Why do I receive errors when I use the browser-based SSH console to access my Lightsail instance?
I receive an "UPSTREAM_ERROR [515]", "UPSTREAM_NOT_FOUND [519]", or "CLIENT_UNAUTHORIZED [769]" error message when I use the browser-based SSH console to connect to my Amazon Lightsail instance.
Short description
You receive one of the following error messages:
- "Your instance encountered an error and has closed the connection. Try again or contact customer support. UPSTREAM_ERROR [515]"
- "An error occurred and we were unable to connect or stay connected to your instance. If this instance has just started up, try again in a minute or two. UPSTREAM_NOT_FOUND [519]"
- "Login failed. If this instance has just started up, try again in a minute or two. CLIENT_UNAUTHORIZED [769]"
The "UPSTREAM_ERROR [515]" and "UPSTREAM_NOT_FOUND [519]" errors occur when you can't connect to your Lightsail instance through the SSH console.
The following reasons can cause connection issues:
- An instance boot failed, a status check failed, or CPU or memory resources are overused.
- An operating system (OS)-level firewall blocks SSH port access.
- The SSH service isn't configured to use the default port 22.
- The SSH service is down.
You get the "CLIENT_UNAUTHORIZED [769]" error when there's an SSH authentication issue in your Lightsail instance.
The following reasons can cause authentication issues:
- You misconfigured the /etc/ssh/lightsail_instance_ca.pub Lightsail system key.
- You didn't use the required SSH configuration when you upgraded your Ubuntu instance version to 20.04 or later.
Resolution
Check your instance health and status
View your instance metrics to check for system or instance status check failures.
If there are system status check failures, then stop and restart the instance to migrate it to healthy hardware.
Warning: The instance's public IP address changes every time you stop and start the instance. If you don't want the address to change, then assign a static IP address before you stop the instance.
If the instance status check failed, then an OS-level issue might have caused boot errors. Or, the instance's resources might be overused. For more information, see How do I troubleshoot common issues that cause my Lightsail instance to be unresponsive?
Resolve firewall issues
If an OS-level firewall, such as iptables or Uncomplicated Firewall (UFW), blocks access, then take one of the following actions:
- If you have SSH access through a terminal or PuTTY, then remove deny rules from the firewall and the /etc/hosts.deny file. For cPanel instances, use the Web Host Manager (WHM) console to remove firewall rules.
- If you don't have SSH access, then create a new instance and add a launch script that deactivates the firewall and /etc/hosts.deny file.
To use a launch script to deactivate OS-level firewalls, complete the following steps:
- Open the Lightsail console.
- Create an instance from the snapshot.
  Note: Select the same Availability Zone as the previous instance.
- Choose Add launch script, and then add the following script:
      sudo ufw disable
      sudo iptables -F
      sudo mv /etc/hosts.deny /etc/hosts.deny_backup
      sudo touch /etc/hosts.deny
      sudo systemctl enable sshd
      sudo systemctl restart sshd
  Note: The preceding example script deactivates the UFW firewall, flushes all the iptables chains or firewall rules, and renames the /etc/hosts.deny file to deactivate it.
- Choose a new instance plan, or use the same plan as the previous instance.
- Enter a name for the instance, and then choose Create instance.
After the new instance starts to run, wait 10-15 minutes and then use the browser-based SSH console to connect to the instance.
Note: If the previous instance had a static IP address, then assign the static IP address to the new instance. Choose the Networking tab on the Lightsail console, detach the static IP address, and then attach it to the new instance.
Resolve SSH service issues
If the SSH service isn't running or active on the instance, then the SSH connection fails and you receive the "UPSTREAM_NOT_FOUND [519]" error. To troubleshoot this issue, configure Session Manager, a capability of AWS Systems Manager, for your Lightsail instance. Then, access the instance without the SSH service to resolve the issue.
Complete the following steps:
- Review one of the following SSH authentication log files to check for error messages or failed authentication attempts:
  Ubuntu log file:
      /var/log/auth.log
  Amazon Linux log file:
      /var/log/secure
- If the file shows an error message, then take one of the following actions:
  For an "Invalid user" or "Failed password" message, check your SSH key configuration in the /etc/ssh/sshd_config file.
  For a "Connection refused" message, run the following command to confirm that the SSH service is running:
      sudo systemctl status sshd
  For a "Permission denied" message, run the following command to check the permissions on your SSH directory and key files:
      sudo chmod 700 ~/.ssh
      sudo chmod 600 ~/.ssh/authorized_keys
- If there are no error messages, then run the following command to test and restart the SSH configuration:
      sudo sshd -t
      sudo systemctl restart sshd
Restore the Lightsail system key
If the /etc/ssh/lightsail_instance_ca.pub key is missing, then complete the following steps:
- If you have SSH access through a terminal or PuTTY, then run the following command to verify the ssh-rsa key:
      sudo cat /var/lib/cloud/instance/user-data.txt | grep ^ssh-rsa
- Take one of the following actions:
  If the key exists, then run the following command to restore it:
      sudo sh -c "cat /var/lib/cloud/instance/user-data.txt | grep ^ssh-rsa > /etc/ssh/lightsail_instance_ca.pub"
      sudo sh -c "echo >> /etc/ssh/sshd_config"
      sudo sh -c "echo 'TrustedUserCAKeys /etc/ssh/lightsail_instance_ca.pub' >> /etc/ssh/sshd_config"
      sudo systemctl restart sshd
  If you don't get an ssh-rsa key, or you can't use SSH to connect to the instance, then create a snapshot of the instance. When you launch a new instance from the snapshot, the Lightsail system key is automatically added to the server.
Configure SSH for Ubuntu 20.04 or later
If you upgraded your earlier Ubuntu instance version to 20.04, then you must manually allow certificate authorities (CAs) to use the ssh-rsa key to sign certificates. If you created an instance to run Ubuntu version 20.04 or later, then CAs can use the ssh-rsa algorithm by default.
To manually allow the CAs, complete the following steps:
- Use an SSH client, such as the terminal or PuTTY application, to connect to the instance.
- Open the /etc/ssh/sshd_config SSH configuration file.
- Add CA parameters to the file for your Ubuntu instance version.
  Ubuntu 20.04:
  Run the following command to add the CASignatureAlgorithms parameter line to the sshd_config file:
      sudo vi /etc/ssh/sshd_config
      cat /etc/ssh/sshd_config | egrep "CASignature"
      CASignatureAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
  Ubuntu 22.04:
  Run the following command to add both the CASignatureAlgorithms and PubkeyAcceptedAlgorithms parameter lines to the sshd_config file:
      sudo vi /etc/ssh/sshd_config
      cat /etc/ssh/sshd_config | egrep "CASignature|PubkeyAccepted"
      CASignatureAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
      PubkeyAcceptedAlgorithms +ssh-rsa-cert-v01@openssh.com,ssh-rsa
- Run the following command to validate the sshd configuration file content:
      sudo sshd -T
- Run the following command to restart the sshd service:
      sudo systemctl restart sshd
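An offline check for the settings described under "Restore the Lightsail system key" and "Configure SSH for Ubuntu 20.04 or later", as an added example that is not AWS code. The function names, the sample configuration and the placeholder key are constructed. The check also catches a TrustedUserCAKeys line appended after a Match block, where sshd applies it only to that block.

```sh
# Added example, not AWS code. Assumptions: keyword and value are separated by
# whitespace, Include files are not followed, and the effective global value
# is the first uncommented occurrence before any Match block.
CA_PATH=/etc/ssh/lightsail_instance_ca.pub

global_value() {  # $1=config file, $2=keyword in lower case
  awk -v want="$2" '
    /^[ \t]*(#|$)/ { next }                 # comments and blank lines
    tolower($1) == "match" { exit }         # global section ends here
    tolower($1) == want { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

has_algo() {  # $1=comma list, optionally prefixed + or ^; $2=algorithm
  case $1 in -*) return 1 ;; esac           # a "-" list removes algorithms
  case ",${1#[+^]}," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# $1=sshd_config, $2=CA key file, $3=Ubuntu release (20.04 or 22.04).
# Prints one finding per line and returns 1 if anything was found.
audit_lightsail_sshd() {
  rc=0
  grep -q '^ssh-rsa ' "$2" 2>/dev/null ||
    { echo "no ssh-rsa key in CA key file"; rc=1; }
  [ "$(global_value "$1" trustedusercakeys)" = "$CA_PATH" ] ||
    { echo "TrustedUserCAKeys is not $CA_PATH in the global section"; rc=1; }
  has_algo "$(global_value "$1" casignaturealgorithms)" ssh-rsa ||
    { echo "CASignatureAlgorithms does not list ssh-rsa"; rc=1; }
  if [ "$3" = 22.04 ]; then
    has_algo "$(global_value "$1" pubkeyacceptedalgorithms)" \
      ssh-rsa-cert-v01@openssh.com ||
      { echo "PubkeyAcceptedAlgorithms lacks ssh-rsa-cert-v01@openssh.com"; rc=1; }
  fi
  return $rc
}

write_sample() {  # constructed input: directive appended after a Match block
  echo 'ssh-rsa CONSTRUCTED-PLACEHOLDER-KEY' > "$1/ca.pub"
  cat > "$1/sshd_config" <<'EOF'
Port 22
CASignatureAlgorithms ecdsa-sha2-nistp256,ssh-ed25519,rsa-sha2-512,rsa-sha2-256
Match User deploy
    X11Forwarding no
TrustedUserCAKeys /etc/ssh/lightsail_instance_ca.pub
EOF
}

demo_dir=$(mktemp -d) && write_sample "$demo_dir"
audit_lightsail_sshd "$demo_dir/sshd_config" "$demo_dir/ca.pub" 22.04 || true
rm -rf "$demo_dir"
```

On a live instance, the output of sudo sshd -T remains the authoritative view of the effective configuration, because it includes settings pulled in through Include files that this file-based check does not follow.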