How to enable SSL on ubuntu apache2 ec2 instance correctly?
I am not getting any connection at all to your server on port 443; it feels like a firewall issue. Have you opened port 443 in your EC2 security group firewall? Have you opened it in your host's firewall?
Update:
Your DNS is setup incorrectly
dig +short theaudioserver.com
52.25.39.220
Whereas you say you can connect via 52.24.39.220.
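The two checks this answer turns on (what the name actually resolves to, and whether TCP/443 accepts a connection at the address the server really has) as an added Python diagnostic; this is not code from the thread, the host and IPs are the ones quoted above, and the function names are my own.

```python
import socket
import ssl

def resolve_ipv4(host):
    """IPv4 addresses the resolver returns for host, like `dig +short`."""
    try:
        infos = socket.getaddrinfo(host, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def port_open(ip, port=443, timeout=5.0):
    """True if a TCP handshake to ip:port completes (security group and host firewall pass)."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def tls_check(host, ip, port=443, timeout=5.0):
    """Handshake with ip, sending host as SNI and verifying the certificate against it."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "ok: " + tls.version()
    except ssl.SSLCertVerificationError as e:          # wrong name, untrusted chain, expired
        return "cert: " + (e.verify_message or str(e))
    except (ssl.SSLError, OSError) as e:               # refused, timeout, not speaking TLS
        return "error: " + str(e)

def diagnose(resolved_ips, expected_ip, reachable):
    """Pure decision logic, so it can be checked without a network.
    resolved_ips: set of IPs DNS returned; expected_ip: the instance's Elastic IP;
    reachable: {ip: bool} from port_open(). Returns findings in the order to act on them."""
    findings = []
    if expected_ip not in resolved_ips:
        findings.append(f"DNS: name resolves to {sorted(resolved_ips) or 'nothing'}, "
                        f"not {expected_ip}; fix the A record")
    if not reachable.get(expected_ip, False):
        findings.append(f"FIREWALL: {expected_ip}:443 not reachable; "
                        "check the EC2 security group and the host firewall")
    return findings

def run(host, expected_ip):
    resolved = resolve_ipv4(host)
    reachable = {ip: port_open(ip) for ip in resolved | {expected_ip}}
    for finding in diagnose(resolved, expected_ip, reachable):
        print(finding)
    print("TLS via IP with SNI:", tls_check(host, expected_ip))

if __name__ == "__main__":
    run("theaudioserver.com", "52.24.39.220")   # values quoted in the thread
```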
user2212461
Updated on September 18, 2022
Comments
-
user2212461 over 1 year
I have set up an Ubuntu (14.04.2) Apache2 (2.4.7) server for SSL, but the certificate doesn't seem to be found. Ubuntu is running on an EC2 instance with a static IP, port 443 enabled, and the domain name theaudioserver.com with a DNS record pointing to that static IP. Here is how I set up my server:
- Created key:
openssl genrsa 2048 > privatekey.pem
- Generated certificate request:
openssl req -new -key privatekey.pem -out csr.pem
- bought a CA SSL certificate with the CSR and saved the keys to server.crt and server_bundle.crt
- added an ssl.conf file in /etc/apache2/sites-available, which is configured for SSL:
  SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
  <VirtualHost *:443>
      SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
      SSLProtocol All -SSLv2 -SSLv3
      SSLHonorCipherOrder On
      Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
      Header always set X-Frame-Options DENY
      Header always set X-Content-Type-Options nosniff
      SSLCompression off
      SSLUseStapling on
      ServerName theaudioserver.com
      SSLEngine on
      SSLCertificateFile /home/ubuntu/certs/server.crt
      SSLCertificateKeyFile /home/ubuntu/certs/privatekey.pem
      SSLCertificateChainFile /home/ubuntu/certs/server_bundle.crt
      DocumentRoot /var/www/html/
  </VirtualHost>
- added SSL with
sudo a2enmod ssl
- restarted apache2 successfully (without any error in the log)
- I also checked whether apache2 is listening on 443 and it seems to listen correctly:
  sudo netstat -anp | grep apache
  gives: tcp6 0 0 :::443 :::* LISTEN 3138/apache2
But when I test my domain, the certificate doesn't seem to be found.
On ssllabs.com, I get:
  No SSL certificates were found on theaudioserver.com. Make sure that the name resolves to the correct server and that the SSL port (default is 443) is open on your server's firewall.
When accessing the server via https://52.24.39.220, I get a name mismatch error since I am not accessing via the domain name, but this shows that the server firewall on EC2 seems to be set up correctly.
What am I doing wrong here?
-
Admin over 8 years
I for one can't even establish a remote connection to theaudioserver.com on port 443, so that is the first place to start looking (maybe after you verify from your own server that something is indeed listening on port 443, e.g. with openssl s_client -connect theaudioserver.com:443).
-
Admin over 8 years
Thanks, it seems apache2 is listening to 443 correctly, see my edit in the question. Any other ideas?
-
Admin over 8 years
@MichaelHampton I added the config parameters from cipherli.st (see my edit in the question), it didn't solve the problem. Any other ideas?
-
Admin over 6 years
connect: Connection refused
-
user2212461 over 8 years
See my edit: when I access the server via https://IP, I can access it, so the firewall on EC2 seems to be set up correctly. Any other ideas?