
I'm trying to set up my SSL certificate for my site. However, my site responds with "This site can't be reached" in Chrome.

In the certificate manager, it shows my cert's associated resource is my ELB. The ELB is set up for HTTPS, port 443. Its target group is HTTP, port 80. The site works properly when browsing http/80. I was thinking my setup would mean a user hits the HTTPS ELB, and the ELB would then use port 80 to serve my site.

httpstat https://www.ereverse.com outputs:

> curl -w <output-format> -D <tempfile> -o <tempfile> -s -S ereverse.com curl error: curl: (7) Failed to connect to www.ereverse.com port 443: Connection refused

I should also note my app is running via docker, where it's doing a run with -p 80:5000 and the Dockerfile has EXPOSE 80 443.

Castaglia
    Define "did not work"? What happens? – ceejayoz Dec 19 '16 at 19:40
  • Did you install your SSL certificate to EC2 instance or ELB? – Sergey Kovalev Dec 19 '16 at 19:42
  • It says 'the site can't be reached' when I put https – Matt Gershowitz Dec 19 '16 at 19:42
  • I attached it to the ELB and then targeted the EC2 from the ELB – Matt Gershowitz Dec 19 '16 at 19:43
  • There are a multitude of things you could've configured incorrectly. You haven't given enough information to work it out, and in practice you can't give us all that information. Security group, NACL, some kind of external or on-instance firewall, ELB, application server, docker, etc, etc. You're going to have to work through everything yourself from first principles, basic problem solving. – Tim Dec 19 '16 at 22:32

1 Answer

Based on this error, assuming your ELB has a listener on port 443...

Connection refused

...the most obvious explanation is that your DNS isn't actually pointing to the ELB. Use dig or nslookup to verify.

ELBs configured with listeners don't refuse connections. Security Groups and Network ACLs also do not refuse connections -- if misconfigured, the result you'd get would be Connection timed out, because they deny traffic by discard -- not by forcibly closing connection attempts, which is what Connection refused means: the connection made it all the way to the server at the other end, which actively returned a message that (in effect) said, "I have no idea why you think I would want to talk on port 443. Nothing listens on that port, here."

Easy check: connect directly to the ELB hostname shown in the AWS console using HTTPS. You should see a certificate warning, because the certificate doesn't match. If this happens, the ELB is up and listening, and it suggests the DNS entry is pointing directly to your instance, not the balancer.

Michael - sqlbot
  • Yep, exactly this, the DNS was pointing to the EC2 static IP and not the ELB. I actually ended up doing exactly your suggestion of checking the ELB host name and saw the certificate was there but not verified because the domain name didn't match. All good now :) thanks! – Matt Gershowitz Dec 20 '16 at 03:57