WSS Socket on EC2 instance with Load Balancer and Certificate Manager


I'm trying to set up a solution which includes an EC2 instance with Apache running NodeJS. I've already successfully created a working web server instance with a public SSL certificate from Certificate Manager, accessed on ports 80 and 443. This server should be able to connect to my other instance, but for some reason I keep running into dead ends and I suspect the solution is not possible...

I've built a working setup using Let's Encrypt certificates but I would love to keep as much as possible in AWS.

Issue: In the LE solution, I can access the local .pem files on my server. I can include the local paths to the LE certificates in the server setup file like this:

...

var fs = require('fs');

// Let's Encrypt writes the private key and the full chain to disk, so Node can
// read them directly. `app` is the request handler defined in the elided part above.
var options = {
    key: fs.readFileSync("/etc/letsencrypt/live/example.com/privkey.pem"),
    cert: fs.readFileSync("/etc/letsencrypt/live/example.com/fullchain.pem")
};

var https   = require('https').Server(options, app);

...

but when I'm using AWS Certificate Manager's public certificates, I'm not sure how to get around this?

My solution (not working): I'm no SSL wizard, so I might be trying to do something impossible here. I've tried to create a local certificate using OpenSSL while keeping the Load Balancer and the Certificate Manager certificate on the domain.

...

var fs = require('fs');

// Key pair and certificate generated locally with OpenSSL (not issued by a
// public CA), loaded the same way as the Let's Encrypt files above.
var options = {
    key: fs.readFileSync("/home/ec2-user/server-key.pem"),
    cert: fs.readFileSync("/home/ec2-user/server-cert.pem")
};

var https   = require('https').Server(options, app);

...

This solution returns the following error message when I try to connect to the node/socket server with the URL https://live.example.com:3000:

WebSocket connection to 'wss://live.example.com:3000/socket.io/?EIO=4&transport=websocket' failed: Error in connection establishment: net::ERR_CERT_COMMON_NAME_INVALID

So I guess that my solution with both the Certificate Manager certificate on the domain and the OpenSSL certificate on the server isn't possible, or is the problem to be found elsewhere?

Please let me know :-)

Best answer

As mentioned in comments, certificates created through AWS Certificate Manager can only be used for certain AWS services such as Elastic Load Balancers, not self-managed web servers. What you can do is use a Certificate Manager cert and put it on a load balancer, with your Apache/Node server sitting behind the load balancer in a target group. All connections over the public internet would be HTTPS, but the connection between the load balancer and your app server (going over AWS's internal network) would be plain HTTP.

[Diagram: HTTPS connections from clients to the Elastic Load Balancer; HTTP connections from the load balancer to the EC2 instances]