Site Won't Load (SSL Issue) After Restoring AWS/EC2 Instance W/ Elastic IP

What is the name of the domain?

tradablepatterns.com

What is the error message?

The IP address has changed. The IP address for this domain may have changed recently. Check your DNS settings to verify that the domain is set up correctly. It may take 8-24 hours for DNS changes to propagate. It may be possible to restore access to this site by following these instructions for clearing your dns cache.

What is the issue you’re encountering

Hi, my website was working fine w/ Cloudflare until I decided to backup my AWS/EC2 Instance and Restore it. Subsequently, I pointed the previous Elastic (Static) IP back to my Domain, but the site no longer loads.

What steps have you taken to resolve the issue?

I’ve tried relaxing the Cloudflare SSL/TLS encryption mode from Full to Flexible and even Off, but to no avail. I’ve also cleared Cache from Cloudflare as well as from my browsers, and reinstalled the SSL certificate from Cloudflare, as well as restarted my Apache server.

Screenshot of the error

Your site is not proxied by Cloudflare, so you don’t need to look at your Cloudflare settings, other than to make sure you are using the correct IP address.

If the IP address is correct, the issue will be with your server configuration.

Hi, thanks for the quick response. The site initially was proxied by CF, but I turned off the proxy on the A record to see if it would help. I have since turned it back on. If I have a hostname (e.g. server.tradablepatterns.com) different from my domain (tradablepatterns.com) do I need that proxied as well?

Within WHM on the SSL/TLS status, my domain has an unknown certificate type (as seen in the following)

Any idea why this may be the case even though my SSL configuration/installation got graded B on GlobalSign?

That’s because you are using a Cloudflare Origin Certificate for the connection between Cloudflare and your server.

That test sees the Certificate that is used for the connection between Cloudflare and your visitors, which is a publicly trusted certificate, not an Origin certificate.

I would recommend that you keep the proxy off until you have fixed the issues with your server configuration.

Thanks again for the prompt response Laudian.

So even though I have the Cloudflare Origin Certificate installed, I still need one by another CA like https://letsencrypt.org/? I was trying to install Certbot (https://certbot.eff.org/) yesterday via command line (I’m hosted on an AWS EC2 instance of CentOS) but failed as I’m a complete novice w/ Linux command lines. I followed the instructions on the Certbot side, w/ the Certbot commands not really working as Certbot couldn’t seem to access the Apache server.

Darren

Yes, but Cloudflare handles that automatically when the domain is proxied.

What you need to do is fix your server configuration so that your website is shown instead of the generic cPanel error page.

hmm…I’m in WHM now, and I see that leah.ns.cloudflare.com points to 108.162.192.129. Is this the correct IP address?

I’m confused as when I google this nameserver, I also see an IP of: 173.245.58.129

You do not need to replace your Cloudflare Origin CA certificates for any hostname that will be proxied. You just need to understand that you will receive an unknown issuer warning while the hostname is not proxied.

The issue that needs to be fixed is the server not loading your site, which usually indicates a missing configuration on the server itself.


Cloudflare nameservers answer at many different addresses and use anycast, which means that even the same address may appear to exist in different datacenters for different users. The simplest approach is to not dwell on it.

If you want to learn more about how Anycast DNS works, this article is a good starting point.

https://www.cloudflare.com/learning/dns/what-is-anycast-dns/

Ok, on the proxying, assuming I can get tradablepatterns.com to load properly, should I within Cloudflare also set a hostname (like server.tradablepatterns.com) to proxy?

I’m wondering how the server configuration could have been messed up since I restored an AMI within AWS EC2 from a snapshot I would’ve created from an instance working perfectly fine in conjunction with Cloudflare before I made any changes.

The change that brought my site down yesterday was, I decided to create a 2nd instance of my web server image from within AWS (as a backup) before trying to upgrade Centos 7.9 to AlmaLinux. The upgrade didn’t work part way through, where I couldn’t even Putty into my server anymore. I then decided to restore from the backup AMI, creating this 2nd instance which I then had to associate with the IP address that was used all along and associated w/ the 1st instance.

Thanks for clarifying! I’ll leave those nameserver entries w/ the existing IPs then.


That really depends on why you are creating that hostname and what you expect it to do. We would need to know that before we can answer this question.

When I first installed WHM/Cpanel, I would’ve been prompted to assign some hostname. Or can the hostname just be called the same as the domain (in my case that’d be tradablepatterns.com)?

I’ve not used cPanel in long enough, that I cannot answer that question. None of my naming practices are going to be useful for you.

If you want to be able to use any particular hostname, you will need a corresponding DNS entry in your Cloudflare DNS. Whether that hostname should be proxied or DNS Only will depend on whether it needs to work with protocols other than HTTP and HTTPS. Hostnames for use with email, ssh, and other non-HTTP protocols must be DNS Only. Hostnames that use Cloudflare Origin CA certificates need to be used only for HTTP and HTTPS and must be proxied.


Much appreciated on everything so far!

Going back to the DNS records within Cloudflare, I believe one of my issues is around Reverse DNS, where I’ve created the following PTR record in CF:

name: 113.47.44.52.in-addr.arpa
value: tradablepatterns.com

Because I use AWS EC2 for my Apache website, AWS appears to have control over my reverse DNS record.

I’ve provided them the following at their request, where EIP is my static IP:

  • Reverse DNS Record for EIP(s) : 113.47.44.52.in-addr.arpa
  • Elastic IP Address(es) : 52.44.47.113

For some reason though, they’re suggesting I first create an A record pointing to that IP which I of course have already done in CF. Let me know what you think of their following response:

The mapping for this reverse DNS entry is failing because the PTR record does not match the A record for that domain. We currently require the forward A record to match the PTR record for all reverse DNS entries.

You can either provide us with an alternate hostname or configure the A record for this domain to match the desired PTR record on your side.

If you would like to proceed with assigning a reverse DNS record to the Elastic IP, the first step would be to configure the A record for the domain to match the desired PTR record on your side.

Please follow the instructions at the link below to create the A record:
Creating records by using the Amazon Route 53 console - Amazon Route 53

Once created, please reply back with the updated record information so that we can continue processing your request.

I would still recommend that you set Cloudflare to DNS-Only and then forget it ever existed until your website starts working.

I see your Cloudflare Origin Certificate when I access your site, so we can be sure that you used the correct IP address and the IP binding to the instance is working.

What you now need to do is fix the configuration of your webserver. You don’t need to look at Cloudflare, or PTR records, or anything else. The only thing that matters is the configuration for your webserver.

You can’t create PTR records in Cloudflare, so you can delete that.

Your A record is proxied, so it is not pointing to that IP. It is completely unrelated to your other issue, but the target of your reverse records should be a DNS-Only A record.

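The forward-confirmation rule in the AWS reply, and the point that a proxied A record cannot satisfy it, as an added Python example (not code from the thread, AWS or Cloudflare): it resolves the PTR for the Elastic IP, then checks that the named host's A record contains that IP. The resolver is injectable and the zone data below is constructed (198.51.100.10 is a documentation address standing in for the Cloudflare edge address a proxied record returns), so it runs offline.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple

# A resolver takes (name, rrtype) and returns the answer strings.
Resolver = Callable[[str, str], List[str]]


def reverse_name(ip: str) -> str:
    """Build the in-addr.arpa name AWS asked for: 52.44.47.113 -> 113.47.44.52.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def fcrdns_check(ip: str, resolve: Resolver) -> Tuple[bool, str]:
    """Forward-confirmed reverse DNS: PTR(ip) must name a host whose A records include ip.

    This is the rule in the AWS reply: the forward A record must match the PTR
    record before they will install the reverse mapping.
    """
    ptr_targets = resolve(reverse_name(ip), "PTR")
    if not ptr_targets:
        return False, f"no PTR record for {ip}"
    host = ptr_targets[0].rstrip(".")
    a_records = resolve(host, "A")
    if ip in a_records:
        return True, f"{ip} -> {host} -> {a_records}: forward-confirmed"
    # A proxied Cloudflare record answers with an edge address, never the origin EIP,
    # so the check fails exactly as the AWS support reply describes.
    return False, f"{ip} -> {host} -> {a_records}: A record does not contain {ip}"


# Constructed zone data (hypothetical answers, not live DNS). The EIP and domain are
# the ones in the thread; 198.51.100.10 is a placeholder for a Cloudflare edge address.
PROXIED_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("113.47.44.52.in-addr.arpa", "PTR"): ["tradablepatterns.com."],
    ("tradablepatterns.com", "A"): ["198.51.100.10"],
}
DNS_ONLY_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("113.47.44.52.in-addr.arpa", "PTR"): ["tradablepatterns.com."],
    ("tradablepatterns.com", "A"): ["52.44.47.113"],
}


def make_resolver(zone: Dict[Tuple[str, str], List[str]]) -> Resolver:
    """Wrap a static zone table as a resolver; swap in a real lookup for live checks."""
    return lambda name, rrtype: list(zone.get((name, rrtype), []))


if __name__ == "__main__":
    for label, zone in (("proxied", PROXIED_ZONE), ("dns-only", DNS_ONLY_ZONE)):
        ok, why = fcrdns_check("52.44.47.113", make_resolver(zone))
        print(f"{label:9s} {'PASS' if ok else 'FAIL'}: {why}")
```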

ok, after a lot of back and forth w/ AWS, their support team has finally managed to save my reverse DNS record mapping as follows:

52.44.47.113 <-> tradablepatterns.com

This should at the very least help w/ my email deliverability (which has been suffering for the 10yrs of running this site due to confusion over exactly how to fine tune DNS records).

The nice thing is, after tidying up my numerous older SSL certs and private keys that were cluttered on my AWS Apache, my WHM and Cpanel work fine w/ no warnings on the SSL (which was the case earlier today).

The error when trying to browse my website now is as follows:

Just want to close by saying I finally managed to restore access to my website domain (w/ Cloudflare turned on now on strict SSL mode) where I had to launch a new AWS EC2 instance from Bitnami (w/ WordPress) as the previous CentOS 7 migration to AlmaLinux 8 appeared to have destroyed my installation/configuration of WordPress / Apache. The domain now loads fine at https://tradablepatterns.com, where I’m building a new site using a fresh theme. The SSL warnings also disappeared after using the Bitnami SSL creation tool to issue a cert specifically for the traffic b/w Cloudflare and my server. Thanks once again @Laudian and @epic.network for your guys’ patience and assistance!
