SSL – AWS EC2 SSL Server certificate does not match the URL


After uploading the certificate to IAM, when I visit https://www.mywebsite.com I get this error:

The identity of this website has not been verified.
  • Server's certificate does not match the URL.
  • Server's certificate is not trusted.

And if I click on the certificate information, everything is wrong:

www.example.com
Self-signed root certificate
Expires: Friday 27 September 2024 ........

If I query the certificate I've uploaded:

aws iam get-server-certificate --server-certificate-name certificate_mycertificate

I get this:

"ServerCertificateMetadata": {
        "ServerCertificateId": "XXX", 
        "ServerCertificateName": "certificate_mycertificate", 
        "Expiration": "2015-11-21T23:59:59Z", 
        "Path": "/", 
        "Arn": "arn:aws:iam::XXX:server-certificate/certificate_mycertificate", 
        "UploadDate": "2014-11-21T14:56:13Z"
}

Something is wrong. It's my first experience with SSL and I don't have much experience with AWS, so any help will be much appreciated, at least on where I have to start looking to solve this problem.

Additional details:

I've set up a virtual host on my local machine that points to the IP of our EC2, with the domain that is in the certificate; that's where I get the wrong certificate information.

In our EC2 there is no load balancer set up. The only thing I did was generate a certificate, send it to the CA, activate the certificate and upload the certificate that I got back from the CA (the chain too).
We have 4 instances in our EC2.
Do I need to create a load balancer?

We developed a Magento website that is one of the instances in our EC2. We don't have access to the domain because the old website is still live on another server not "owned" by us. We are at the end of the development and we have to set up everything for the actual go-live, so our Magento website has as a domain something like ec2-23-23-12-45….. That's why I set up a virtual host on my local machine to check if SSL was working (my boss told me to do this step to verify the SSL).

It looks like it is not a problem with the certificate, but a problem of config with EC2, or something different.

I get the same result with an SSL Certificate Checker:

SSL certificate

Common Name = www.example.com
Issuer = www.example.com
Serial Number = A209D18396BD4A44
SHA1 Thumbprint = 307D5DC2E2BBEAB3674558DCFE781DE8896965DF
Key Length = 1024 bit
Signature algorithm = SHA1 + RSA (good)
Secure Renegotiation: Supported

SSL Certificate expiration

The certificate expires September 27, 2024 (3597 days from today)

Thanks

Best Answer

Your EC2 instance is running a web server, so what you need is to install the certificate in that web server. Uploading a certificate to IAM only makes sense when you use CloudFront, ELB, etc. and you want these services under HTTPS.

One application of using certificates is to allow HTTPS access for Elastic Load Balancing. Actually, the server certificates can be used with CloudFront and AWS OpsWorks as well.

Amazon AWS – Understanding IAM Server Certificates
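
The symptoms in the question can be checked mechanically. The following is an added example, not code from the question or the answer: it compares the fields of the certificate the server presents with the IAM metadata and the expected hostname. The function names are hypothetical, the sample values are taken from the output quoted above, and the time of day in `notAfter` is constructed because the page only gives the date.

```python
import ssl
from datetime import datetime, timezone

def names_in(cert):
    """DNS names the certificate covers: subjectAltName first, CN as fallback."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def host_matches(host, pattern):
    """Exact match, or one left-most '*' label as in '*.example.com'."""
    h, p = host.lower().split("."), pattern.lower().split(".")
    if len(h) != len(p):
        return False
    first_ok = p[0] == h[0] or (p[0] == "*" and len(p) > 2)
    return first_ok and h[1:] == p[1:]

def diagnose(served, iam_metadata, host):
    """Return findings for a served certificate (dict in the shape used by
    ssl.SSLSocket.getpeercert()) against the IAM ServerCertificateMetadata."""
    findings = []
    if not any(host_matches(host, n) for n in names_in(served)):
        findings.append("name-mismatch")        # "does not match the URL"
    if served.get("issuer") == served.get("subject"):
        findings.append("self-signed")          # "is not trusted"
    served_exp = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(served["notAfter"]), timezone.utc)
    iam_exp = datetime.strptime(
        iam_metadata["Expiration"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    # Equal expiry is necessary, not sufficient, for the two to be the same cert.
    if served_exp != iam_exp:
        findings.append("expiry-differs-from-iam")
    return findings

# Sample input built from the checker output and IAM response quoted on this page.
SERVED = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "www.example.com"),),),
    "notAfter": "Sep 27 00:00:00 2024 GMT",  # date from the page, time constructed
}
IAM = {"ServerCertificateName": "certificate_mycertificate",
       "Expiration": "2015-11-21T23:59:59Z"}

if __name__ == "__main__":
    print(diagnose(SERVED, IAM, "www.mywebsite.com"))
```

All three findings together indicate that the instance's web server is presenting its own default self-signed certificate and that the certificate stored in IAM is never served.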