英文:
AWS elastic load balancer SSL certificate
问题
我们有一个面向互联网的经典负载均衡器,其DNS为my-elb-1234.region.elb.amazonaws.com
,但我们不用它来路由/负载均衡到我们的EC2实例。此外,此ELB中只有一个EC2实例。在这个EC2实例中,我们只运行一个Nginx服务器。我们实际上不使用ELB的DNS作为访问/入口点到我们的服务器。我们有一个Route53托管区域our-proccess.domain
,托管了EC2实例中的Nginx服务器中的域名/服务器。这已经持续了多年,最近被我们的安全团队发现。
我知道我们没有以任何方式正确或有效地使用这个ELB资源。
是否有办法为ELB的DNS my-elb-1234.region.elb.amazonaws.com
获取一个签名的SSL证书?我们尝试过使用ACM,但当在域中包含my-elb-1234.region.elb.amazonaws.com
时失败了,我认为这是因为amazonaws.com是域的一部分,而ACM禁止了它。我们还尝试了certbot
,我们用它为our-process.domain
生成SSL,但我认为它仍然被禁止,因为amazonaws.com域。我们还尝试在our-process.domain
托管区域中创建一个CNAME记录,将流量路由到my-elb-1234.region.elb.amazonaws.com
,但使用sslshopper.com进行检查时失败了,因为证书中没有与名称(my-elb-1234.region.elb.amazonaws.com)匹配的通用名称。
英文:
We have this internet-facing classic load balancer with the dns my-elb-1234.region.elb.amazonaws.com
but we do not use this for any routing/balancing to our ec2 instances. Also, there is only one ec2 instance in this ELB. In this ec2 instance we only have a nginx server running on it. We do not really use the ELB's DNS as an access/entry point to our server. We have this route53 hosted zone our-proccess.domain
that hosts the domains/servers in the nginx server in the ec2 instance in the ELB. This has been going on for years now and just recently found out by our security team
I know we are not doing/using this ELB resource the right way or in any way.
Is there a way to have the ELB's DNS my-elb-1234.region.elb.amazonaws.com
to have a signed SSL certificate? We've tried using ACM but it just failed when having the my-elb-1234.region.elb.amazonaws.com
in the domain, I think this is because of the amazonaws.com is part of the domain and it is forbidden in ACM. we also tried certbot
, which we used to generate the SSL for our-process.domain
but i think it still forbids because of the amazonaws.com domain. we also tried having a cname record in the our-process.domain
hosted zone routing to the my-elb-1234.region.elb.amazonaws.com
but using sslshopper.com to check and it fails as there are no common names in the certificate that match the name(my-elb-1234.region.elb.amazonaws.com).
答案1
得分: 1
- 如果我理解正确的话,您需要在ACM中使用您自己的域名
process.domain
创建一个证书。 - 在
process.domain
中为您的CLB创建一个CNAME记录,例如myoldapp.process.domain
,将其映射到您的负载均衡器(LB)。 - 从您的CLB中,在监听器中配置HTTPS监听器,以使用您在步骤1中为
process.domain
创建的证书。
这应该没问题。当请求到达LB并包含myoldapp.process.domain
时,LB上的证书已配置为process.domain
,SSL终止应该会在LB级别正确进行。
英文:
- You will have to create a certificate in ACM with your own domain
process.domain
if I got it right. - Create a cname record for you CLB in process.domain like
myoldapp.process.domain
mapping to your LB. - From your CLB, in the listeners, configure the https listener to use the certificate you created for process.domain in step 1.
That should be ok. When a request is coming with myoldapp.process.domain
and reach the LB, and the cert on it is configured process.domain
; the ssl termination should happen properly with this setup on the LB level.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论