Nginx – Installing SSL certs with nginx on Amazon EC2

Tags: amazon-ec2, nginx, ssl, ssl-certificate

I finally got a cert from an authority and am struggling to get things working. I've created the appropriate combined certificate (personal + intermediate + root) and nginx is pointing to it. I got an elastic IP and connected it to my EC2 instance. My DNS records point to that IP. But when I point the browser to the hostname, I get the standard "Connection Untrusted" bit, with ssl_error_bad_cert_domain. Port 443 is open – I can get to the site over https if I ignore the warning. Weird thing is, under technical details, it lists the domain I tried to access as valid!

When I try and diagnose with ssl testing sites, they don't even detect a certificate!

What am I missing here?

The domain is yanlj.coinculture.info. Note I've got coinculture.info running on a home server without a dedicated IP and have the same problem, but I'll be moving that to the same EC2 instance as soon as I figure this thing out. I thought the elastic IP would solve things, but it hasn't.

Nginx config:

server {
  listen 443;
  server_name localhost;

  ssl                  on;
  ssl_certificate      /home/ubuntu/certs/startssl/ssl-unified.crt;
  ssl_certificate_key  /home/ubuntu/certs/startssl/ssl.key;

  keepalive_timeout    70;

  #ssl_session_timeout  5m;

  ssl_protocols  SSLv2 SSLv3 TLSv1;
  #ssl_ciphers  HIGH:!aNULL:!MD5;
  #ssl_prefer_server_ciphers   on;

  root /home/ubuntu/programming/YanlJ;
  index index.php index.html;

  location / {
    #try_files $uri $uri/ /index.php;  # this line was causing the index.php file to be loaded twice...
  }

  location ~ \.php$ {
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini

    # With php5-cgi alone:
    #fastcgi_pass 127.0.0.1:9000;
    # With php5-fpm:
    fastcgi_pass unix:/var/run/php5-fpm.sock;
    fastcgi_index index.php;
    include fastcgi.conf;
  }

  try_files $uri $uri.php $uri.html =404;
}

and the results of curl -kv https://ELASTIC_IP:

* Rebuilt URL to: https://54.186.114.3/
* Hostname was NOT found in DNS cache
* Trying 54.186.114.3...
* Connected to 54.186.114.3 (54.186.114.3) port 443 (#0)
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using TLSv1.0 / DHE-RSA-AES256-SHA
* Server certificate:
* subject: C=CA; ST=Ontario; L=Guelph; O=Ethan Buchman; CN=blog.coinculture.info; emailAddress=webmaster@coinculture.info
* start date: 2014-05-29 15:10:52 GMT
* expire date: 2016-05-29 10:44:27 GMT
* issuer: C=IL; O=StartCom Ltd.; OU=Secure Digital Certificate Signing; CN=StartCom Class 2 Primary Intermediate Server CA
* SSL certificate verify ok.
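Added example, not part of the original question or answer: the name-matching rules a browser applies before raising ssl_error_bad_cert_domain (RFC 6125 / RFC 2818: SANs take precedence over the CN, a wildcard only covers the whole left-most label). The first certificate dict is constructed from the subject line in the curl output above (no SAN is shown there, so none is assumed); the wildcard variant is hypothetical.

```python
from typing import Dict, List, Tuple


def cert_dns_names(cert: Dict) -> List[str]:
    """Names a client is allowed to match the requested hostname against.

    Input shape follows ssl.SSLSocket.getpeercert(): 'subjectAltName' is a
    tuple of (type, value) pairs and 'subject' a tuple of RDN tuples.
    If any DNS SAN is present the CN is ignored (RFC 6125 section 6.4.4).
    """
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def _name_match(pattern: str, hostname: str) -> bool:
    """Match one certificate name against the hostname, case-insensitively.

    A wildcard is honoured only as the entire left-most label, must be
    followed by at least two labels, and never matches across a dot.
    """
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(hostname: str, cert: Dict) -> Tuple[bool, List[str]]:
    """Return (matched, names_checked) so a caller can report the mismatch."""
    names = cert_dns_names(cert)
    return any(_name_match(n, hostname) for n in names), names


# Constructed from the curl output in the question: subject CN only, no SAN.
CERT_FROM_QUESTION = {
    "subject": ((("countryName", "CA"),), (("commonName", "blog.coinculture.info"),)),
}
# Constructed, hypothetical: the same site with a wildcard SAN added.
CERT_WITH_WILDCARD_SAN = {
    "subject": ((("commonName", "blog.coinculture.info"),),),
    "subjectAltName": (("DNS", "blog.coinculture.info"), ("DNS", "*.coinculture.info")),
}

if __name__ == "__main__":
    for host in ("yanlj.coinculture.info", "blog.coinculture.info", "coinculture.info"):
        ok, names = hostname_matches(host, CERT_FROM_QUESTION)
        print(f"{host}: {'ok' if ok else 'bad_cert_domain'} (cert names: {names})")
```

Run against the constructed certificate, yanlj.coinculture.info does not match the CN blog.coinculture.info, which is the mismatch the browser reports regardless of which IP the name resolves to.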

Best Answer

I see that coinculture.info has five authoritative DNS servers. Three of them refuse to resolve yanlj.coinculture.info, and the other two give me the IP address 184.168.221.12. That does not look like an EC2 IP address. That IP address is registered to GoDaddy, and it appears there is a broken firewall in front of that address. I get a timeout when trying to connect to port 443 on it.

  • Name Server: NS1.WORDPRESS.COM
  • Name Server: NS2.WORDPRESS.COM
  • Name Server: NS3.WORDPRESS.COM
  • Name Server: NS15.DOMAINCONTROL.COM
  • Name Server: NS16.DOMAINCONTROL.COM