I finally got a cert from an authority and am struggling to get things working. I've created the appropriate combined certificate (personal + intermediate + root) and nginx is pointing to it. I got an elastic IP and connected it to my EC2 instance. My DNS records point to that IP. But when I point the browser to the hostname, I get the standard "Connection Untrusted" bit, with ssl_error_bad_cert_domain. Port 443 is open – I can get to the site over https if I ignore the warning. Weird thing is, under technical details, it lists the domain I tried to access as valid!
When I try to diagnose with SSL testing sites, they don't even detect a certificate!
What am I missing here?
The domain is yanlj.coinculture.info. Note that I've got coinculture.info running on a home server without a dedicated IP and have the same problem, but I'll be moving that to the same EC2 instance as soon as I figure this thing out. I thought the elastic IP would solve things, but it hasn't.
Nginx config:
server {
    listen 443 ssl;                       # "listen ... ssl" replaces the deprecated "ssl on;"
    server_name yanlj.coinculture.info;   # was "localhost"; should match the host clients request
    ssl_certificate     /home/ubuntu/certs/startssl/ssl-unified.crt;
    ssl_certificate_key /home/ubuntu/certs/startssl/ssl.key;
    keepalive_timeout 70;
    #ssl_session_timeout 5m;
    # SSLv2 and SSLv3 are broken and TLSv1.0 is deprecated; offer TLSv1.2 only
    # (add TLSv1.3 if your nginx/OpenSSL build supports it).
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    root /home/ubuntu/programming/YanlJ;
    index index.php index.html;
    location / {
        #try_files $uri $uri/ /index.php; # this line was causing the index.php file to be loaded twice...
    }
    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
        # With php5-cgi alone:
        #fastcgi_pass 127.0.0.1:9000;
        # With php5-fpm:
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi.conf;
    }
    try_files $uri $uri.php $uri.html =404;
}
And the results of curl -kv https://ELASTIC_IP:
* Rebuilt URL to: https://54.186.114.3/
* Hostname was NOT found in DNS cache
* Trying 54.186.114.3...
* Connected to 54.186.114.3 (54.186.114.3) port 443 (#0)
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using TLSv1.0 / DHE-RSA-AES256-SHA
* Server certificate:
* subject: C=CA; ST=Ontario; L=Guelph; O=Ethan Buchman; CN=blog.coinculture.info; emailAddress=webmaster@coinculture.info
* start date: 2014-05-29 15:10:52 GMT
* expire date: 2016-05-29 10:44:27 GMT
* issuer: C=IL; O=StartCom Ltd.; OU=Secure Digital Certificate Signing; CN=StartCom Class 2 Primary Intermediate Server CA
* SSL certificate verify ok.
Best Answer
I see that coinculture.info has five authoritative DNS servers. Three of them refuse to resolve yanlj.coinculture.info, and the other two give me the IP address 184.168.221.12. That does not look like an EC2 IP address. That IP address is registered to GoDaddy, and it appears there is a broken firewall in front of that address. I get a timeout when trying to connect to port 443 on it.
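The answer above does two things by hand: it asks each authoritative name server for the zone separately (so a split or stale answer is visible), and it tries the resulting IP on port 443. The browser's ssl_error_bad_cert_domain is a third, separate check: whether the host name requested appears as the certificate's subject CN or as a SAN dNSName. The curl output in the question shows only the subject (CN=blog.coinculture.info); curl's summary does not print the SAN list, so it cannot tell you whether yanlj.coinculture.info is covered. The script below, added here as an illustration and not part of the question or the answer, automates all three checks. It assumes bash, dig and openssl are installed; the host and zone names are passed as arguments and the hostname-matching rule follows RFC 6125 (a wildcard covers exactly one leading label).

```bash
#!/usr/bin/env bash
# Added diagnostic script, not from the original question or answer.
# Assumes bash, dig (dnsutils / bind-utils) and openssl are installed.
# Usage: ./check-tls-host.sh HOST ZONE
#   e.g. ./check-tls-host.sh yanlj.coinculture.info coinculture.info
set -e

# Does one certificate name (subject CN or SAN dNSName) cover HOST?
# Exact match, or a wildcard that stands for exactly one leading label (RFC 6125).
name_matches_host() {
    local name host suffix rest
    name=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    host=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    [ "$name" = "$host" ] && return 0
    case "$name" in
        '*.'*)
            suffix=${name#\*.}   # part after "*."
            rest=${host#*.}      # host with its first label removed
            [ "$rest" != "$host" ] && [ "$rest" = "$suffix" ] && return 0
            ;;
    esac
    return 1
}

# Does any of the certificate's names (remaining args) cover HOST (first arg)?
cert_covers_host() {
    local host=$1 n
    shift
    for n in "$@"; do
        name_matches_host "$n" "$host" && return 0
    done
    return 1
}

# Ask each authoritative server for ZONE directly, so a split answer
# (some servers refusing, others returning a stale IP) shows up at once.
check_dns() {
    local host=$1 zone=$2 ns answer
    for ns in $(dig +short NS "$zone"); do
        answer=$( { dig +short +time=3 +tries=1 @"$ns" A "$host" 2>/dev/null || true; } | tr '\n' ' ')
        printf '%-35s %s\n' "$ns" "${answer:-(no answer or REFUSED)}"
    done
}

# Names in the certificate that IP presents when SNI is HOST:
# subject CN on the first line, then each SAN dNSName.
cert_names_at() {
    local host=$1 ip=$2 pem
    pem=$(openssl s_client -connect "$ip:443" -servername "$host" </dev/null 2>/dev/null \
          | openssl x509 2>/dev/null) || { echo "no certificate from $ip" >&2; return 1; }
    printf '%s\n' "$pem" | openssl x509 -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
    printf '%s\n' "$pem" | openssl x509 -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

main() {
    local host=$1 zone=$2 ip n names
    echo "== Authoritative answers for $host =="
    check_dns "$host" "$zone"
    echo "== Certificate presented for $host =="
    for ip in $(dig +short A "$host"); do
        names=()
        while IFS= read -r n; do [ -n "$n" ] && names+=("$n"); done <<< "$(cert_names_at "$host" "$ip")"
        printf '%s: %s\n' "$ip" "${names[*]}"
        if cert_covers_host "$host" "${names[@]}"; then
            echo "   OK: certificate covers $host"
        else
            echo "   MISMATCH: a browser will report ssl_error_bad_cert_domain"
        fi
    done
}

# Run the network checks only when HOST and ZONE are given.
if [ $# -eq 2 ]; then main "$1" "$2"; fi
```

Run it as ./check-tls-host.sh yanlj.coinculture.info coinculture.info. The first section reproduces the per-server comparison from the answer; an authoritative server that refuses the name prints "(no answer or REFUSED)". The second section connects with SNI set to the host name, which matters once several names share one IP, and prints every name the certificate actually carries, so a CN/SAN mismatch is visible without trusting a browser's summary.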