使用 SSL 和路由 53 配置在 Elastic Beanstalk 上部署 Springboot 并在 cloudFront 上部署 Angular。
配置:
-
我在 AWS 的 Route 53 上有一个域,还从 AWS cm 创建了公共证书。
-
我在带有负载均衡器 (LB) 的 Elastic beanstalk 上安装了 Spring boot。 LB 在 80 和 443 处有侦听器。443 配置了我从 aws Cert Manager 创建的 SSL。我的 LB 安全组还配置了 https 的入站规则。我已经部署了我的 jar,它在以下 URL 上提供服务: http://waprodservice-env-1.eba-kzqan9yr.us-east-1.elasticbeanstalk.com/
-
我的 Angular 应用程序有 s3 存储桶静态网络托管 http://waapp.s3-website.ap-south -1.amazonaws.com 。我还使用我创建的 SSL 配置了云前端(与 EB 中使用的相同)。我还在路线 53 中创建了一条 A 记录。到目前为止,一切都很好,我可以访问我的域,并且可以从我的域名看到我的 Angular 应用程序 www.example.com 带有已安装证书的锁定符号。
问题:
在使用 ng build --prod 构建我的角度应用程序时,我已将 env-prod 文件中的基本 url 更改为 http://waprodservice-env-1.eba-kzqan9yr.us-east-1.elasticbeanstalk.com/ 我的 Spring Boot 正在服务。当我访问我的 www.example.com (前端)时,在 API 调用之后,我收到 ERR_CERT_COMMON_NAME_INVALID 消息,如下所示回复。我知道我的证书通用名称不匹配,我尝试打开证书,并且能够在前端和后端 URL 中看到通用名称为 example.com,颁发者为 amazon.com。我不知道有什么不匹配。当我访问后端 EB url 时,它在浏览器上显示不安全。但是,当我从 EB 访问某个特定的公共端点时,它甚至可以从 https 链接获取我需要的数据。 ->https://waprodservice-env-1.eba-kzqan9yr.us-east-1.elasticbeanstalk.com/public/astrologer 。
仅供参考,我通过提供文档中提到的 *.myexample.com、myexample.com 等值来创建证书。
缺少哪些配置?没有其他 StackOverflow 帖子有帮助。尝试了其中的大多数。
Deploying Springboot on Elastic Beanstalk and angular on cloudFront with SSL and route 53 configs.
Configurations :
-
I have a domain at Route 53 from AWS, also have created a public certificate from AWS cm.
-
I have Spring boot on Elastic beanstalk with load balancer (LB). LB has listeners at 80 and 443. 443 is configured with the SSL I created from aws Cert Manager. My LB security groups also have the inbound rules configured for https. I have deployed my jar and it is serving at this URL: http://waprodservice-env-1.eba-kzqan9yr.us-east-1.elasticbeanstalk.com/
-
I have s3 bucket with my angular app with static web hosting at http://waapp.s3-website.ap-south-1.amazonaws.com . I have also configured the cloud front with the SSL that I created (Same as used in EB). I have also created a A record in route 53. All is well till now, I can access my domain and I can see my angular app from my domain name www.example.com with cert installed lock symbol.
PROBLEM:
While building my angular app with ng build --prod, I have changed the base url in env-prod file to http://waprodservice-env-1.eba-kzqan9yr.us-east-1.elasticbeanstalk.com/ where my spring boot is serving. When I visit my www.example.com (front end), after API call, I am getting ERR_CERT_COMMON_NAME_INVALID message as response. I know that my cert common name is not matching, I tried opening the certificate and was able to see the common name as example.com and issuer is amazon.com in both frontend and backend URLs. I don't know what s mismatching. When I visit backend EB url, it shows not secure on browser. But when I access some particular public end point from EB, it gives get that data I need even from https link. ->https://waprodservice-env-1.eba-kzqan9yr.us-east-1.elasticbeanstalk.com/public/astrologer .
FYI, I have created the certificate by giving values like *.myexample.com, myexample.com etc as mentioned in the docs.
What configurations are missing ? No other StackOverflow posts are helping. Tried most of them.
发布评论
评论(2)
您应该为与您的 ACM 证书匹配的 Elastic Beanstalk 环境设置自定义域名。按照您的示例,设置类似 api.myexample.com 的内容
为此,您只需在环境负载均衡器配置上添加一个指向默认进程的 https 侦听器,然后将 ACM 证书附加到侦听器(它们应该位于同一区域)
然后添加一条 A 记录,将 api.example.com 路由到 Elastic Beanstalk 环境,
这应该可以解决您的 ERR_CERT_COMMON_NAME_INVALID 问题
PS您还应该在负载均衡器中设置从端口 80 到 443 的重定向
You should set a custom domain name to the Elastic Beanstalk environment that matches your ACM certificate. Following your example, set something like api.myexample.com
To do that you just need to add an https listener on the Environment Load Balancer configuration pointing to your default process, then attach the ACM Certificate to the listener (they should be in the same region)
Then add an A Record to route api.example.com to the Elastic Beanstalk Environment
That should fix your issue with the ERR_CERT_COMMON_NAME_INVALID
P.S you should also set a redirection in the load balancer from port 80 to 443
非常感谢@ARBERMEJO。
所以,这就是答案。将我的 Angular 构建上传到 s3 后,我使用该 s3 URL 创建了一个 CloudFront,如许多 YouTube 视频中所示。然后,对于后端 EB,对于配置,请检查上面的内容,最后一部分是,我必须在我的域的托管区域中创建 A 记录。检查图像。 在此处输入图像描述
我必须在第二行中添加 api.mydomain.com(仅在记录名称中键入 API)并将流量路由到负载均衡器(如图所示)。
神奇的部分是:您应该从您的 Angular 产品中调用 https://api.mydomain.com构建基本 URL。很多教程中都没有提到这一点。
如果您从前端调用 EB 链接,在我的例子中是 https://waprodservice-env-1.eba-kzqan9yr.us-east-1.elasticbeanstalk.com/ ,它会从后端/EB LB 抛出 SSL 通用名称错误(不确定是哪一个。 )。
THANK YOU SO MUCH @ARBERMEJO.
So, here is the answer. After uploading my angular build to s3, I created a CloudFront using that s3 URL as shown in a lot of youtube videos. Then for the backend EB, for configurations, check above, and final part is, I have to create an A record in my hosted zone for my domain. check image. enter image description here
I have to add api.mydomain.com, in my second row (just type API in record name) and route traffic to load balancer which can be seen in the image.
THE MAGICAL PART IS : YOU SHOULD CALL https://api.mydomain.com FROM YOUR ANGULAR PROD BUILD BASE URL. THIS IS NOT MENTIONED IN A LOT OF TUTORIALS.
If you call your EB link from frontend, which in my case is https://waprodservice-env-1.eba-kzqan9yr.us-east-1.elasticbeanstalk.com/ , it will throw SSL common name error from backend/EB LB (not sure which one.).