Fabrefact

a blog by Sara Farquharson

Virtual Party Space Devlog #22: Amazon Certificates Manager

In the past couple of days I threw away all that work with Let’s Encrypt to use AWS Certificate Manager (ACM) instead.

Log

Tuesday, February 2

  • Note for future: CPU and memory in ECS
  • Error “The VPC in region has already been associated with the hosted zone with the same domain name”
    • Deleted the VPC to fix this. DO NOT DO THIS: you need to have a default VPC to do anything
  • verified that the ELB changes every time I delete the stack, so I will have to keep updating the CNAME record
    • unless I can figure out how to retain the ELB without breaking create
  • updated the health check by adding overlays, but I have to delete the whole stack for every change
  • had to expose port 8080, which I don’t love, but at least it works
  • tried out Amazon Certificate Manager to request a certificate for my domain, and that seems to have worked
    • think it should automatically use it for load balancer? Need to wait for domain to propagate to check
    • wasted all that time learning Let’s Encrypt and didn’t need it, but at least I learned something

Wednesday, February 3

ACM certificates

  • need to add certificate to a listener on port 443
    • change type from TCP to TLS
    • leave other settings as default I guess
  • PROBLEM: this causes “http request to https port” error
    • ELB terminates HTTPS and sends HTTP request to web server - need to tell nginx to stand down
    • SOLUTION:
      • remove ssl http2 from the nginx listen 443 directives (this means I probably want to turn on the ALPN HTTP2 setting on the ELB listener)
        • if you get rid of ssl but not http2, the server will still run but only return garbage - HTTP2 is SSL-only
      • remove all other ssl directives (conveniently packaged in ssl.conf)
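The nginx change described above, shown as a before/after config. This is an added example, not the author’s actual config: the hostname party.example.com, the ssl.conf include path and the app container address 127.0.0.1:8080 are placeholders assumed for illustration (the post mentions exposing port 8080 but not where the app listens). The reason the half-fix breaks is that nginx (before 1.25.1) treats a listen socket with http2 but no ssl as cleartext HTTP/2 (h2c) only, so the HTTP/1.1 request the load balancer forwards is never answered as HTTP/1.1.

```nginx
# BEFORE: nginx terminates TLS itself (the Let's Encrypt-style setup).
# Once a TLS listener on the load balancer sits in front, the load balancer
# forwards plain HTTP to this port and nginx answers
# "400 Bad Request: The plain HTTP request was sent to HTTPS port".
server {
    listen 443 ssl http2;
    server_name party.example.com;          # placeholder hostname
    include /etc/nginx/ssl.conf;            # ssl_certificate, ssl_protocols, ... (placeholder path)

    location / {
        proxy_pass http://127.0.0.1:8080;   # app container (assumed address)
    }
}

# AFTER: the load balancer's TLS listener (ACM certificate) terminates TLS,
# and nginx speaks plain HTTP/1.1 on 443. No "ssl" and no "http2":
# "http2" without "ssl" would make nginx expect an h2c connection preface on
# this socket instead of the HTTP/1.1 request the load balancer sends.
server {
    listen 443;
    server_name party.example.com;

    location / {
        proxy_set_header Host $host;
        # A layer-4 (TCP/TLS) load balancer adds no X-Forwarded-* headers and
        # $scheme is "http" on this hop, so state the client-facing scheme
        # explicitly if the app builds redirects or secure cookies from it.
        proxy_set_header X-Forwarded-Proto https;
        proxy_pass http://127.0.0.1:8080;   # app container (assumed address)
    }
}
```

One caveat worth keeping in mind with this layout: the hop from the load balancer to nginx is now plaintext inside the VPC, so the security group on the target port should only admit traffic from the load balancer, not from the internet.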

About this series

Back in mid-December I started an ambitious project to create a custom platform for a virtual birthday party in February. I kept notes on my progress, both for personal reference and to turn into a series of blog posts. It quickly became apparent that I did not have time to both do the project and blog about the project. I have retroactively decided to post my raw notes as a dev log.