I've been banging my head against the wall trying to figure out how to setup multiple SSL certificates on an amazon VPC instance (I'm using amazon's standard linux AMI)
Here's what I did:
I setup a VPC instance
Added a secondary private IP address
Added 2 elastic IP addresses & "linked" them to the private ones
Went to my domain registrar & pointed two test domains to the elastic IP addresses
Waited until new IP addresses were propagated
I uploaded the SSL certificates to the VPC instance
Then I tried editing ssl.conf, see line 74 to 93 & httpd.conf, see line 1046 to 1086:
ssl.conf
<VirtualHost domain1.com:443>
ServerName www.domain1.com:443
DocumentRoot "/var/www/html"
SSLENGINE on
SSLCertificateFile /etc/ssl/domain1_com.crt
SSLCertificateKeyFile /etc/ssl/domain1_com.key
SSLCertificateChainFile /etc/ssl/domain1_com.ca-bundle
</VirtualHost>
<VirtualHost _default_:443>
...Default SSL certificate (domain1.com) here...
</VirtualHost>
httpd.conf
<VirtualHost *:80>
ServerName domain1.com
ServerAlias www.domain1.com
DocumentRoot /var/www/html
ServerAdmin webmaster#domain1.com
</VirtualHost>
<VirtualHost *:80>
ServerName domain2.com
ServerAlias www.domain2.com
DocumentRoot /var/www/html
ServerAdmin webmaster#domain2.com
</VirtualHost>
I also tried <VirtualHost *:443> and <VirtualHost IP.ADDRESS:443>, didn't work either.
The result is basically this:
domain1.com (which is the default SSL certificate) works just fine (resolve fine, green bar)
domain2.com: doesn't even resolve to anything, even though when I do ping www.domain2.com, I get the correct elastic IP
My question is: Any idea how to make domain2.com resolve & use the correct SSL certificate?
EDIT / Additional Info:
I also tried this:
Temporarily stopped firewall as suggested, ie. sudo service iptables stop
From outside of EC2, curl --connect-timeout 10 https://domain2.com gave me this curl: (28) connect() timed out!
wget https://www.domain2.com/ gave me this: --2013-10-03 15:57:22-- domain2.com Resolving www.domain2.com... 54.229.111.22 Connecting to www.domain2.com|54.229.111.22|:443... failed: Connection timed out. Retrying.
EDIT (2):
I noticed 2 things:
If I use 2 network interfaces (each NIC with one private IP) sudo ifconfig doesn't show the 2nd NIC (ie. eth1), and wether I use one or two NICs, sudo ifconfig always return the 1st private IP (10.0.0.10), never the 2nd one (10.0.0.183)
Unsurprisingly, the unreachable website domain2.com corresponds to the 2nd IP (which is missing): 10.0.0.183
This command curl --interface 10.0.0.10 ifconfig.me correctly retuns the elastic IP address associated to domain1.com while
This command curl --interface 10.0.0.183 ifconfig.me retuns:
curl: (45) bind failed with errno 99: Cannot assign requested address
I followed this guid, I can see eth1, but domain2.com is still unreachable
And curl --interface 10.0.0.183 ifconfig.me now returns this:
curl: (7) Failed connect to ifconfig.me:80; Connection timed out
You will need to use ip based virtual hosting for SSL. The IP address you are going to listen will be the private, not public IP.
Your sites on port 80 can use name based virtual hosting. But you need to make sure you are using this directive: NameVirtualHost *:80
This tutorial fixed it for me
One small (but important) note:
Instead of typing this command (step #5):
echo "1 admin" >> /etc/iproute2/rt_tables
You should do this instead:
sudo vi /etc/iproute2/rt_tables
then add 1 admin at the end of the file
I think you need to follow a troubleshooting methodology for this.
Start by simplifying your configuration and verifying the basic components, then gradually build it up to the complete solution. For example:
Map the elastic IP for domain2 to a new EC2 server.
On the new server, start by making domain2.com available over HTTP
Once it is working over HTTP, set it up to work over HTTPS
Once it is working over HTTPS map the elastic IP back to the original server and make it work on the original server using HTTP
Once it is working over HTTP take the final step of getting it to work over HTTPS on the original server.
