1 vote

On an EC2 instance that services multiple domains via Virtual Hosts, I have set up a Load Balancer that forwards HTTPS traffic from port :443 to :8443 for one of the domains, in part following this example: http://elwoodicious.com/2009/12/23/using-elb-to-serve-multiple-domains-over-ssl-on-ec2-for-giggles/

My working httpd.conf Virtual Hosts look like this:

NameVirtualHost *:80
<VirtualHost *:80>
    ServerAdmin [email protected]
    DocumentRoot /var/www/domain.om
    ServerName domain.com
    ServerAlias *.domain.com
    ErrorLog logs/domain.com-error_log
    CustomLog logs/domain.com-access_log common
</VirtualHost>

# more VirtualHosts on *:80 here

Now, as soon as I add a new virtual host for the same domain.com, like so,

<VirtualHost _default_:8443>
    ServerAdmin [email protected]
    DocumentRoot /var/www/domain.om
    ServerName domain.com
    ServerAlias *.domain.com
    SSLEngine On
    RequestHeader set X_FORWARDED_PROTO 'https'
    ErrorLog logs/domain.com-https-error_log
    CustomLog logs/domain.com-https-access_log common
</VirtualHost>

...Apache fails to restart. There are no error notices - it just says [FAILED].

The only clue I have: even when I remove all *:80 Virtual Hosts and only leave a single one for port *:8443, Apache fails... even when setting NameVirtualHost *:8443.

Could this mean it's an EC2 directive of some sort that only allows Virtual Hosts on port 80?

Thanks for any help!

Edit: add error log

var/log/httpd/error_log contains this:

[Tue Jun 09 16:52:37 2015] [notice] caught SIGTERM, shutting down
[Tue Jun 09 16:52:37 2015] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Jun 09 16:53:13 2015] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Jun 09 16:53:47 2015] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Jun 09 16:53:47 2015] [notice] Digest: generating secret for digest authentication ...
[Tue Jun 09 16:53:47 2015] [notice] Digest: done
[Tue Jun 09 16:53:47 2015] [notice] Apache/2.2.29 (Unix) DAV/2 PHP/5.3.29 mod_ssl/2.2.29 OpenSSL/1.0.1k-fips configured -- resuming normal operations

var/log/httpd/ssl_error_log contains this:

[Tue Jun 09 16:53:47 2015] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Jun 09 16:53:47 2015] [warn] RSA server certificate CommonName (CN) `ip-xx-xx-xx-xx' does NOT match server name!?

And finally, var/log/httpd/domain.com-https-error_log looks like this:

[Tue Jun 09 16:53:13 2015] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] (/etc/httpd/conf/httpd.conf:1026)

On line 1026 of httpd.conf is <VirtualHost _default_:8043>. I've uploaded the self-signed OpenSSL certificate I created on my local computer using the aws cli, and I attached it to the Load Balancer for HTTPS traffic.

The CNAME record for the domain points to the ELB DNS Name as well. Not sure what I missed.

tedder42: it says [FAILED] on the command line, but there should be info in the error log.

bobsoap: @tedder42 thanks for the hint. I updated the question to add the logs. It looks like a problem with the self-signed certificate I created with OpenSSL on my local computer... Could that be the cause for Apache failing to start? It's "only" a [warn] so I didn't consider it for this issue, but was planning to look into it later.

bobsoap: @tedder42 I updated the question again with a log I neglected to check before.

1 Answer

1 vote

Great. The error messages helped. You're missing two lines:

SSLCertificateFile /directory/to/file.crt
SSLCertificateKeyFile /directory/to/file.key

Here's a howto on configuring SSL on Apache.
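As an added example (not part of the question or answer), a small config check that reproduces the startup test Apache applied here: every VirtualHost with SSLEngine On must carry both SSLCertificateFile and SSLCertificateKeyFile, otherwise httpd refuses to start. The config text and the certificate paths in it are constructed placeholders, not the asker's real files.

```python
import re

# Constructed sample: the asker's 8443 vhost (SSLEngine On, no certificate
# directives) followed by an equivalent vhost that carries the two lines the
# answer adds. Paths are placeholders.
SAMPLE_CONF = """\
NameVirtualHost *:80
<VirtualHost *:80>
    ServerName domain.com
    DocumentRoot /var/www/domain.com
</VirtualHost>

<VirtualHost _default_:8443>
    ServerName domain.com
    SSLEngine On
    RequestHeader set X_FORWARDED_PROTO 'https'
</VirtualHost>

<VirtualHost _default_:8444>
    ServerName domain.com
    SSLEngine On
    SSLCertificateFile /etc/pki/tls/certs/domain.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/domain.com.key
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
REQUIRED = ("SSLCertificateFile", "SSLCertificateKeyFile")


def parse_vhosts(conf):
    """Return [(address, {directive_lower: value}), ...] for each <VirtualHost>.
    Directive names are compared case-insensitively, as Apache does; full-line
    comments are skipped."""
    vhosts = []
    for m in VHOST_RE.finditer(conf):
        directives = {}
        for line in m.group(2).splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)
            directives[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
        vhosts.append((m.group(1).strip(), directives))
    return vhosts


def missing_ssl_directives(conf):
    """Map each SSL-enabled vhost address to the certificate directives it lacks.
    An empty dict means Apache's 'SSL-aware but has no certificate' check passes."""
    problems = {}
    for addr, d in parse_vhosts(conf):
        if d.get("sslengine", "").lower() != "on":
            continue
        missing = [r for r in REQUIRED if r.lower() not in d]
        if missing:
            problems[addr] = missing
    return problems
```

Passing this check only gets httpd to start; the [warn] lines in ssl_error_log above still mean the certificate should be reissued as a server certificate (CA:FALSE) whose name matches ServerName.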