How to enable SSL on ubuntu apache2 ec2 instance correctly?


I am not getting any connection at all to your server on port 443; it feels like a firewall issue. Have you opened port 443 in your EC2 security group firewall? Have you opened it in your host's firewall?


Update:

Your DNS is set up incorrectly:

dig +short theaudioserver.com
52.25.39.220

Whereas you say you can connect via 52.24.39.220.
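The three things the answer checks (where the name resolves, whether port 443 answers at that address, whether a TLS handshake with SNI completes), as an added diagnostic script that is not part of the original answer; the verdict labels, the injectable `resolve`/`probe` hooks and the 5-second timeout are my own choices.

```python
"""Diagnose a 'no certificate found' report as three ordered checks: name
resolves to the host you configured, TCP/443 answers there, and a TLS
handshake with SNI returns a certificate. Resolver/prober are injectable."""
import socket
import ssl
from typing import Callable, Dict, List

def resolve_a(domain: str) -> List[str]:
    """IPv4 addresses the system resolver returns, like `dig +short`."""
    infos = socket.getaddrinfo(domain, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def probe_tls(ip: str, domain: str, timeout: float = 5.0) -> str:
    """'refused' if TCP/443 is closed or filtered, 'no-tls' if the port
    answers but no handshake completes, 'tls' if a certificate was served."""
    try:
        raw = socket.create_connection((ip, 443), timeout=timeout)
    except OSError:
        return "refused"
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # checking presence, not trust
    try:
        with ctx.wrap_socket(raw, server_hostname=domain) as tls:
            return "tls" if tls.getpeercert(binary_form=True) else "no-tls"
    except OSError:  # ssl.SSLError and timeouts are both OSError
        raw.close()
        return "no-tls"

def diagnose(domain: str, expected_ip: str,
             resolve: Callable[[str], List[str]] = resolve_a,
             probe: Callable[[str, str], str] = probe_tls) -> Dict[str, object]:
    """Return resolved addresses, per-address probe results and a verdict
    naming the first check that fails."""
    addrs = resolve(domain)
    probes = {ip: probe(ip, domain) for ip in addrs}
    if expected_ip not in addrs:
        verdict = "dns-mismatch"          # the thread's actual root cause
    elif probes[expected_ip] == "refused":
        verdict = "port-443-unreachable"  # security group or host firewall
    elif probes[expected_ip] == "no-tls":
        verdict = "no-tls-on-443"         # vhost not active / SSLEngine off
    else:
        verdict = "ok"
    return {"resolved": addrs, "probes": probes, "verdict": verdict}

if __name__ == "__main__":
    import sys
    print(diagnose(sys.argv[1], sys.argv[2]))
```

Run as `python3 diagnose.py theaudioserver.com 52.24.39.220`; a `dns-mismatch` verdict with `52.25.39.220` in `resolved` is exactly the situation the answer describes.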


Author: user2212461 (updated on September 18, 2022)

Comments

  • user2212461
    user2212461 over 1 year

    I have set up an Ubuntu (14.04.2) Apache2 (2.4.7) server for SSL, but the certificate doesn't seem to be found. Ubuntu is running on an EC2 instance with a static IP, port 443 enabled, and the domain name theaudioserver.com with a DNS record pointing to that static IP. Here is how I set up my server:

    • Created key: openssl genrsa 2048 > privatekey.pem
    • Generated certificate request: openssl req -new -key privatekey.pem -out csr.pem
    • Bought a CA SSL certificate with the CSR and saved the keys to server.crt and server_bundle.crt
    • Added an ssl.conf file in /etc/apache2/sites-available, configured for SSL:

        # server-context directive; must stay outside <VirtualHost>
        SSLStaplingCache shmcb:/tmp/stapling_cache(128000)

        <VirtualHost *:443>
            SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
            SSLProtocol All -SSLv2 -SSLv3
            SSLHonorCipherOrder On
            Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
            Header always set X-Frame-Options DENY
            Header always set X-Content-Type-Options nosniff
            SSLCompression off
            SSLUseStapling on
            ServerName theaudioserver.com
            SSLEngine on
            SSLCertificateFile /home/ubuntu/certs/server.crt
            SSLCertificateKeyFile /home/ubuntu/certs/privatekey.pem
            SSLCertificateChainFile /home/ubuntu/certs/server_bundle.crt

            DocumentRoot /var/www/html/
        </VirtualHost>

    • Enabled SSL with sudo a2enmod ssl
    • Restarted apache2 successfully (without any error in the log)
    • I also checked whether apache2 is listening on 443, and it seems to listen correctly: sudo netstat -anp | grep apache gives: tcp6 0 0 :::443 :::* LISTEN 3138/apache2

    But when I test my domain, the certificate doesn't seem to be found.

    On ssllabs.com, I get: "No SSL certificates were found on theaudioserver.com. Make sure that the name resolves to the correct server and that the SSL port (default is 443) is open on your server's firewall."

    When accessing the server via https://52.24.39.220, I get a name mismatch error since I am not accessing it via the domain name, but this shows that the server firewall on EC2 seems to be set up correctly.

    What am I doing wrong here?

    • Admin
      Admin over 8 years
      I for one can't even establish a remote connection to theaudioserver.com on port 443, so that is the first place to start looking (maybe after you verify from your own server that something is indeed listening on port 443, e.g. with openssl s_client -connect theaudioserver.com:443).
    • Admin
      Admin over 8 years
      Thanks, it seems apache2 is listening on 443 correctly; see my edit in the question. Any other ideas?
    • Admin
      Admin over 8 years
    • Admin
      Admin over 8 years
      @MichaelHampton I added the config parameters from cipherli.st (see my edit in the question), it didn't solve the problem. Any other ideas?
    • Admin
      Admin over 6 years
      connect: Connection refused
  • user2212461
    user2212461 over 8 years
    See my edit: when I access the server via https://IP, I can access it, so the firewall on EC2 seems to be set up correctly. Any other ideas?