Certificate on Elastic IP is issued against internal IP

Hi, so I have generated a Let's Encrypt certificate and use it for my AWS EC2 instance. However, I have a problem. I am using EB and when I open the environment URL, I have a certificate there, but it is invalid, because it is created for my custom domain, and I understand that; when I open the details about the certificate, I can see all the correct info about my certificate.

But when I look at my custom domain (with the Elastic IP) I have an invalid certificate, but this time the certificate is issued against an internal IP. I don't know why the environment URL has the right certificate but the custom domain (Elastic IP) does not. Does anyone have any idea?

Custom domain: https://www.tamiel-technology.eu/
Environment domain: https://tamiel-env.eu-central-1.elasticbeanstalk.com/

That's expected. You can try getting a certificate for both domains, but I'm not sure that specific domain is allowed.

Use the staging environment to find out.

4 Likes

Is there a way to make it work on my custom domain but keep it how it is on my env domain?

I'm not sure you're actually using a Let's Encrypt certificate at all.

What domain name did you generate the certificate for?

4 Likes

For tamiel-technology.eu; it looks like the env domain is actually using a certificate with that domain. Btw, thanks for helping me with this, I am new to this stuff so I am a little lost 🙂

You realise tamiel-technology.eu and www.tamiel-technology.eu are two different domain names for TLS certificates?

4 Likes
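The point made just above (that the apex, `www` and a subdomain are three distinct names to a TLS client) is mechanical enough to demonstrate. The following is an added example, not code from any post in this thread: it implements the hostname-matching rule a browser applies to a certificate's Subject Alternative Names (RFC 6125 / RFC 9525 style, including the one-label wildcard rule), and includes a helper that fetches a live site's certificate with SNI and reports which names it carries. The SAN lists in `demo()` are constructed for illustration, not read from the real sites.

```python
"""Added example, not code from any post in this thread.

Shows why www.tamiel-technology.eu, tamiel-technology.eu and
sub.tamiel-technology.eu are three different names to a TLS client: a
certificate only "covers" a hostname if one of its Subject Alternative
Name dNSName entries matches that exact name (or is a valid wildcard for
it). The rules follow RFC 6125 / RFC 9525. The SAN lists in demo() are
constructed for illustration, not read from the real sites.
"""
import socket
import ssl


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if a single SAN dNSName `pattern` covers `hostname`.

    Comparison is case-insensitive and a trailing dot is ignored. A
    wildcard is only honoured when '*' is the entire leftmost label and
    there are at least two more labels, and it matches exactly one label:
    '*.tamiel-technology.eu' covers 'www.tamiel-technology.eu' but neither
    'tamiel-technology.eu' nor 'a.b.tamiel-technology.eu'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lbl for lbl in p_labels[1:]):
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def cert_covers(san_names, hostname: str) -> bool:
    """True if any dNSName in `san_names` covers `hostname`."""
    return any(hostname_matches(n, hostname) for n in san_names)


def san_dns_names(peercert: dict) -> list:
    """Pull the dNSName entries out of the dict ssl's getpeercert() returns."""
    return [value for (kind, value) in peercert.get("subjectAltName", ()) if kind == "DNS"]


def fetch_and_check(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with SNI and report which names the served certificate carries.

    Hostname checking is turned off (chain verification stays on) so that a
    valid certificate for the *wrong* name, the thread's situation, can be
    inspected instead of aborting the handshake. A certificate that does
    not chain to a trusted root, such as a self-signed 'internal IP' one,
    still fails and is reported as such. Needs network access; not
    exercised by the offline demo below.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # we do the name check ourselves, explicitly
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                names = san_dns_names(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        return {"hostname": hostname, "san": [], "covered": False, "error": str(exc)}
    return {"hostname": hostname, "san": names, "covered": cert_covers(names, hostname), "error": None}


def demo() -> dict:
    """Constructed SAN list mirroring the thread: a certificate issued only for
    sub.tamiel-technology.eu, checked against each name the poster tried."""
    sub_only_cert = ["sub.tamiel-technology.eu"]
    return {
        name: cert_covers(sub_only_cert, name)
        for name in ("sub.tamiel-technology.eu", "www.tamiel-technology.eu",
                     "tamiel-technology.eu", "tamiel-env.eu-central-1.elasticbeanstalk.com")
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:50} {'covered' if ok else 'NOT covered'}")
```

Running `fetch_and_check("www.tamiel-technology.eu")` against a live host shows the same thing an online SSL decoder does: the `san` list is what matters, and a certificate whose list does not contain the exact name you typed is "invalid" for that name no matter how correct the rest of its details look.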

Your DNS using the beanstalk environment name references two EC2 instances.

Yet, the DNS for the custom name refers to a third EC2 instance.

For some reason the nginx servers on these EC2 instances are not configured the same. Have you rebuilt the EB environment recently?

4 Likes

I don't think so.

It doesn't look like you configured your Apache server to use the Let's Encrypt certs. An Apache server is responding to requests to your custom domain name, so you should configure that.

Also, I see you have an IPv6 address in the DNS for that name. But, it doesn't work. You should remove that until you get IPv4 working and then try to get that sorted.

4 Likes

I changed it and created a certificate for www, but the problems with the custom domain on the Elastic IP remain the same.

Ok, thanks, I will try.

1 Like

By any chance, do you have some website that you know is good about this configuration?

Yes, this one: ssl-config.mozilla.org

How did you get the Let's Encrypt certs for your custom domain? Some methods will configure your web server when you get the cert.

Do you realize your beanstalk environment will be rebuilt each time you upgrade the version? And that AWS may rebuild it for its own purposes from time to time. Because of this, anything you manually do to configure your beanstalk EC2 will be lost. It must instead be part of the beanstalk deploy instructions.

4 Likes

Oh, and, are you sure your DNS is setup right?

Because you have two IP addresses associated with your beanstalk domain name. And, an nginx server responds with a test page with your name in it to requests to either of these IP addresses.

But, the IP for your custom domain points to an EC2 instance with an Apache server running. And, it just shows a default apache page.

4 Likes

Well, I am gonna be honest, I am kinda lost. I basically created the Elastic IP that is associated with the EC2, and then created my own domain, where I put the Elastic IP into the A record for that domain; now I am trying to do something with that Apache.

I have created the Let's Encrypt cert with a DNS challenge and then I put it in AWS Certificate Manager. After that I have configured listeners and yes, I have some conf files in my project.

So what should i do then?

Designing AWS components is beyond the scope of this forum.

My advice is to start simple and use more complicated configs once you understand that. A single EC2 instance (not in beanstalk) is easier to configure and get running. I'd also move your DNS service to Route53 for your custom name. It costs a little but will simplify things.

Beanstalk has its advantages. But it requires a rigid approach to customize it, which can be very involved for certain items.

4 Likes

Okay then, I really appreciate your help. You are great. Thank you.

2 Likes

So I did fix it. Kind of. You see, I have created a subdomain https://sub.tamiel-technology.eu and also a certificate for this kind of domain. In my DNS management I have created a CNAME record where the name is https://sub.tamiel-technology.eu and the value is actually the EB environment domain https://tamiel-env.eu-central-1.elasticbeanstalk.com.

This works and https://sub.tamiel-technology.eu is secured.

Of course, if I enter the env domain or my original www.tamiel-technology.eu the certificate is invalid, and in the case of the original one the certificate is still issued against the internal IP. Can someone explain to me why this is working this way? I want to understand what is actually going on. Plus, whether this solution is okay or if there is something wrong with it.

I heard that the domains I get from AWS before I get a custom domain can change, but also this EB env domain https://tamiel-env.eu-central-1.elasticbeanstalk.com hasn't changed for months, so what do you guys think about it? What can I do better?

How did you do that? Because that domain name points to 3 different IP addresses. So, each of those would have to reply properly to an HTTP Challenge, and this can be tricky. A DNS Challenge is an alternative. And there are other options for multi-server systems with other ideas if needed.

Yes, because when you use the www name (or env name) the cert used has just the sub name in it. A cert must have the same name used to request it. Use a site like this SSL Test decoder site and maybe this will be clearer. Try your sub and www names.

It may change when you upgrade your beanstalk environment. Minor updates won't matter, but for major platform updates you create a new environment. So, coordinate with your DNS. I also recall that warning about environment name changes but am not sure exactly when that can happen.

The other problem is if you tried to use your apex name tamiel-technology.eu. You cannot use a CNAME for an apex name (only an A record). So the IP addresses must be hard-coded. Route53 has a specialized A record that allows a symbolic name for certain other AWS services, so it behaves like a CNAME.

3 Likes
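The answer above contrasts an HTTP challenge, which every IP behind the name must be able to answer, with a DNS challenge, which needs only a TXT record under the name. The following is an added example (not code from any post in this thread) that derives what each ACME challenge type (RFC 8555) actually asks for: the key authorization, the `_acme-challenge` TXT record for dns-01, and the well-known URL and body for http-01. The account key `ACCOUNT_JWK` and `EXAMPLE_TOKEN` are constructed placeholders, not real Let's Encrypt data; the only real names used are the thread's `sub.tamiel-technology.eu`.

```python
"""Added example, not code from any post in this thread.

Derives the two things an ACME (RFC 8555) challenge actually asks for, to
show why a dns-01 validation needs only one TXT record under the name,
however many servers the name resolves to, while http-01 needs every
server behind the name to answer for /.well-known/acme-challenge/<token>.
The account key and token below are constructed placeholders, not real
Let's Encrypt data.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JOSE use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of an account key: SHA-256 over the required
    members only, serialised with keys in lexicographic order and no
    whitespace. Extra members such as 'kid' or 'alg' do not change it."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """token '.' thumbprint(accountKey)  (RFC 8555 section 8.1)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_record(domain: str, token: str, account_jwk: dict) -> tuple:
    """(record name, TXT value) to publish for dns-01 (RFC 8555 section 8.4).
    The CA queries this name's TXT records, so it never contacts the IPs
    the domain points to; a CNAME at the domain itself is irrelevant."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain.rstrip('.')}", b64url(digest)


def http01_resource(token: str, account_jwk: dict) -> tuple:
    """(URL path, response body) every server behind the name must serve for
    http-01 (RFC 8555 section 8.3); the CA may hit any of the name's IPs."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, account_jwk)


# Constructed placeholder account key (RSA public JWK with a toy modulus) and token.
ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "yv66vvrO263eyVIJqdwQjDCm8P6QjK1d9xY6Xgd7zYS1OnfuPT7Nk7EP19vP0yJgfp3wZkC",
    "kid": "https://example.invalid/acme/acct/1",  # ignored by the thumbprint
    "alg": "RS256",
}
EXAMPLE_TOKEN = "constructed-token-0123456789abcdef"


def demo() -> dict:
    """What the poster's dns-01 for sub.tamiel-technology.eu would have required,
    next to what an http-01 for the same name would have required."""
    name, txt = dns01_record("sub.tamiel-technology.eu", EXAMPLE_TOKEN, ACCOUNT_JWK)
    path, body = http01_resource(EXAMPLE_TOKEN, ACCOUNT_JWK)
    return {"dns01_name": name, "dns01_txt": txt, "http01_path": path, "http01_body": body}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:12} {value}")
```

With a real client the token and account key come from the ACME server and your account, not from constants; what stays the same is that the single TXT record at `_acme-challenge.sub.tamiel-technology.eu` validates the name regardless of how many instances the CNAME ultimately resolves to, which is why the poster's one TXT record was enough while an HTTP challenge against three IPs would have had to succeed on whichever one the CA happened to reach.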

Well, firstly I have a domain tamiel-technology.com in the whois.com service; the only thing I did was that in my DNS management I erased the A record with the Elastic IP and simply added a CNAME where the name is a subdomain of tamiel-technology, and the value is the EB env domain.

Let's Encrypt let me create a certificate for sub.tamiel-technology.eu with just one DNS challenge with TXT record verification. And that's it. I have no idea why this works or why the previous solution was incorrect. An interesting thing was that when I applied the new certificate and tried the EB env domain, the cert was obviously new. The www domain still had the internal IP cert and the subdomain had the correct one, so it looks like www is some problem.

I have no understanding of this, I am just trying and somehow it works 😃