  1. I have an EC2 instance with Amazon Linux running an Apache web server.

  2. I have an ACM SSL certificate issued. (I want to use it for a subdomain so I have set it up using *.mydomain.com and it has been issued)

  3. I have set up an application load balancer with listeners on port 80 and 443 open. I have attached the SSL certificate to it.

  4. I have set up my target group that contains my EC2 instance. I have set up forwarding on port 80 as per AWS documentation.

As far as I understand, the only thing left for me to do is to point my domain which is hosted through GoDaddy at my Load Balancer. I found a tutorial that said to create an A record set to Alias and add the DNS Name for my Load Balancer as the value. When I do this, it tells me that I cannot have the A record because I have already got one set up, but that is for my subdomain. I am doing this through Route 53.

When I give the A record a different name, for example lb.test.example.com, it does not connect to HTTP on the domain test.example.com. When I type in lb.test.example.com, I get the browser whinging that the site is not secure and then a Bad Gateway error.

What am I missing here?

Chris
  • 151
  • 2
  • 8

1 Answer

0

A regular wildcard certificate for *.mydomain.com will not be valid for subdomains of subdomains (e.g. *.test.mydomain.com). For that you would need something called a Unified Communications, or Multi-Domain, certificate. And no, you cannot, of course, point the same subdomain at separate services without unintended consequences.

Also, just to get the terms right: An "Alias" DNS record is not an A record, but a CNAME record. Otherwise you're correct in that creating an alias for the subdomain pointing at the name of the load balancer is a way of achieving what you want to do.

An additional thing to look at - I'm frankly unsure how that is done specifically in EC2 - is that you probably want to create some kind of rule to ensure clients who connect over regular http get forwarded to the https version of the site automatically. One way is to provide the client with an HTTP redirect (HTTP 301) answer pointing at the intended target. It may be that EC2 does that automagically (though I doubt it), but you should confirm whether that's the case.

Mikael H
  • 4,868
  • 2
  • 8
  • 15
  • cloudfront adds the ability to do the http->https redirect (see eg https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-viewers-to-cloudfront.html) – danimal Sep 11 '19 at 10:20
  • I was planning to use Graves’s to perform the http to https redirect. The main issue I am having is that trying to physically access https://test.example.com does not work. The browser acts like there is nothing running on https but as far as I understand it, you are not supposed to physically configure ‘virtual hosts’ on the EC2 if you are using an ACM supplied SSL. – Chris Sep 11 '19 at 11:26
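Two offline checks that follow from the question's setup (the wildcard certificate in step 2 and the port 80/443 listeners in step 3) and from the answer's two points: a wildcard covers only one label, and port 80 should answer with a 301 to HTTPS. This is an added example, not code from the question, the answer or AWS. The hostnames are the ones used in the thread, the listener dictionaries are constructed samples in the shape the `aws elbv2 describe-listeners` output uses, and the `#{host}`/`#{path}`/`#{query}` placeholders are the ALB redirect placeholders.

```python
"""Offline checks for the ALB + ACM + Route 53 setup discussed above.

Added example (not from the original post). Sample listener data below is
constructed; it mirrors the "Listeners" list that
`aws elbv2 describe-listeners --load-balancer-arn ...` returns.
"""


def cert_covers_host(cert_name: str, host: str) -> bool:
    """Return True if a certificate issued for cert_name is valid for host.

    Applies the wildcard rule browsers use (RFC 6125 section 6.4.3): '*'
    stands for exactly one DNS label, so *.mydomain.com covers
    test.mydomain.com but neither mydomain.com nor lb.test.mydomain.com.
    Comparison is case-insensitive and ignores a trailing dot.
    """
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == host
    suffix = cert_name[1:]            # ".mydomain.com"
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]      # the part the '*' would have to match
    return label != "" and "." not in label


def port80_redirects_to_https(listeners: list) -> bool:
    """Return True if the HTTP:80 listener's default action is a permanent
    redirect to HTTPS (the 301 behaviour the answer recommends)."""
    for listener in listeners:
        if listener.get("Protocol") != "HTTP" or listener.get("Port") != 80:
            continue
        for action in listener.get("DefaultActions", []):
            cfg = action.get("RedirectConfig", {})
            if (action.get("Type") == "redirect"
                    and cfg.get("Protocol") == "HTTPS"
                    and cfg.get("StatusCode") == "HTTP_301"):
                return True
    return False


# Constructed sample: what the question's step 3/4 setup looks like, with
# port 80 simply forwarding to the target group (no redirect).
LISTENERS_FORWARD_ONLY = [
    {"Port": 80, "Protocol": "HTTP",
     "DefaultActions": [{"Type": "forward",
                         "TargetGroupArn": "arn:aws:...:targetgroup/PLACEHOLDER"}]},
    {"Port": 443, "Protocol": "HTTPS",
     "DefaultActions": [{"Type": "forward",
                         "TargetGroupArn": "arn:aws:...:targetgroup/PLACEHOLDER"}]},
]

# Constructed sample: the same ALB after the port 80 default action has been
# changed to a 301 redirect that keeps host, path and query.
LISTENERS_WITH_REDIRECT = [
    {"Port": 80, "Protocol": "HTTP",
     "DefaultActions": [{"Type": "redirect",
                         "RedirectConfig": {"Protocol": "HTTPS", "Port": "443",
                                            "Host": "#{host}", "Path": "/#{path}",
                                            "Query": "#{query}",
                                            "StatusCode": "HTTP_301"}}]},
    LISTENERS_FORWARD_ONLY[1],
]


if __name__ == "__main__":
    for host in ("test.mydomain.com", "lb.test.mydomain.com", "mydomain.com"):
        print(f"*.mydomain.com covers {host}: {cert_covers_host('*.mydomain.com', host)}")
    print("forward-only ALB redirects 80->443:",
          port80_redirects_to_https(LISTENERS_FORWARD_ONLY))
    print("redirect ALB redirects 80->443:",
          port80_redirects_to_https(LISTENERS_WITH_REDIRECT))
```

Run it as-is to see why `lb.test.example.com` produces the browser's "not secure" warning under a `*.example.com` certificate while `test.example.com` does not, and feed `port80_redirects_to_https` the real `Listeners` list from `describe-listeners` to confirm whether the HTTP listener has been switched from forwarding to a 301 redirect.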