EC2 Load Balancer - installing CA Bundle SSL / intermediate certificate

4
votes

I am using the EC2 Load Balancer to handle HTTPS requests. For Chrome & Safari, having the Load Balancer Protocol set HTTPs at Port 443 with the the SSL cert handles most traffic correctly. HTTPS requests from Safari & Chrome are fine. However in Firefox, I get the connection is insecure "(Error code: sec_error_unknown_issuer)." In checking with a cert checker, I get

The certificate is not signed by a trusted authority (checking against Mozilla's root store). If you bought the certificate from a trusted authority, you probably just need to install one or more Intermediate certificates.

In talking with my cert provider, the information I got was :

As we can see certificate has been installed improperly at the server. There is no CA bundle at the server that is why browsers may show warning messages.

How do you install a CA Bundle using the Load Balancer?

3
sslamazon-ec2load-balancing

3 Answers

6
votes

The solution is to add the ca_bundle to your load_balancer under "Certificate Chain"

0
votes

That depends on how you are creating the ELB (Elastic Load Balancer).

If you are creating it from the AWS Console, then, when you create the ELB you can create a new SSL sercificate and, when promted, and as @Emile said, you have to specify the contents of the provided "CA Bundle" under the "Certificate Chain" field.

If you are creating it from the command line or using the API, then when you create the SSL certificate you have to specify the "CA Bundle" contents in the "Certificate Chain" parameter.

Right now, what you probably have to do is to create a new ELB specifying the right paramenters, modify your DNS accordingly and once the change has been applied, delete the old load balancer.

-1
votes

First you'll need to obtain a copy of the appropriate certificate bundle from your certificate authority.

Then you'll need to update the SSL certificate on your AWS ELB. Select "Upload a new SSL Certificate" from the ELB Select Certificate window. Paste your current private and public certificate keys into the appropriate fields and then paste the certificate bundle into the "Certificate Chain" field.