2

I'm probably missing something really basic, but I've been trying for some time now to configure an Apache server (which serves a WordPress site) for SSL with a DigitalOcean load balancer.

The load balancer is supposed to hold the certificate and redirect HTTP access on port 80 to HTTPS on port 443; the problem is that Apache responds with a 400 and this string: "\x16\x03\x01".

According to my investigation (I might be wrong, feel free to correct me) this is because Apache is trying to do an SSL handshake, and for that I need to enable the SSLEngine directive, but when I do so I get an error: "Failed to configure at least one certificate and key for <my_domain>:443".

I think I understand this is because I'm not adding the SSLCertificateFile and SSLCertificateKeyFile directives; I was expecting it would read the certificate from the load balancer, but apparently it does not, and I don't see any directive which allows me to do that in the Apache documentation.

There's a lot online about setting up Apache as a reverse proxy, but I haven't been able to find anything on connecting from a proxy/load balancer.

I appreciate any help you can provide; I'm adding some screenshots here to help clarify the situation.

[Screenshots: Apache Error; Load Balancer Config; SSL Config File; Default Config File]

4
  • Welcome to this site. The DigitalOcean docs could help you: docs.digitalocean.com/products/networking/load-balancers/how-to/… Commented Mar 4, 2023 at 0:15
  • If you want SSL termination, the certificate needs to be on the load balancer, not on Apache. Commented Mar 4, 2023 at 0:16
  • Hi, yes, I've seen that guide and configured the balancer accordingly; the issue is Apache responds with a 400 status and the string "\x16\x03\x01" to connections on port 443. Commented Mar 4, 2023 at 10:13
  • If you don't care about the internal traffic encryption, you need to use SSL termination as per the documentation: lb-with-certificates-configured->apache(listening-on-port-80) Commented Mar 4, 2023 at 17:38

1 Answer 1

0

I've managed to make it work by adding a self-signed certificate in Apache. I'm not sure if it is the best or most elegant way, but it's the only one I'm aware of that allows me to keep the balancer certificate for the clients (which I want, so DO auto-renews it) without having to configure it all over again on the server.

As per my understanding this does not present a security issue, because the communication between the LB and the server happens on a VPC, and even with a self-signed cert it's still encrypted with SSL.

If anyone has suggestions on improving this, they are welcome; I'm just posting this in case it helps someone in the future.
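A worked version of the setup the answer above describes, added here as an example; it is not the answerer's own configuration. It assumes a Debian/Ubuntu Apache layout (`a2enmod`, `/etc/apache2/sites-available`) and a load balancer forwarding rule of the form HTTPS:443 -> HTTPS:443, so the public certificate stays on the load balancer and the hop to the droplet is re-encrypted; the hostname `wp-backend.internal`, the directory `/etc/ssl/backend` and the VPC range `10.0.0.0/8` are placeholders. The `"\x16\x03\x01"` in the question is the first three bytes of a TLS record header (content type 0x16, a handshake, and record version 0x0301) as escaped by Apache's logger: the load balancer was sending a TLS ClientHello to a port 443 listener that had no `SSLEngine on`, so Apache parsed the handshake as a malformed HTTP request line and answered 400. Supplying any certificate and key, self-signed included, is what lets mod_ssl complete that handshake.

```shell
#!/bin/sh
# Added example, not code from the original answer. Assumes a Debian/Ubuntu
# Apache layout (a2enmod, /etc/apache2/sites-available) and a DigitalOcean
# load balancer forwarding rule HTTPS:443 -> HTTPS:443 (the LB keeps the
# public certificate and re-encrypts to the droplet). The hostname, paths
# and VPC range below are placeholders.
set -eu

DOMAIN="${DOMAIN:-wp-backend.internal}"   # name only the LB ever connects to
CERT_DIR="${CERT_DIR:-/etc/ssl/backend}"
VPC_RANGE="${VPC_RANGE:-10.0.0.0/8}"      # assumed VPC address space

# Self-signed certificate for the LB -> Apache hop. Nothing verifies it, so
# its only job is to let mod_ssl complete the handshake and encrypt the hop.
make_selfsigned_cert() {
    mkdir -p "$CERT_DIR"
    openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes \
        -subj "/CN=$DOMAIN" \
        -keyout "$CERT_DIR/$DOMAIN.key" -out "$CERT_DIR/$DOMAIN.crt"
    chmod 600 "$CERT_DIR/$DOMAIN.key"
}

# The :443 virtual host that the question was missing. With SSLEngine off,
# Apache reads the TLS ClientHello (record header 16 03 01 ...) as a malformed
# HTTP request line and answers 400, which is the "\x16\x03\x01" in the log.
vhost_443_conf() {
    cat <<EOF
<VirtualHost *:443>
    ServerName $DOMAIN
    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile    $CERT_DIR/$DOMAIN.crt
    SSLCertificateKeyFile $CERT_DIR/$DOMAIN.key
    SSLProtocol -all +TLSv1.2 +TLSv1.3

    # The LB already terminated the browser's connection; restore the real
    # client address from its header, but only when the peer is in the VPC,
    # so a direct connection cannot spoof X-Forwarded-For.
    RemoteIPHeader X-Forwarded-For
    RemoteIPInternalProxy $VPC_RANGE

    ErrorLog \${APACHE_LOG_DIR}/backend-ssl-error.log
    CustomLog \${APACHE_LOG_DIR}/backend-ssl-access.log combined
</VirtualHost>
EOF
}

# Usage (as root on the droplet): sh backend-tls.sh install
# Afterwards "openssl s_client -connect 127.0.0.1:443 -servername wp-backend.internal"
# should show a completed handshake instead of an HTTP 400.
if [ "${1:-}" = "install" ]; then
    make_selfsigned_cert
    vhost_443_conf > /etc/apache2/sites-available/backend-ssl.conf
    a2enmod ssl remoteip
    a2ensite backend-ssl
    apache2ctl configtest
    systemctl reload apache2
fi
```

Because mod_ssl terminates the LB-to-Apache hop, WordPress sees `HTTPS=on` natively and needs no `X-Forwarded-Proto` workaround; `RemoteIPInternalProxy` keeps `X-Forwarded-For` from being trusted when someone bypasses the balancer and connects to the droplet directly. The caveat the answer already hints at: a self-signed certificate that nobody verifies protects the VPC hop against passive observation only, not against a peer that can answer on the backend's address, so also restrict the droplet's firewall so that only the load balancer can reach ports 80 and 443.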
