I am trying to setup https on one of my EC2 instances. I've done this many times, but for some reason, for this instance, it refuses to work.
Problem
Can you also attach a log to show any Apache error output?
Reorder your virtualhosts and put 443 first.
It's possible you could be affected by this: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/795315
The only way to achieve HTTPS traffic to an EC2 instance in a private subnet sitting behind a load balancer within a VPC on AWS, is to have an HTTPS listener on the load balancer (ELB) itself with the certificate of the specific server/domain on the load balancer. In my case, even if you have HTTPS 443 open in your security rules of the load balancer (inbound, outbound) and on the EC2 instance (inbound, outbound), the ELB still blocks all HTTPS traffic on that port to the EC2 instance if the ELB does not have a listener with a valid certificate. Nowhere in the documentation, as far as I have read, does it explicitly say that. Hope this helps.
Submit the certificate from the EC2 instance into IAM using AWS cli.
I added the certificate files on my server and had to upload them to IAM like so (yes, the file:// part is necessary, even on Linux):
    aws iam upload-server-certificate --server-certificate-name my-server-cert \
        --certificate-body file://my-certificate.pem --private-key file://my-private-key.pem \
        --certificate-chain file://my-certificate-chain.pem
as explained here: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/ssl-server-cert.html
Then you need to set up a listener on the ELB which has the EC2 instance attached to it. The listener is then for HTTPS and port 443. The listener will ask for a certificate and it will have the one you added from the aws cli earlier, already listed. If it is not listed, log out of the AWS console and log back in. After this, traffic via HTTPS will start flowing to your EC2 instance.
I wasn't sure that this was needed, because I had the ports open for 443 on the load balancer's security group and nowhere in the documentation does it explicitly say that if you use a load balancer, this is the ONLY way of achieving an HTTPS connection. It only explains that this is the way to go when you want an HTTPS load balancer, which can mean two different things, however, I'm glad it's sorted out.
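The whole procedure from the answer above, scripted end to end with the AWS CLI as an added example (this is not the answerer's own script): upload the certificate to IAM, capture the ARN it returns, create the HTTPS:443 listener on the Classic ELB with that certificate, and then check what the ELB actually presents on port 443 with openssl. The ELB name `my-elb`, the certificate name `my-server-cert`, the three PEM file names and the hostname `example.com` are placeholders; the instance-side protocol is HTTPS:443 to match what the answer describes. The AWS calls only run when `RUN_AWS=1` is set, so the file can be sourced and its helper checked without credentials.

```shell
#!/bin/sh
# Added example (not the answer's own script): put an HTTPS listener with an
# IAM-uploaded certificate on a Classic ELB, then verify the presented chain.
# Placeholders (assumptions): my-elb, my-server-cert, the PEM paths, example.com.
set -eu

ELB_NAME="${ELB_NAME:-my-elb}"              # assumption: Classic ELB name
CERT_NAME="${CERT_NAME:-my-server-cert}"    # IAM server-certificate name
DOMAIN="${DOMAIN:-example.com}"             # hostname the certificate covers

# Build the --listeners argument for `aws elb create-load-balancer-listeners`.
# Isolated in a function so its exact shape can be checked without calling AWS.
# $1 = IAM server-certificate ARN.
listener_spec() {
    printf 'Protocol=HTTPS,LoadBalancerPort=443,InstanceProtocol=HTTPS,InstancePort=443,SSLCertificateId=%s' "$1"
}

# Upload the certificate (the file:// prefix is required, as the answer notes)
# and print only the ARN, which the listener needs as SSLCertificateId.
upload_cert() {
    aws iam upload-server-certificate \
        --server-certificate-name "$CERT_NAME" \
        --certificate-body file://my-certificate.pem \
        --private-key file://my-private-key.pem \
        --certificate-chain file://my-certificate-chain.pem \
        --query 'ServerCertificateMetadata.Arn' --output text
}

# Attach an HTTPS:443 listener that forwards to the instance on HTTPS:443.
# $1 = certificate ARN returned by upload_cert.
create_listener() {
    aws elb create-load-balancer-listeners \
        --load-balancer-name "$ELB_NAME" \
        --listeners "$(listener_spec "$1")"
}

# Confirm the ELB now terminates TLS with the expected certificate: openssl
# prints the subject and "Verify return code: 0 (ok)" when the chain validates
# against the local CA store. A non-zero verify code means the chain file that
# was uploaded is incomplete or the wrong certificate was selected.
verify_tls() {
    dns=$(aws elb describe-load-balancers --load-balancer-names "$ELB_NAME" \
          --query 'LoadBalancerDescriptions[0].DNSName' --output text)
    echo | openssl s_client -connect "${dns}:443" -servername "$DOMAIN" 2>/dev/null \
        | grep -E 'subject=|Verify return code'
}

# Only touch AWS when explicitly asked, so sourcing this file is side-effect free.
if [ "${RUN_AWS:-0}" = "1" ]; then
    arn=$(upload_cert)
    create_listener "$arn"
    verify_tls
fi
```

Run it with `RUN_AWS=1 sh elb-https.sh` once the AWS CLI has credentials that may call `iam:UploadServerCertificate` and `elasticloadbalancing:CreateLoadBalancerListeners`. Because the listener terminates TLS at the ELB and re-encrypts to the instance, the instance's own Apache 443 vhost still has to serve a certificate, but it is the certificate uploaded to IAM, not the instance's, that clients see, which is what `verify_tls` checks.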