awsdocs / aws-elastic-beanstalk-developer-guide

The open source version of the AWS Elastic Beanstalk Developer Guide. You can submit feedback and requests for changes by submitting issues in this repo or by making proposed changes and submitting a pull request.
https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/Welcome.html

Configuring end-to-end encryption in a load-balanced Elastic Beanstalk environment is false information - Self-signed certificates DO NOT WORK #121

Closed aus-it-admin closed 1 year ago

aus-it-admin commented 3 years ago

It's in the title.

This seems to be a widespread issue dating back many years and still this documentation does not reflect the truth. You cannot use self-signed certificates and have production level end-to-end encryption. It is not a trusted certificate and that will be reflected in the user experience.

There are no instructions on how to actually deploy a commercial-grade application using this setup. This poses a major issue for auth frameworks like Auth0, which require a secure environment to operate.

Getting seriously fed up with the outdated docs. It's honestly ridiculous how they're handled. One other example was deprecating AMI Linux out of the blue and not providing an official word on using Node.js. Absolute joke.

mwunderl commented 3 years ago

Hi aus-it-admin,

With this setup, you still have a valid TLS certificate for the connection between the client and the load balancer. The self-signed certificate is to enable encryption between the load balancer and the hosts running your application. In the final step, you configure the load balancer to only trust the certificate that you specify. It is self-signed, but this does not affect the user experience because it is only presented to the load balancer, which has already negotiated the TLS connection with the browser.

To use trusted certificates for the backend connection, you could set up an internal certificate authority and generate valid certificates for each host, and have the load balancer verify certificates. I don't think ELB supports this, so you would want to look into creating your own load balancer application and CA in EC2.

Thanks, Michael
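The two hops Michael describes can be checked offline. The script below is an added example, not code from this thread or from the Elastic Beanstalk guide. It generates a self-signed backend certificate the way the guide has each instance do it, then does the load-balancer side of the check in two forms: pinning the backend's public key (what a Classic Load Balancer backend authentication policy stores) and verifying against a CA file that contains only that one certificate (what you would configure on a self-built proxy in EC2). A second self-signed certificate with the same subject is generated to show that it is rejected, which is the whole point of pinning a key rather than trusting a name. Assumptions: the openssl CLI is installed, the CN backend.internal and the file names are made up, and the working directory is a temp dir unless WORK is set. One caveat the thread does not state: an Application Load Balancer encrypts the connection to an HTTPS target but does not validate the target's certificate, so the "trust only this certificate" step exists only for Classic Load Balancers; with an ALB the backend hop is encrypted but not authenticated.

```shell
#!/bin/sh
# Added example (not from the Elastic Beanstalk guide or this issue).
# Demonstrates why a self-signed backend cert is fine behind a load
# balancer: the LB trusts exactly one key, so the cert never needs to be
# trusted by a browser. Requires the openssl CLI; names are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_self_signed NAME CN
# Generate key + self-signed cert, as each instance would in .ebextensions.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# pin_public_key NAME
# Extract the public key PEM; this is the blob a Classic Load Balancer
# backend authentication policy stores, and the only thing it trusts.
pin_public_key() {
    openssl x509 -in "$WORK/$1.crt" -pubkey -noout > "$WORK/pinned.pub"
}

# backend_trusted NAME
# Load-balancer side of the check: succeed only if the cert NAME carries
# the pinned public key. Subject, validity and issuer are irrelevant.
backend_trusted() {
    presented="$(openssl x509 -in "$WORK/$1.crt" -pubkey -noout)"
    pinned="$(cat "$WORK/pinned.pub")"
    [ "$presented" = "$pinned" ]
}

# chain_trusted NAME
# Alternative for a self-built proxy: a CA file holding only the backend
# cert. A self-signed cert validates against itself; anything else fails
# with "unable to get local issuer certificate".
chain_trusted() {
    openssl verify -CAfile "$WORK/backend.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# Constructed inputs: the real backend cert and a rogue one that copies
# the subject but has a different key.
make_self_signed backend backend.internal
make_self_signed rogue   backend.internal
pin_public_key backend

if backend_trusted backend; then echo "backend.crt: accepted (pinned key matches)"; fi
if ! backend_trusted rogue;  then echo "rogue.crt: rejected (key not pinned, same CN)"; fi
if chain_trusted backend;    then echo "backend.crt: verifies against one-cert CA file"; fi
if ! chain_trusted rogue;    then echo "rogue.crt: fails against one-cert CA file"; fi
```

The browser never sees either backend certificate; it negotiates with the ACM certificate on the load balancer, which is why the self-signed one does not surface in the user experience. Rotating the backend certificate means updating the pinned key or CA file on the load balancer in the same deployment, or the new instances will be rejected.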

joshbean commented 1 year ago

Closing this issue or pull request in advance of archiving this repo. For more information about the decision to archive this repo (and others in the 'awsdocs' org), see the announcement on the AWS News Blog.