SSL installed on Apache2 but HTTPS not working
I recently installed an SSL certificate on my Amazon EC2 Ubuntu 12.04 (32-bit) server running Apache 2.

When I attempt to access my site via HTTPS, it does not load. When I perform an nmap scan, I see that port 443 is not open.

I tried to open port 443 in my iptables to no avail. iptables -L yields

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https

Here's how I installed ssl

I modified /etc/init.d/apache2.conf to include ssl.conf and modified ssl.conf to include the requisite paths of my certificate files, i.e.

SSLCertificateFile /path/file
SSLCertificateKeyFile /path/file
SSLCertificateChainFile /path/file

I configured my security group to allow inbound requests from port 443 (TCP source:0.0.0.0/0)

When I perform the following test with php

<?php
// Report whether the OpenSSL extension is compiled into / loaded by PHP.
if (!extension_loaded('openssl')) {
    echo "not loaded";
} else {
    echo "loaded";
}

I get "loaded".

Any ideas?

Hyunhz answered 16/7, 2013 at 17:4 Comment(4)
What happens when you try opening a telnet connection from a remote machine to your server on port 443? Does it connect? If so, then you can rule out a firewall or routing problem, or a problem with iptables. I would also be curious if your Apache logs are showing anything interesting. - Enshrine
telnet to 443 returns "Connection Refused". Nothing is appended to the Apache logs when I attempt to access mydomain.net - Hyunhz
Interesting. How about if you try a loopback connection, from the host itself, on port 443? In other words, telnet localhost 443. Does that connect? I'm trying to isolate whether this is an Apache issue or a networking / firewall issue. - Enshrine
Ahh, looks like an Apache issue. Thanks - Hyunhz

In httpd-ssl.conf, do you have Listen 443?

If not, try adding that, and restarting apache.

Enshrine answered 16/7, 2013 at 17:45 Comment(6)
I did not. While I'm using apache2.conf (Ubuntu thing?) to load an external ssl.conf, I did not have this directive anywhere. Adding it directly to my Apache conf and reconfiguring the virtual host directive / mod_ssl.so include resolved things. Thanks - Hyunhz
This worked for me as well, only I had to modify "ports.conf" - Sharecrop
In Apache 2.4 the file is ports.conf - Hajji
@Bakhshi--that depends on your distribution of Apache, your platform, and the default configuration... xampp distributes Apache 2.4.* on Windows with the SSL settings in httpd-ssl.conf, and port 443 is enabled by default... the virtual host section in this file needs some alteration to point to a specific domain, but it's not in ports.conf - Mimimimic
You could make it the first line of your conf file, outside the tags; always works - Abecedarian
Thanks, spent an hour trying to figure this out and all along the problem was ports.conf - Taite

First check if mod_ssl is enabled. If not, enable it by running a2enmod ssl. Then check if Apache is listening on port 443 for HTTPS. Then check that the firewall is not blocking port 443.

Polo answered 28/8, 2016 at 15:16 Comment(2)
Me too. Please check your inbound firewall ports, 443 in this case. - Pulchritude
Thanks bro, you saved me. - Ambrosine

Edit: from comments, the following is true for AWS Lightsail, Oracle Cloud, IONOS, and probably many other managed web hosts:

If anyone else finds this and is using Amazon Lightsail (like me), you have to use their web UI to explicitly open port 443.

I spent hours poring over my server config files before I discovered that :/

Neral answered 5/6, 2019 at 20:50 Comment(5)
You're a lifesaver - Engineer
Thank you, this was the hint for me. I had an EC2 instance linked to a Security Group with no inbound rule for HTTPS (443). - Kamkama
Thank you! Totally missed this one - Dutton
If anyone is on Oracle Cloud, same thing! - Muscadel
Same for IONOS. - Letreece

In httpd.conf the following is disabled by default:

# Secure (SSL/TLS) connections
# Include conf/extra/httpd-ssl.conf    

Simply remove the # from the Include and restart Apache.

Rosamondrosamund answered 1/9, 2014 at 14:20 Comment(1)
I'm probably going to leave on work time now thanks to this. Thank you. - Thomasenathomasin

If you can connect locally (e.g. with telnet localhost 443 as mti suggests), check if the firewall is configured properly.

In my case, ufw was blocking everything, so I had to ufw allow 443 which fixed the underlying problem to the same symptom.

Scrofula answered 19/11, 2013 at 1:54 Comment(1)
Thanks, this idea helped us figure out our issue. For us it was the corporate firewall though, so people should consider that as well. - Melvamelvena

I just ran into a situation where there was a process listening on port 443, the firewall was completely open, SELinux was disabled, and I still couldn't telnet to port 443. Not even from the localhost. I kept getting:

telnet 127.0.0.1 443
telnet: connect to address 127.0.0.1: Connection refused

It turns out the iptables NAT table had a rule redirecting traffic coming in on port 443 to a different port (8443). Nothing was listening on port 8443.

# iptables --table nat --list
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
REDIRECT   tcp  --  anywhere             anywhere            tcp dpt:https redir ports 8443 

Removing the relevant NAT entries fixed the problem for me.

Troxler answered 5/7, 2017 at 12:24 Comment(2)
This was exactly the issue I was having. I think the NAT rules were in place to service a VM running on my server, although as that has its own (bridged) IP those rules are not necessary. - Aruwimi
This was mine; for some reason when I restarted Apache it decided to switch from port 8443 to 443... the redirect was the problem then. - Scudder
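The answers in this thread each check one layer by hand: Enshrine's missing Listen 443, Polo's mod_ssl / listening-socket / firewall checks, and Troxler's nat REDIRECT that refuses loopback connections even though a listener exists. The script below is an added example in POSIX shell, not code from the original thread or from the Apache project, that walks those layers in order. Its three parser functions take text as input so they can be exercised offline against constructed samples (a ports.conf with the https Listen commented out, the nat table shown in the answer above, an ss -ltn listing of an http-only host); diagnose_live feeds them real command output when the script is run with --live. The file name check443.sh, the config paths and the command names used in diagnose_live are assumptions about a Debian/Ubuntu or RHEL layout, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the thread): check, in order, the layers that
# commonly stop Apache from answering on 443. Parsers take text so they can
# be exercised offline; diagnose_live feeds them real command output.

# Active (uncommented) Listen directive for port 443 in Apache config text.
# "Listen 443", "Listen 0.0.0.0:443" and "Listen [::]:443 https" all count.
# Purely textual: a directive inside <IfModule mod_ssl.c> is skipped by Apache
# until mod_ssl is loaded (a2enmod ssl), which diagnose_live checks separately.
has_listen_443() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*Listen[[:space:]]+([^[:space:]#]*:)?443([[:space:]]|$)'
}

# Some socket bound to port 443 in "ss -ltn" output (field 4 is Local Address:Port).
listening_on_443() {
    printf '%s\n' "$1" |
        awk '$1 == "LISTEN" && $4 ~ /:443$/ { found = 1 } END { exit found ? 0 : 1 }'
}

# A REDIRECT/DNAT rule on the nat PREROUTING chain that rewrites port 443: the
# case where a listener exists, the firewall is open, and localhost still gets
# "Connection refused". Accepts "iptables -t nat -L" output with or without -n.
nat_redirects_443() {
    printf '%s\n' "$1" |
        awk '/^Chain / { chain = $2 }
             chain == "PREROUTING" && ($1 == "REDIRECT" || $1 == "DNAT") &&
                 /dpt:(https|443)( |$)/ { found = 1 }
             END { exit found ? 0 : 1 }'
}

# --- Constructed samples (assumed, not captured from a real host) ---------
# Ubuntu-style ports.conf with the https Listen commented out (the bug in the question).
SAMPLE_PORTS_CONF_BROKEN='Listen 80

<IfModule mod_ssl.c>
    # Listen 443
</IfModule>'

SAMPLE_PORTS_CONF_FIXED='Listen 80

<IfModule mod_ssl.c>
    Listen 443
</IfModule>'

# nat table as shown in the answer above: 443 silently redirected to 8443.
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:https redir ports 8443

Chain INPUT (policy ACCEPT)
target     prot opt source               destination'

# ss -ltn listing of a host serving plain http only.
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       511     0.0.0.0:80          0.0.0.0:*
LISTEN  0       511     [::]:80             [::]:*'

# Run the same checks against this host. Paths and commands are assumptions
# for Debian/Ubuntu and RHEL layouts. Usage: sh check443.sh --live
diagnose_live() {
    cfg=$(cat /etc/apache2/ports.conf /etc/apache2/sites-enabled/* \
              /etc/apache2/mods-enabled/*.conf /etc/httpd/conf/httpd.conf \
              /etc/httpd/conf.d/*.conf 2>/dev/null)
    has_listen_443 "$cfg" && echo "ok:   active 'Listen 443' directive found" \
        || echo "FAIL: no active 'Listen 443' (check ports.conf / httpd-ssl.conf include)"
    { apache2ctl -M 2>/dev/null || apachectl -M 2>/dev/null; } | grep -q ssl_module \
        && echo "ok:   mod_ssl loaded" || echo "FAIL: mod_ssl not loaded (a2enmod ssl)"
    listening_on_443 "$(ss -ltn 2>/dev/null)" \
        && echo "ok:   a socket is listening on :443" || echo "FAIL: nothing listening on :443"
    nat_redirects_443 "$(iptables -t nat -L -n 2>/dev/null)" \
        && echo "WARN: nat PREROUTING rewrites port 443 (see iptables -t nat -L -n)" || true
    # Loopback handshake separates an Apache-side fault from a cloud/host firewall.
    openssl s_client -connect 127.0.0.1:443 </dev/null >/dev/null 2>&1 \
        && echo "ok:   TLS handshake on loopback" \
        || echo "FAIL: loopback connect failed (Apache side, not the security group)"
}

if [ "${1-}" = "--live" ]; then diagnose_live; fi
```

A loopback success with a remote failure points at the security group, ufw or a corporate firewall; a loopback failure with Listen 443 present and mod_ssl loaded is where the nat check earns its keep.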

For me it's the stupid Chrome cache. Ctrl + Shift + Del to clear the cache, restart Chrome, and SSL is correctly working now.

Monofilament answered 14/3, 2019 at 9:5 Comment(0)

If the SSL keys are not set (or were inexplicably commented out by gremlins), Apache 2.2 SSL will silently fail. There will be no error in the log, and it will not be listening to 443. The http:80 sites will work.

Clarineclarinet answered 4/12, 2018 at 16:44 Comment(0)

First, check the processes on ports 80 and 443: sudo netstat -peanut | grep ':80' and sudo netstat -peanut | grep ':443'. If port 443 has no process, then this would help: editing the Apache configuration file to serve the cert works well. Use the command sudo certbot --apache. You are good.

Maynord answered 29/10, 2020 at 20:31 Comment(0)

Sometimes an iptables -F works. I had the port 443 open for inbound in Amazon, but still the site was not opening in my browser.

Logged on to the site, gave an iptables -F and immediately the site was accessible.

Ochrea answered 18/8, 2014 at 12:43 Comment(1)
iptables -F will delete all your firewall rules. Not a good idea. ipset.netfilter.org/iptables.man.html - Otoole

© 2022 - 2024 — McMap. All rights reserved.