I have read the amazon ec2 guide for setup https and finished several steps. But it still not working.
sign a SSL certification, I use self-signed cert.
use aws iam to upload the SSL cert to amazon server.
In ec2 control platform, add port 80 and port 443 in the current security group's inbound
create new load balancer, add http with port 80, the port 443 and https with the uploaded cert in the new load balancer, and assign current instance in the load balancer
Last, I have check the instance's security group and make sure it is right. I reboot the instance and the https does not work. The health check can pass in checking port 80. But it does not pass in checking port 443.
Do I miss any step?
I know this post is a year old, but I recently had similar issues and hope that someone might find this useful.
I see you are using a load balancer. You have to do the following:
Step 1
Make sure that port 443 is open on your EC2 instance and not being blocked by a firewall. You can run
sudo netstat -tlnp
on linux to check which ports are open. The output should look something like this:
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 937/sshd
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 1060/mysqld
tcp6 0 0 :::22 :::* LISTEN 937/sshd
tcp6 0 0 :::443 :::* LISTEN 2798/apache2
tcp6 0 0 :::80 :::* LISTEN 2798/apache2
Step 2
Make sure your security groups are setup as follows:
EC2 (INBOUND)
HTTP TCP 80 LOAD BALANCER
HTTPS TCP 443 LOAD BALANCER
Load Balancer (Outbound)
HTTP TCP 80 EC2 Instance
HTTPS TCP 443 EC2 Instance
Step 3
Make sure your EC2 instance is listening on port 443 (/etc/apache2/ports.conf) :
Listen 80
Listen 443
If you are using a virtual host, make sure it looks like this:
<VirtualHost *:80>
DocumentRoot /var/www/html/mysite.com
ServerName mysite.com
ServerAlias www.mysite.com
<Directory /var/www/html/mysite.com>
AllowOverride All
RewriteEngine On
Require all granted
Options -Indexes +FollowSymLinks
</Directory>
</VirtualHost>
<VirtualHost *:443>
DocumentRoot /var/www/html/mysite.com
ServerName mysite.com
ServerAlias www.mysite.com
SSLEngine on
SSLCertificateFile /usr/local/ssl/public.crt
SSLCertificateKeyFile /usr/local/ssl/private/private.key
SSLCACertificateFile /usr/local/ssl/intermediate.crt
</VirtualHost>
Step 4
Upload your certificate files in .pem format using the following commands:
aws iam upload-server-certificate --server-certificate-name my-server-cert
--certificate-body file://my-certificate.pem --private-key file://my-private-key.pem
--certificate-chain file://my-certificate-chain.pem
Step 4
Create a listener on the Load Balancer which has the EC2 instance attached to it. The listener is for HTTPS and port 443. The listener will ask for a certificate and it will have the one you added from the aws cli already listed. If it is not listed, log out of the AWS console and log back in.
After, this, traffic via HTTPS will start flowing to your EC2 instance.
I had similar issues, and posted my question and answer here: HTTPS only works on localhost
Related
I have a similar problem as mentioned in Apache redirect to another port but the answer does not work for me.
I have Apache set up on an Debian VM, with an instance of Nextcloud.
I setup a vhost for cloud.mydomain.com on port 443 and it works fine.
Also, I installed Gitlab on the same VM, and the external url is https://debianvm.local:1234
How can I redirect https://gitlab.mydomain.com:443 to https://debianvm.local:1234 ??
I have tried
<VirtualHost *:443>
ServerName gitlab.mydomain.com
ServerAlias gitlab.mydomain.com
ProxyPass / https://debianvm:8508/
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
</VirtualHost>
I was hoping to later be able to call certbot -d gitlab.mydomain.com and change the certificate...
I also tried putting exactly the same file for *:80 (without SSLEngine lines) and then call certbot but without success.
I also tried directly putting https://gitlab.mydomain.com in the gitlab configuration, in vain.
Any ideas?
Thanks.
On the DNS side, I set up 2 DNS redirections type A: one for cloud.mydomain.com and one for gitlab.mydomain.com, but they are pointing to the same IP.
On the port forwarding side, the NAS with the host IP is forwarding 80 and 443 to 80 and 443 of the debianvm.local
I've installed Apache httpd on my Mac and "It works".
Now I need to configure a Virtual Host in order to expose my application (Java Spring) with httpd as reverse proxy in front of it.
