
I've created an ALB using Boto3 and want to configure that load balancer to work over HTTPS (self-signed). In order to do that, I have to generate an SSL certificate with OpenSSL:

openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout key.pem -out cert.pem 

Then I imported the certificate into AWS ACM with no problems: [screenshot of the ACM console]

When configuring the ALB listener, I don't see the certificate in the list:

[screenshot of the listener's certificate drop-down]

What could be the problem? I've imported the certificate and configured the LB in the same region.

I've regenerated the certificate with RSA 2048 and still get the same result. Moreover, it does not appear in list-certificates either: [screenshot of the list-certificates output]

---------------------- UPDATE ----------------------

Followed the guide below and it worked.

https://medium.com/@francisyzy/create-aws-elb-with-self-signed-ssl-cert-cd1c352331f

Strangely, I've succeeded in uploading the certificate into IAM using the commands below:

AWS CLI:

aws iam upload-server-certificate --server-certificate-name CERT_NAME --certificate-body file://public.pem --private-key file://private.pem

Boto3:

import boto3

iam_client = boto3.client('iam')
cert_body = open('public.pem').read()    # same PEM files as in the CLI command
private_key = open('private.pem').read()
ssl_certificate = iam_client.upload_server_certificate(
    Path = '/PATH_STRING/',  # optional, but must begin and end with '/'
    ServerCertificateName = 'CERT_NAME',
    CertificateBody = cert_body,
    PrivateKey = private_key)
Yuval Podoksik
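The procedure described in the question (generate the certificate with OpenSSL, import it into ACM, attach it to the ALB listener), carried through in boto3 as an added example. This is editor-written code, not the question author's and not AWS's. The ARNs, the account id, the file names and the `Fake*` clients used for the offline run are assumptions; `acm.import_certificate`, `acm.list_certificates` and `elbv2.create_listener` are the real API calls. Two checks a practitioner wants are built in: the ACM and ELB clients are created in the region parsed from the ALB ARN (an ACM certificate is only offered to listeners in its own region), and the visibility check widens the key-type filter of `list-certificates`, which by default returns only RSA_1024/RSA_2048 certificates that carry at least one domain name, so a 4096-bit import does not show up in the unfiltered listing.

```python
import sys

# Every key type ACM can import; passing them all removes the default
# RSA_1024/RSA_2048 filter list_certificates applies when keyTypes is absent.
ALL_KEY_TYPES = ["RSA_1024", "RSA_2048", "RSA_3072", "RSA_4096",
                 "EC_prime256v1", "EC_secp384r1", "EC_secp521r1"]


def region_from_arn(arn):
    """arn:partition:service:region:account:resource -> the region field.
    Taking the region from the ALB ARN, not from the CLI profile default,
    keeps the certificate and the listener in the same region."""
    parts = arn.split(":")
    if len(parts) < 6 or not parts[3]:
        raise ValueError("not a regional ARN: %r" % arn)
    return parts[3]


def import_self_signed(acm, cert_pem, key_pem):
    """Upload the pair written by `openssl req -x509 -nodes ... -keyout
    key.pem -out cert.pem`; both arguments are PEM bytes and the key must
    be unencrypted, which is what -nodes gives you."""
    resp = acm.import_certificate(Certificate=cert_pem, PrivateKey=key_pem)
    return resp["CertificateArn"]


def certificate_is_visible(acm, cert_arn):
    """The check the question ran by hand with `aws acm list-certificates`,
    with the key-type filter widened so a 4096-bit key is not left out."""
    resp = acm.list_certificates(Includes={"keyTypes": ALL_KEY_TYPES})
    return any(c["CertificateArn"] == cert_arn
               for c in resp["CertificateSummaryList"])


def add_https_listener(elbv2, lb_arn, cert_arn, target_group_arn):
    """The :443 listener the question tried to create in the console."""
    resp = elbv2.create_listener(
        LoadBalancerArn=lb_arn,
        Protocol="HTTPS",
        Port=443,
        SslPolicy="ELBSecurityPolicy-TLS13-1-2-2021-06",
        Certificates=[{"CertificateArn": cert_arn}],
        DefaultActions=[{"Type": "forward",
                         "TargetGroupArn": target_group_arn}],
    )
    return resp["Listeners"][0]["ListenerArn"]


def configure(acm, elbv2, lb_arn, target_group_arn, cert_pem, key_pem):
    """Whole procedure, failing loudly on the two ways the certificate can
    fail to appear for the listener: wrong region, or not listed by ACM."""
    cert_arn = import_self_signed(acm, cert_pem, key_pem)
    lb_region = region_from_arn(lb_arn)
    if region_from_arn(cert_arn) != lb_region:
        raise RuntimeError("%s is not in the ALB's region %s" % (cert_arn, lb_region))
    if not certificate_is_visible(acm, cert_arn):
        raise RuntimeError("ACM does not list %s in %s" % (cert_arn, lb_region))
    return add_https_listener(elbv2, lb_arn, cert_arn, target_group_arn)


class FakeAcm:
    """Constructed stand-in for boto3's ACM client so the flow runs offline:
    it hands out ARNs in its own region and lists whatever was imported."""
    def __init__(self, region):
        self.region, self.certs = region, []

    def import_certificate(self, Certificate, PrivateKey):
        arn = "arn:aws:acm:%s:123456789012:certificate/%d" % (
            self.region, len(self.certs) + 1)
        self.certs.append(arn)
        return {"CertificateArn": arn}

    def list_certificates(self, **kwargs):
        return {"CertificateSummaryList":
                [{"CertificateArn": a} for a in self.certs]}


class FakeElbv2:
    """Constructed stand-in for boto3's elbv2 client; records each request."""
    def __init__(self, region):
        self.region, self.listeners = region, []

    def create_listener(self, **kwargs):
        self.listeners.append(kwargs)
        arn = "arn:aws:elasticloadbalancing:%s:123456789012:listener/app/my-alb/abc/%d" % (
            self.region, len(self.listeners))
        return {"Listeners": [{"ListenerArn": arn}]}


def main(lb_arn, target_group_arn, cert_path="cert.pem", key_path="key.pem"):
    """Real run: python this_script.py <alb-arn> <target-group-arn>."""
    import boto3  # imported here so the offline fakes above need no boto3
    region = region_from_arn(lb_arn)
    acm = boto3.client("acm", region_name=region)
    elbv2 = boto3.client("elbv2", region_name=region)
    with open(cert_path, "rb") as cert, open(key_path, "rb") as key:
        return configure(acm, elbv2, lb_arn, target_group_arn,
                         cert.read(), key.read())


if __name__ == "__main__":
    print(main(sys.argv[1], sys.argv[2]))
```

The same `create_listener` call accepts an IAM server-certificate ARN in `Certificates`, so the listener step is unchanged if the certificate is uploaded to IAM instead of ACM; only the region check does not apply, because IAM is global.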

3 Answers


Followed the guide below and it worked.

https://medium.com/@francisyzy/create-aws-elb-with-self-signed-ssl-cert-cd1c352331f

Strangely, I've succeeded in uploading the certificate into IAM using the commands below:

AWS CLI:

aws iam upload-server-certificate --server-certificate-name CERT_NAME --certificate-body file://public.pem --private-key file://private.pem

Boto3:

import boto3

iam_client = boto3.client('iam')
cert_body = open('public.pem').read()    # same PEM files as in the CLI command
private_key = open('private.pem').read()
ssl_certificate = iam_client.upload_server_certificate(
    Path = '/PATH_STRING/',  # optional, but must begin and end with '/'
    ServerCertificateName = 'CERT_NAME',
    CertificateBody = cert_body,
    PrivateKey = private_key)
Yuval Podoksik
  • FYI, using IAM for SSL certificates is not recommended except where ACM is not supported in the region: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html – Chris Williams Jun 28 '20 at 19:02

Rather than using a self-signed SSL certificate with ACM, why not just have ACM generate the certificate for you? It won't cost anything and will work with all AWS resources.

Additionally, AWS will manage automatic rotation of it, so you won't ever need to worry about rotating it again, plus you can guarantee that it will be recognised as secure in most browsers.

Here's a link for generating the SSL certificate via ACM. This is the preferred way of managing SSL within AWS.

Chris Williams
  • I want my ALB to work with HTTPS. When generating the SSL certificate through AWS ACM I should fill in the domain name (in the "Add domain names" part). Should I use the ALB DNS? – Yuval Podoksik Jun 28 '20 at 16:54
  • This should be the name of the domain you're using (assuming you control the domain). So if you own example.com and that resolves to your ALB, the domain name would be example.com – Chris Williams Jun 28 '20 at 16:55
  • I may be wrong, but I think ACM will only generate a cert for you if the hosted zone is public, not private. – grayaii Nov 23 '22 at 12:19
  • Yes, you would need to prove you own the domain to generate the ACM certificate. A public hosted zone is one way of doing this (as a public record needs to be validated by AWS). – Chris Williams Nov 23 '22 at 17:48
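The path this answer and its comments recommend, as an added example: request a public certificate from ACM for a domain you own, then satisfy ACM's DNS validation by publishing the CNAME it hands back into a public Route 53 hosted zone. This is editor-written code, not the answer author's and not AWS's. The domain, the hosted zone id, the polling budget and the `Fake*` clients used for the offline run are assumptions; `acm.request_certificate`, `acm.describe_certificate` and `route53.change_resource_record_sets` are the real boto3 calls. The ACM client must be created in the ALB's region, and the validation records are not present in `describe_certificate` immediately after the request, so the code polls for them.

```python
import time


def request_certificate(acm, domain, extra_names=()):
    """Ask ACM for a public certificate validated through DNS.  The name is
    a domain you own that resolves to the ALB (example.com), not the
    AWS-generated ALB DNS name, which you cannot prove ownership of."""
    kwargs = {"DomainName": domain, "ValidationMethod": "DNS"}
    if extra_names:
        kwargs["SubjectAlternativeNames"] = list(extra_names)
    return acm.request_certificate(**kwargs)["CertificateArn"]


def validation_records(acm, cert_arn, timeout=60, interval=5):
    """The CNAME ACM wants to see is filled in a little after the request,
    so poll describe_certificate until every domain has its ResourceRecord.
    Identical records (an apex and its wildcard share one) are collapsed so
    the Route 53 change batch contains no duplicates."""
    deadline = time.time() + timeout
    while True:
        cert = acm.describe_certificate(CertificateArn=cert_arn)["Certificate"]
        opts = cert.get("DomainValidationOptions", [])
        if opts and all("ResourceRecord" in o for o in opts):
            unique = {}
            for o in opts:
                r = o["ResourceRecord"]
                unique[(r["Name"], r["Type"], r["Value"])] = r
            return list(unique.values())
        if time.time() >= deadline:
            raise TimeoutError("no validation records yet for %s" % cert_arn)
        time.sleep(interval)


def publish_validation(route53, hosted_zone_id, records):
    """UPSERT the CNAMEs into the public hosted zone for the domain.  A
    private zone does not work: ACM looks the names up in public DNS."""
    changes = [{"Action": "UPSERT",
                "ResourceRecordSet": {"Name": r["Name"], "Type": r["Type"],
                                      "TTL": 300,
                                      "ResourceRecords": [{"Value": r["Value"]}]}}
               for r in records]
    resp = route53.change_resource_record_sets(
        HostedZoneId=hosted_zone_id, ChangeBatch={"Changes": changes})
    return resp["ChangeInfo"]["Id"]


def issue(acm, route53, domain, hosted_zone_id, **poll):
    """Request, wait for the challenge, publish it.  ACM moves the
    certificate to ISSUED on its own once it sees the records; the returned
    ARN is what goes into the ALB listener's Certificates list."""
    cert_arn = request_certificate(acm, domain, ["www." + domain])
    records = validation_records(acm, cert_arn, **poll)
    publish_validation(route53, hosted_zone_id, records)
    return cert_arn, records


class FakeAcm:
    """Constructed stand-in for the ACM client: the validation records show
    up only on the second describe call, like the short delay seen live."""
    def __init__(self):
        self.describes, self.names = 0, []

    def request_certificate(self, **kwargs):
        self.names = [kwargs["DomainName"]] + kwargs.get("SubjectAlternativeNames", [])
        return {"CertificateArn": "arn:aws:acm:eu-west-1:123456789012:certificate/fake"}

    def describe_certificate(self, CertificateArn):
        self.describes += 1
        opts = []
        for n in self.names:
            o = {"DomainName": n, "ValidationStatus": "PENDING_VALIDATION"}
            if self.describes > 1:
                o["ResourceRecord"] = {"Name": "_abc." + n + ".", "Type": "CNAME",
                                       "Value": "_xyz.acm-validations.aws."}
            opts.append(o)
        return {"Certificate": {"CertificateArn": CertificateArn,
                                "Status": "PENDING_VALIDATION",
                                "DomainValidationOptions": opts}}


class FakeRoute53:
    """Constructed stand-in for the Route 53 client; keeps the change batches."""
    def __init__(self):
        self.batches = []

    def change_resource_record_sets(self, HostedZoneId, ChangeBatch):
        self.batches.append((HostedZoneId, ChangeBatch))
        return {"ChangeInfo": {"Id": "/change/FAKE", "Status": "PENDING"}}


if __name__ == "__main__":
    import sys
    import boto3  # real run: python this_script.py example.com <hosted-zone-id>
    acm = boto3.client("acm", region_name="eu-west-1")  # the ALB's region
    print(issue(acm, boto3.client("route53"), sys.argv[1], sys.argv[2]))
```

Validation only completes if the hosted zone is authoritative for the domain in public DNS; if the zone is private, or the domain is delegated elsewhere, the certificate stays in PENDING_VALIDATION until the records are published where ACM can resolve them.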

It looks like you used a key algorithm to generate your cert that isn't supported by Amazon ELB.

Regenerate the cert with RSA 2048 instead of 4096 and you should be good to go.

https://aws.amazon.com/premiumsupport/knowledge-center/elb-ssl-tls-certificate-https/

Chris Pollard