Can't get Network Solutions Certificate chain working with EC2 Elastic Load Balancer

I have a certificate file provided to me, which is for a wildcard domain name. It comes as both a key and a crt file. No other files were provided.

I'm having trouble getting it to work correctly with the elastic load balancer.

I've tried this order:

http://www.networksolutions.com/support/installation-of-an-ev-ssl-certificate-for-tomcat-apache/

With the intermediate certs obtained from here: http://www.networksolutions.com/support/where-can-i-locate-the-network-solutions-nsprotect-root-and-intermediate-certificate-files/

I've also tried the following:

  • Network Solutions Add Trust External CA Root
  • Network Solutions UTN Add Trust CA
  • Network Solutions UTN Server CA
  • Network Solutions Extended Validation (EV) CA
  • Network Solutions Intermediate Certificate
  • Network Solutions EV Root

The error that the ELB returns is:

Unable to validate certificate chain. The certificate chain must start with the immediate signing certificate, followed by any intermediaries in order. The index within the chain of the invalid certificate is: -1

There is so much conflicting and outdated information out there and nothing seems to work. How do I get this working?

Is there a method I can use with OpenSSL to manually work out what certificates I need at each step?
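Added example, not code from the question or from any of the answers: an OpenSSL-only way to do the manual check asked for above. It assumes each certificate is in its own PEM file with no spaces in the name; the file names and the "Demo" CA names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the question or the answers): use OpenSSL to work out
# which certificate signed which, print the chain in the order the ELB expects
# (leaf, then each signer in turn) and verify it. Assumes one PEM file per cert.
set -e
# dn subject|issuer FILE : the DN without its "subject=" / "issuer=" prefix
dn() { openssl x509 -in "$2" -noout "-$1" | sed "s/^$1= *//"; }

# order_chain LEAF CANDIDATE... : print file names leaf first, root last, by
# matching each certificate's issuer against the candidates' subjects.
order_chain() {
  cur=$1; shift; printf '%s\n' "$cur"
  while [ "$(dn issuer "$cur")" != "$(dn subject "$cur")" ]; do  # stop at self-signed root
    want=$(dn issuer "$cur"); next=
    for c in "$@"; do
      [ "$(dn subject "$c")" = "$want" ] && { next=$c; break; }
    done
    [ -n "$next" ] || { echo "no candidate has subject '$want'" >&2; return 1; }
    cur=$next; printf '%s\n' "$cur"
  done
}

# verify_chain LEAF CANDIDATE... : 0 only if OpenSSL builds a path leaf -> intermediates (-untrusted) -> root (trust anchor)
verify_chain() {
  ordered=$(order_chain "$@") || return 1
  leaf=$(printf '%s\n' "$ordered" | sed -n '1p')
  root=$(printf '%s\n' "$ordered" | sed -n '$p')
  inter=$(mktemp); printf '%s\n' "$ordered" | sed '1d;$d' | xargs cat > "$inter"
  if [ -s "$inter" ]; then set -- -untrusted "$inter"; else set --; fi
  if openssl verify -CAfile "$root" "$@" "$leaf" >/dev/null 2>&1; then rc=0; else rc=1; fi
  rm -f "$inter"; return $rc
}

# make_demo_chain DIR : constructed sample input (a throwaway root, intermediate
# and wildcard leaf) so the example runs without any real CA files.
make_demo_chain() {
  d=$1; printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  for n in root:'/CN=Demo Root' int:'/CN=Demo Intermediate' leaf:'/CN=*.example.com'; do
    openssl req -new -newkey rsa:2048 -nodes -subj "${n#*:}" \
      -keyout "$d/${n%%:*}.key" -out "$d/${n%%:*}.csr" 2>/dev/null
  done
  openssl x509 -req -days 1 -in "$d/root.csr" -signkey "$d/root.key" \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -out "$d/leaf.pem" 2>/dev/null
}

d=$(mktemp -d); make_demo_chain "$d"; order_chain "$d/leaf.pem" "$d/root.pem" "$d/int.pem"
```

Everything after the first line of `order_chain`'s output is what goes into the ELB "Certificate Chain" field. When a CA is present both self-signed and cross-signed (the AddTrust / USERTrust case), the first candidate whose subject matches wins, so the order you list candidates in decides which version is used.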


I just ended up working this out; the correct order for the certificate chain is as follows:

OV_NetworkSolutionsOVServerCA2
OV_USERTrustRSACertificationAuthority
AddTrustExternalCARoot

Good luck!


Please make sure that your certificate chain contains the intermediate and root certificates in the proper order.

The best way I found to analyze the problem with the certificate chain is here: Wormly Test SSL Web Server.

I have started the Amazon ELB SSL configuration for my domain here: SSL Certificate for Elastic Load Balancing.

I am using COMODO Instant SSL certificates, so I got the bundle of certificates in a zip file. When I extracted it, it contained four files:

    1. AddTrustExternalCARoot {Root certificate}
    2. COMODORSAAddTrustCA {intermediate certificate 1}
    3. COMODORSADomainValidationSecureServerCA {intermediate certificate 2}
    4. www_example_com {public key for my domain name}

Note: We need to convert the above certificate files into .PEM format before using them in Amazon ELB. This is done with the command:

    openssl x509 -inform PEM -in {above certificate file name}

Now I went to the Listeners part of the ELB to configure HTTPS. ELB HTTPS has three brackets called:

    1. Private Key {paste the private key which was generated using OpenSSL}
    2. Public Key Certificate {paste the public key of the www_example_com certificate}
    3. Certificate Chain {paste the intermediate and Root certificates}

In the first attempt, since Amazon's guide says the Certificate Chain part is optional, I left it blank. It worked fine in PC browsers, but the problem arose when trying to open the site in Android mobile browsers.

I found the solution in these links: Setting up SSL on an Amazon Elastic Load Balancer and Creating a .pem File for SSL Certificate Installations.

So, to avoid this I have included the chained certificate in this order:

    COMODORSADomainValidationSecureServerCA
    COMODORSAAddTrustCA
    AddTrustExternalCARoot

I copy-pasted the above three certificates, including the BEGIN and END tags, into the chain certificate bracket.

Now it's done. Great, it worked fine. My SSL configuration now shows as 100% secure when I check it with Wormly Test SSL Web Server.

Thank you.


After fighting with this for close to two hours, we found that reordering the intermediary certificates does not work. Although the certificate is imported into Certificate Manager, it is not visible to the Application Load Balancer.

Digging on this further I found an article on AWS that states clearly that to use a 4096 bit certificate you need to import it using IAM CLI.

You can read about this here

https://aws.amazon.com/premiumsupport/knowledge-center/elb-ssl-tls-certificate-https/

and here

https://aws.amazon.com/premiumsupport/knowledge-center/import-ssl-certificate-to-iam/