This is what I have into /usr/local/etc/httpd/extra/httpd-vhosts.conf file
<VirtualHost *:443>
ServerName my.domain.it:443
SSLEngine on
SSLCertificateFile /path/to/cert.crt
SSLCertificateKeyFile /path/to/cert.key
ProxyPreserveHost On
ProxyPass / http://localhost:8080/myapp
ProxyPassReverse / http://localhost:8080/myapp
</VirtualHost>
In /etc/hosts I've mapped to server address in this way:
127.0.0.1 my.domain.it
And The Tomcat Connector configuration is:
<Connector connectionTimeout="20000" port="8080" protocol="HTTP/1.1" proxyPort="443" scheme="https"/>
If I run the application with Eclipse it responds correctly at http://localhost:8080/myapp/ but If I try to call https://my.domain.it/myapp/ It doesn't work and Google Chrome tells me: "This site can't be reached".
What's wrong with my configuration?
P.S.
The httpd Apache instance is configured to Listen on port 80
#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
Listen 80
Thanks.
EDIT: SOLVED
Unfortunately I was not able to solve with Apache Httpd but now with Nginx it works. Thanks for your answers
In mod_ssl.conf (file name might be different) you should have the following line
Listen 443
It tells apache to listen on port 443 (it's include in the configuration file when you install mod_ssl to be able to expose your site over HTTPS).
The same configuration file should include all the shared configuration about the TLS.
If apache is running, you can check if port 443 is listening, using netstat:
netstat -an | grep -i list
The output should include port 80 and 443 (and some other according to the services running on the server such as ssh).
If the port is shown in the list, next step is to check apache logs for errors.
■Background
trying to get SSL through Let's Encrypt
■Issue
As run the code below,
sudo certbot --apache -d hogehoge.com
I got the port 80 error
Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.
and unable to resolve this error
■What I have tried
have set up the port 80
vim /etc/httpd/conf/httpd.conf
add the description in the file.
NameVirtualHost *:80
<VirtualHost *:80>
ServerAdmin root#hogehoge
DocumentRoot /var/www/html
ServerName hogehoge
</VirtualHost>
but I still got the same error.
would you kindly tell me the cause and how to make it work?
Default command "sudo certbot renew" error on localhost
(1)Uninstall certbot
(2)Reinstall certbot
(3)Sudo certbot certonly
(4)Select option 1, spin up temporary web server
(5)Ensure port 80 is accessible from outside, port forwarding in router
(6) Ensure all services using port 80 are stopped
Try
RewriteCond %{REQUEST_URI} !.well-known/acme-challenge
Enabling HTTPS on a Single Instance Beanstalk application: Unable to find a virtual host listening on port 80
Unfortunately I've not been able to deploy a basic Golang WebApp on production server. After going through many documentation and tutorials I understood that I need to run Golang WebApp as a Daemon.
First things first: the production server is a single IP running Ubuntu 16.04 with Apache based multiple VirtualHosts /etc/apache2/sites-enabled/.
Golang environment vars
# set golang environment vars
export GOROOT=/usr/local/go
# set multiple gopaths seperated by ":"
export GOPATH=/var/www/go_projects/gotest.domain2.com
export PATH=$GOPATH/bin:$GOROOT/bin:$PATH
# set PATH so it includes user's private bin directories
PATH="$HOME/bin:$HOME/.local/bin:$PATH"
Systemd Daemon file
[Unit]
Description=GoTest Webserver
[Service]
Type=simple
WorkingDirectory=/var/www/go_projects/gotest.domain2.com
ExecStart=/var/www/go_projects/gotest.domain2.com/main #binary file
[Install]
WantedBy=multi-user.target
VirtualHost Conf
<VirtualHost *:80>
ServerName gotest.domain.com
DocumentRoot /var/www/go_projects/gotest.domain2.com
<Directory /var/www/go_projects/gotest.domain2.com>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
Go file
package main
import (
"fmt"
"log"
"net/http"
)
func handler(w http.ResponseWriter, r *http.Request) {
fmt.Fprintf(w, "Hello World %s!", r.URL.Path[1:])
}
func main() {
http.HandleFunc("/", handler)
log.Fatal(http.ListenAndServe(":8080", nil))
}
The program on http://gotest.domain2.com unfortunately is not executed. It rather lists the content of DocumentRoot
Manual run returns
admin#xyz:/var/www/go_projects/gotest.domain2.com$ ./main
2018/02/18 15:52:58 listen tcp :8080: bind: address already in use
What am I missing or is my deployment approach principally wrong?
Cheers!
