SSL Issuing from EC2 Instance


EDIT: Feb 23 - Issue is still not resolved. After trying my elastic IP and my DNS provided from the AWS console, in both the SAN and CN interchangeably, testing both, my problems persist. Mainly, I either need to use the Elastic IP in both to proceed to the step that requires me to custom map a local DNS to use a custom domain to complete the assignment, which is not possible as that domain was not included in the certificate, or using that custom domain in the certificate results in httpd/apache failing to start.

Hi all,

I am currently enrolled in a course with an instructor and am having a difficult time with completing the task. The issue is around the common name, the subject alt name, and then issuing the certificate. I am using Canvas and AWS learning modules to launch my EC2 instance of my Linux server. My goal is to issue the request and verify my certificate, but I cannot find clear direction on what should be the SAN or the CN when establishing it. In my ssl.conf file, what do I place in my SAN, or in my CN, at the time of issuing and then verifying the CA? Is it the same?

My DNS, using nslookup: Server: 172.31.0.2 Address: 172.31.0.2#53

I am also issued a DNS name of ec2-44-216-81-198.compute-1.amazonaws.com in my console, and am using an elastic IP to log in with my SSH private key. My instructions are here, and they are not clear (to me at least).

For Chrome, we need to generate the server certificate with the new subjectAltName field. On the Google support web site https://support.google.com/chrome/a/answer/7391219?hl=en, it indicates "For Chrome 58 and later, only the subjectAlternativeName extension, not commonName, is used to match the domain name and site certificate. The certificate subject alternative name can be a domain name or IP address." We need to add the following lines to your openssl.cnf file after line 205. See https://www.openssl.org/docs/man1.0.2/man5/x509v3_config.html#Subject-Alternative-Name

subjectAltName=email:copy
subjectAltName=DNS:<your web server dns name>

In my case, I replace <your web server dns name> with *.myuccs.net. For real applications, you can substitute <your web server dns name> with *.<your organization's DNS name> or the specific web server domain name. * allows the server certificate to be used with any server with the same domain name.

(Excerpt from a much longer document, but I believe that is where I am running into trouble.)

[ec2-user@ip-172-31-85-142 tls]$ sudo misc/CA -newreq
Generating a 2048 bit RSA private key
....................................+++
..................................................+++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CA]:
State or Province Name (full name) [BC]:
Locality Name (eg, city) [Vancouver]:
Organization Name (eg, company) [UCCS]:
Organizational Unit Name (eg, section) [CS]:
Common Name (eg, your name or your server's hostname) []:ec2-44-216-81-198.compute-1.amazonaws.com
Email Address []:myemail@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:Einstein
An optional company name []:      
Request is in newreq.pem, private key is in newkey.pem
[ec2-user@ip-172-31-85-142 tls]$ sudo cp newkey.pem serverKey.pem
[ec2-user@ip-172-31-85-142 tls]$ sudo cp newreq.pem serverReq.pem
[ec2-user@ip-172-31-85-142 tls]$ sudo misc/CA -sign
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            85:ef:ea:65:fa:af:38:c7
        Validity
            Not Before: Feb 10 21:37:46 2024 GMT
            Not After : Feb  9 21:37:46 2025 GMT
        Subject:
            countryName               = CA
            stateOrProvinceName       = BC
            localityName              = Vancouver
            organizationName          = UCCS
            organizationalUnitName    = CS
            commonName                = ec2-44-216-81-198.compute-1.amazonaws.com
            emailAddress              = myemail@gmail.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                B1:48:76:E3:B9:0C:B3:55:5A:68:0F:2A:C8:7C:6D:66:90:C6:F5:19
            X509v3 Authority Key Identifier: 
                keyid:0F:3E:BF:3D:FE:2F:7E:AF:DC:7E:7A:3E:C4:20:94:76:5F:99:F6:59

            X509v3 Subject Alternative Name: 
                DNS:172.31.0.2
Certificate is to be certified until Feb  9 21:37:46 2025 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            85:ef:ea:65:fa:af:38:c7
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CA, ST=BC, O=UCCS, OU=CS, CN=*.compute-1.amazonaws.com/emailAddress=myemail@gmail.com
        Validity
            Not Before: Feb 10 21:37:46 2024 GMT
            Not After : Feb  9 21:37:46 2025 GMT
        Subject: C=CA, ST=BC, L=Vancouver, O=UCCS, OU=CS, CN=ec2-44-216-81-198.compute-1.amazonaws.com/emailAddress=myemail@gmail.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c5:3e:4e:07:a6:4f:70:1f:1f:88:c0:07:f6:1b:
                    56:e4:bd:00:26:fa:a4:41:9b:90:66:a4:3a:a8:fc:
                    bc:50:47:23:fd:0f:5c:62:f6:1b:5b:24:42:8a:6a:
                    fc:7a:56:4d:c1:e7:06:be:7e:6a:f8:01:77:f8:15:
                    dc:93:f5:1c:a8:a1:70:5b:32:97:20:dc:62:6e:c1:
                    5b:0b:63:05:9f:8f:5f:ef:44:7c:fb:36:e1:96:10:
                    57:5e:c4:59:9c:c8:11:41:b5:06:36:b7:04:cf:4b:
                    12:17:92:72:56:10:af:13:49:0d:fb:2f:70:84:59:
                    3c:a4:e9:57:a5:a9:29:3a:7b:75:e3:53:a1:7a:3f:
                    66:2e:84:aa:77:51:91:a6:e3:2b:98:e9:c2:be:d6:
                    34:b8:1e:35:3d:c0:92:15:0e:48:cd:b5:22:a4:33:
                    32:f3:76:35:87:86:a8:74:78:3f:b7:2e:76:88:c0:
                    a0:fc:6f:f6:0b:1c:f6:67:b3:58:9c:0d:db:72:83:
                    a7:4c:9b:d1:b9:dc:b5:d1:3d:ae:5d:2e:86:b9:f5:
                    a9:10:61:18:6b:bd:17:bb:8a:92:38:7a:46:6a:ea:
                    a3:32:fd:39:af:31:d0:6b:62:89:9f:17:26:87:94:
                    06:10:e2:e8:35:a9:5c:75:75:6a:5c:b6:47:a1:b6:
                    1f:ef
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                B1:48:76:E3:B9:0C:B3:55:5A:68:0F:2A:C8:7C:6D:66:90:C6:F5:19
            X509v3 Authority Key Identifier: 
                keyid:0F:3E:BF:3D:FE:2F:7E:AF:DC:7E:7A:3E:C4:20:94:76:5F:99:F6:59

            X509v3 Subject Alternative Name: 
                DNS:172.31.0.2
    Signature Algorithm: sha256WithRSAEncryption
         6e:eb:96:a6:aa:28:06:5a:47:64:9d:d3:b0:58:46:7b:89:73:
         76:dd:6b:47:f8:26:30:56:b3:c9:43:0e:47:10:af:50:49:2a:
         01:29:90:4b:a8:62:7a:53:a7:10:4a:3f:01:0c:b4:c4:50:73:
         97:78:2c:a2:51:5f:1e:81:b2:97:2e:a9:51:9b:24:2c:59:c1:
         2f:3b:31:a6:7d:2f:b9:45:40:4a:cb:06:dc:72:5c:77:24:f4:
         34:8c:a9:f6:60:d4:b9:5f:7d:53:60:dd:53:8c:38:93:0f:17:
         2c:e2:46:44:d8:03:bd:95:cb:9f:29:a4:b1:00:af:30:46:9a:
         6b:6f:93:b8:bf:13:75:54:70:3f:77:89:f9:58:8d:20:7a:b0:
         ad:e5:e5:ea:b7:6f:29:50:b3:0d:77:bb:46:a2:6e:8e:43:d8:
         12:42:34:bf:bd:58:12:b6:b0:97:d0:85:96:88:1c:be:6f:f6:
         88:34:9f:55:e6:c3:73:36:4c:d0:94:f9:c9:85:90:d1:04:63:
         53:ba:8a:0b:01:c9:9f:ca:01:89:46:b8:a7:c8:c0:e8:44:22:
         aa:b4:39:cf:ea:20:dd:3d:f6:96:cc:fe:29:40:1d:29:1d:c3:
         dc:8a:b5:e1:55:63:fd:5d:a4:41:9e:4d:fb:f8:1c:7b:b7:fe:
         b9:27:c3:83
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
[ec2-user@ip-172-31-85-142 tls]$ sudo cp newkey.pem serverKey.pem
[ec2-user@ip-172-31-85-142 tls]$ sudo cp newreq.pem serverReq.pem
[ec2-user@ip-172-31-85-142 tls]$ sudo misc/CA -sign
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            85:ef:ea:65:fa:af:38:c8
        Validity
            Not Before: Feb 10 21:38:01 2024 GMT
            Not After : Feb  9 21:38:01 2025 GMT
        Subject:
            countryName               = CA
            stateOrProvinceName       = BC
            localityName              = Vancouver
            organizationName          = UCCS
            organizationalUnitName    = CS
            commonName                = ec2-44-216-81-198.compute-1.amazonaws.com
            emailAddress              = myemail@gmail.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                B1:48:76:E3:B9:0C:B3:55:5A:68:0F:2A:C8:7C:6D:66:90:C6:F5:19
            X509v3 Authority Key Identifier: 
                keyid:0F:3E:BF:3D:FE:2F:7E:AF:DC:7E:7A:3E:C4:20:94:76:5F:99:F6:59

            X509v3 Subject Alternative Name: 
                DNS:172.31.0.2
Certificate is to be certified until Feb  9 21:38:01 2025 GMT (365 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2
Signed certificate is in newcert.pem
[ec2-user@ip-172-31-85-142 tls]$ sudo cp newcert.pem serverCert.pem
[ec2-user@ip-172-31-85-142 tls]$ sudo cp serverCert.pem /etc/pki/tls/certs/localhost.crt
[ec2-user@ip-172-31-85-142 tls]$ sudo openssl rsa -in serverKey.pem -out serverUnenc.key
Enter pass phrase for serverKey.pem:
writing RSA key
[ec2-user@ip-172-31-85-142 tls]$ sudo chmod 600 *.key
[ec2-user@ip-172-31-85-142 tls]$ sudo cp serverUnenc.key /etc/pki/tls/private/localhost.key
[ec2-user@ip-172-31-85-142 tls]$ sudo nano /etc/httpd/conf.d/ssl.conf
[ec2-user@ip-172-31-85-142 tls]$ sudo nano /etc/httpd/conf.d/ssl.conf -c
[ec2-user@ip-172-31-85-142 tls]$ sudo service httpd restart
Redirecting to /bin/systemctl restart httpd.service
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.

So my problem is this - when I follow the instructions to a T, I cannot start Apache. When I put in my DNS name (the compute-1 DNS from AWS) it does proceed, but the later steps require me to map a local DNS name, which then was incompatible. My goal is to use the subject alt name to create a DNS mapping locally (somedomain.com) while acknowledging that I must use a common name to map internally to the appropriate DNS name (the compute-1 one), but for the life of me I can't seem to get the SAN and the CN to be friendly to each other in order to successfully restart the Apache server and attempt to map a local DNS name to view my page with a signed certificate. The farthest I got was to get the local DNS mapping to be the same as the SAN I put in the conf file, which doesn't really achieve the assignment goal, nor was the certificate secure at that point. The page only loaded. My apologies if I am jumping around a bit, but I've tried this so many times I feel a bit lost and would love some direction, even if just to restart from fresh. I also feel that with every repeated attempt at creating a new CA I am leaving vestigial files that may be impeding my progress (old server reqs, etc.).

Thank you in advance for your assistance and for reading through this question!

2 Answers

Hello, Mohsen

I can empathize with your situation, as SSL/TLS + certificates can be very confusing. I would recommend this knowledge base as a good starting point, for general SSL/TLS issues (including certificates and openssl commands).

Specific to your issue, here are also two URLs linked off of the main knowledge site above.

I'm hopeful the above might be a good starting point to help answer questions. The information you provided understandably has a lot going on as troubleshooting was necessary, so I would recommend starting from the beginning, by breaking down the larger task into sequential steps as you did before.

Based on your info, it sounds like you may need to create a self-signed certificate which references your elastic IP, and that you might need to update ssl.conf so that Apache knows where to locate the certificate files you create. Apache ssl.conf is the configuration file for https (SSL/TLS) port 443 (default) and your elastic IP listener address for port 443. ssl.conf also contains paths where your certificate files should reside. Apache httpd.conf is the configuration file for http (port 80 default) and also has your elastic IP listener address for port 80. The elastic IP of the EC2 Linux host can also be added to the /etc/hosts file, and then a FQDN (fully qualified domain name) can be specified to the right of it, so that the Linux host knows to resolve that name to the elastic IP locally. I understand that you're trying to use DNS with a SAN cert, in order to use wildcard domain names. Is the wildcard SAN cert necessary, or can you just use a fully qualified name?

If this helps solve the issues you've been experiencing, please choose this as the Accepted Answer so others on re:Post may benefit - Thank you!

AWS
answered 3 months ago
EXPERT
reviewed 3 months ago
  • Thanks, I am looking into those now. My assignment results in my having to use local DNS mapping to load the page. I accomplished getting to this stage by using the full DNS name (temporary) provided by the EC2 in the AWS console, however the DNS mapping didn't work. By that, I've narrowed down my issue to a mismatch in the CN and altName, but I can't seem to find which is the right stuff to put in. My assignment says to use a wildcard with a random URL that I can use later, but this always results in an error. Are you saying the elastic IP should work? This is all through a Canvas lab, so it is temporary, therefore there is no permanent DNS/URL to use.

    So, I'm thinking perhaps the elastic IP should be the subjectAltName and the CN should be something with a wildcard and pulled from my EC2 DNS temp info? I'll read through, but while I feel like I grasp the concept (the alt name is something to be accepted while the common name is something it relies on to exist and verify to secure the certificate), this error persists and the systemctl status logs really provide such little actionable info.


See "systemctl status httpd.service" and "journalctl -xe" for details.

Have you tried running these, and what did they tell you?

Check your cert is valid:
openssl x509 -in /path/to/my.crt -text

If it is, make sure that the output of these two commands are the same (this verifies the key matches the cert):
openssl x509 -modulus -noout -in /path/to/my.crt | md5sum; openssl rsa -modulus -noout -in /path/to/my.key | md5sum

Check the entries in your /etc/httpd/conf.d/ssl.conf are referencing the correct filenames:
grep Cert /etc/httpd/conf.d/ssl.conf | grep -v ^#

Sanity-check your Apache config as a whole with:
sudo apachectl configtest

EXPERT
Steve_M
answered 3 months ago
  • The apachectl configtest always shows as valid. I'll try the output of those above commands, but I worry that I now have mismatching information and certs because I've tried so many times, so I will recreate my instance and try from scratch with yours and the other commenter's advice for reading.

    Any input on where the direct, relatable information for SAN and CN should be found and inputted would be hugely helpful though!
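Putting together the openssl.cnf SAN excerpt from the question and the four checks from this answer, the following is an added example, not code from the course hand-out, from AWS, or from either answer. It creates a throw-away lab CA, issues a server certificate whose SAN lists every name a browser might connect with (the EC2 public DNS name from the question, a custom domain, and an elastic IP), and then runs the checks against that certificate and a constructed ssl.conf fragment. `www.example.com` and `203.0.113.10` are placeholders for the assignment's custom domain and the real elastic IP; the lab CA, `san.cnf` and the `ssl.conf` fragment are constructed for the example. For comparison, the certificate in the question carries the single SAN entry `DNS:172.31.0.2`, which is the VPC resolver address from the nslookup output written as a DNS name, so no hostname or IP a browser connects with can ever match it; an address belongs in an `IP:` entry and a hostname in a `DNS:` entry.

```shell
#!/bin/sh
# Added example, not code from the course hand-out, from AWS or from either answer.
# Builds a lab CA, issues a server certificate whose SAN lists every name a client
# might use, then runs the checks from the answer against it and a constructed ssl.conf.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

EC2_DNS="ec2-44-216-81-198.compute-1.amazonaws.com"  # public DNS name from the question
CUSTOM_DOMAIN="www.example.com"                      # placeholder for the assignment's custom domain
ELASTIC_IP="203.0.113.10"                            # placeholder (TEST-NET-3) for the elastic IP

# OpenSSL config. The CN still names the host, but clients match against the SAN
# list, so every name goes there. An address is an IP: entry, not a DNS: entry.
cat > san.cnf <<EOF
[ req ]
distinguished_name = dn
prompt             = no

[ dn ]
C  = CA
ST = BC
O  = UCCS
OU = CS
CN = ${EC2_DNS}

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names

[ alt_names ]
DNS.1 = ${EC2_DNS}
DNS.2 = ${CUSTOM_DOMAIN}
IP.1  = ${ELASTIC_IP}
EOF

# Lab CA (stands in for the CA script's cakey.pem / cacert.pem)
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 365 \
  -subj "/C=CA/ST=BC/O=UCCS/OU=CS/CN=Lab CA" -config san.cnf -extensions v3_ca 2>/dev/null

# Server key and request. -nodes: httpd cannot answer a pass-phrase prompt at start-up.
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
  -config san.cnf 2>/dev/null
chmod 600 server.key

# Sign with the CA; -extfile/-extensions put the SAN into the issued certificate.
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 365 \
  -extfile san.cnf -extensions v3_req -out server.crt 2>/dev/null

# Constructed stand-in for /etc/httpd/conf.d/ssl.conf, pointing at the files above.
cat > ssl.conf <<EOF
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile ${WORK}/server.crt
SSLCertificateKeyFile ${WORK}/server.key
EOF

# Check 1: does the certificate carry the given SAN entry
# (e.g. "DNS:www.example.com" or "IP Address:203.0.113.10")?
cert_has_san() { openssl x509 -in "$1" -noout -text | grep -F -q "$2"; }

# Check 2: does the certificate chain to the CA and match the name or address a
# client will use? This is the test a browser performs.
cert_valid_for_host() { openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1; }
cert_valid_for_ip()   { openssl verify -CAfile "$1" -verify_ip "$3" "$2" >/dev/null 2>&1; }

# Check 3: does the private key belong to the certificate? Equivalent to comparing
# the md5sums of the two "Modulus=" lines as the answer does.
key_matches_cert() {
  [ "$(openssl x509 -modulus -noout -in "$1")" = "$(openssl rsa -modulus -noout -in "$2" 2>/dev/null)" ]
}

# Check 4: do the un-commented SSLCertificate* directives name files that exist?
ssl_conf_paths_exist() {
  grep Cert "$1" | grep -v '^#' | while read -r _directive path _rest; do
    [ -f "$path" ] || { echo "missing: $path" >&2; exit 1; }
  done
}

cert_has_san        server.crt "DNS:${CUSTOM_DOMAIN}"    && echo "SAN lists ${CUSTOM_DOMAIN}"
cert_valid_for_host ca.crt server.crt "${CUSTOM_DOMAIN}" && echo "verifies for ${CUSTOM_DOMAIN}"
cert_valid_for_ip   ca.crt server.crt "${ELASTIC_IP}"    && echo "verifies for ${ELASTIC_IP}"
key_matches_cert    server.crt server.key                && echo "key matches certificate"
ssl_conf_paths_exist ssl.conf                            && echo "ssl.conf paths exist"
```

A wildcard entry such as `DNS.3 = *.myuccs.net` in `alt_names` would match `www.myuccs.net` but not the bare `myuccs.net`, so a name mapped in /etc/hosts has to fall under the wildcard's label or be listed on its own. The `TXT_DB error number 2` in the question's session is the CA script's index.txt refusing a second certificate with an identical subject; the example avoids that database, and in the script-based flow the usual remedies are signing a request with a different subject or clearing the stale index entry before re-signing.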
