This site can’t provide a secure connection LAMP on EC2

I am trying to get Let’s Encrypt working on my website hosted on EC2 using the LAMP stack (Ubuntu 16.04 server). Here is my config file in /etc/apache2/sites-available:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin webmaster@localhost

    ServerName bancsdegolf.com
    ServerAlias www.bancsdegolf.com
 
    <Directory /var/www/bancsdegolf.com/>
        Options -Indexes +FollowSymLinks +MultiViews
        AllowOverride FileInfo
        Order allow,deny
        allow from all
    </Directory>

    DocumentRoot /var/www/bancsdegolf.com/
    ErrorLog /var/www/apache2/.log/error.log
    CustomLog /var/www/apache2/.log/access.log combined
    RewriteEngine on
    # Some rewrite rules in this file were disabled on your HTTPS site,
    # because they have the potential to create redirection loops.

    #     RewriteCond %{SERVER_NAME} =bancsdegolf.com
    #     RewriteRule ^ https://www.%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/bancsdegolf.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/bancsdegolf.com/privkey.pem
</VirtualHost>
</IfModule>

My domain, obviously: bancsdegolf.com I have added my config with a2ensite. “sudo apachectl -t” return “Syntax OK”, “sudo service apache2 restart” returns no errors. The HTTP version works fine.

In short, everything looks like it should be working, but it is not. On top of that, all the other certificates on my host (using letsencrypt as well) are also not working.

I have tried several things I found online, including changing the permissions on /etc/letsencrypt/live and archive.

Perhaps the error message in FireFox is pertinent? "An error occurred during a connection to www.bancsdegolf.com. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG "

Maybe:

a2enmod ssl

and restart Apache. Or at least, get rid of the IfModule guard:

<IfModule mod_ssl.c>
</IfModule>

so that Apache won’t start if the SSL module isn’t available.

Thanks for the suggestion. Here is the output of “a2enmod ssl”

Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Module socache_shmcb already enabled
Module ssl already enabled

I removed the IfModule mod_ssl around the other tags, but it still has the same problem (I also did a apache2 restart after that).

try adding to the vhost config:
SSLEngine On

And ensure EXTERNAL:443 goes to INTERNAL:443
NOT
EXTERNAL:443 goes to INTERNAL:80

Weird.

ss -tlnp
apachectl -D DUMP_VHOSTS

@rg305 - adding “SSLEngine On”, I still have the same results (added right before"Include /etc/letsencrypt…")

Sorry: I’m not sure how to check the EXTERNAL/INTERNAL things you mentioned.

@_az

“ss -tlnp” gives:

LISTEN     0      80                                 127.0.0.1:3306                                                   *:*                  
LISTEN     0      128                                        *:22                                                     *:*                  
LISTEN     0      128                                       :::80                                                    :::*                  
LISTEN     0      128                                       :::22                                                    :::*                  
LISTEN     0      128                                       :::443                                                   :::*                  
LISTEN     0      128                                       :::443                                                   :::*                  
LISTEN     0      128                                       :::443                                                   :::*                  
LISTEN     0      128                                       :::443                                                   :::*                  

“apachectl -D DUMP_VHOSTS | grep bancsdegolf” gives:

     port 443 namevhost bancsdegolf.com (/etc/apache2/sites-enabled/bancsdegolf-com-le-ssl.conf:1)
             alias www.bancsdegolf.com
     port 80 namevhost bancsdegolf.com (/etc/apache2/sites-enabled/bancsdegolf-com.conf:1)
             alias www.bancsdegolf.com

Perhaps also pertinent without the grep is this line:

*:443 is a NameVirtualHost

That looks strange to me. Can you re-run the command as root or with sudo - that will provide a lot more detail.

I wonder if you have orphaned Apache processes sitting around (that use a stale config). This can be checked by stopping Apache and making sure nothing is still listening on 443 while Apache is stopped.