EDIT:
As suggested from Michael Ernst, I tried altering the port/proxy settings and here is the result:
http://gotest.domain2.com leads to 503 Service Unavailable
Following is the outcome of sudo netstat -talpen
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 16367 1250/sshd
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 0 473536 26340/master
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 0 16604 1417/dovecot
tcp 0 0 0.0.0.0:2000 0.0.0.0:* LISTEN 5001 17289 1652/asterisk
tcp 0 xx.xx.xx.xx:22 xx.xx.xx.xx:6126 ESTABLISHED 0 615988 13025/sshd: admin [
tcp6 0 0 :::22 :::* LISTEN 0 16369 1250/sshd
tcp6 0 0 :::25 :::* LISTEN 0 473537 26340/master
tcp6 0 0 :::3306 :::* LISTEN 111 17564 1391/mysqld
tcp6 0 0 :::143 :::* LISTEN 0 16605 1417/dovecot
tcp6 0 0 :::80 :::* LISTEN 0 612412 12554/apache2
tcp6 0 0 xx.xx.xx.xx:80 xx.xx.xx.xx:6128 FIN_WAIT2 0 0 -
tcp6 0 0 xx.xx.xx.xx:80 xx.xx.xx.xx:6129 ESTABLISHED 33 615029 12561/apache2
Any idea where the problem lies?
As for configuring apache:
You need to start the go application and in the apache configuration reverse proxy the request to the port 8080 ( which the go daemon you wrote listens to ).
The go application needs to be always running so you might want to boot it at system start. Unlike php, which is called from apache, go should run as binary that is always there.
As for your port issue:
Make sure that your application is not yet started and that no other application is listening to port 8080. ( you can use netstat -talpen to see that )
Edit:
Port 8080 is often a http proxy. Is there are proxy or another application running on this point?
Edit:
You can configure your apache like that:
<VirtualHost *:80>
ProxyPreserveHost On
ProxyRequests Off
ServerName www.example.com
ServerAlias example.com
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
</VirtualHost>
You might also want to make the port of your go-application configurable so you don't need to re-compile the code in case you need to change the port. Also you can bind to the localhost interface so, in case you don't have a firewall configured, people can only access the go application over apache and not directly talk with the go application
// define the flag
port := flags.Int("port", 8080, "port to listen on")
// parse the flags
flags.Parse();
// here you might want to add code to make sure the port is valid.
// start webserver
log.Fatal(http.ListenAndServe("localhost:"+strconv.Atoi(*port), nil))
I'm running an EC2 micro instance (Amazon Linux) and can't seem to get ssl (https) working.
The error I'm getting in Chrome is "ERR_CONNECTION_REFUSED" (no data sent).
I've enabled HTTPS inbound traffic for the security group in my AWS console.
I added this in the /etc/httpd/conf/httpd.conf file. (example.com is a placeholder for my website)
<VirtualHost *:80>
ServerName example.com
Redirect permanent / https://example.com/
</VirtualHost>
<VirtualHost *:443>
ServerName example.com
SSLEngine on
SSLCertificateFile /etc/ssl/example_com.crt
SSLCertificateKeyFile /etc/ssl/example_com.key
SSLCertificateChainFile /etc/ssl/example_com.ca-bundle
</VirtualHost>
and it didn't work.
So to test VirtualHost, I replaced it with the following:
<VirtualHost *:80>
ServerName example.com
Redirect permanent / https://google.com/
</VirtualHost>
<VirtualHost *:443>
ServerName example.com
Redirect permanent / https://google.com/
</VirtualHost>
http://example.com redirected to google like expected, but https://example.com didn't.
Anyone know what's the problem?
Connection refused means your server's IP stack actively rejected the incoming connection on port 443 (https) because no service is listening on port 443.
We use less and less Apache these days in my operations, because of the maturity of some other alternatives, so I may be a little rusty here, but I'm reasonably sure that your server, in spite of being configured with a way to respond to requests on port 443... is not actually listening for connections on port 443.
You probably have a listen 80 somewhere in your apache config. This will need to be accompanied by listen 443 based on httpd.apache.org/docs/2.2/bind.html:
When Apache starts, it binds to some port and address on the local machine and waits for incoming requests. By default, it listens to all addresses on the machine. However, it may need to be told to listen on specific ports, or only on selected addresses, or a combination of both. This is often combined with the Virtual Host feature, which determines how Apache responds to different IP addresses, hostnames and ports.
In addition to configuring the security group to allow the traffic over port 443, you probably also need to open port 443 on the server itself.
iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT
If that fixes the issue, then to save the configuration so that it persists after a reboot:
/sbin/service iptables save