I am working with an AWS EC2 instance (amazon Linux, elastic IP) trying to set up SSL through ACM. The certificate is verified and the load balancer is passing the health checks listening on prot 443, forwarding to port 80. Initially, when testing https I received a connection refused. This confused me because I thought the load balancer would catch and forward this to port 80. I enabled port 443 via nginx on the EC2 instance, so now it is listening on 443 (tested via telnet), which got rid of the connection refused error, but now I get a ERR_SSL_PROTOCOL_ERROR. This makes sense if it is missing the load-balancer and hitting the EC2 instance directly.

Is this the problem (missing the load-balancer)? If so, how do I fix this. I don't see a way to assign an an IP address to a load-balancer. Is a CNAME record required for this kind of setup? If so, how do I configure this?

Thanks.

Your load balancer will be the spot where SSL terminates, and then carries on to your insecure servers running on port 80. You should change your EC2 instance back to port 80.

Yes, you should point a CNAME at your load balancer from the domain the certificate was created for. You do not get an IP for ELB's, as there may actually be many load balancers behind the scenes, which you don't see, all hiding behind the AWS CNAME.

Summary:

• Change your EC2 to serve traffic on port 80 again
• Make ELB accept connections on port 443, and send to 80 on the instance
• Assign a valid domain to your ELB that the certificate is valid for
• Profit.

Cheers