0
votes

I'm trying to configure SSL certificates on an AWS EC2 instance. I followed these steps:

  1. Created instance on ec2 with ubuntu OS.
  2. Issued a certificate through Certificate Manager for my domains, e.g. *.domains.com and domains.com
  3. Created a Classic Load Balancer pointing to this certificate and the EC2 instance.
  4. Configured an A record in Route 53 as an alias to the load balancer
  5. Configured my virtual host on apache2

$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache-selfsigned.key -out /etc/apache2/ssl/apache-selfsigned.crt

I obtained self-signed certificates with all the necessary details that were asked for.

And configured my virtual host something like this:

<VirtualHost *:443>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com

        ServerAdmin [email protected]
        ServerName ssltest.domains.com
        ServerAlias ssltest.domains.com
        DocumentRoot /var/www/html/****/public
        ErrorLog /var/www/html/****/error.log
        CustomLog /var/www/html/****/access.log combined

        SSLEngine on

        SSLCertificateFile /etc/apache2/ssl/apache-selfsigned.crt
        SSLCertificateKeyFile /etc/apache2/ssl/apache-selfsigned.key

        <Directory /var/www/html/****/public>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride all
                Order allow,deny
                Allow from all
                Require all granted
        </Directory>

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
</VirtualHost>


<VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com

        ServerAdmin [email protected]
        ServerName ssltest.domains.com
        ServerAlias ssltest.domains.com
        DocumentRoot /var/www/html/****/public
        ErrorLog /var/www/html/****/error.log
        CustomLog /var/www/html/****/access.log combined

        <Directory /var/www/html/****/public>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride all
                Order allow,deny
                Allow from all
                Require all granted
        </Directory>

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
</VirtualHost>

When I access my domain it is not using the Amazon-issued certificates. How can I point to the certificates? I've gone through almost all the resources available on the Internet. My default-ssl.conf is enabled and mod_ssl is also enabled. Help me out with this.

1
Can you give us the actual domain, so we can take a look? - ceejayoz
@ceejayoz ssltest.biltrax.com - Nitish Kumar
I don't think you've correctly pointed it at the load balancer. dig ssltest.biltrax.com returns a single IP address (13.232.245.240); AWS classic load balancers usually have several. - ceejayoz
That 13.232.245.240 appears to be the IP of your EC2 instance, too: ec2-13-232-245-240.ap-south-1.compute.amazonaws.com. You've got a DNS problem, not an SSL one. - ceejayoz
@ceejayoz can you check this image: i.stack.imgur.com/NO78Z.png is the issue over here? - Nitish Kumar

1 Answer

1
votes

Configured A record in Route 53 to alias of load balancer

OK, here's where I think you messed up. dig ns biltrax.com gives me the following nameservers for your domain:

  • ns34.domaincontrol.com
  • ns33.domaincontrol.com

I believe these are GoDaddy's. Whatever they are, they're not Route53's nameservers. As such, the records you have in Route53 have no effect - they're ignored, as your domain's DNS is handled by a different service entirely.

If you want Route53 to be responsible for the domain, you'll have to point the domain at the Route53 nameservers at your registrar.
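A check for the two mismatches the comments and the answer describe (nameservers that are not Route 53's, and a name that resolves to the instance instead of the load balancer), as an added example that is not part of the thread. It assumes the output of `dig ns <domain> +short` and `dig <domain> +short` has been captured; the GoDaddy nameservers and the instance address are the ones mentioned above, while the Route 53 and load-balancer names in the "fixed" sample are made up.

```python
import re

# Route 53 delegation sets look like ns-123.awsdns-45.com/net/org/co.uk; classic
# ELB names end in .elb.amazonaws.com; EC2 public DNS names embed the public IPv4.
ROUTE53_NS = re.compile(r"^ns-\d+\.awsdns-\d+\.(com|net|org|co\.uk)$")
ELB_HOST = re.compile(r"\.elb\.amazonaws\.com$")
EC2_NAME = re.compile(r"^ec2-(\d+)-(\d+)-(\d+)-(\d+)\.[\w.-]+\.compute\.amazonaws\.com$")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed `dig +short` output reproducing the situation in the thread.
BROKEN_NS = "ns34.domaincontrol.com.\nns33.domaincontrol.com.\n"
BROKEN_A = "13.232.245.240\n"
INSTANCE_DNS = "ec2-13-232-245-240.ap-south-1.compute.amazonaws.com"
# Constructed output for a correctly delegated zone (these names are made up).
FIXED_NS = "ns-123.awsdns-45.com.\nns-678.awsdns-90.net.\n"
FIXED_A = "ssltest-lb-1234567890.ap-south-1.elb.amazonaws.com.\n13.232.1.1\n13.232.2.2\n"

def parse_dig_short(output):
    """One lowercase name or address per line, trailing dot removed."""
    return [l.strip().lower().rstrip(".") for l in output.splitlines() if l.strip()]

def delegated_to_route53(ns_output):
    """True only if every authoritative NS is Route 53's; otherwise the hosted zone is never consulted."""
    servers = parse_dig_short(ns_output)
    return bool(servers) and all(ROUTE53_NS.match(s) for s in servers)

def a_record_target(a_output, instance_dns=None):
    """'load_balancer' (ELB name or several addresses), 'instance', 'single_ip' or 'no_answer'."""
    answers = parse_dig_short(a_output)
    if any(ELB_HOST.search(a) for a in answers):
        return "load_balancer"
    ips = [a for a in answers if IPV4.match(a)]
    if len(ips) >= 2:
        return "load_balancer"
    if len(ips) == 1 and instance_dns:
        m = EC2_NAME.match(instance_dns.strip().lower().rstrip("."))
        if m and ".".join(m.groups()) == ips[0]:
            return "instance"  # the single address is the EC2 instance's own
    return "single_ip" if ips else "no_answer"

def diagnose(ns_output, a_output, instance_dns=None):
    """List of problems; empty means clients will actually see the ACM certificate on the ELB."""
    findings = []
    if not delegated_to_route53(ns_output):
        findings.append("nameservers are not Route 53's: the Route 53 alias record is ignored")
    target = a_record_target(a_output, instance_dns)
    if target != "load_balancer":
        findings.append("name resolves to %s, not the load balancer; ACM cert never served" % target)
    return findings
```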