7

I created an AMI of my server on AWS, and spun up a new instance.

When I point my elastic IP address to my new instance and type in my domain name I get a timeout error when going to my website.

I have done backups before and just re-pointed my elastic IP, but this time it does not seem to be working. Any ideas?

Steps I take on AWS:

  1. I click on my elastic IP and pick Actions -> Associate Address
  2. Resource type = Instance
  3. Instance: I select the new instance I just made by copying my old instance
  4. Reassociation: I click the checkbox "Allow Elastic IP to be reassociated if already attached"
  5. I click associate

When I go to my webpage I get this error in Edge:

Error Code: DLG_FLAGS_INVALID_CA
DLG_FLAGS_SEC_CERT_CN_INVALID

When I click proceed I get this instead of my website (Chrome would not allow me to proceed):


Looks like some sort of certificate issue...

The error I get in Chrome is:

NET::ERR_CERT_AUTHORITY_INVALID
ottomeister
Ten Digit Grid

4 Answers

0

Can you please check which type of server it is (EC2-VPC or Classic)?

You can't associate an Elastic IP address that you allocated for use with a VPC with an instance in EC2-Classic, and vice-versa.

If this is the case, you can migrate the Elastic IP from Classic to EC2-VPC.

Swapnil Kadu
0

The SSL certificate is invalid, or not installed correctly. It is not related to the EIP at all.

"This site is not secure" is a security alert that prevents users from accessing various websites. In technical language, this error is known under the name DLG_FLAGS_SEC_CERT_CN_INVALID. You will need to provide more information about the cert, how it was issued, etc. to do any further troubleshooting.

See https://tecoreviews.com/how-to/fix-site-not-secure-pop-error-code-dlg_flags_sec_cert_cn_invalid/

The error message NET::ERR_CERT_AUTHORITY_INVALID is also related to the certificate.

Given these messages, I suspect the certificate has a common name mismatch, a root CA certificate is missing, or it's a self-signed certificate.

Check the certificate details carefully as presented in the browser. The browser itself is rejecting the cert. Check globalsign.com/en/blog/how-to-view-ssl-certificate-details and review. It should be clear why the cert is being rejected. When you see the specific error, you can figure out the cause and then fix it.

Rodrigo Murillo
  • But what would have changed when I made a copy of the working instance? Is the copy not exactly the same? – Ten Digit Grid Dec 05 '18 at 14:20
  • I used certbot with Let's Encrypt – Ten Digit Grid Dec 05 '18 at 14:32
  • 1
    Check the certificate details carefully as presented in the browser. The browser itself is rejecting the cert. Check https://www.globalsign.com/en/blog/how-to-view-ssl-certificate-details/ and review. It should be clear why the cert is being rejected. When you see the specific error, you can figure out the cause and then fix it. – Rodrigo Murillo Dec 06 '18 at 14:53
0

The domain name is key. When the SSL cert was created you provided a Common Name (i.e. domain name). Some SSL certificates cover subdomains (wildcard certificates issued for e.g. '*.example.com'); some don't (i.e. www.example.com only). If you have the latter kind, you need to use the exact same domain to address the new box.

carlsborg
0

I did not update my security groups correctly so web traffic wasn't allowed.

Ten Digit Grid
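A triage sketch, added here and not written by anyone in this thread, that separates the two failure classes discussed above: the timeout (inbound traffic blocked, as with the security group) and the browser certificate errors (name mismatch, self-signed, untrusted CA). The function names and the `example.com` placeholder are assumptions; the numeric codes are OpenSSL's `X509_V_ERR_*` verify codes.

```python
import socket
import ssl
import sys

# OpenSSL X509_V_ERR_* verify codes mapped to the causes named in the answers.
VERIFY_CAUSES = {
    10: "certificate has expired",
    18: "self-signed certificate",
    19: "self-signed certificate in the chain",
    20: "issuing CA not trusted, or intermediate certificate missing",
    21: "leaf signature cannot be verified (chain incomplete)",
    62: "certificate name does not match the hostname",
}


def classify(exc):
    """Map a connect/handshake exception to its most likely cause."""
    # Certificate failures first: SSLCertVerificationError is also an OSError.
    if isinstance(exc, ssl.SSLCertVerificationError):
        code = getattr(exc, "verify_code", None)
        cause = VERIFY_CAUSES.get(code, f"verification failed (code {code})")
        return "cert: " + cause
    if isinstance(exc, (socket.timeout, TimeoutError)):
        # Packets silently dropped: typical of a security group or network
        # ACL that has no inbound rule for this port.
        return "network: timed out; check security group inbound rules"
    if isinstance(exc, ConnectionRefusedError):
        # The host answered, so filtering is fine; the service is not up.
        return "network: connection refused; check the web server is listening"
    if isinstance(exc, socket.gaierror):
        return "dns: name did not resolve; check the DNS record"
    return f"other: {exc!r}"


def probe(host, port=443, timeout=5):
    """Connect, run a verified TLS handshake, and report the outcome."""
    ctx = ssl.create_default_context()  # system trust store, hostname check on
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "ok: certificate verified, expires " + tls.getpeercert()["notAfter"]
    except OSError as exc:
        return classify(exc)


if __name__ == "__main__":
    # example.com is a placeholder; pass the real domain as the first argument.
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```

Run it against the domain name rather than the IP address, since the hostname check only means something for the name the certificate was issued for.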