AKA

Reputation: 594

Error: SSL Misconfiguration (Your connection to this site is not secure)

Exact error I am getting on browser:

This server could not prove that it is XXX.XX.XXX.XXX; its security certificate is from newDomain.live. This may be caused by a misconfiguration or an attacker intercepting your connection.

NGINX Config:

server {
    # listen on port 443 (https)
    listen 443 ssl;
    server_name _;

    # location of the self-signed SSL certificate
    ssl_certificate /home/ubuntu/certs/server.pem;
    ssl_certificate_key /home/ubuntu/certs/server.key;


    # write access and error logs to /var/log
    access_log /var/log/app_access.log;
    error_log /var/log/app_error.log;

    location / {
        # forward application requests to the gunicorn server
        proxy_pass http://localhost:8000;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

What I have done:

I am using an AWS EC2 instance and running NGINX as a reverse proxy. How can I fix this misconfiguration of SSL?

Upvotes: 3

Views: 8458

Answers (1)

Jason

Reputation: 2695

The certificate returned by the server does not match the name in the URL. Based on this description you've created a certificate for newDomain.live but you are trying to access the site using an IP address xxx.xxx.xxx.xxx, which is not the domain you created.

If the domain is not a valid domain (i.e. no DNS entry), you can add the domain to your local hosts file with the IP as the target, then put the domain name in your browser as the address. This will redirect to the IP defined in your hosts file.

For more information: update hosts in Windows, update hosts in Linux.

Solution: access the website using the same domain name that you registered the certificate for.

See this thread for details of a similar error you are experiencing and this thread for details of self signed certificate errors.

An alternative approach:

This approach does not solve your NGINX problem.

Instead of using NGINX, why don't you front your EC2 instance with an Application Load Balancer.

Then use a certificate generated by AWS Certificate Manager (ACM), not only are the certificates free but:

  • they are signed by Amazon, so the certificate is trusted
  • if you use DNS validation, the certificates are automatically rotated when they expire

You can find out how to do this here.

You can restrict traffic to originate from the load balancer using security groups, and you can front the load balancer with Amazon CloudFront.

ACM best practice information is available here.

Upvotes: 3
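As an added illustration of the name-matching rule Jason describes (this is not code from the question or the answer): a stand-alone Python check that mimics how a browser decides whether a certificate covers the address typed in. The certificate dicts are constructed in the shape returned by Python's ssl.SSLSocket.getpeercert(), and 203.0.113.10 is a documentation address standing in for the instance's real IP.

```python
import ipaddress

# Constructed examples in the shape returned by ssl.SSLSocket.getpeercert().
# 203.0.113.10 is a documentation address standing in for XXX.XX.XXX.XXX.
CERT_DOMAIN_ONLY = {  # the certificate in the question: issued for newDomain.live only
    "subject": ((("commonName", "newDomain.live"),),),
    "subjectAltName": (("DNS", "newDomain.live"), ("DNS", "*.newDomain.live")),
}
CERT_WITH_IP_SAN = {  # same certificate reissued with the instance IP as an IP SAN
    "subject": ((("commonName", "newDomain.live"),),),
    "subjectAltName": (("DNS", "newDomain.live"), ("IP Address", "203.0.113.10")),
}

def _dns_match(pattern: str, host: str) -> bool:
    """RFC 6125 style: case-insensitive, one wildcard covering the whole leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Wildcard must be the entire leftmost label, must not sit directly under a TLD,
    # and matches exactly one label (so a.b.newdomain.live is not covered).
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def cert_matches_host(cert: dict, host: str) -> bool:
    """True if host (a DNS name or an IP literal) is covered by the certificate."""
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal in the address bar is compared only with IP Address SANs,
        # never with DNS SANs or the CN: that is why a cert for newDomain.live
        # cannot prove the server is XXX.XX.XXX.XXX.
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in san)
    names = [v for k, v in san if k == "DNS"]
    if not names:  # legacy fallback: CN counts only when there is no DNS SAN at all
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_match(n, host) for n in names)

def explain(cert: dict, host: str) -> str:
    """One-line verdict in the spirit of the browser error quoted in the question."""
    if cert_matches_host(cert, host):
        return f"OK: certificate covers {host}"
    listed = ", ".join(v for _, v in cert.get("subjectAltName", ()))
    return f"MISMATCH: server could not prove it is {host}; certificate is for {listed}"
```

Because an IP literal is only ever matched against IP Address SANs, reissuing the self-signed certificate with the instance IP as a SAN would also make the browser accept it; the hosts-file and ACM routes above avoid needing that.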
