Using certs with a CDN (AWS)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: indieheaven.net

I ran this command: key generation "seemed" to work, it asked me to put some TXT records into my DNS and I did that and the certificates were created.

It produced this output: However Apache on startup says the domain name doesn't match the IP address - which it doesn't, because it's going through a CDN. The domain names point to my LightSail distribution, not the static IP address of the instance.

My web server is (include version): Apache as provisioned by Bitnami, Apache 2.4.57

The operating system my web server runs on is (include version): Debian

My hosting provider, if applicable, is: AWS (LightSail)

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot is 1.12.0, I didn't use it because it complained about my domain names. Is there a way to tell it to use the CDN path instead?

The following two lines appear in my Apache error log at startup:

[Fri Sep 01 16:58:02.764729 2023] [ssl:warn] [pid 17548:tid 140474189442304] AH01909: www.example.com:443:0 server certificate does NOT include an ID which matches the server name
[Fri Sep 01 16:58:02.772588 2023] [ssl:warn] [pid 17549:tid 140474189442304] AH01909: www.example.com:443:0 server certificate does NOT include an ID which matches the server name

(not sure where the example.com came from, I was meticulous about entering the correct domain names, one for www and one raw)

Hi @furball, and welcome to the LE community forum :slight_smile:

You should remove any "example" configurations from your production system.

3 Likes

I have no experience with the LightSail platform.

Generally speaking - If you're going through a CDN:

  • the CDN should either automate getting SSL certificates itself, or have a control panel for you to upload certificates onto.
  • the CDN should be configured to pull content from either:
    1. your IP address
    2. a domain like "source.example.com"

The source server the CDN pulls content from rarely requires a publicly trusted certificate. Some CDNs - like Cloudflare - will generate a long-term SSL Certificate for you to use on it. Others will instruct you to use a self-signed certificate on the source server, or have another means.

LightSail is fairly specialized as it bundles together a simplified version of several Amazon services, so it expects things to be configured in a specialized way. You really need to dive into the LightSail documentation and communities/resources to find out how their system is designed and what it expects.

4 Likes

Thank you! Here is the output from certbot certificates:

Found the following certs:
Certificate Name: indieheaven.net
Serial Number: 42beede6fe5a4e3b9f6e0cca42f51b90164
Key Type: RSA
Domains: indieheaven.net *.indieheaven.net
Expiry Date: 2023-11-30 13:22:11+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/indieheaven.net/fullchain.pem
Private Key Path: /etc/letsencrypt/live/indieheaven.net/privkey.pem

As you can see, the domain names are correct. (I have no idea where the 'example.com' came from)

I did generate a certificate for the CDN, and it does seem to work (it correctly forwards https to my instance).

Question: can I use this same certificate in my Apache? Could I simply copy the one from the CDN and drop it into Apache? Would that work?

Did you install certbot yourself?

Bitnami should use lego instead.

If you followed some tutorial, tell us which.

Also: Using Bitnami? Please see Bitnami's documentation!

4 Likes

No. Your CDN is an Amazon cert. You do not have access to the private key that matches the cert.

What does this show?

httpd -t -D DUMP_VHOSTS
3 Likes

Yes, of course! I tried it half a dozen different ways. Bitnami's page is here: Generate and Install a Let's Encrypt SSL Certificate for a Bitnami Application

I tried it manually, I tried it using certbot, ....

The problem is very simple: the domain name doesn't match the IP address. Because of the CDN.

This is the MOST basic thing everyone has to do to get their application working, I find it unfathomable that there isn't better documentation on this.

The PHP sessions will not work "at all" unless Apache is happy. Bitnami has detailed instructions (and a tool) for WordPress, and makes us do it manually for everything else.

Apache needs to recognize my domain name, which is why I was asking if the CDN certificates will work. In turn, the CDN will not accept a self-signed certificate (well, it will, but the resulting behavior is very ugly).

Interesting. If run without sudo, it says this:

SSLCertificateFile: file '/opt/bitnami/apache/conf/bitnami/certs/server.crt' does not exist or is empty

If run with sudo, it says this:

Syntax OK

The vhosts file only has one entry; it looks like it's for phpMyAdmin:

<VirtualHost 127.0.0.1:80>
  ServerName status.localhost
  <Location /server-status>
    Require local
    SetHandler server-status
  </Location>
</VirtualHost>

Is that all it says? Usually it also shows the active VirtualHosts

sudo httpd -t -D DUMP_VHOSTS
2 Likes

Yes, that's all it says. For sure there's a host for phpMyAdmin; it's 127.0.0.1.

If I issue your command "while" phpMyAdmin is running, this is what it says:

127.0.0.1:80 status.localhost (/opt/bitnami/apache/conf/vhosts/00_status-vhost.conf:1)
*:80         www.example.com (/opt/bitnami/apache/conf/bitnami/bitnami.conf:6)
*:443        www.example.com (/opt/bitnami/apache/conf/bitnami/bitnami-ssl.conf:15)

Where is the example.com coming from ???
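The AH01909 warning quoted earlier in the thread is Apache noticing that the ServerName of a TLS vhost is not covered by any name in the certificate it was handed. The following script, an added example that is not from this thread or from Bitnami, reproduces that coverage check offline: it parses the `httpd -t -D DUMP_VHOSTS` output quoted above and the `Domains:` line from `certbot certificates`, and reports every port-443 vhost whose ServerName no certificate name matches, together with the config file and line that defines it. The sample inputs are constructed from the thread's own output; the wildcard rule (one leftmost label only, so `*.indieheaven.net` covers `www.indieheaven.net` but not `indieheaven.net` itself) is the usual one mod_ssl and browsers apply.

```python
"""Report Apache TLS vhosts whose ServerName the certificate does not cover.

Added example, not code from the forum thread or from Bitnami. It mirrors the
hostname-coverage check behind Apache's AH01909 startup warning, using only
the two outputs already quoted in the thread.
"""
import re

# Constructed sample: the DUMP_VHOSTS output quoted in the thread.
DUMP_VHOSTS = """\
127.0.0.1:80 status.localhost (/opt/bitnami/apache/conf/vhosts/00_status-vhost.conf:1)
*:80         www.example.com (/opt/bitnami/apache/conf/bitnami/bitnami.conf:6)
*:443        www.example.com (/opt/bitnami/apache/conf/bitnami/bitnami-ssl.conf:15)
"""

# Constructed sample: the "Domains:" line from `certbot certificates`.
CERT_DOMAINS = "indieheaven.net *.indieheaven.net"

# One DUMP_VHOSTS line: "<addr:port> <ServerName> (<config file>:<line>)"
VHOST_RE = re.compile(
    r"^(?P<addr>\S+)\s+(?P<name>\S+)\s+\((?P<file>[^:]+):(?P<line>\d+)\)$"
)


def parse_dump_vhosts(text):
    """Return a list of (address, server_name, config_file, line) tuples."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = VHOST_RE.match(line)
        if m:
            out.append((m["addr"], m["name"], m["file"], int(m["line"])))
    return out


def san_matches(pattern, hostname):
    """Match one certificate name against a hostname.

    Exact match is case-insensitive. A wildcard is only honoured in the
    leftmost label and stands for exactly one label, so '*.example.net'
    covers 'www.example.net' but neither 'example.net' nor 'a.b.example.net'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        p_labels = pattern.split(".")[1:]
        h_labels = hostname.split(".")
        return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels
    return False


def uncovered_tls_vhosts(dump_text, cert_domains):
    """Return (server_name, 'file:line') for every port-443 vhost whose
    ServerName no certificate name covers; these are the vhosts that would
    make Apache log AH01909 at startup."""
    sans = cert_domains.split()
    problems = []
    for addr, name, cfg, line in parse_dump_vhosts(dump_text):
        port = addr.rsplit(":", 1)[-1]
        if port != "443":
            continue  # plain-HTTP vhosts carry no certificate
        if not any(san_matches(s, name) for s in sans):
            problems.append((name, f"{cfg}:{line}"))
    return problems


if __name__ == "__main__":
    for name, where in uncovered_tls_vhosts(DUMP_VHOSTS, CERT_DOMAINS):
        print(f"ServerName {name} at {where} is not covered by: {CERT_DOMAINS}")
```

Run against the thread's own output it points at `bitnami-ssl.conf:15`, the `www.example.com` placeholder the Bitnami image ships with; once that ServerName is changed to a name the certificate lists (or the Bitnami placeholder config is removed), the report is empty and the AH01909 lines disappear.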

lol

Bitnami

2 Likes

Looks like you've solved this now; you may want to add an http to https redirect in your configuration at some point to help people get to the secure version of your site.

For general thread info, AWS LightSail is just the easy/cheap hosting arm of AWS and it includes things like basic linux VMs (like this) without having to use the full AWS administrative console and avoids getting into more gnarly storage/networking config.
