
I have just bumped into this SSL thing without any prior knowledge. I am working on a Bitnami AWS EC2 instance. Yesterday I mistakenly deleted all the files in the home directory, so I lost my SSH access to the instance. I created an image from this instance and launched a new instance with the same settings. Fortunately my code and database were intact.

Now I have an up and running server, but the browser always shows "Invalid Certificate". Previously it was working fine. To correct it I generated new certificates by following this Bitnami tutorial.

Problem:
The server still shows an invalid certificate. If I access it via HTTP it works fine, but whenever I use HTTPS the certificate does not validate.

Configuration:

In /opt/bitnami/apache2/conf/bitnami/bitnami.conf I have:

```apache
<IfVersion < 2.3 >
  NameVirtualHost *:80
  NameVirtualHost *:443
</IfVersion>

<VirtualHost _default_:80>
  DocumentRoot "/opt/bitnami/apache2/htdocs"
  <Directory "/opt/bitnami/apache2/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride All
    <IfVersion < 2.3 >
      Order allow,deny
      Allow from all
    </IfVersion>
    <IfVersion >= 2.3 >
      Require all granted
    </IfVersion>
  </Directory>

  # Error Documents
  ErrorDocument 503 /503.html

  # Bitnami applications installed with a prefix URL (default)
  Include "/opt/bitnami/apache2/conf/bitnami/bitnami-apps-prefix.conf"
</VirtualHost>

# Default SSL Virtual Host configuration.

<IfModule !ssl_module>
  LoadModule ssl_module modules/mod_ssl.so
</IfModule>

Listen 443
#SSLProtocol all -SSLv2 -SSLv3
#SSLHonorCipherOrder on
#SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !EDH !RC4"
#SSLPassPhraseDialog  builtin
#SSLSessionCache "shmcb:/opt/bitnami/apache2/logs/ssl_scache(512000)"
#SSLSessionCacheTimeout  300

<VirtualHost _default_:443>
  DocumentRoot "/opt/bitnami/apache2/htdocs"
  SSLEngine on
  SSLCertificateFile "/opt/bitnami/apache2/conf/server.crt"
  SSLCertificateKeyFile "/opt/bitnami/apache2/conf/server.key"

  <Directory "/opt/bitnami/apache2/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride All
    <IfVersion < 2.3 >
      Order allow,deny
      Allow from all
    </IfVersion>
    <IfVersion >= 2.3 >
      Require all granted
    </IfVersion>
  </Directory>

  # Error Documents
  #ErrorDocument 503 /503.html

  # Bitnami applications installed with a prefix URL (default)
  # Include "/opt/bitnami/apache2/conf/bitnami/bitnami-apps-prefix.conf"
</VirtualHost>

# Bitnami applications that uses virtual host configuration
#Include "/opt/bitnami/apache2/conf/bitnami/bitnami-apps-vhosts.conf"
```

After the changes I run `/opt/bitnami/ctlscript.sh start`.

  • Bitnami Engineer here. The guide you mentioned explains how to create an SSL certificate, but you will need a Certificate Authority to sign the certificate. If you don't want to buy a certificate from a CA, you can also use [Let's Encrypt to generate the certificate](https://docs.bitnami.com/aws/apps/wordpress/administration/generate-configure-certificate-letsencrypt/). We include a script that takes care of creating and configuring the certificate in the instance: `sudo /opt/bitnami/letsencrypt/scripts/generate-certificate.sh -m YOURMAIL -d YOURDOMAIN -d www.YOURDOMAIN` – Jota Martos Apr 22 '19 at 10:52
  • @JotaMartos your comment is appreciated. I have also tried that, but it refuses me straight away because the policy does not allow creating such a certificate. It always gives me a policy error. When I searched some forums (I don't remember which forums), a guy (also from Bitnami) commented that they don't allow certificates for addresses that contain the EC2 instance address, because today it belongs to you and next month it belongs to someone else. – Rafay Zia Mir Apr 22 '19 at 11:23
  • And it makes sense to me as well. I also tried installing the Lego client separately, but no luck. – Rafay Zia Mir Apr 22 '19 at 11:26
  • OK, if you don't want to use Let's Encrypt, you will need to create a certificate following the documentation we have, and you need to ensure that you set the correct domains when creating the certificate. After that, you will need to share that certificate with a CA so it signs the certificate for you to use. Once signed, you will need to replace the files you have in the server. – Jota Martos Apr 23 '19 at 07:29
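As an added example (not part of the question, the comments, or the Bitnami tutorial), the shell functions below run the same checks a browser performs on a certificate like the one the tutorial produces: is the issuer the subject itself (self-signed), does the subject alternative name cover the host being visited, and does the certificate chain to anything in the system trust store. They assume `openssl` 1.1.1 or newer on the PATH; the certificate, key and working directory are constructed here and stand in for `/opt/bitnami/apache2/conf/server.crt` and `server.key`.

```shell
#!/bin/sh
# Added example, not code from the question or from Bitnami.
# Assumes: openssl 1.1.1+ (needed for -addext) on PATH.
set -eu

# Constructed working directory; stands in for /opt/bitnami/apache2/conf.
WORK="${TMPDIR:-/tmp}/certcheck.$$"

# Produce a self-signed certificate the way a "generate your own certificate"
# tutorial does: the key signs its own certificate, so issuer == subject.
make_self_signed() {
  mkdir -p "$WORK"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/server.key" -out "$WORK/server.crt" \
    -subj "/CN=example.test" \
    -addext "subjectAltName=DNS:example.test,DNS:www.example.test" \
    >/dev/null 2>&1
}

# Print "self-signed" when the issuer DN equals the subject DN, else "ca-signed".
cert_issuer_kind() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer)
  if [ "${subj#subject=}" = "${iss#issuer=}" ]; then
    echo self-signed
  else
    echo ca-signed
  fi
}

# Succeed when the certificate's SAN list contains the exact DNS name $2.
# Browsers match the URL host against SAN, not against the CN.
cert_covers_host() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | tr ',' '\n' | sed 's/^ *//' | grep -qx "DNS:$2"
}

# Succeed only if the certificate chains to a CA in the system trust store,
# which is what a browser checks. A self-signed server cert never does.
cert_trusted_by_system() {
  openssl verify "$1" >/dev/null 2>&1
}

main() {
  make_self_signed
  crt="$WORK/server.crt"
  echo "issuer kind: $(cert_issuer_kind "$crt")"
  if cert_covers_host "$crt" www.example.test; then
    echo "SAN covers www.example.test"
  fi
  if cert_trusted_by_system "$crt"; then
    echo "trusted by system store"
  else
    echo "NOT trusted by system store: a browser will reject it"
  fi
  rm -rf "$WORK"
}

main
```

Run the same functions against the real file on the instance (`cert_issuer_kind /opt/bitnami/apache2/conf/server.crt`) after installing a CA-signed replacement: it should print `ca-signed`, and `openssl verify` should pass once the CA's intermediate chain is also supplied (`openssl verify -untrusted chain.pem server.crt` on the command line; in Apache, appended to the file named by `SSLCertificateFile`). A certificate that passes the SAN check but is self-signed still fails the trust check, which is exactly the "Invalid Certificate" state described in the question.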

0 Answers