AWS - Cloudfront issues

My domain is: https://kupoholik.rs/

I ran this command: sudo /opt/bitnami/bncert-tool

It produced this output: Domains

Please provide a valid space-separated list of domains for which you wish to
configure your web server.

Domain list : kupoholik.rs www.kupoholik.rs

Warning: A certificate for the list of domains you entered already exists. It
will be used instead of generating a new one.
Press [Enter] to continue:
Warning: The domain 'kupoholik.rs' resolves to a different IP address than the
one detected for this machine, which is '18.159.190.83'. Please fix its DNS
entries or remove it. For more info see:
https://docs.bitnami.com/general/faq/configuration/configure-custom-domain/

My web server is (include version): Apache latest bitnami stack

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): SSH

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.12.0

Now the problem: when you type Kupoholik into Google you will see the IP address of the server.

This is a problem, as it says it's unsecured and is not routing it to the domain name (not sure how this happened).

We upgraded our instance on AWS to a larger instance and we are behind CloudFront.

Running the command: sudo /opt/bitnami/letsencrypt/lego --http --email="dragan@prodato.rs" --domains="kupoholik.rs" --domains="www.kupoholik.rs" --domains="d2si0dhe935ngk.cloudfront.net" --path="/opt/bitnami/letsencrypt" run

Output:
2023/06/15 12:31:19 [INFO] [kupoholik.rs, www.kupoholik.rs, d2si0dhe935ngk.cloudfront.net] acme: Obtaining bundled SAN certificate
2023/06/15 12:31:20 [INFO] [d2si0dhe935ngk.cloudfront.net] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/237033057327
2023/06/15 12:31:20 [INFO] [kupoholik.rs] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/237033057337
2023/06/15 12:31:20 [INFO] [www.kupoholik.rs] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/237033057347
2023/06/15 12:31:20 [INFO] [d2si0dhe935ngk.cloudfront.net] acme: Could not find solver for: tls-alpn-01
2023/06/15 12:31:20 [INFO] [d2si0dhe935ngk.cloudfront.net] acme: use http-01 solver
2023/06/15 12:31:20 [INFO] [kupoholik.rs] acme: Could not find solver for: tls-alpn-01
2023/06/15 12:31:20 [INFO] [kupoholik.rs] acme: use http-01 solver
2023/06/15 12:31:20 [INFO] [www.kupoholik.rs] acme: Could not find solver for: tls-alpn-01
2023/06/15 12:31:20 [INFO] [www.kupoholik.rs] acme: use http-01 solver
2023/06/15 12:31:20 [INFO] [d2si0dhe935ngk.cloudfront.net] acme: Trying to solve HTTP-01
2023/06/15 12:31:20 [INFO] [kupoholik.rs] acme: Trying to solve HTTP-01
2023/06/15 12:31:20 [INFO] [www.kupoholik.rs] acme: Trying to solve HTTP-01
2023/06/15 12:31:20 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/237033057327
2023/06/15 12:31:20 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/237033057337
2023/06/15 12:31:21 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/237033057347
2023/06/15 12:31:21 Could not obtain certificates:
error: one or more domains had a problem:
[d2si0dhe935ngk.cloudfront.net] [d2si0dhe935ngk.cloudfront.net] acme: error presenting token: could not start HTTP server for challenge: listen tcp :80: bind: address already in use
[kupoholik.rs] [kupoholik.rs] acme: error presenting token: could not start HTTP server for challenge: listen tcp :80: bind: address already in use
[www.kupoholik.rs] [www.kupoholik.rs] acme: error presenting token: could not start HTTP server for challenge: listen tcp :80: bind: address already in use

Before this I checked Let's Debug.

Now I am really not sure how to solve this part anymore, as it seems something is not working as it should or is wrongly configured...

Anybody know how this can be solved?

Welcome @KingMilli75

First, CloudFront is a CDN which means there are two HTTP(S) connections between a client (like a browser) and your origin server. The first connection is for requests to kupoholik.rs and its www subdomain. These are handled by CloudFront and it gets certs by itself for this. You can see these AWS certificates using an SSL Checker site like this (link here)

The second connection is between CloudFront and your Origin Server.

There are probably several good answers to your problem. But, I like to make a new domain name for my origin. As example make a domain of origin.kupoholik.rs with its IP (18.159.190.83). You use this domain name in your Origins in CloudFront and use bncert on your EC2 instance to get a cert for this name only. This allows HTTPS connections between CloudFront and your Apache server.

If this IP is not an Elastic IP you need to be sure to update the DNS when it changes.

You can setup a custom header to pass from CloudFront to your origin server if you wish to block access to Apache without passing through CloudFront (see AWS docs for details).

As an aside, you never need a cert for names like d2si0dhe935ngk.cloudfront.net that you tried to get.

4 Likes

Hi Mike,

Thank you for the tip. I made the origin part and it shows as follows:

Now in the DNS I pointed origin to the server IP address (yes, it's static).

It still shows in Google as insecure... and I am not sure why Google indexed the IP address of the server as well.

Here is the Apache log:

The certs for all your domains look correct to me. The root and www have AWS certs and your new origin domain has a Let's Encrypt cert. Use this SSL Checker to check each of your domain names

You should not use the IP address in your HTTPS request. That will fail because the name in the request does not match any name in the cert.

You have some sort of problem in your CloudFront Origins settings because I get a 502 error with your root or www name. Note you should use the origin domain name in the CloudFront Origins and not the IP address.

Using your root or www name will connect to CloudFront and this is your normal requests.

You can use your new origin domain name in a browser but that will go directly to your Apache bypassing CloudFront. You might want to do this for your admin purposes but this is not the way people will normally connect to your site.

Your system design is fairly complex. You need to read more on how CloudFront works.

4 Likes

Currently I simplified it all and removed the CloudFront distribution ("so simple is maybe better"): the root domain and the www domain, and that's it for now. I need to check why it's making problems with CloudFront, as this part I still do not get. Now it works, and now to figure out how to make CloudFront with its CDN play ball with the server...

I thought this would solve this:

But it seems there is more to this than meets the eye. Because CloudFront changes the DNS, which now points from the domain name to the CloudFront address instead of the static IP, the certificates say "Hey, the IP does not exist", and this is how you come into a circle of doom.

Are we the only ones who use CloudFront...? or in general AWS...

I use CloudFront exactly like I described it 🙂

4 Likes

I just read that thread and that is another way to go. But, I think that method is confusing which is why I suggested using a different domain name for your origin server. CloudFront allows multiple origin servers to sit behind its edge. You can, for example, use Behaviors to direct some requests to an S3 bucket and other requests to a server like Apache. Your origin server can be any name you want it to be.

You have to make sure any web pages seen by the browser client have URLs for the domains controlled by CloudFront edge. I don't use Wordpress but you might have to make sure you tell it to use your root or www domain name when making pages and not the new origin domain name handled by your Apache server.

Your quote below is confusing. I agree there is a learning curve when designing more complex systems. And, on a different day I might be willing to spend more time. I'm pretty sure your 502 was because your CloudFront Origin wasn't set right. It should have been your origin.kupoholik.rs domain name and set to use HTTPS only. Your Apache server process those requests. That is, CloudFront is a client to your Apache server. The browser is a client to the CloudFront server (its edge).

3 Likes
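The origin-name design Mike describes above (a separate origin.kupoholik.rs name with its own Let's Encrypt cert, CloudFront configured to use that name over HTTPS only, and a custom header so Apache only answers requests that came through CloudFront) can be written as one Apache 2.4 VirtualHost. This is an added example, not configuration from this thread, from Bitnami or from AWS. It assumes the lego certificate layout under /opt/bitnami/letsencrypt/certificates/, a WordPress DocumentRoot of /opt/bitnami/wordpress, a header name X-Origin-Verify and a placeholder secret; all four are assumptions to adjust, and the same header and secret must be added under the distribution's Origin settings in CloudFront ("Add custom header") for requests to get through.

```apache
# Added example (not from this thread, Bitnami or AWS): an origin-only
# VirtualHost for Apache 2.4 behind CloudFront.
# Assumptions: cert obtained by lego with --path="/opt/bitnami/letsencrypt"
# (paths below follow lego's certificates/ layout), DocumentRoot is
# /opt/bitnami/wordpress, and the CloudFront origin adds the custom header
# X-Origin-Verify with the same secret value configured here.

<VirtualHost *:443>
    # This is the name CloudFront connects to, and the only name in the
    # cert, so the name in the TLS request always matches the cert and the
    # AH01909 "does NOT include an ID" warning cannot fire for this vhost.
    ServerName origin.kupoholik.rs

    SSLEngine on
    SSLCertificateFile    /opt/bitnami/letsencrypt/certificates/origin.kupoholik.rs.crt
    SSLCertificateKeyFile /opt/bitnami/letsencrypt/certificates/origin.kupoholik.rs.key

    DocumentRoot "/opt/bitnami/wordpress"
    <Directory "/opt/bitnami/wordpress">
        Options -Indexes +FollowSymLinks
        AllowOverride All
        # Serve the request only when it carries the shared-secret header
        # that CloudFront adds. Direct hits on the origin name or on the
        # raw IP (which would fail the cert check anyway) get a 403.
        <RequireAll>
            Require all granted
            Require expr "%{HTTP:X-Origin-Verify} == 'REPLACE-WITH-LONG-RANDOM-SECRET'"
        </RequireAll>
    </Directory>
</VirtualHost>

# Plain HTTP on the origin name exists only so the ACME http-01 challenge
# can be served from the webroot; everything else is sent to HTTPS.
<VirtualHost *:80>
    ServerName origin.kupoholik.rs
    DocumentRoot "/opt/bitnami/wordpress"
    RedirectMatch 301 "^/(?!\.well-known/acme-challenge/)(.*)" "https://origin.kupoholik.rs/$1"
</VirtualHost>
```

After adding it, `httpd -t` validates the syntax and `httpd -t -D DUMP_VHOSTS` (the command asked for later in the thread) shows whether origin.kupoholik.rs is now a named vhost on *:443 and which vhost is the default. The "listen tcp :80: bind: address already in use" error in the first post comes from lego's `--http` standalone solver trying to open port 80 while Apache already holds it; with Apache running, lego's `--http.webroot` option (pointing at the DocumentRoot above) lets Apache serve the challenge files instead, which is also what the port-80 vhost here is for.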

I will try it again tomorrow to see your solution. Probably I did something wrong for sure, but what it is I am not really sure, tbh.

But step by step I will go through all of it. I never thought about the origin part; that was very smart to solve it like this. But I need to set it to CloudFront, because this build is on Lightsail. I need to check how I can set this to pull the data from it, because it was set to pull from the static IP set to the instance. However, the connection between them I believe was HTTPS, not HTTP.

1 Like

I've never used this but maybe the CDN feature that's part of Lightsail would work for you?

4 Likes

Hi,

For sure I will check this out, as we probably did something wrong with the setting inside the distribution. Today we will be doing some new attempts for this. However, I just checked the Apache log:

[Fri Jun 16 06:32:01.592739 2023] [mpm_event:notice] [pid 11044:tid 139787213540352] AH00493: SIGUSR1 received. Doing graceful restart
[Fri Jun 16 06:32:01.602421 2023] [ssl:warn] [pid 11044:tid 139787213540352] AH01909: www.example.com:443:0 server certificate does NOT include an ID which matches the server name
[Fri Jun 16 06:32:01.602900 2023] [mpm_event:notice] [pid 11044:tid 139787213540352] AH00489: Apache/2.4.55 (Unix) OpenSSL/1.1.1n configured -- resuming normal operations
[Fri Jun 16 06:32:01.602911 2023] [core:notice] [pid 11044:tid 139787213540352] AH00094: Command line: '/opt/bitnami/apache/bin/httpd -f /opt/bitnami/apache/conf/httpd.conf'

It's an SSL warning which I cannot place; I don't know why it's providing it now.

I found this solution, not sure if it's the way to go:

How to Fix "Server Certificate Does NOT Include an ID Which Matches the Server Name"

Is that exactly the error message? Or did you modify the domain name?

Because www.example.com is not a valid name for actual use. It means there is a problem in your apache config that you have a VirtualHost handling that name. You need to review Apache config or the system that created it.

3 Likes

Yep, it's exactly this name. Here is the full log:

[Thu Jun 15 15:54:18.415514 2023] [ssl:error] [pid 11066:tid 139786312361728] [client 64.41.200.114:59878] AH02042: rejecting client initiated renegotiation
[Fri Jun 16 06:32:01.592739 2023] [mpm_event:notice] [pid 11044:tid 139787213540352] AH00493: SIGUSR1 received. Doing graceful restart
[Fri Jun 16 06:32:01.602421 2023] [ssl:warn] [pid 11044:tid 139787213540352] AH01909: www.example.com:443:0 server certificate does NOT include an ID which matches the server name
[Fri Jun 16 06:32:01.602900 2023] [mpm_event:notice] [pid 11044:tid 139787213540352] AH00489: Apache/2.4.55 (Unix) OpenSSL/1.1.1n configured -- resuming normal operations
[Fri Jun 16 06:32:01.602911 2023] [core:notice] [pid 11044:tid 139787213540352] AH00094: Command line: '/opt/bitnami/apache/bin/httpd -f /opt/bitnami/apache/conf/httpd.conf'
[Fri Jun 16 07:36:05.385453 2023] [mpm_event:notice] [pid 11044:tid 139787213540352] AH00491: caught SIGTERM, shutting down
[Fri Jun 16 07:36:05.822007 2023] [ssl:warn] [pid 29277:tid 139953384905728] AH01909: www.example.com:443:0 server certificate does NOT include an ID which matches the server name
[Fri Jun 16 07:36:05.831978 2023] [ssl:warn] [pid 29278:tid 139953384905728] AH01909: www.example.com:443:0 server certificate does NOT include an ID which matches the server name
[Fri Jun 16 07:36:05.842688 2023] [mpm_event:notice] [pid 29278:tid 139953384905728] AH00489: Apache/2.4.55 (Unix) OpenSSL/1.1.1n configured -- resuming normal operations
[Fri Jun 16 07:36:05.842732 2023] [core:notice] [pid 29278:tid 139953384905728] AH00094: Command line: '/opt/bitnami/apache/bin/httpd -f /opt/bitnami/apache/conf/httpd.conf'
[Fri Jun 16 07:38:09.582465 2023] [mpm_event:notice] [pid 29278:tid 139953384905728] AH00491: caught SIGTERM, shutting down
[Fri Jun 16 07:38:10.021000 2023] [ssl:warn] [pid 31485:tid 140186585500672] AH01909: www.example.com:443:0 server certificate does NOT include an ID which matches the server name
[Fri Jun 16 07:38:10.030606 2023] [ssl:warn] [pid 31486:tid 140186585500672] AH01909: www.example.com:443:0 server certificate does NOT include an ID which matches the server name
[Fri Jun 16 07:38:10.037615 2023] [mpm_event:notice] [pid 31486:tid 140186585500672] AH00489: Apache/2.4.55 (Unix) OpenSSL/1.1.1n configured -- resuming normal operations
[Fri Jun 16 07:38:10.053335 2023] [core:notice] [pid 31486:tid 140186585500672] AH00094: Command line: '/opt/bitnami/apache/bin/httpd -f /opt/bitnami/apache/conf/httpd.conf'
[Fri Jun 16 09:11:05.035868 2023] [mpm_event:notice] [pid 31486:tid 140186585500672] AH00491: caught SIGTERM, shutting down
[Fri Jun 16 09:11:05.467398 2023] [ssl:warn] [pid 35829:tid 140427412298752] AH01909: www.example.com:443:0 server certificate does NOT include an ID which matches the server name
[Fri Jun 16 09:11:05.475972 2023] [ssl:warn] [pid 35830:tid 140427412298752] AH01909: www.example.com:443:0 server certificate does NOT include an ID which matches the server name
[Fri Jun 16 09:11:05.491052 2023] [mpm_event:notice] [pid 35830:tid 140427412298752] AH00489: Apache/2.4.55 (Unix) OpenSSL/1.1.1n configured -- resuming normal operations
[Fri Jun 16 09:11:05.491098 2023] [core:notice] [pid 35830:tid 140427412298752] AH00094: Command line: '/opt/bitnami/apache/bin/httpd -f /opt/bitnami/apache/conf/httpd.conf'

As you can see, the file httpd-ssl.conf is set properly; however, I do not understand why this shows the server has had a restart with all the bells and whistles...

What URL request are you making that causes that message? And, from where (a browser?)

And, can you show output of this?

sudo httpd -t -D DUMP_VHOSTS

(omit sudo if you don't need it)

3 Likes

This we do not know, as this is a config out of the box from AWS. Here is the output:

Well, you have to start learning how that works then. This isn't the place for that.

That command shows you have a mix of IP-based (for 127.0.0.1) VirtualHosts and name-based VirtualHosts. And, that www.example.com is your default VirtualHost.

Mixing IP-based and name-based hosts can be especially difficult.

Just so you know, I am an unpaid volunteer - as are most of the helpers here. I enjoy helping but I don't have the time or interest to educate you on all parts of your system. And, you didn't even answer my question about which URL request was failing. Until I see you have a better understanding of your system I won't be commenting further.

4 Likes

Dear Mike,

Yes, I answered: we do not know which URL request is failing (as said: this we do not know), as this does not show in the Apache log. I copied it all over and tried to figure out why it's providing this error.

We appreciate all the help we can get; it does not matter who it is from. In the 25 years that I have been in IT I am used to us all helping and sharing know-how (I am for sure not the only one who has encountered this kind of problem). This CloudFront issue is for sure related to this message, as we have now deduced it down to one failure.
Before we start the attempt to execute any new CloudFront part: we read on StackFlow and some other forums that we are not the only ones who have these kinds of problems, and I am for sure not educated enough in SSL.

We already spoke to the engineers from AWS and Bitnami support and the latter suggested that we check here if somebody know a solution as they could not help us much further in our case.

The instance we use is the standard AWS - Bitnami build (instance set up last Friday). We did not modify anything outside the normal scope (making a swap file and some PHP settings for this build); we only added the forwarding text which was required for CloudFront to know what and how, and it all worked except for these errors, which suddenly brought the SSL problems into our build. It even caused the server to spin into a loop and freeze up. That's why we are here...

We come before the finish line here, as you deduced that the VirtualHosts are the problem.
As you can see (image), the IP address of 127.0.0.1 is not set by us (maybe a default config script) when an instance is launched; we just found it out when the command was run like you did. We never tampered with these kinds of settings, so we did not even know they were active. If you cannot provide help then please tell us so and we will be looking into possible different solutions.

Based on your help we found this on the AWS site:

So AWS assigns a standard template to it during the setup...
Bitnami has this:
https://docs.bitnami.com/aws/apps/wordpress/administration/redirect-custom-domains/

Now, if we are talking about the same thing, this should be changed to our DNS and this should be fixed then...

1 Like