Tags: amazon-web-services, ssl, amazon-ec2, https, elastic-load-balancer

AWS SSL with load balancer - EC2 instance HTTPS requests seem not to be terminated by ELB


I am hosting a domain in AWS and want to allow HTTPS requests to it. I have done the following steps.

  1. requested a certificate from ACM, validated the emails and it is issued.
  2. created a classic load balancer (LB) with http and https listeners that forward to the instance through http(80).
  3. attached the certificate to the LB and added the instance that runs the website.
  4. made sure the security groups attached to the instance and LB have http(80) and https(443) in the inbound rules.
  5. the only outbound rule is (All traffic - All - All - 0.0.0.0/0) for both LB and instance security groups.

I then waited for the instance to be "InService" and tested the LB by browsing to its DNS name, and it opened. Also http://mydomain.com opened, but when I tried https://mydomain.com I got a message that the browser can't reach the server.
After some searching I added the following 2 records.

  1. A record with name "mydomain.com" and value "LB domain.com".
  2. CNAME record with name "www" and value "mydomain.com".

I tried again but got the same results as above. Finally I came across an answer saying that I should enable HTTPS on the server in my instance.

When I did this and browsed I got a "Secure Connection Failed" with error code "SSL_ERROR_RX_RECORD_TOO_LONG".

It looks like the LB doesn't terminate the HTTPS requests to my domain.
Any idea what I have done wrong?

Update: I removed the A record I created, but when I made a DNS lookup I found an A record pointing to my Elastic IP. And although I have a CNAME record, the DNS lookup showed that I have no CNAME records.


Solution

  • Ok, it was a silly mistake. The person who was working before me registered the domain name in GoDaddy and just pointed it to the instance using an A record on GoDaddy, so the records I added in Route 53 were meaningless. So I made a CNAME record in GoDaddy that resolves to the ELB DNS name and everything is working fine now.

    For those who may be stuck in a similar problem, I will try to write some advice.
    First, when you choose to add a load balancer, your instance shouldn't be directly accessed by clients. You should direct users to the ELB and the ELB will do the rest. If you got your DNS from somewhere other than AWS, then follow the first paragraph in this answer. Otherwise, if you have a working hosted zone for your domain in AWS, then add an A record in Route 53.
    After this step, if HTTPS is still not working, you can check whether the requests to your domain reach the ELB or not. You can do this using the load balancer's access logs or CloudWatch. They both show you the requests that reached your load balancer. CloudWatch is simpler to use, but access logs give you more details for each request.
    If requests don't reach it, then the records you added haven't propagated yet or you didn't add them in the right place (like I did).
    If the requests did reach the ELB but there is still a problem, then you might have missed something in the setup. Make sure you have done the 5 steps mentioned in the question. This video will be very helpful in this case.
    Finally, it is worth mentioning that if you use a certificate from ACM, you don't have to make any changes to the server running on your instance to make HTTPS work, because in this case the ELB stands in front of your instance and does all the work for you. Of course you can also make SSL between your ELB and instance, but this is another story.
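The answer's check, "did the HTTPS requests reach the ELB, and did the ELB terminate them", can be read straight off the Classic Load Balancer access logs. The following is an added example, not code from the original question or answer and not an AWS tool: it parses a handful of constructed access-log lines in the Classic ELB format (timestamp, ELB name, client:port, backend:port, three timings, ELB status, backend status, bytes received and sent, quoted request, quoted user agent, SSL cipher, SSL protocol) and summarizes which requests arrived on the HTTPS listener, whether they were forwarded to the instance over plain port 80 (TLS terminated at the ELB), and whether any used a legacy protocol the listener's security policy should retire. The load balancer name, addresses and hostnames are invented. A second helper shows the by-product of the misconfiguration in the question: `SSL_ERROR_RX_RECORD_TOO_LONG` is what the browser reports when the bytes coming back on port 443 are not a TLS record at all, typically plaintext HTTP from a server that is reached directly instead of through the ELB.

```python
"""Added example (not the original post's code): parse constructed Classic ELB
access-log lines and check whether HTTPS requests reach the ELB and are
terminated there. Names, addresses and hostnames are made up."""
import shlex
from collections import Counter
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample lines: one plain-HTTP request, two HTTPS requests the ELB
# terminated and forwarded to the backend over port 80, and one HTTPS request
# that negotiated a legacy protocol version.
SAMPLE_LOG = """\
2015-05-13T23:39:43.945958Z my-loadbalancer 192.0.2.10:2817 10.0.0.1:80 0.000073 0.001048 0.000057 200 200 0 29 "GET http://www.example.com:80/ HTTP/1.1" "curl/7.38.0" - -
2015-05-13T23:40:01.112233Z my-loadbalancer 192.0.2.11:4455 10.0.0.1:80 0.000086 0.001048 0.001337 200 200 0 57 "GET https://www.example.com:443/ HTTP/1.1" "Mozilla/5.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
2015-05-13T23:40:02.556677Z my-loadbalancer 192.0.2.12:5566 10.0.0.1:80 0.000091 0.002010 0.000044 200 200 0 57 "GET https://www.example.com:443/login HTTP/1.1" "Mozilla/5.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
2015-05-13T23:40:05.998877Z my-loadbalancer 192.0.2.13:6677 10.0.0.1:80 0.000090 0.001500 0.000050 200 200 0 57 "GET https://www.example.com:443/ HTTP/1.1" "OldClient/1.0" DHE-RSA-AES128-SHA TLSv1
"""


@dataclass
class ElbEntry:
    timestamp: str
    client: str                  # client ip:port
    backend: str                 # instance ip:port the ELB forwarded to
    elb_status: int
    backend_status: int
    scheme: str                  # "http" or "https": which listener took the request
    path: str
    ssl_cipher: Optional[str]    # None when the request arrived on the HTTP listener
    ssl_protocol: Optional[str]


def parse_line(line: str) -> ElbEntry:
    """Split one access-log line; shlex keeps the quoted request and user agent intact."""
    fields = shlex.split(line)
    if len(fields) != 15:
        raise ValueError(f"expected 15 fields, got {len(fields)}: {line!r}")
    _method, url, _version = fields[11].split(" ", 2)
    parts = urlsplit(url)
    return ElbEntry(
        timestamp=fields[0],
        client=fields[2],
        backend=fields[3],
        elb_status=int(fields[7]),
        backend_status=int(fields[8]),
        scheme=parts.scheme,
        path=parts.path or "/",
        ssl_cipher=None if fields[13] == "-" else fields[13],
        ssl_protocol=None if fields[14] == "-" else fields[14],
    )


LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}


def summarize(log_text: str) -> dict:
    """Answer the post's questions from the log: did HTTPS requests reach the ELB,
    and did the ELB terminate TLS (cipher recorded, backend reached on port 80)?"""
    entries = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    https = [e for e in entries if e.scheme == "https"]
    terminated = [e for e in https
                  if e.ssl_protocol is not None and e.backend.endswith(":80")]
    legacy = Counter(e.ssl_protocol for e in https if e.ssl_protocol in LEGACY_PROTOCOLS)
    return {
        "total": len(entries),
        "https_requests": len(https),
        "terminated_at_elb": len(terminated),
        "legacy_protocols": dict(legacy),
        "backend_5xx": sum(1 for e in entries if e.backend_status >= 500),
    }


def looks_like_tls(first_bytes: bytes) -> bool:
    """True when a reply on port 443 starts with a TLS record header (content type
    0x16 = handshake, major version 0x03). A server that answers a ClientHello with
    plaintext such as b"HTTP/1.1 400 ..." fails this test; that mismatch is what the
    browser surfaces as SSL_ERROR_RX_RECORD_TOO_LONG."""
    return len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
    print("plaintext reply on 443 looks like TLS?",
          looks_like_tls(b"HTTP/1.1 400 Bad Request"))
```

To use this on a real load balancer, enable access logging on the ELB, download the log objects from the S3 bucket it writes to, and feed their lines to `summarize`. A result with `https_requests` of zero while the browser is failing means the DNS record is not sending clients to the ELB at all (the situation in the solution above); HTTPS entries with a cipher and a `:80` backend confirm the ELB, not the instance, is terminating TLS, so no certificate work on the instance is needed.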