The aim here is to validate each step and isolate exactly where it is going wrong. This will then enable you to best direct your energies for solving the root cause.
Related
I have a similar problem as mentioned in Apache redirect to another port but the answer does not work for me.
I have Apache set up on an Debian VM, with an instance of Nextcloud.
I setup a vhost for cloud.mydomain.com on port 443 and it works fine.
Also, I installed Gitlab on the same VM, and the external url is https://debianvm.local:1234
How can I redirect https://gitlab.mydomain.com:443 to https://debianvm.local:1234 ??
I have tried
<VirtualHost *:443>
ServerName gitlab.mydomain.com
ServerAlias gitlab.mydomain.com
ProxyPass / https://debianvm:8508/
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
</VirtualHost>
I was hoping to later be able to call certbot -d gitlab.mydomain.com and change the certificate...
I also tried putting exactly the same file for *:80 (without SSLEngine lines) and then call certbot but without success.
I also tried directly putting https://gitlab.mydomain.com in the gitlab configuration, in vain.
Any ideas?
Thanks.
On the DNS side, I set up 2 DNS redirections type A: one for cloud.mydomain.com and one for gitlab.mydomain.com, but they are pointing to the same IP.
On the port forwarding side, the NAS with the host IP is forwarding 80 and 443 to 80 and 443 of the debianvm.local
I'm kind of a new Apache user (version 2.4). I'm having trouble configuring the whole thing. My server has an IP address- 192.168.2.10, for example my public IP is 123.123.123.123. In my hosting provider website I did set an A record pointing at 123.123.123.123. My Apache config looks like:
Listen 443
<VirtualHost _default_:433>
# General setup for the virtual host
DocumentRoot "${SRVROOT}/htdocs"
ServerName www.example.com:443
ServerAdmin my#mail.com
ErrorLog "${SRVROOT}/logs/error.log"
TransferLog "${SRVROOT}/logs/access.log"
The problem is I receive ERR_CONNECTION_TIMED_OUT all the time. When I tried swaping www.example.com with local IP 192.168.2.5 it KIND OF worked (SSL certificate problems because they are connected to www.example.com, but I managed to see HTTP response. Where seems to be the problem?
EDIT:
I think the problem is I can't use port 443 because it's my routers default managment port. How should I configure it then? I have NAT rule on my router that does forward every :8456 request to 192.168.2.10:443.
I resolved the issue. It was "SSL 3.0" option turned off on my router.
I'm running an EC2 micro instance (Amazon Linux) and can't seem to get ssl (https) working.
The error I'm getting in Chrome is "ERR_CONNECTION_REFUSED" (no data sent).
I've enabled HTTPS inbound traffic for the security group in my AWS console.
I added this in the /etc/httpd/conf/httpd.conf file. (example.com is a placeholder for my website)
<VirtualHost *:80>
ServerName example.com
Redirect permanent / https://example.com/
</VirtualHost>
<VirtualHost *:443>
ServerName example.com
SSLEngine on
SSLCertificateFile /etc/ssl/example_com.crt
SSLCertificateKeyFile /etc/ssl/example_com.key
SSLCertificateChainFile /etc/ssl/example_com.ca-bundle
</VirtualHost>
and it didn't work.
So to test VirtualHost, I replaced it with the following:
<VirtualHost *:80>
ServerName example.com
Redirect permanent / https://google.com/
</VirtualHost>
<VirtualHost *:443>
ServerName example.com
Redirect permanent / https://google.com/
</VirtualHost>
http://example.com redirected to google like expected, but https://example.com didn't.
Anyone know what's the problem?
Connection refused means your server's IP stack actively rejected the incoming connection on port 443 (https) because no service is listening on port 443.
We use less and less Apache these days in my operations, because of the maturity of some other alternatives, so I may be a little rusty here, but I'm reasonably sure that your server, in spite of being configured with a way to respond to requests on port 443... is not actually listening for connections on port 443.
You probably have a listen 80 somewhere in your apache config. This will need to be accompanied by listen 443 based on httpd.apache.org/docs/2.2/bind.html:
When Apache starts, it binds to some port and address on the local machine and waits for incoming requests. By default, it listens to all addresses on the machine. However, it may need to be told to listen on specific ports, or only on selected addresses, or a combination of both. This is often combined with the Virtual Host feature, which determines how Apache responds to different IP addresses, hostnames and ports.
