Using SSL with Kong and AWS LoadBalancer

Hey guys,

I’m trying to set up a service with SSL, but I’m not getting it right. Can someone help me?

My setup is:

I have the domain example.com and I created a valid certificate for

example.com
*.example.com

I set it up with my load balancer (AWS, using ACM), so now my load balancer test.elb.amazonaws .com is delivering this certificate.

When I create a CNAME test.example .com to test.elb.amazonaws .com, it works just fine and the certificate works.

But I don’t want this scenario. I want to CNAME test .example .com to my Kong, which is api .example .com.

I tried it by creating a service with this configuration:

{
  "host": "test.elb.amazonaws .com",
  "created_at": 1535236702,
  "connect_timeout": 60000,
  "id": "e5f8d5bf-4264-44a4-87e6-ec41d076ca62",
  "protocol": "https",
  "name": "test",
  "read_timeout": 60000,
  "port": 443,
  "path": null,
  "updated_at": 1535237202,
  "retries": 5,
  "write_timeout": 60000,
  "extras": {
    "createdUser": null,
    "updatedUser": null,
    "kong_node_id": "2",
    "service_id": "e5f8d5bf-4264-44a4-87e6-ec41d076ca62",
    "createdAt": "2018-08-25T22:36:09.530Z",
    "updatedAt": "2018-08-25T22:44:29.949Z",
    "id": 8
  }
}

And I created a route for this service with this configuration:

{
  "created_at": 1535236735,
  "strip_path": true,
  "hosts": [],
  "preserve_host": true,
  "regex_priority": 0,
  "updated_at": 1535237000,
  "paths": [
    "/test"
  ],
  "service": {
    "id": "e5f8d5bf-4264-44a4-87e6-ec41d076ca62"
  },
  "methods": [],
  "protocols": [
    "https"
  ],
  "id": "26bd6a07-3345-47ad-8816-49ef052fd825",
  "extras": {}
}

But it’s not working… Any tips?

Also, I don’t know if this is the best way to work with SSL and Kong. If it’s not, feel free to point that out to me.

I put spaces in some of the links because I can’t post more than 5 links.
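Two things a practitioner would check in the setup above, once the CNAME points at Kong instead of the ALB: Kong is now the TLS endpoint for test.example.com, so it needs a certificate and SNI object of its own for that name (otherwise it presents its default certificate), and the Route as posted has no hosts, so it matches any Host header but only under /test. The script below is an added example, not code from the original post or from Kong. It lints a Service/Route pair offline against Kong's documented semantics: 426 Upgrade Required on https-only Routes, path-only matching when hosts is empty, strip_path, SNI-based certificate selection, and the Service tls_verify field (Kong 2.x+; the 2018-era release in the post predates it and never verifies the upstream certificate). The hostnames, the SNI list and the "corrected" variant are constructed placeholders.

```python
"""Offline lint for a Kong Service + Route that fronts an AWS ALB over https.

Added example, not part of the original post or of Kong. Hostnames and the
SNI list are constructed; the checks encode Kong's documented behaviour.
"""

# Constructed copy of the posted Service (ALB name written without the spaces).
POSTED_SERVICE = {
    "name": "test",
    "host": "test.elb.amazonaws.com",
    "protocol": "https",
    "port": 443,
    "path": None,
    "retries": 5,
}

# Constructed copy of the posted Route.
POSTED_ROUTE = {
    "hosts": [],
    "paths": ["/test"],
    "protocols": ["https"],
    "strip_path": True,
    "preserve_host": True,
}


def _sni_matches(sni, host):
    """Match a Kong SNI entry against a hostname; one leading wildcard label allowed."""
    if sni.startswith("*."):
        # "*.example.com" covers "test.example.com" but not "a.b.example.com" or "example.com"
        return host.endswith(sni[1:]) and host.count(".") == sni.count(".")
    return sni == host


def audit(service, route, snis):
    """Return findings as 'CODE: message' strings; an empty list means nothing flagged."""
    findings = []
    protocols = route.get("protocols") or []
    hosts = route.get("hosts") or []
    paths = route.get("paths") or []

    # Kong answers plain-HTTP requests to an https-only Route with 426 Upgrade Required.
    if protocols == ["https"]:
        findings.append("HTTPS_ONLY: plain-HTTP requests to this Route get 426 Upgrade Required")

    # Without hosts the Route matches any Host header, on path alone.
    if not hosts:
        findings.append("NO_HOSTS: Route matches any Host header, including the raw ELB name")
    if paths and not hosts:
        findings.append("PATH_ONLY: only requests under %s match; others get Kong's 404 "
                        "'no Route matched with those values'" % paths)

    # strip_path removes the matched prefix before proxying (/test/x -> /x upstream).
    if route.get("strip_path") and paths:
        findings.append("STRIP_PATH: matched prefix in %s is removed before the upstream sees it" % paths)

    # Kong selects the certificate it presents by SNI; an uncovered name gets the default cert.
    for host in hosts:
        if not any(_sni_matches(s, host) for s in snis):
            findings.append("NO_SNI: no Kong SNI/certificate covers %s; clients get Kong's default certificate" % host)
    if not hosts and not snis:
        findings.append("NO_SNI: no SNI/certificate configured in Kong; every TLS client gets the default certificate")

    if service.get("protocol") == "https":
        if service.get("port") != 443:
            findings.append("PORT: https upstream on port %s; confirm the ALB listener" % service.get("port"))
        # tls_verify is a Service field on Kong 2.x+; unset (and all older releases) means no verification.
        if not service.get("tls_verify"):
            findings.append("TLS_VERIFY: upstream is https but its certificate is not validated (tls_verify unset)")
        # preserve_host forwards the client's Host header, so the ALB certificate must cover those names.
        if route.get("preserve_host"):
            findings.append("PRESERVE_HOST: client Host header is forwarded; ALB certificate and listener "
                            "rules must cover the Route's hostnames")
    return findings


def codes(findings):
    """Just the CODE part of each finding, for quick comparison."""
    return [f.split(":", 1)[0] for f in findings]


def corrected():
    """Constructed host-based variant: route on the CNAME, serve the wildcard cert from Kong."""
    service = dict(POSTED_SERVICE, tls_verify=True)
    route = dict(POSTED_ROUTE, hosts=["test.example.com"], paths=["/"], strip_path=False)
    snis = ["*.example.com"]  # constructed: wildcard SNI attached to the cert uploaded to /certificates
    return service, route, snis


if __name__ == "__main__":
    for label, (svc, rt, snis) in (("posted", (POSTED_SERVICE, POSTED_ROUTE, [])),
                                   ("corrected", corrected())):
        print(label)
        for f in audit(svc, rt, snis):
            print("  -", f)
```

The posted pair produces seven findings; the host-based variant keeps only the two informational ones (https-only Route, preserve_host). Whether preserve_host should stay on depends on what the ALB's listener rules and certificate expect in the Host header; with the wildcard ACM certificate in the post, forwarding test.example.com is fine.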

I’m curious if you have already set up your LB listeners and have SSL routing partially somewhere? I’m trying to SSL offload at our ALB and then route traffic to our TargetGroups as HTTP. I “believe” I’m supposed to set up a 443 listener and somehow route that to an 8444 port target group. But it doesn’t seem to be working. Hopefully something in that text might be useful.