LISTEN     0      80                                 127.0.0.1:3306                                                   *:*                   users:(("mysqld",pid=865,fd=14))
LISTEN     0      128                                        *:22                                                     *:*                   users:(("sshd",pid=868,fd=3))
LISTEN     0      128                                       :::80                                                    :::*                   users:(("apache2",pid=7184,fd=4),("apache2",pid=7183,fd=4),("apache2",pid=7178,fd=4),("apache2",pid=7129,fd=4),("apache2",pid=7127,fd=4),("apache2",pid=7105,fd=4),("apache2",pid=7104,fd=4),("apache2",pid=7086,fd=4),("apache2",pid=7084,fd=4),("apache2",pid=7083,fd=4),("apache2",pid=7079,fd=4))
LISTEN     0      128                                       :::22                                                    :::*                   users:(("sshd",pid=868,fd=4))
LISTEN     0      128                                       :::443                                                   :::*                   users:(("apache2",pid=7184,fd=6),("apache2",pid=7183,fd=6),("apache2",pid=7178,fd=6),("apache2",pid=7129,fd=6),("apache2",pid=7127,fd=6),("apache2",pid=7105,fd=6),("apache2",pid=7104,fd=6),("apache2",pid=7086,fd=6),("apache2",pid=7084,fd=6),("apache2",pid=7083,fd=6),("apache2",pid=7079,fd=6))

If I “service apache2 stop” then “ss -tlnp” outputs just my SSH (22) and MySQL (3306) lines.

I don’t know if it is pertinent, but here is the output of my /etc/apache2/ports.conf:

Listen 80

<IfModule ssl_module>
        Listen 443
</IfModule>

<IfModule mod_gnutls.c>
        Listen 443
</IfModule>

Is it odd that I have two modules listening on 443 ?

Nah, that ports.conf is normal.

I’m kinda stumped, it should be working from the basic things we have checked.

Rudy’s idea about NAT is really the only other thing that I’ve seen cause this kind of problem, but since you’re using EC2, I don’t think there’s any to easily screw your NAT up this way. To confirm that the problem isn’t NAT:

openssl s_client -connect localhost:443

(it should fail with ssl3_get_record:wrong version number:).

Here is the output of “openssl s_client -connect localhost:443” (on the server):

CONNECTED(00000003)
140189695293080:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 305 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1547261117
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

I thought I mentionned this in my first post, but I just checked back and it’s not there. What I did to make it stop working is:

sudo certbot -d bancsdegolf.com -d www.bancsdegolf.com

And then I agreed to allow letsencrypt to do the auto-redirect to https, which I have never done before.

Yeah, that’s what we expect - the problem is with the Apache config and not with the Amazon NAT.

IDK if you’ve already look in /var/log/apache2/error_log but that might reveal something.

Unless you’re willing to zip up your full Apache config I’m out of ideas for now.

If you are willing to look at it I seriously would be willing to share the whole thing through a Google Drive link so I can remove it later, because I am really stuck. I assume that would be a tarball of /etc/apache2/sites-available/ ?

more like: /etc/apache2/
or at least: /etc/apache/sites-enabled/

I would try:
SSLEngine On
to the file:
/etc/apache2/sites-enabled/bancsdegolf-com-le-ssl.conf

While there also add (for testing):
SSLProtocol +TLSv1.2
SSLCipherSuite all

It’s all symlinks in the sites-enabled directory, and I can’t figure out how to tar them (I tried the -h flag). I added SSLEngine On in the bancsdegolf-com-le-ssl.conf to no avail. Also the two other lines you just sent me.

You restarted Apache?

Yes, I did restart apache.

Please show:
openssl version

A tarball would be great:

tar zcf conf.tar.gz /etc/apache2/

Something is up with the virtualhost setup but trying to guess it is death by a thousand cuts D:

Output of openssl version:

OpenSSL 1.0.2g  1 Mar 2016

I just discovered that disabling all of my sites has solved the issue - so I am going to enable them one-by-one. I don’t know why I didn’t think of that earlier.