Enable SSL/TLS on Cluster

This tutorial will walk you through setting up an ALB with ACM to use your own custom DNS name to access your Critical Stack cluster.

By default, Critical Stack uses a self-signed certificate for all cluster nodes. This means TLS is enabled, but you will get a security warning in your browser when you try to access the console. Following this tutorial will allow you to access the console without having to accept the self-signed certificate.

For an automated deployment method skip to the “Using Terraform to Automate” subsection of this tutorial.

ACM Certificate Creation

Perform the following steps to create a new ACM certificate that we will use to enable SSL/TLS:

  1. Go to the ACM service in the AWS console and request a new certificate.

  2. Request a public certificate.

  3. Input a domain name that you control. For the purpose of this tutorial we will request a wildcard certificate that will work for any subdomain we want to create. (NOTE: Any public certificate you request via ACM will show up in Amazon’s public certificate transparency logs. Do not request a certificate for a domain you want to keep private.)

  4. Select DNS validation; AWS will create two Route 53 records under the domain that you specified to verify that you control that domain.

  5. Specify any tags that you would like to add to your certificate.

  6. Confirm that the information you have input is correct and “Confirm and request” the certificate.

  7. Now AWS will attempt to validate the certificate. Click the drop-down arrow next to your domain. Either create the specified CNAME in your own DNS configuration, or click Create record in Route 53, which will create the records in your account and validate the certificate automatically.

  8. After a moment, AWS will validate your certificate and the status should change from provisioning to Issued.
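The same certificate request expressed in Terraform, as an added example that is not the tutorial's own code nor the code in the criticalstack/labs-code repository. It assumes two hypothetical inputs: var.domain, a domain you control, and var.zone_id, an existing public Route 53 hosted zone for that domain. It takes the "Create record in Route 53" path from step 7 rather than a CNAME in external DNS, and it waits for the certificate to reach Issued (step 8) before exposing the ARN.

```hcl
# Added example, not code from the tutorial or the criticalstack/labs-code repo.
# Assumed (hypothetical) inputs: var.domain is a domain you control, and
# var.zone_id is an existing public Route 53 hosted zone for it.
variable "domain" { type = string }   # e.g. "example.com"
variable "zone_id" { type = string }

# Steps 1-6: request a public wildcard certificate with DNS validation.
resource "aws_acm_certificate" "cluster" {
  domain_name       = "*.${var.domain}"
  validation_method = "DNS"
  lifecycle { create_before_destroy = true }
}

# Step 7: ACM's domain_validation_options carry the CNAME it wants to see;
# create that record in the hosted zone (the "Create record in Route 53" button).
locals { dvo = tolist(aws_acm_certificate.cluster.domain_validation_options)[0] }
resource "aws_route53_record" "validation" {
  zone_id = var.zone_id
  name    = local.dvo.resource_record_name
  type    = local.dvo.resource_record_type
  ttl     = 60
  records = [local.dvo.resource_record_value]
}

# Step 8: block until ACM reports the certificate as Issued, so anything that
# consumes the ARN (for example an ALB listener) references a usable certificate.
resource "aws_acm_certificate_validation" "cluster" {
  certificate_arn         = aws_acm_certificate.cluster.arn
  validation_record_fqdns = [aws_route53_record.validation.fqdn]
}

# Hand the validated ARN to whatever creates the load balancer listener.
output "certificate_arn" {
  value = aws_acm_certificate_validation.cluster.certificate_arn
}
```

Referencing the ARN through aws_acm_certificate_validation rather than aws_acm_certificate is the important detail: it makes Terraform order the listener after validation, so an apply never attaches a still-pending certificate.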

Create ALB Security Group

Perform the following steps to create the security group used to lock down the ALB.

  1. Go to the EC2 service in the AWS console. Click on Security Groups under Network & Security.

  2. Take note of your master security group. The group name will be in the format “CS-Cluster-XXXXX-master” where the XXXXX will be the first five characters of your license key.

  3. Click on Create Security Group

  4. Name your security group and provide a brief description about it.

  5. Select the VPC that your Critical Stack cluster was installed into. If you do not know your VPC ID, you can find which one it is by searching the assets from install.criticalstack.com.

  6. While the inbound tab is selected, add the following rules:

    | Type | Protocol | Port Range | Source | Description |
    | ---- | -------- | ---------- | ------ | ----------- |
    | HTTPS | TCP | 443 | 0.0.0.0/0 | HTTPS In to Cluster (IPv4) |
    | HTTPS | TCP | 443 | ::/0 | HTTPS In to Cluster (IPv6) |

  7. While the outbound tab is selected, add the following rules:

    | Type | Protocol | Port Range | Destination | Description |
    | ---- | -------- | ---------- | ----------- | ----------- |
    | HTTPS | TCP | 30000 | Master-SG | Master UI Ingress Listener |
    | HTTPS | TCP | 6443 | Master-SG | Master Health Check |

  8. Click Create

Create ALB

Perform the following steps to create the Application Load Balancer in your AWS account.

  1. Go to the EC2 service in your AWS account. Click on Load Balancers under Load Balancing.

  2. Click on Create Load Balancer

  3. Select Application Load Balancer

  4. Enter the name in the appropriate field

  5. Specify the listener as HTTPS. The port should update to 443.

  6. Select the VPC that your cluster is located in and enable all subnets. Pick the public subnet from the drop-down lists that are now enabled.

  7. Click Next: Configure Security Settings

  8. Choose the Certificate name that was created in a previous step of this tutorial.

  9. Click Next: Configure Security Groups

  10. Select an existing Security Group and select the one created in a previous step of this tutorial.

  11. Click Next: Configure Routing

  12. Specify a name for your target group and change the protocol to HTTPS. The port should update to 443.

  13. Change the Health Check protocol to HTTPS and the path to “/healthz”.

  14. Click on the Advanced health check settings and check the “override” radio button next to Port. Specify a port of 6443 in the box that appears.

  15. Click Next: Register Targets

  16. In the instance list below, select all of the master node instances. They can be identified by having a security group of CS-Cluster-XXXXX-master, where the XXXXX is the first five characters of your license key.

  17. Before clicking Add to registered, specify a port of 30000 in the box next to the button.

  18. Click Next: Review

  19. Verify that all information was input correctly and then click Create.

  20. After a moment the ALB should finish provisioning. In the bottom panel, click on the Listener tab and then click on Add listener.

  21. The protocol should default to HTTP and the port to 80. Click on Add action and then Redirect to…

  22. Leave the default protocol as HTTPS and add the port 443. Click the blue checkmark and then click Save in the top right of the screen.

  23. You can now back out of the listener screen. After it’s finished provisioning, get the DNS name of the load balancer from the Description tab in the bottom pane.

Create Route 53 Hosted Zone

Perform the following steps to create the Route 53 Hosted Zone in your AWS account.

  1. Go to the Route53 service in the AWS console and create a hosted zone.

  2. Enter the domain that you would like to route traffic to. You can optionally supply a comment describing what the zone you are creating is for. For the purposes of this tutorial we will be creating a public hosted zone.

  3. Click Create

Create Route 53 Record

Perform the following steps to create the Route 53 Record that you will access your Critical Stack Cluster from.

  1. Choose the hosted zone that you created in the previous step.

  2. Click Create Record Set

  3. Input a subdomain that you want to access your cluster from.

  4. Leave the type as an “A - IPV4 address”

  5. Select Yes for the Alias value.

  6. Input the routable DNS value of the ALB that you previously created.

  7. Click Create

Congratulations! Your Critical Stack Cluster is now SSL/TLS enabled. You will be able to access your cluster securely from the Route 53 addresses that you have created in this tutorial.

Using Terraform to Automate

All of these steps can be tedious to do when creating clusters. We have created a Terraform repository that will create all of the AWS elements specified in this tutorial. You can access that code here: https://github.com/criticalstack/labs-code/tree/master/alb-terraform
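As an added illustration of what that automation has to express (this is not the code in the repository above, whose layout may differ), the security group, load balancer, target group, listeners and Route 53 record from the sections above written in Terraform. All inputs are hypothetical variables: the ARN of the Issued ACM certificate, the hosted zone ID, the console hostname, the cluster VPC and its public subnets, the ID of the CS-Cluster-XXXXX-master group, and the master instance IDs. It makes one deliberate departure from the tutorial's tables: it also admits port 80 inbound, because the HTTP-to-HTTPS redirect listener added in steps 20 to 22 can never receive a connection through a group that allows only 443. The TLS policy on the HTTPS listener is also this example's choice, not something the tutorial specifies.

```hcl
# Added example, not code from the tutorial or the criticalstack/labs-code repo.
# Assumed (hypothetical) inputs: ARN of the Issued ACM certificate, a public
# hosted zone, the cluster VPC and public subnets, the master group and instances.
variable "certificate_arn" { type = string }
variable "zone_id" { type = string }                   # hosted zone for the domain
variable "console_fqdn" { type = string }              # e.g. "console.example.com"
variable "vpc_id" { type = string }
variable "public_subnet_ids" { type = list(string) }
variable "master_sg_id" { type = string }              # CS-Cluster-XXXXX-master
variable "master_instance_ids" { type = list(string) }

# Create ALB Security Group: 443 in from anywhere, out only to the master group.
# Port 80 in is an addition to the tutorial's table: without it the HTTP->HTTPS
# redirect listener created below is unreachable.
resource "aws_security_group" "alb" {
  name   = "cs-alb"
  vpc_id = var.vpc_id
  dynamic "ingress" {
    for_each = [443, 80]
    content {
      from_port        = ingress.value
      to_port          = ingress.value
      protocol         = "tcp"
      cidr_blocks      = ["0.0.0.0/0"]
      ipv6_cidr_blocks = ["::/0"]
    }
  }
  dynamic "egress" {
    for_each = { "30000" = "Master UI Ingress Listener", "6443" = "Master Health Check" }
    content {
      description     = egress.value
      from_port       = tonumber(egress.key)
      to_port         = tonumber(egress.key)
      protocol        = "tcp"
      security_groups = [var.master_sg_id]
    }
  }
}
# Create ALB, plus the target group that forwards to port 30000 on the masters
# and health-checks them on HTTPS 6443 /healthz instead of the traffic port.
resource "aws_lb" "cluster" {
  name               = "cs-alb"
  load_balancer_type = "application"
  security_groups    = [aws_security_group.alb.id]
  subnets            = var.public_subnet_ids
}
resource "aws_lb_target_group" "masters" {
  name     = "cs-masters"
  port     = 30000
  protocol = "HTTPS"
  vpc_id   = var.vpc_id
  health_check {
    protocol = "HTTPS"
    port     = "6443"
    path     = "/healthz"
  }
}
resource "aws_lb_target_group_attachment" "masters" {
  for_each         = toset(var.master_instance_ids)
  target_group_arn = aws_lb_target_group.masters.arn
  target_id        = each.value
  port             = 30000
}
# Listeners: HTTPS on 443 with the ACM certificate; HTTP on 80 only redirects.
# The TLS policy is this example's choice, not something the tutorial specifies.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.cluster.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = var.certificate_arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.masters.arn
  }
}
resource "aws_lb_listener" "http_redirect" {
  load_balancer_arn = aws_lb.cluster.arn
  port              = 80
  protocol          = "HTTP"
  default_action {
    type = "redirect"
    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}
# Create Route 53 Record: alias A record pointing the console name at the ALB.
resource "aws_route53_record" "console" {
  zone_id = var.zone_id
  name    = var.console_fqdn
  type    = "A"
  alias {
    name                   = aws_lb.cluster.dns_name
    zone_id                = aws_lb.cluster.zone_id
    evaluate_target_health = true
  }
}
```

The egress rules are the part worth keeping strict: the load balancer can only ever open connections to the master group on 30000 and 6443, so a misconfigured target group cannot turn the public ALB into a path to anything else in the VPC. Port 30000 itself stays reachable only from the ALB's group, which is why the master group, not the ALB, is what you inspect if the console becomes reachable some other way.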

Amazon Web Services and the “Powered by AWS” logo are trademarks of Amazon.com, Inc. or its affiliates in the United States and/or other countries.