Having trouble getting SSL working on Amazon Lightsail using Let's Encrypt (certbot --apache)
- Lightsail image: CentOS 7
- Added Apache 2
Note: example.com and subdomain.example.com are not my domains; I'm anonymizing them.
These are the troubleshooting steps I've taken.
I'm able to confirm 443 is open using netcat, and that Apache is listening using:
lsof -i -P -n | grep LISTEN
Running this command from another system:
echo | openssl s_client -showcerts -servername example.com -connect gnupg.org:443 2>/dev/null | openssl x509 -inform pem -noout -text
shows a Let's Encrypt certificate (I don't know how to validate it).
Chrome shows 'This site can’t provide a secure connection. example.com sent an invalid response. ERR_SSL_PROTOCOL_ERROR'.
This testing tool https://www.ssllabs.com/ssltest/analyze.html gives the result 'Assessment failed: No secure protocols supported'.
These are the instructions I've followed to install certbot: https://certbot.eff.org/lets-encrypt/centosrhel7-apache
My SSL configuration:
<IfModule mod_ssl.c>
    SSLSessionCache shmcb:/run/httpd/sslcache(512000)
    SSLSessionCacheTimeout 300
    SSLRandomSeed startup file:/dev/urandom 256
    SSLRandomSeed connect builtin
    SSLCryptoDevice builtin
    <VirtualHost example.com:443>
        # This first-listed virtual host is also the default for *:80
        SSLEngine on
        SSLProtocol all -SSLv2 -SSLv3
        SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA
        ServerName example.com
        ServerAlias example.com
        DocumentRoot "/var/www/html/com.example"
        SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
    </VirtualHost>
</IfModule>
<IfModule mod_ssl.c>
    <VirtualHost subdomain.example.com:443>
        SSLEngine on
        SSLProtocol all -SSLv2 -SSLv3
        SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA
        ServerName subdomain.example.com
        ServerAlias subdomain.example.com
        DocumentRoot "/var/www/html/com.example.subdomain/"
        SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
    </VirtualHost>
</IfModule>
# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: example.com
Serial Number:XXXXXXXXXXXXXXXXXXXXXXXX
Key Type: RSA
Domains: example.com subdomain.example.com
Expiry Date: 2021-04-16 18:02:53+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Loaded Apache modules:
core mod_so http_core mod_access_compat mod_actions mod_alias mod_allowmethods mod_auth_basic mod_auth_digest mod_authn_anon mod_authn_core mod_authn_dbd mod_authn_dbm mod_authn_file mod_authn_socache mod_authz_core mod_authz_dbd mod_authz_dbm mod_authz_groupfile mod_authz_host mod_authz_owner mod_authz_user mod_autoindex mod_cache mod_cache_disk mod_data mod_dbd mod_deflate mod_dir mod_dumpio mod_echo mod_env mod_expires mod_ext_filter mod_filter mod_headers mod_include mod_info mod_log_config mod_logio mod_mime_magic mod_mime mod_negotiation mod_remoteip mod_reqtimeout mod_rewrite mod_setenvif mod_slotmem_plain mod_slotmem_shm mod_socache_dbm mod_socache_memcache mod_socache_shmcb mod_status mod_substitute mod_suexec mod_unique_id mod_unixd mod_userdir mod_version mod_vhost_alias mod_dav mod_dav_fs mod_dav_lock mod_lua prefork mod_proxy mod_lbmethod_bybusyness mod_lbmethod_byrequests mod_lbmethod_bytraffic mod_lbmethod_heartbeat mod_proxy_ajp mod_proxy_balancer mod_proxy_connect mod_proxy_express mod_proxy_fcgi mod_proxy_fdpass mod_proxy_ftp mod_proxy_http mod_proxy_scgi mod_proxy_wstunnel mod_ssl mod_systemd mod_cgi mod_php5
A few things resolved this question.
- Make sure there's a virtual host entry that will resolve www.yourdomain.com; certbot requires this.
- Only put one virtual host per configuration file; certbot has trouble adding config when there is more than one entry per file.
- In my case the main domain and subdomain resolved to different IP addresses and servers (testing and development/production). certbot can't automate this: either configure Apache manually, or set the DNS for both to the same server, run certbot, then copy the config and certificates to the other server and change DNS again.
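As an added example (not code from the question or the answer), a small POSIX shell script that checks a vhost file for the first two points above, and a probe that fetches the certificate from the host itself; the sample config, the function names and the use of awk, grep, mktemp and openssl are my assumptions.

```shell
# Added example, not from the original question or answer. Static checks
# for the two certbot pitfalls in the answer, plus a TLS probe of the host
# itself. Assumes POSIX sh, awk, grep, mktemp and openssl.

# Count <VirtualHost> openings; certbot --apache copes best with one per file.
count_vhosts() {
    grep -ci '^[[:space:]]*<VirtualHost' "$1" || true
}

# Succeed when a ServerName/ServerAlias names www.<domain> (certbot needs it).
covers_www() {
    awk -v want="www.$2" '
        tolower($1) == "servername" || tolower($1) == "serveralias" {
            for (i = 2; i <= NF; i++) if (tolower($i) == tolower(want)) found = 1
        }
        END { if (found) exit 0; exit 1 }' "$1"
}
check_vhost_file() {
    n=$(count_vhosts "$1")
    [ "$n" -gt 1 ] && echo "WARN: $1 holds $n VirtualHost blocks; certbot prefers one per file"
    if covers_www "$1" "$2"; then
        echo "OK: a vhost in $1 answers for www.$2"
    else
        echo "WARN: no ServerName/ServerAlias for www.$2 in $1"
    fi
}
# Fetch the host's own certificate with matching SNI; needs network, not called here.
probe_tls() {
    echo | openssl s_client -servername "$1" -connect "$1:443" 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates
}
# Constructed sample mirroring the question: two vhosts in one file and
# ServerAlias merely repeating ServerName, so no www name anywhere.
make_sample_conf() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
<VirtualHost example.com:443>
    ServerName example.com
    ServerAlias example.com
</VirtualHost>
<VirtualHost subdomain.example.com:443>
    ServerName subdomain.example.com
</VirtualHost>
EOF
    printf '%s\n' "$f"
}

check_vhost_file "$(make_sample_conf)" example.com
```

When probing, point both -servername and -connect at the Lightsail host; the s_client line in the question connects to gnupg.org:443, so the certificate it prints belongs to that host rather than to the instance being debugged.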