Added SSL does not work for AWS Load Balancer using ACM

7/2/2018

I have an AWS LoadBalancer which was created using Kube, Kops and AWS. The protocol type for the ELB is tcp. This works fine for http requests, meaning I can access my site with http://testing.example.com. Now I tried to add SSL for this ELB using ACM (Certificate Manager). I added my domain details example.com and *.example.com by requesting a public certificate. It was created successfully and domain validation also succeeded.

Then I tried to add this SSL to my ELB like below.

  • Went to my ELB and selected the ELB.
  • Then went to the Listeners tab and added SSL to it like below.

[screenshot of the Listeners configuration]

And the ELB description is like below.

[screenshot of the ELB description]

I cannot access https://testing.example.com; it hangs for a few minutes and nothing happens. What is going on here? Hoping for your help with this.

-- Marlon Brando
Tags: amazon-web-services, elastic-load-balancer, kubernetes, ssl, ssl-certificate

2 Answers

7/2/2018

If your backend application (that sits behind the ELB) only listens on HTTP port 30987 then you need some layer of TLS termination before your app server. More food for thought on this approach: https://security.stackexchange.com/questions/30403/should-ssl-be-terminated-at-a-load-balancer

Or you need to tweak your backend app server to also listen in an HTTPS / TLS context, on a different port (which you must map in your ELB configuration).

BTW, I would also suggest switching to an ALB or an NLB. More info: https://medium.com/cognitoiq/how-cognitoiq-are-using-application-load-balancers-to-cut-elastic-load-balancing-cost-by-90-78d4e980624b

Once you finish the setup of whichever suggestion you picked, run curl -k -I https://testing.example.com/ to check whether or not you are getting blocked by the ELB.

-- the_marcelo_r
Source: StackOverflow

7/2/2018

In the Listener configuration, you are forwarding the default HTTP port 80 to port 30987 on the back-end server. So this tells me that the back-end server is listening for HTTP requests on port 30987.

You then added an SSL listener on the default port 443 but you are forwarding that to port 443 on the back-end server. Do you have something on your back-end listening on port 443 in addition to 30987?

The most likely fix for this is to change the SSL listener on the load balancer to forward to port 30987 on the back-end by setting that as the "Instance Port" setting.

-- Mark B
Source: StackOverflow
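The reasoning in both answers (the TLS listener must forward to the port the backend actually listens on, and a TLS instance protocol only works if the backend itself serves TLS) can be turned into a quick consistency check over a classic ELB's listener list. This is an added example, not code from the question or either answer; the listener dicts follow the field names that `aws elb describe-load-balancers` / boto3 return, the sample data is constructed to mirror the question's 80→30987 and 443→443 setup, and the certificate ARN is a placeholder.

```python
from typing import Dict, List

# Constructed sample mirroring the question: plain listener forwards to 30987,
# the newly added SSL listener forwards to 443 where nothing is listening.
LISTENERS_BEFORE: List[Dict] = [
    {"Protocol": "TCP", "LoadBalancerPort": 80,
     "InstanceProtocol": "TCP", "InstancePort": 30987},
    {"Protocol": "SSL", "LoadBalancerPort": 443,
     "InstanceProtocol": "TCP", "InstancePort": 443,
     "SSLCertificateId": "arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER"},
]

TLS_PROTOCOLS = {"SSL", "HTTPS"}  # classic ELB front-end/back-end protocol names


def check_listeners(listeners: List[Dict]) -> List[str]:
    """Return findings about TLS listeners; an empty list means they look consistent."""
    findings: List[str] = []
    # Instance ports used by the plain (non-TLS) listeners tell us where the app listens.
    plain_ports = {l["InstancePort"] for l in listeners if l["Protocol"] not in TLS_PROTOCOLS}
    for l in listeners:
        if l["Protocol"] not in TLS_PROTOCOLS:
            continue
        where = f"listener {l['Protocol']}:{l['LoadBalancerPort']}"
        if not l.get("SSLCertificateId"):
            findings.append(f"{where}: no certificate attached")
        if l["InstanceProtocol"] in TLS_PROTOCOLS:
            # Re-encryption: the backend must itself terminate TLS on InstancePort.
            findings.append(f"{where}: instance protocol {l['InstanceProtocol']} requires "
                            f"the backend to serve TLS on port {l['InstancePort']}")
        if plain_ports and l["InstancePort"] not in plain_ports:
            findings.append(f"{where}: forwards to instance port {l['InstancePort']}, "
                            f"but the plain listeners use {sorted(plain_ports)}")
    return findings


def set_instance_port(listeners: List[Dict], lb_port: int, instance_port: int) -> List[Dict]:
    """Return a copy with the given front-end listener's InstancePort changed (the fix Mark B describes)."""
    return [dict(l, InstancePort=instance_port) if l["LoadBalancerPort"] == lb_port else dict(l)
            for l in listeners]


if __name__ == "__main__":
    for finding in check_listeners(LISTENERS_BEFORE):
        print("before:", finding)
    fixed = set_instance_port(LISTENERS_BEFORE, 443, 30987)
    print("after fix, findings:", check_listeners(fixed))
```

Against a live account the same function can be fed `boto3.client("elb").describe_load_balancers()["LoadBalancerDescriptions"][i]["ListenerDescriptions"]` (taking each entry's `"Listener"`), which is the only part not shown here.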