GrahamDumpleton / mod_wsgi

Source code for Apache/mod_wsgi.
Apache License 2.0

Configured SSL/TLS certificate for Apache, https site throws back "The connection for this site is not secure, [site] sent an invalid response" #896

Open CP-Tadeo opened 1 month ago

CP-Tadeo commented 1 month ago

Recently configured Apache to read the issued SSL/TLS certificate, but when I tested the https site it returns the insecure connection and invalid response.

Below is my virtual host configuration in httpd/conf.d/

<VirtualHost *:443>
    ServerName example.com

    DocumentRoot /var/www/html/capacity_management
    WSGIDaemonProcess capacity_management python-home=/var/www/html/capacity_management/myenv python-path=/var/www/html/capacity_management
    WSGIScriptAlias / /var/www/html/capacity_management/main.wsgi

    <Directory /var/www/html/capacity_management>
        Options +ExecCGI +FollowSymlinks
        AllowOverride None
        AddHandler wsgi-script .wsgi
        WSGIProcessGroup capacity_management
        WSGIApplicationGroup %{GLOBAL}
        WSGIScriptReloading On
        Require all granted
    </Directory>

    ErrorLog /var/log/httpd/error_log
    CustomLog /var/log/httpd/access_log combined
</VirtualHost>

Note: ServerName is not the officially issued name in the TLS certificate.

Below is also my ssl.conf, which directs Apache to the SSL certs:

Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  30
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

##
## SSL Virtual Host Context
##

<VirtualHost _default_:443>
SSLEngine on
SSLProtocol all -SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
SSLCertificateFile /etc/pki/tls/certs/[site_folder]/example.crt
SSLCertificateKeyFile /etc/pki/tls/certs/[site_folder]/example.key
SSLCACertificateFile /etc/pki/tls/certs/[site_folder]/example.cabundle
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

For reference, I was following this when configuring it: https://docs.aws.amazon.com/linux/al2/ug/SSL-on-amazon-linux-2.html

I used the SSL checker https://www.sslshopper.com/ssl-checker.html

and it says: "No SSL certificates were found on [site]. Make sure that the name resolves to the correct server and that the SSL port (default is 443) is open on your server's firewall." The SSL port 443 is open and listening.

What am I missing?

GrahamDumpleton commented 1 month ago

You need to have the SSL directives inside of the VirtualHost, for:

<VirtualHost *:443>
    ServerName example.com

You have them under:

<VirtualHost _default_:443>

The ServerName should be the actual hostname you access the site as, and should match the hostname the certificates are created for.

CP-Tadeo commented 1 month ago

What a coincidence, minutes before I read your comment I just changed the directives to be under *:443, and now it's working! Thank you!

Not sure why the guide from AWS had me set it under _default_:443 though. Would there be conflicts if the directives are in both?

GrahamDumpleton commented 1 month ago

In the AWS docs they probably presume you will not create your own VirtualHost. When you don't, it will use the default virtual host as a fallback. Since you did create a VirtualHost with your ServerName though, it would take priority over the default.

So by having them in both, if someone accesses your site with a hostname other than that defined for ServerName in your virtual host, the default will handle it, and since the certificates aren't going to match whatever host may have been used, it would get rejected by the browser as not matching. So best not to set up a default SSL virtual host and rely on your own one where you set the proper ServerName.

GrahamDumpleton commented 1 month ago

Note that the default isn't actually the one marked as _default_. That is just a convention that it is named that. The one which it falls back onto is actually whatever VirtualHost was found first when reading the configuration. Usually _default_ would be set up to be read first, and thus why it is used.
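As an added illustration of the advice in this thread (not part of the original issue or of mod_wsgi itself), the two fragments above merged into a single `*:443` virtual host: the SSL directives sit next to the ServerName the certificate was issued for, and the separate `_default_:443` host in ssl.conf is dropped so this host is also the first, and therefore fallback, `*:443` host. Paths, names and `[site_folder]` are the poster's placeholders, kept as posted.

```apache
# Added example, not the poster's working file: one *:443 virtual host
# carrying both the SSL and the mod_wsgi directives.
Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  30
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

# No <VirtualHost _default_:443> block: with this as the first (and only)
# *:443 host it is also what Apache falls back to when a client's SNI
# hostname matches no ServerName, so every HTTPS request gets this cert.
<VirtualHost *:443>
    # Must be the hostname clients type, and must be covered by the
    # certificate's Subject Alternative Name entries.
    ServerName example.com

    SSLEngine on
    SSLProtocol all -SSLv3
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
    SSLCertificateFile    /etc/pki/tls/certs/[site_folder]/example.crt
    SSLCertificateKeyFile /etc/pki/tls/certs/[site_folder]/example.key
    # Kept as posted; on Apache 2.4.8+ the intermediate bundle can instead
    # be appended to the PEM named by SSLCertificateFile.
    SSLCACertificateFile  /etc/pki/tls/certs/[site_folder]/example.cabundle

    DocumentRoot /var/www/html/capacity_management
    WSGIDaemonProcess capacity_management python-home=/var/www/html/capacity_management/myenv python-path=/var/www/html/capacity_management
    WSGIScriptAlias / /var/www/html/capacity_management/main.wsgi

    <Directory /var/www/html/capacity_management>
        Options +ExecCGI +FollowSymlinks
        AllowOverride None
        AddHandler wsgi-script .wsgi
        WSGIProcessGroup capacity_management
        WSGIApplicationGroup %{GLOBAL}
        WSGIScriptReloading On
        Require all granted
    </Directory>

    ErrorLog /var/log/httpd/error_log
    CustomLog /var/log/httpd/access_log combined
    CustomLog logs/ssl_request_log \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
```

After a restart, `httpd -S` lists the virtual hosts in the order Apache read them (the first `*:443` entry is the fallback), and `openssl s_client -connect example.com:443 -servername example.com` shows which certificate is actually served for that name.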