AWS Elastic IP pointed to new instance does not work
C

4

7

I created an AMI of my server on AWS, and spun up a new instance.

When I point my elastic IP address to my new instance and type in my domain name I get a timeout error when going to my website.

I have done backups before and just re-pointed my elastic IP but this time it does not seem to be working, any ideas?

Steps I take on AWS:

  1. I click on my Elastic IP and pick Actions -> Associate Address
  2. Resource type = Instance
  3. Instance: I select the new instance I just made by copying my old instance
  4. Reassociation: I tick the checkbox "Allow Elastic IP to be reassociated if already attached"
  5. I click associate

When I go to my webpage I get this error in Edge:

Error Code: DLG_FLAGS_INVALID_CA
DLG_FLAGS_SEC_CERT_CN_INVALID

When I click proceed I get this instead of my website (Chrome would not allow me to proceed):


Looks like some sort of certificate issue...

The error I get in Chrome is:

NET::ERR_CERT_AUTHORITY_INVALID
Clairvoyant answered 30/11, 2018 at 2:54 Comment(7)
Can you ssh into your instance through the Elastic IP? - Leicester
Can you show more detail about the result you got when you re-pointed your Elastic IP to that new instance? - Pandich
I added some new details - Clairvoyant
I guess this issue relates to SSL certificate configuration, not the Elastic IP address. Are you using Application Load Balancing? - Pandich
Nope, no load balancing - Clairvoyant
The SSL certificate is invalid, or not installed correctly. - Brickkiln
If we have established that SSL is the issue, I would recommend using HTTP first, or using a service like Cloudflare to provide an SSL proxy. - Dasteel
C
0

I did not update my security groups correctly so web traffic wasn't allowed.

Clairvoyant answered 14/12, 2018 at 6:7 Comment(0)
G
0

Can you please check which type the server is (EC2-VPC or Classic)?

You can't associate an Elastic IP address that you allocated for use with a VPC with an instance in EC2-Classic, and vice versa.

If this is the case, you can migrate the Elastic IP from Classic to EC2-VPC.

Girvin answered 5/12, 2018 at 2:31 Comment(3)
Where can I see this? I thought it might be a security groups error, but I updated these and still got the same error. It looks more like a certificate error. - Clairvoyant
You can have a look at this link: docs.aws.amazon.com/AmazonRDS/latest/UserGuide/… - Girvin
Both are VPC instances - Clairvoyant
B
0

The SSL certificate is invalid, or not installed correctly. It is not related to the EIP at all.

“This site is not secure” is a security alert that prevents users from accessing various websites. In technical language, this error is known as DLG_FLAGS_SEC_CERT_CN_INVALID. You will need to provide more information about the cert, how it was issued, etc. to do any further troubleshooting.

See https://tecoreviews.com/how-to/fix-site-not-secure-pop-error-code-dlg_flags_sec_cert_cn_invalid/

The error message NET::ERR_CERT_AUTHORITY_INVALID is also related to the certificate.

Given these messages, I suspect the certificate has a common name mismatch, a root CA certificate is missing, or it's a self-signed certificate.

Check the certificate details carefully as presented in the browser. The browser itself is rejecting the cert. Check globalsign.com/en/blog/how-to-view-ssl-certificate-details and review. It should be clear why the cert is being rejected. When you see the specific error, you can figure out the cause and then fix it.

Brickkiln answered 5/12, 2018 at 7:53 Comment(3)
But what would have changed when I made a copy of the working instance? Is the copy not exactly the same? - Clairvoyant
I used certbot with Let's Encrypt - Clairvoyant
Check the certificate details carefully as presented in the browser. The browser itself is rejecting the cert. Check globalsign.com/en/blog/how-to-view-ssl-certificate-details and review. It should be clear why the cert is being rejected. When you see the specific error, you can figure out the cause and then fix it. - Brickkiln
E
0

The domain name is key. When the SSL cert was created you provided a Common Name (i.e. domain name). Some SSL certificates cover subdomains (wildcard certificates issued for e.g. '*.example.com'); some don't (i.e. www.example.com only). If you have the latter kind, you need to use the exact same domain to address the new box.

Erective answered 10/12, 2018 at 22:20 Comment(0)
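The name-matching rule from the answer above, together with two of the causes listed in the earlier answer (common name mismatch, self-signed certificate), as an added Python example that is not part of any post in this thread. The certificate dicts are constructed samples in the shape returned by Python's `ssl.SSLSocket.getpeercert()`; the function names and the `example.com` hosts are assumptions.

```python
# Added example: classify why a client would reject a certificate for a host.

def _flatten(rdns):
    """Turn ((('commonName', 'x'),), ...) into {'commonName': 'x', ...}."""
    return {k: v for rdn in rdns for (k, v) in rdn}

def cert_names(cert):
    """DNS names the cert covers: SAN entries, falling back to the CN."""
    sans = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    cn = _flatten(cert.get("subject", ())).get("commonName")
    return [cn] if cn else []

def name_matches(pattern, host):
    """Exact match, or a leftmost-label wildcard covering exactly one label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    head, _, rest = h.partition(".")
    return bool(head) and rest == p[2:]

def diagnose(cert, host):
    """Return the reasons (possibly none) the cert fails for this host."""
    problems = []
    if not any(name_matches(n, host) for n in cert_names(cert)):
        problems.append("name-mismatch")   # browsers: ..._CERT_CN_INVALID
    subject = _flatten(cert.get("subject", ()))
    if subject and subject == _flatten(cert.get("issuer", ())):
        problems.append("self-signed")     # browsers: ..._AUTHORITY_INVALID
    return problems

# Constructed sample certificates (not taken from the thread).
_CA = ((("organizationName", "Example CA"),), (("commonName", "Example CA R1"),))
WILDCARD = {"subject": ((("commonName", "*.example.com"),),), "issuer": _CA,
            "subjectAltName": (("DNS", "*.example.com"),)}
SINGLE = {"subject": ((("commonName", "www.example.com"),),), "issuer": _CA,
          "subjectAltName": (("DNS", "www.example.com"),)}
_SELF = ((("commonName", "localhost"),),)
SELF_SIGNED = {"subject": _SELF, "issuer": _SELF}

if __name__ == "__main__":
    for label, cert in (("wildcard", WILDCARD), ("single", SINGLE),
                        ("self-signed", SELF_SIGNED)):
        for host in ("www.example.com", "example.com"):
            print(f"{label:12} {host:16} {diagnose(cert, host) or 'ok'}")
```

Note that the wildcard sample does not cover the bare `example.com`, so a site reachable under both names needs both listed in the certificate.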