alias not working with imported certificate #5773

Open
sri-sp opened this issue Apr 12, 2024 · 6 comments
Labels
guidance Issue requesting guidance or information about usage

Comments


sri-sp commented Apr 12, 2024

  1. I have obtained a certificate in PFX format, which I converted to PEM encoded format successfully.

  2. I imported the PEM certificate into AWS Certificate Manager (ACM) using OpenSSL, following the steps outlined in this AWS blog post.

  3. I added the certificate to my environment and deployed the application using the Copilot command copilot env deploy.

  4. However, I am unable to access the application via HTTPS. It throws an insecure HTTPS error when I try to access it.

Here is my manifest file:

```yaml
name: web
type: Load Balanced Web Service

http:
  # Requests to this path will be forwarded to your service.
  # To match all requests you can use the "/" path.
  path: '/'
  # You can specify a custom health check path. The default is "/".
  # healthcheck: '/'
  healthcheck:
    path: '/'
    success_codes: '200,301'
    healthy_threshold: 3
    unhealthy_threshold: 2
    interval: 6s
    timeout: 5s
    grace_period: 598s
  deregistration_delay: 5s
  stickiness: false
  alias: ["staging.***********.com", "my.staging.**********.com"]
  # Add this to setup a proxy target container
  target_container: proxy-443-8080

sidecars:
  proxy-443-8080:
    port: 443
    image: ************.dkr.ecr.us-east-1.amazonaws.com/stage/proxy-443-8080:latest

alb:
  port: 443/tls

# Configuration for your containers and service.
image:
  location: ***********.dkr.ecr.us-east-1.amazonaws.com/stage-web-imagerepository-ubqp:latest
  # Port exposed through your container to route traffic to it.
  port: 8080

cpu: 1024       # Number of CPU units for the task.
memory: 2048    # Amount of memory in MiB used by the task.
count: 1       # Number of tasks that should be running in your service.
exec: true     # Enable running commands in your container.

network:
  vpc:
    placement: private
```

Any help or insights into resolving this HTTPS error would be highly appreciated.

@iamhopaul123 iamhopaul123 added the guidance Issue requesting guidance or information about usage label Apr 12, 2024
@iamhopaul123
Contributor

Hello @sri-sp. Can you double-check whether both aliases ["staging.***********.com", "my.staging.**********.com"] are covered by the ACM certificate that you imported?

@Lou1415926 Lou1415926 changed the title I am facing an issue while deploying my application in AWS ECS using the Copilot tool. Here are the details alias not working with imported certificate Apr 12, 2024
@sri-sp
Author

sri-sp commented Apr 12, 2024

The certs are for [staging.*************.com] and [*.staging.**************.com], so it should work for both, am I right?
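
Added example (not part of the original thread and not Copilot's own code): a check of whether a certificate's subject alternative names cover a list of load balancer aliases, using the wildcard rule that `*` stands for exactly one leftmost label. The `example.com` names are constructed placeholders, since the thread masks the real domains.

```python
# Added example: do a certificate's SAN entries cover the service aliases?
# All domain names are constructed placeholders, not values from the thread.

def san_matches(san: str, host: str) -> bool:
    """Wildcard matching as TLS clients apply it: '*' is honoured only as the
    entire leftmost label and stands for exactly one label."""
    san_labels = san.strip().lower().rstrip(".").split(".")
    host_labels = host.strip().lower().rstrip(".").split(".")
    if len(san_labels) != len(host_labels) or "" in host_labels:
        return False
    if san_labels[0] == "*":
        # Require at least two labels to the right of the wildcard (rejects
        # "*.com") and compare everything after the wildcard label exactly.
        return len(san_labels) > 2 and san_labels[1:] == host_labels[1:]
    return san_labels == host_labels


def coverage(sans: list[str], aliases: list[str]) -> dict[str, list[str]]:
    """Map each alias to the SAN entries that cover it (empty list = none)."""
    return {a: [s for s in sans if san_matches(s, a)] for a in aliases}


def uncovered(sans: list[str], aliases: list[str]) -> list[str]:
    """Aliases for which a browser would report a name mismatch."""
    return [a for a, hits in coverage(sans, aliases).items() if not hits]


# Constructed stand-ins for the certificate and manifest in this thread.
CERT_SANS = ["staging.example.com", "*.staging.example.com"]
ALIASES = ["staging.example.com", "my.staging.example.com"]

if __name__ == "__main__":
    for alias, hits in coverage(CERT_SANS, ALIASES).items():
        print(f"{alias}: {'covered by ' + ', '.join(hits) if hits else 'NOT covered'}")
    # A wildcard-only certificate leaves the apex alias uncovered.
    print("wildcard only ->", uncovered(["*.staging.example.com"], ALIASES))
```

The SAN list of a PEM certificate can be read with `openssl x509 -in cert.pem -noout -ext subjectAltName` (OpenSSL 1.1.1 or later), where `cert.pem` is a placeholder file name.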

@iamhopaul123
Contributor

Yeah, that should work... What Copilot does under the hood is essentially add the aliases to the LB rules to make sure the LB routes requests with these host headers to the correct target group (ECS service), and add the certificates to the LB. However, I wonder if you updated the A-records for ["staging.***********.com", "my.staging.**********.com"] (they should resolve to the env LB DNS)?

@sri-sp
Author

sri-sp commented Apr 13, 2024

Thank you for the clarification. Yes, I have updated the A-records for "staging.***********.com" and "my.staging.**********.com" to resolve to the environment's LB DNS. However, I'm still encountering an HTTPS error when trying to access the application via HTTPS.

Is there anything else I should check or configure to resolve this issue?

@iamhopaul123
Contributor

> Is there anything else I should check or configure to resolve this issue?

You can go to the EC2 console and see if the Load Balancer is configured correctly, but that's the only place where Copilot makes changes... It could be the DNS cache on your local device. Could you try to use other devices to access the URL?

@sri-sp
Author

sri-sp commented Apr 16, 2024

Thank you for your suggestions. I have already checked the Load Balancer configuration in the EC2 console, and everything appears to be configured correctly. I have also tested accessing the URL from multiple devices, but unfortunately, the issue persists.
Screenshot from 2024-04-16 15-04-30
