I am hosting Tableau Server on Amazon Web Services (AWS) EC2. My domain name is ec2-xx-xx-xxx-xx.xx-xxxx-x.xxxxxxx.amazonaws.com. I would like to convert http to https, so I want to get a SSL certificate. When I asked a certificate authority (CA), they told me that my domain includes "amazonaws.com", so I couldn't get a SSL certificate. I then tried to get a SSL certificate from AWS, I received an error message.
Error message.png
This was due to the fact that I couldn't request a certificate for Amazon-owned domain name ending in "amazonaws.com".
Does anyone know how to deal with this issue?
Sincerely,
Kazumi
Looks like you need to understand the basics of the process of purchasing a domain name, assigning an IP address to the domain name, purchasing an SSL certificate etc.
Below steps are the easiest and the cheapest way to make your endpoint be served by SSL on AWS infrastructure:
Purchase a domain name eg. knozawa.com from AWS Route 53
Create a new SSL certificate free of cost using AWS
Certification Manager (ACM)
Add your EC2 instance which hosts the Tableau server behind an ELB. The ELB
should be configured to accept traffic over port 443 only. Select
the certificate created using ACM to serve for SSL traffic over port
443.
Go to Route 53, and created a hosted zone entry like
tableau.knozawa.com and add the ELB alias to the entry.
And you are done! You can now access your Tableau installation on your own domain name, serving traffic over SSL on the link https://tableau.knozawa.com
This will probably cost you and additional USD 12.00/year for the domain name, $10-$20 per month for ELB based on traffic.
Related
I have followed the below steps to make it https but still i am seeing the site is insecure.. what else i am missing?
Uploaded content in S3 Bucket
Created EC2 Instance with security group for port 22 and 80 to allow 0.0.0.0/0
Installed apache and started the services in the ec2 instance
Created ELB and added listeners to route
http to https
https to target group
Registered Target and when I launch url (DNS name in ELB), I am getting still insecure..
Thanks,
Chandra
when I launch url (DNS name in ELB)
You can't use the ELB's DNS name if you want to use SSL, because you won't be able to have an SSL certificate that matches that DNS name. You have to point a domain name at the ELB that you own, and use an SSL certificate that matches that domain name.
Does anyone know how to easily setup https for a rest api in google compute engine ? I have currently a static ip and the api works over http but in the browser when I call it I get mixed content error because the client is server over https (firebase hosting)
Is it possible to setup https with only a static ip (and not a domain name) ?
-Jani
Is it possible to setup https with only a static ip (and not a domain
name) ?
Yes, it is possible, but since 2016 you cannot purchase an SSL certificate with a public IP address. You can use a self-signed certificate but you will have even more browser issues. Not recommended.
Possible Options:
Use your domain name (or purchase one) and use Let's Encrypt for SSL which is free and is one of your better options.
Use a different service such as Cloud Run, Cloud Functions, Firebase or App Engine which offers SSL and does not require a domain name that you own as you can use Google's endpoint.
Attach a Google Load Balancer in front of your Compute Engine instance and configure a front end with a Google Managed SSL certificate. However, this will require a domain name.
If you do not want to use your own domain name, then option #2 is your only choice.
To setup https for a rest api in google compute engine:
1- You have to buy a domain
2- You have to buy an SSL certificate
3- create a load balance resource in Google Cloud to which I assign the domain and the certificate
4- You can install the certificate to the server directly
If you want to use https over IP instead of domain, please follow click here
I am working to setup my application to watch calendar events through Google's Calendar API. In doing so I must setup a "Push" endpoint on my server that has a valid SSL certificate (not self-signed).
My production environment is running on Heroku so setting up an SSL cert was easy using Expidited SSL. I have two CNames setup in GoDaddy, one for my production application and one for my development environment tunneled through ngrok. I'm using the paid ngrok feature of white labeled domain tunneling (dev.mydomain.com).
Host Points To
www saga-1234.herokussl.com
dev ngrok.com
The problem is that my ssl certificate is recognized when you hit the production application (www.mydomain.com), but it uses ngrok's certificate when you visit the development application (dev.mydomain.com).
How can I setup my ngrok tunnel to use my ssl certificate?
Ngrok's white labeled domain does not support HTTPS if you are using your own domain. Simply because it serves it's own certificate, where you need to serve your domain's. That's why you are getting certificate mismatch issue.
Here's what you could do to watch calendar events on your dev machine:
Point ngrok.mydomain.com to another server, let's say a new EC2
micro instance
Point wildcard CNAME to ngrok.mydomain.com
Compile ngrok server and client to use your certificate (rather than
ngrok.com)
Run the ngroku-server on EC2 instance
On your dev machine config the client to use ngrok.mydomain.com instead of ngroku.com
Run ngrok -subdomain=dev 80
Your local dev machine's 80 port should be accessible via https://dev.mydomain.com
This is really cool and is very helpful when debugging Google's webhooks, which require valid HTTPS and a verified root domain name.
Another interesting trick is to use CloudFlare's universal SSL to have a valid https://dev-machine.mydomain.com pointing to your dev machine without purchasing a certificate. The steps are exactly the same except that you need to issue your own certificate for ngrok client-server communications and use CloudFlare's Flex SSL for dev-machine.yourdomain.com.
ngrok has a new feature that tunnels and terminates SSL. Thus you can use your own domain and HTTPS. No need to open ports in your router or PC. They call it TLS Tunneling. The following is a link to a GitHub repos that describes how to do it.
How to use your own domain to access your home PC over the internet. Use HTTPS without raising SSL errors.
I've setup a SSL certificate w/ the common name, etc. as 'www.biglikeco.com'. I have set 1 cname in my dns to goto the main Heroku app area - what should the other CNAME record be? I I'm trying to get SSL working on 'www.biglikeco.com' also - is this possible (e.g. https://www.biglikeco.com as well as http://www.biglikeco.com) ?
Thanks.
SSL certificates are usually associated with an IP address, not a DNS record.
You need to associate the SSL certificate with your IP on the configuration of your web server. If you don't have an IP address dedicated to hosting the secure version of your site, you can rely upon Server Name Indication. Server Name Indication is an extension to the SSL certificate authentication process, such that the domain name AND the IP address are sent to your web server. DNS (and CNAME records) are not involved in this process, other than the initial name resolution.
Update:
You don't need a second IP address to host a secure version of your site. You can configure your web server to respond to HTTP and HTTPS separately. However, the SSL certificate is still strongly associated with your IP address. It cannot be redirected with a CNAME in DNS.
I am planning to add a SSL certificate to my app on Heroku. For that, I am planning to buy a wildcard ssl certificate. A requirement for that certificate is that I need to have a "dedicated IP address".
Afaik, I don't think I have a dedicated IP address as I am hosting my code with Heroku and I don't think I can be guaranteed an IP address of that machine.
Am I missing anything? Should I be looking at another kind of SSL certificate?
Thanks!
If your domain name is registered and pointing to Heroku as Heroku's documentation advises, then you should be able to get an SSL certificate for that domain name. Your SSL certificate authority should not require you to enter in an IP address. I can only speculate that it might say you need a "dedicated IP address" in order to discourage people from trying to get an SSL certificate for their residential cable modem, etc.