25
votes

I recently installed an SSL certificate on my Amazon EC2 Ubuntu 12.04(32bit) server running Apache 2.

When I attempt to access my site via https, it does not load. When I perform an nmap scan, I see that port 443 is not open.

I tried to open port 443 in my iptables to no avail. iptables -L yields

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https

Here's how I installed ssl

I modified /etc/init.d/apache2.conf to include ssl.conf and modified ssl.conf to include the requisite paths of my certificate files, i.e.

SSLCertificateFile /path/file
SSLCertificateKeyFile /path/file
SSLCertificateChainFile /path/file

I configured my security group to allow inbound requests from port 443 (TCP source:0.0.0.0/0)

When I perform the following test with php

<?php
// Report whether the OpenSSL extension is compiled into / loaded by PHP.
if (!extension_loaded('openssl')) {
    echo "not loaded";
} else {
    echo "loaded";
}

I get "loaded".

Any ideas?

10
What happens when you try opening a telnet connection from a remote machine to your server on port 443? Does it connect? If so, then you can rule out a firewall or routing problem, or a problem with iptables. I would also be curious if your apache logs are showing anything interesting. – mti2935
telnet to 443 returns "Connection Refused". Nothing is appended to apache logs when I attempt to access mydomain.net – rocketas
Interesting. How about if you try a loopback connection, from the host itself, on port 443? In other words, telnet localhost 443. Does that connect? I'm trying to isolate whether this is an apache issue or a networking / firewall issue. – mti2935
Ahh, looks like an apache issue. Thanks – rocketas

10 Answers

26
votes

In httpd-ssl.conf, do you have Listen 443?

If not, try adding that, and restarting apache.

21
votes

First check if mod_ssl is enabled. If not, enable it by running a2enmod ssl. Then check if Apache is listening on port 443 for https. Then check if the firewall is not blocking port 443.

16
votes

If anyone else finds this and is using Amazon Lightsail (like me), you have to use their web UI to explicitly open port 443.

I spent hours poring over my server config files before I discovered that :/

7
votes

In httpd.conf the following is disabled by default:

# Secure (SSL/TLS) connections
# Include conf/extra/httpd-ssl.conf    

Simply remove the # from the Include and restart Apache.

5
votes

If you can connect locally (e.g. with telnet localhost 443 as mti suggests), check if the firewall is configured properly.

In my case, ufw was blocking everything, so I had to ufw allow 443 which fixed the underlying problem to the same symptom.

0
votes

I just ran into a situation where there was a process listening on port 443, the firewall was completely open, SELinux was disabled, and I still couldn't telnet to port 443. Not even from the localhost. I kept getting:

telnet 127.0.0.1 443
telnet: connect to address 127.0.0.1: Connection refused

It turns out the iptables NAT table had some rules redirecting traffic coming in on port 443 to a different port (8443). Nothing was listening on port 8443.

# iptables --table nat --list
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
REDIRECT   tcp  --  anywhere             anywhere            tcp dpt:https redir ports 8443 

Removing the relevant NAT entries fixed the problem for me.
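As an added example (not code from the thread), a small POSIX sh script that applies the comment thread's "is it Apache or the network" split offline: it checks Apache config text for an active Listen 443 and SSLEngine on, and parses iptables -t nat -L output for the kind of REDIRECT rule shown in this answer. The function names and the sample inputs are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread. Offline checks for the two
# "silent" causes discussed above: an Apache config that never listens
# on 443, and an iptables NAT REDIRECT that diverts port 443 elsewhere.
# Every function reads text on stdin; function names are hypothetical.

# Exit 0 if the config text contains an active (uncommented) "Listen 443"
# (also matches forms such as "Listen 0.0.0.0:443" or "Listen [::]:443").
apache_listens_443() {
    if grep -Eq '^[[:space:]]*Listen[[:space:]]+([^[:space:]]*:)?443([[:space:]]|$)'; then
        echo "ok: active 'Listen 443' found"; return 0
    fi
    echo "problem: no active 'Listen 443' (missing or commented out)"; return 1
}

# Exit 0 if some vhost in the config text has "SSLEngine on".
apache_sslengine_on() {
    if grep -Eiq '^[[:space:]]*SSLEngine[[:space:]]+on([[:space:]]|$)'; then
        echo "ok: 'SSLEngine on' found"; return 0
    fi
    echo "problem: no active 'SSLEngine on'"; return 1
}

# Given `iptables -t nat -L` output, print the port that port-443 traffic
# is REDIRECTed to; print nothing when no such rule exists.
nat_https_redirect_port() {
    awk '$1 == "REDIRECT" && /dpt:(https|443)( |$)/ {
             for (i = 1; i <= NF; i++)
                 if ($i == "ports") { print $(i + 1); exit }
         }'
}

# Constructed sample inputs: the NAT table quoted in the answer above and a
# config with "Listen 443" commented out.
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             anywhere            tcp dpt:https redir ports 8443'
SAMPLE_CONF='Listen 80
# Listen 443
<VirtualHost *:443>
    SSLEngine on
</VirtualHost>'

# Demo run on the samples (the checks only read text, nothing is changed).
printf '%s\n' "$SAMPLE_CONF" | apache_listens_443
printf '%s\n' "$SAMPLE_CONF" | apache_sslengine_on
port=$(printf '%s\n' "$SAMPLE_NAT" | nat_https_redirect_port)
if [ -n "$port" ]; then echo "problem: NAT redirects 443 -> $port; is anything listening there?"; fi
```

On a real host, feed the functions with `cat /etc/apache2/*.conf /etc/apache2/sites-enabled/*` and `iptables -t nat -L` respectively; a redirect port with no listener is exactly the symptom this answer describes.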

0
votes

If the SSL keys are not set (or were inexplicably commented out by gremlins), Apache 2.2 SSL will silently fail. There will be no error in the log, and it will not be listening to 443. The http:80 sites will work.

0
votes

For me it's the stupid Chrome cache. Ctrl + Shift + Del to clear the cache, restart Chrome, and SSL is correctly working now.

0
votes

First, check the processes on ports 80 and 443: sudo netstat -peanut | grep ':80' and sudo netstat -peanut | grep ':443'. If 443 has no process, then this would help: editing the Apache configuration file to serve the cert works well. Use the command sudo certbot --apache. You are good.

-6
votes

Sometimes an iptables -F works. I had the port 443 open for inbound in Amazon, but still the site was not opening in my browser.

Logged on to the site, gave an iptables -F and immediately the site was accessible.