Having trouble getting SSL working on Amazon Lightsail using Let's Encrypt (certbot --apache)
- Lightsail image Centos7
- Added Apache2
note: (example.com, subdomain.example.com are not my domains, I'm anonymizing them)
These are the troubleshooting steps I've taken.
I'm able to confirm 443 is open using netcat, and that Apache is listening using:
lsof -i -P -n | grep LISTEN
Running this command from another system:
echo | openssl s_client -showcerts -servername example.com -connect gnupg.org:443 2>/dev/null | openssl x509 -inform pem -noout -text
shows a Let's Encrypt certificate (I don't know how to validate it).
Chrome shows 'This site can’t provide a secure connection. example.com sent an invalid response. ERR_SSL_PROTOCOL_ERROR'.
This testing tool https://www.ssllabs.com/ssltest/analyze.html gives the result 'Assessment failed: No secure protocols supported'.
These are the instructions I've followed to install certbot: https://certbot.eff.org/lets-encrypt/centosrhel7-apache
My SSL configuration:
<IfModule mod_ssl.c>
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
<VirtualHost example.com:443>
# This first-listed virtual host is also the default for *:80
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA
ServerName example.com
ServerAlias example.com
DocumentRoot "/var/www/html/com.example"
SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
</VirtualHost>
</IfModule>
<IfModule mod_ssl.c>
<VirtualHost subdomain.example.com:443>
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA
ServerName subdomain.example.com
ServerAlias subdomain.example.com
DocumentRoot "/var/www/html/com.example.subdomain/"
SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
</VirtualHost>
</IfModule>
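The following is an added example and not part of the original question or of certbot's tooling: a small static checker for the kind of mod_ssl virtual host fragment posted above. It parses the `<VirtualHost ...:443>` blocks and reports the conditions that commonly leave port 443 answering in plaintext or never matching the intended vhost (no `Listen 443` in the fragment, a vhost bound to a hostname instead of `*:443`, `SSLEngine` not `on`, SSLv3 left enabled, missing certificate or key, and the deprecated `SSLCertificateChainFile`). The directive names are real Apache/mod_ssl ones; the sample configurations embedded below are constructed to mirror the posted one and a corrected variant. The checker only sees the text it is given, so a `Listen` that lives in another included file (for example `ssl.conf`) will not be seen, and that finding should be read as "confirm it exists elsewhere".

```python
"""Static checks for an Apache mod_ssl virtual host fragment (added example)."""
import re

# Constructed sample mirroring the posted configuration (hostnames anonymised).
SAMPLE_CONFIG = """
<IfModule mod_ssl.c>
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
<VirtualHost example.com:443>
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
ServerName example.com
SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
</VirtualHost>
</IfModule>
"""

# Constructed corrected variant: explicit Listen, wildcard bind, fullchain.pem.
FIXED_CONFIG = """
Listen 443
<VirtualHost *:443>
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
ServerName example.com
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


def parse_vhosts(text):
    """Return a list of (address_spec, {directive_lower: [values]}) tuples."""
    vhosts = []
    for m in VHOST_RE.finditer(text):
        directives = {}
        for line in m.group(2).splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)
            value = parts[1].strip() if len(parts) > 1 else ""
            directives.setdefault(parts[0].lower(), []).append(value)
        vhosts.append((m.group(1).strip(), directives))
    return vhosts


def listen_ports(text):
    """Ports bound by Listen directives that appear in this text."""
    ports = set()
    for m in re.finditer(r"^\s*Listen\s+(\S+)", text, re.M | re.I):
        ports.add(m.group(1).rsplit(":", 1)[-1].strip("[]"))
    return ports


def lint_ssl_vhosts(text):
    """Return human-readable findings for every vhost bound to port 443."""
    findings = []
    ports = listen_ports(text)
    for addr, d in parse_vhosts(text):
        host, _, port = addr.rpartition(":")
        if port != "443":
            continue
        if "443" not in ports:
            findings.append(f"{addr}: no 'Listen 443' in this fragment; confirm another "
                            "included file provides it, or Apache never binds 443")
        if host not in ("*", "_default_"):
            findings.append(f"{addr}: bound to hostname '{host}'; prefer *:443 plus "
                            "ServerName so the vhost matches on every interface")
        if d.get("sslengine", [""])[0].lower() != "on":
            findings.append(f"{addr}: SSLEngine is not 'on'; port 443 would answer in plaintext")
        proto = " ".join(d.get("sslprotocol", [])).lower().split()
        if "all" in proto and "-sslv3" not in proto:
            findings.append(f"{addr}: SSLProtocol leaves SSLv3 enabled")
        for key in ("sslcertificatefile", "sslcertificatekeyfile"):
            if key not in d:
                findings.append(f"{addr}: missing {key}")
        if "sslcertificatechainfile" in d:
            findings.append(f"{addr}: SSLCertificateChainFile is deprecated since Apache "
                            "2.4.8; point SSLCertificateFile at fullchain.pem instead")
    return findings


if __name__ == "__main__":
    for name, cfg in (("posted", SAMPLE_CONFIG), ("corrected", FIXED_CONFIG)):
        print(f"== {name} ==")
        for f in lint_ssl_vhosts(cfg) or ["no findings"]:
            print(" -", f)
```

Run it against a real file with `lint_ssl_vhosts(open(path).read())`; the posted fragment yields three findings (no `Listen 443` in the fragment, hostname-bound vhost, deprecated chain directive), and the corrected variant yields none.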
#certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: example.com
Serial Number:XXXXXXXXXXXXXXXXXXXXXXXX
Key Type: RSA
Domains: example.com subdomain.example.com
Expiry Date: 2021-04-16 18:02:53+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Loaded Apache modules:
core mod_so http_core mod_access_compat mod_actions mod_alias mod_allowmethods mod_auth_basic mod_auth_digest mod_authn_anon mod_authn_core mod_authn_dbd mod_authn_dbm mod_authn_file mod_authn_socache mod_authz_core mod_authz_dbd mod_authz_dbm mod_authz_groupfile mod_authz_host mod_authz_owner mod_authz_user mod_autoindex mod_cache mod_cache_disk mod_data mod_dbd mod_deflate mod_dir mod_dumpio mod_echo mod_env mod_expires mod_ext_filter mod_filter mod_headers mod_include mod_info mod_log_config mod_logio mod_mime_magic mod_mime mod_negotiation mod_remoteip mod_reqtimeout mod_rewrite mod_setenvif mod_slotmem_plain mod_slotmem_shm mod_socache_dbm mod_socache_memcache mod_socache_shmcb mod_status mod_substitute mod_suexec mod_unique_id mod_unixd mod_userdir mod_version mod_vhost_alias mod_dav mod_dav_fs mod_dav_lock mod_lua prefork mod_proxy mod_lbmethod_bybusyness mod_lbmethod_byrequests mod_lbmethod_bytraffic mod_lbmethod_heartbeat mod_proxy_ajp mod_proxy_balancer mod_proxy_connect mod_proxy_express mod_proxy_fcgi mod_proxy_fdpass mod_proxy_ftp mod_proxy_http mod_proxy_scgi mod_proxy_wstunnel mod_ssl mod_systemd mod_cgi mod_php5