200+ for a wildcard certificate.

Jenny D

2 Answers

1

Just pointing the subdomain to an HTTPS address doesn't make the site run on HTTPS.

Instead you need to do the following:

  1. Generate a CSR (Certificate Signing Request) from Tomcat
  2. Purchase a wildcard certificate (to cover the domain and subdomains) from GoDaddy or anyone else, or generate your own using OpenSSL (there might be a problem with some browsers not recognising the root certificate)
  3. Generate a certificate using the CSR
  4. Upload the certificate to Tomcat
  5. Change the site configuration in Tomcat to load this certificate and switch when a request for HTTPS is made from a browser
  6. Redirect all HTTP requests to HTTPS requests in your site configuration
sridhar pandurangiah
  • Thanks for your response. If I am only interested in securing my subdomain, do I still need a wildcard certificate? I have a certificate on tomcat at the moment with the domain set to e.g. portal.example.co.uk – codemonkey Nov 17 '17 at 12:00
  • No, you don't need a wildcard... but you have to get rid of the "forwarding and masking" nonsense and create a standard DNS record. – Michael - sqlbot Nov 17 '17 at 13:11
  • Great thanks I have deleted the forward and created a new 'A' record. Guessing I'll need to wait a bit for the change to propagate. – codemonkey Nov 17 '17 at 13:41
  • It doesn't appear to be possible with GoDaddy. It only lets you specify an IP address and doesn't allow for a port. I am currently getting a timeout when I access e.g. portal.example.co.uk, however if I access portal.example.co.uk:8443 then it works and shows as Secure - https://uk.godaddy.com/community/Managing-Domains/Domain-to-IP-at-Specific-Port/td-p/52018 – codemonkey Nov 17 '17 at 14:14
  • I'll try and add a redirect on tomcat – codemonkey Nov 17 '17 at 14:16
  • That's it working!! Thanks very much for your help, much appreciated! – codemonkey Nov 17 '17 at 14:29
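Steps 4 to 6 of this answer, plus the Tomcat-side HTTP-to-HTTPS redirect the asker settled on in the comments, as one worked configuration. This is an added example, not code from the answer or from Tomcat's documentation; the Tomcat 8.5+ connector syntax, the keystore path, alias and password are assumptions.

```xml
<!-- conf/server.xml fragment (Tomcat 8.5+ connector syntax; assumed) -->
<Service name="Catalina">

  <!-- Plain HTTP connector. Any request that hits a CONFIDENTIAL
       constraint (see web.xml below) is sent to redirectPort, so
       port 80 only ever serves redirects, never the portal itself. -->
  <Connector port="80" protocol="HTTP/1.1"
             connectionTimeout="20000"
             redirectPort="443" />

  <!-- HTTPS connector on 443 using the keystore that holds the key
       pair the CSR was generated from plus the purchased
       portal.example.co.uk certificate. Path, alias and password
       are placeholders, not values from the question. -->
  <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             maxThreads="150" SSLEnabled="true">
    <SSLHostConfig protocols="TLSv1.2,TLSv1.3">
      <Certificate certificateKeystoreFile="conf/portal.example.co.uk.jks"
                   certificateKeystorePassword="CHANGE-ME"
                   certificateKeyAlias="tomcat"
                   type="RSA" />
    </SSLHostConfig>
  </Connector>

  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" />
  </Engine>
</Service>

<!-- conf/web.xml (or the app's WEB-INF/web.xml): step 6, force every
     URL onto HTTPS. Tomcat answers a plain-HTTP request for any
     matching URL with a 302 to the same path on the redirectPort. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire site</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

Because a DNS A record carries only an IP, ports 80 and 443 must also be allowed inbound in the instance's security group and the Windows firewall; a timeout on 443 while :8443 works is the usual sign that one of those is still closed.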
0

You can migrate your domain to Route 53 (this is optional).

Using AWS Certificate Manager, which is free, request a certificate for portal.example.co.uk and place it on an Elastic Load Balancer (ELB).

Point portal.example.co.uk to the ELB (using a CNAME if using GoDaddy or an alias in Route 53) and set up Tomcat to redirect the site to HTTPS.

Traffic between the client and the ELB will be encrypted, but between the ELB and the Tomcat server it will be HTTP, which can be locked down via security groups so only the ELB can access the Tomcat servers.

strongjz