
I have a website hosted on AWS [EC2 instance + nginx server]. I have generated an SSL certificate using AWS Certificate Manager. The certificate has been added to the load balancer, with an entry for HTTPS in it. Port 443 is also opened in the security group.

When I access the site with "https://..", it does not load and throws the message "Connection refused..".

When I try to connect/telnet to port 443, it says "unable to connect to remote host".

nginx.conf file:

user www-data;
worker_processes 4;
pid /run/nginx.pid;

events {
    worker_connections 768;
    # multi_accept on;
}

http {

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    gzip on;
    gzip_disable "msie6";

    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # nginx-naxsi config
    ##
    # Uncomment it if you installed nginx-naxsi
    ##

    #include /etc/nginx/naxsi_core.rules;

    ##
    # nginx-passenger config
    ##
    # Uncomment it if you installed nginx-passenger
    ##

    #passenger_root /usr;
    #passenger_ruby /usr/bin/ruby;

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}


#mail {
#   # See sample authentication script at:
#   # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
# 
#   # auth_http localhost/auth.php;
#   # pop3_capabilities "TOP" "USER";
#   # imap_capabilities "IMAP4rev1" "UIDPLUS";
# 
#   server {
#       listen     localhost:110;
#       protocol   pop3;
#       proxy      on;
#   }
# 
#   server {
#       listen     localhost:143;
#       protocol   imap;
#       proxy      on;
#   }
#}

And there is one more "default" file in the "sites-enabled" folder which is included in nginx.conf. It is as follows:

server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;

    root /usr/share/nginx/html;
    index index.html index.htm;

    # Make site accessible from http://localhost/
    server_name localhost;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
        # Uncomment to enable naxsi on this location
        # include /etc/nginx/naxsi.rules
    }
}

server {
    # "listen 443 ssl" replaces the deprecated "ssl on;" directive
    listen 443 ssl;
    server_name localhost;

    root /usr/share/nginx/www;
    index index.html index.htm;

    # Relative paths are resolved against the nginx prefix directory
    # (e.g. /etc/nginx). Both files must exist and be readable by nginx,
    # otherwise "nginx -t" fails and nothing binds port 443.
    ssl_certificate ./ssl/server.crt;
    ssl_certificate_key ./ssl/server.key;

    ssl_session_timeout 5m;

    # SSLv3 dropped: it is broken (POODLE) and rejected by modern clients
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # One OpenSSL cipher string; the original mixed two alternatives with "or"
    ssl_ciphers "HIGH:!aNULL:!MD5:!3DES";
    ssl_prefer_server_ciphers on;

    location / {
        try_files $uri $uri/ =404;
    }
}
Maddy
  • Can you provide a (censored) version of your NGINX host config for the site in question? It's tricky to help you out without it – Peter Reid Feb 23 '17 at 11:14
  • @PeterReid Yes sure. I have just included that in the question – Maddy Feb 23 '17 at 11:25
  • I think Peter meant the host config file, usually in `/etc/nginx/sites-enabled/` – lovethebomb Feb 23 '17 at 11:30
  • @Maddy, that's the nginx config, do you have a config for the host you're setting up inside `/etc/nginx/sites-available` – Peter Reid Feb 23 '17 at 11:31
  • @Lucas Okay. I have added that also in the question. – Maddy Feb 23 '17 at 11:31
  • Both "default" files are same in "sites-enabled" and "sites-available" folder. – Maddy Feb 23 '17 at 11:35
  • Yes sorry, was submitting the question and 2s after, your post was updated ;) If you look at the two first lines, your server is only listening on port 80! You'll need to add the port 443 :) Check the [Nginx official documentation](http://nginx.org/en/docs/http/configuring_https_servers.html) – lovethebomb Feb 23 '17 at 11:47
  • @Lucas If you see `default` file which is actually included in the `nginx.conf` port 443 has been added. I have edited the 443 but I am not able to find the certificate file and key to be given in the path. – Maddy Feb 23 '17 at 11:51
  • Sorry, read too quick! You won't be able to use the certs on your EC2 instance. Check this [stackoverflow post](http://serverfault.com/a/751224/101900) about the same issue, sorry! :( – lovethebomb Feb 23 '17 at 11:57
  • As I have mentioned in the question, I have added SSL to the load balancer but HTTPS is not working. The status it shows is "in use". – Maddy Feb 23 '17 at 12:07
  • @Maddy, Lucas is correct - you cannot use certificates from AWS Certificate Manager on an EC2 instance - you'll have to get a cert from another provider such as Let's Encrypt – Peter Reid Feb 23 '17 at 12:39
  • @Peter so just because it's EC2, a cert from AWS Certificate Manager cannot be applied? It does not even give any warning while I attach the cert to the ELB which in turn is connected to the EC2 instance!! :( – Maddy Feb 23 '17 at 14:26
  • @Maddy From the FAQ for Certificate Manager, "You can request and provision SSL/TLS certificates and deploy them for sites and applications that use Elastic Load Balancing or Amazon CloudFront." https://aws.amazon.com/certificate-manager/faqs/ – Peter Reid Feb 23 '17 at 14:39
  • Yes @Peter, I have checked that documentation. I have used an ELB (tried both application as well as classic). But it is still not working. – Maddy Feb 23 '17 at 15:00
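An added example, not part of the original question or comments: a small POSIX shell audit of the kind of `sites-enabled` file posted above. It lists the ports the file binds, flags legacy `ssl_protocols` values, and reports certificate/key paths nginx could not read (relative paths resolve against the nginx prefix directory, which is passed in as an assumption). The sample config is a constructed copy of the question's `default` file.

```shell
#!/bin/sh
# Added example (not from the original post): audit listen/TLS directives in
# an nginx site file. The config below is a constructed copy of the posted
# "default" file; WORKDIR stands in for nginx's compile-time --prefix directory.
set -eu

WORKDIR=$(mktemp -d)
SITE="$WORKDIR/default"
cat > "$SITE" <<'EOF'
server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;
    server_name localhost;
}
server {
    listen 443;
    ssl on;
    ssl_certificate ./ssl/server.crt;
    ssl_certificate_key ./ssl/server.key;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}
EOF

# Distinct TCP ports the file asks nginx to bind, e.g. "80 443".
listen_ports() {
    awk '$1 == "listen" { p = $2; sub(/;$/, "", p);
         if (substr(p, 1, 5) == "[::]:") p = substr(p, 6);
         if (p ~ /^[0-9]+$/) print p }' "$1" | sort -un | xargs
}

# Protocol names in ssl_protocols that are deprecated (RFC 7568 / RFC 8996).
weak_protocols() {
    awk '$1 == "ssl_protocols" { for (i = 2; i <= NF; i++) { p = $i; sub(/;$/, "", p);
         if (p ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/) print p } }' "$1" | xargs
}

# ssl_certificate / ssl_certificate_key paths that are not readable. A missing
# file makes "nginx -t" fail, so nothing ever binds 443: "connection refused".
missing_tls_files() {
    awk '$1 ~ /^ssl_certificate(_key)?$/ { f = $2; sub(/;$/, "", f); print f }' "$1" |
    while read -r f; do
        case "$f" in /*) abs=$f ;; *) abs="$2/$f" ;; esac
        [ -r "$abs" ] || echo "$abs"
    done
}

echo "ports: $(listen_ports "$SITE")"
echo "legacy protocols: $(weak_protocols "$SITE")"
echo "unreadable cert/key files:"
missing_tls_files "$SITE" "$WORKDIR"
```

Run it against a real site file by pointing `SITE` at it and the second argument at the output of `nginx -V` (the `--prefix` value); an empty "unreadable" list and `443` in the port list are the two things the question's symptom depends on.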

0 Answers