In addition to configuring the security group to allow the traffic over port 443, you probably also need to open port 443 on the server itself.
iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT
If that fixes the issue, then to save the configuration so that it persists after a reboot:
/sbin/service iptables save
I've been trying to create 3 different domains linking to 3 different sites on the same machine, 2 which works but the third on the different port links to the first page.
My apache config looks like this:
Listen 81
NameVirtualHost *:81
<VirtualHost *:80>
ServerName www.example.com
DocumentRoot /var/www/www
</VirtualHost>
<VirtualHost *:80>
ServerName www2.example.com
DocumentRoot /var/www/www2
</VirtualHost>
<VirtualHost *:81>
ServerName controlpanel.example.com
DocumentRoot /var/www/controlpanel
</VirtualHost>
I've used Bind9 to set up the domains.
www IN A 123.123.123.123
www2 IN A 123.123.123.123
controlpanel IN A 123.123.123.123
www and www2 works fine and shows the correct site, however controlpanel.example.com also links to the first www site. When I enter the port manualy on the ip, xxx.xxx.xxx.xxx:81, i get linked correctly. The thing is that I don't really know where I'm doing it wrong, this is the first time I'm trying anything like this. You got any ideas?
Im also running this on an old ubuntu 12.04 server.
Regarding where you're going in the comments for the previous answer:
You could add a port 80 virtualhost for controlpanel.example.com and put a single statement inside,
Redirect / http://controlpanel.example.com:81
The purpose of the ServerName is not to inform the browser what port your webserver is using. It's used for name-based virtualhosts and as a last resort for self-referential links (out of the box, self-referential links are generated with whatever the client already thought it was accessing via the Host: header)
But there is definitely something quite bizarre about your requirement. Usually the motivation is to not use custom ports, and if they are, to address the server with a low port and have the por remapped by some intermediary (load balancer, proxy).
If you want your third virtualhost to be simulataneously the defautl on port 81 and a name-based option on port 80:
Change
<VirtualHost *:81>
to
<VirtualHost *:80 *:81>
Apache finds the set of virtual hosts with the best IP:PORT based match first, then if NameVirtualHost also matches, starts looking at the ServerNames from that set.
I am trying to manage 2 domains with one server (running proxmox with several CT), I am using reverse proxy but seems to be wrong.. here's my configuration:
Let's say we have the main server running proxmox where I managed IPTables to redirect port 80 to the port 80 of my first container (CT01) and port 8109 to port 80 of my second container (CT02).
While using the port in my browser, everything is working well, and I am able to reach each container.
I bought 2 domain names, one for my private server (CT01) and another one for a business server (CT02). I associated both of the domain to my server address, and while typing one or another of them I am redirected to CT01 (normal, browser is running the address to the default port).
So now I tried to use reverse proxy in order to redirect to the desired server (DomainA -> CT01, DomainB -> CT02), I created 2 files in /var/apache2/sites-available/ :
/var/apache2/sites-available/domainA.com:
<VirtualHost *:80>
ServerName domainA.com
DocumentRoot /var/www/
</VirtualHost>
/var/apache2/sites-available/domainB.com:
<VirtualHost *:80>
ServerName domainB.com
ProxyPreserveHost On
ProxyRequests On
ProxyPass / http://x.y.z.h:8109/
ProxyPassReverse / http://x.y.z.h:8109/
<Location />
Order allow,deny
Allow from all
</Location>
</VirtualHost>
Then I runned a2ensite domainA.com and a2ensite domainB.com. I restarted my apache service.
But nothing have changed: both my domainA and domainB redirect me to the same container (CT01).
Any idea?
What i may suggest is doing a new CT just to host a proxy (nginx for example) that will route the requests to one or the other site depending of the Host: field value of the HTTP request. This may be a little bit overkill if it's just for two sites, but when you want to have more, it can be very useful. Plus the NGinx can be used to cache, etc.
Let me know if you are interested. I know a tutorial that you may follow, but it's in french : http://blog.ganbaranai.fr/2013/08/il-etait-une-fois-proxmox-derriere-une-ip-unique/
Hope it helps.
Regards,