Installing cert on amazon ec2 linux prior to site migration?


#1

I’m a novice regarding security certificates, and have only been using Amazon Web Services for a couple weeks. My company has an internal use only website which is on a godaddy server. I have FTP access, but no shell access to the old server.

I’m trying to migrate the website to AWS ec2 linux. I have the site sort of working without HTTPS, but I’m worried about logging in and using it in its current state because the site has access through LDAP and MSSQL connections.

This website is actively used on the old godaddy server, so I can’t redirect the domain to the new site until I know it’s fully functional, but I want to make sure it’s secure before I keep working on it.

How would I go about getting HTTPS set up on the new server when I only have the public IP address currently?

Following that, would something need to change with the certificate once I get the domain name pointed over?

I tried using the ./certbot-auto command, but it gave me unauthorized error messages on the domains I entered, which are pointing to the old godaddy server still.


#2

There are a number of ways that this can be done …

  1. If the domains already have certificates with them, just copy those certificates over to the new server. (although tricky to do that securely if you only have FTP access)

  2. You could use the DNS challenge to obtain new certificates for the domains (this involves adding a token in a TXT record in the domain's DNS rather than a token on a webpage).

  3. You could set up a forward / redirect just for the “.well-known/acme-challenge” folder to the new server (using IP) and then verify it there.

  4. If it is only you connecting, you could just use some self-signed certs to secure the sites (you will get a warning in the browser about them being self-signed, but as you trust yourself, then it’s just as secure if not more so).

  5. You could just copy the tokens over to the existing server for verification via http, and generate the certs on the new server.

and possibly a couple of other variations I haven’t thought of.


#3

Hi serverco, I appreciate the detailed response. It took me a bit longer than I hoped to get a certificate properly installed.

Since I’m still working on the new server which only has an IP address, I used the Get HTTPS for free website to generate a certificate, and verified ownership of the domain by putting a file on the old server. It worked and I got a certificate, which I installed on the new server. When I route to https:// it still gives me an error, as expected, and says that the certificate is for a domain that doesn’t match the IP address.

I’m still a bit confused, but is this essentially a self-signed certificate at the moment? If I log into the website on the new server and connect to my database, will the information still be encrypted over HTTPS, or will that not work until the certificate matches the new server?


#4

It’s not self-signed no. The error is simply because, as you say, the IP address isn’t the domain name.

As long as you are using https then it should be encrypted.

Personally I tend to define the host / IP in your hosts file (you can get plugins in firefox etc to do this for you) then you can use the domain name and check everything is OK.

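The check serverco describes in #4 (reach the new IP under the real domain name and confirm the certificate is OK) can be scripted instead of editing the hosts file, by connecting to the IP while sending the domain as the SNI name. This is an added example, not code from the thread; `internal.example.com` and `192.0.2.1` are placeholders and a TLS listener on port 443 is assumed.

```python
import socket
import ssl


def hostname_matches(cert, hostname):
    """Return True if `cert` (a dict shaped like ssl.SSLSocket.getpeercert())
    covers `hostname`: an exact DNS SAN, a single-label wildcard SAN, or,
    only for legacy certs with no SAN at all, the subject commonName."""
    host = hostname.lower().rstrip(".")
    names = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # no SAN extension: fall back to the CN, as old clients did
        names = [v.lower() for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    for name in names:
        if name == host:
            return True
        # "*.corp.example.com" matches "app.corp.example.com" but not
        # "corp.example.com" or "deep.app.corp.example.com"
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def probe_new_server(ip, domain, port=443, timeout=5.0):
    """Connect to `ip` but present `domain` via SNI, which is what a hosts-file
    entry or `curl --resolve` does. The chain is verified against the system
    trust store; the name check is done separately so a mismatch is reported
    as such rather than as a generic handshake failure.
    Returns (ok, reason, cert)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=domain) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as e:
        return False, "chain not trusted: %s" % e, None
    except OSError as e:
        return False, "connection failed: %s" % e, None
    if not hostname_matches(cert, domain):
        return False, "certificate does not name the domain", cert
    return True, "certificate valid for domain", cert


if __name__ == "__main__":
    # placeholder values (constructed): the new EC2 public IP and the site's domain
    print(probe_new_server("192.0.2.1", "internal.example.com"))
```

Once the cutover is done, the same probe run against the new IP with the real domain should return `ok == True`; until then it tells you whether the error you see is only the name mismatch or something else.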

#5

Awesome, thanks again for the fast response!
