AWS Elastic IP pointed to new instance does not work


I created an AMI of my server on AWS, and spun up a new instance.

When I point my elastic IP address to my new instance and type in my domain name I get a timeout error when going to my website.

I have done backups before and just re-pointed my elastic IP but this time it does not seem to be working, any ideas?

Steps I take on AWS:

  1. I click on my elastic IP and pick Actions -> Associate Address
  2. Resource type = Instance
  3. Instance: I select the new instance I just made by copying my old instance
  4. Reassociation: I click the checkbox "Allow Elastic IP to be reassociated if already attached"
  5. I click associate

When I go to my webpage I get this error in Edge:

Error Code: DLG_FLAGS_INVALID_CA
DLG_FLAGS_SEC_CERT_CN_INVALID

When I click proceed I get this instead of my website (Chrome would not allow me to proceed):

[image]

Looks like some sort of certificate issue...

The error I get in Chrome is:

NET::ERR_CERT_AUTHORITY_INVALID
4

There are 4 best solutions below

0
On BEST ANSWER

I did not update my security groups correctly so web traffic wasn't allowed.

3
On

The SSL certificate is invalid, or not installed correctly. It is not related to the EIP at all.

“This site is not secure” is a security alert that prevents users from accessing various websites. In technical language, this error is known as DLG_FLAGS_SEC_CERT_CN_INVALID. You will need to provide more information about the cert, how it was issued, etc. to do any further troubleshooting.

See https://tecoreviews.com/how-to/fix-site-not-secure-pop-error-code-dlg_flags_sec_cert_cn_invalid/

The error message NET::ERR_CERT_AUTHORITY_INVALID is also related to the certificate.

Given these messages, I suspect the certificate has a common name mismatch, a root CA certificate is missing, or it's a self-signed certificate.

Check the certificate details carefully as presented in the browser. The browser itself is rejecting the cert. Check globalsign.com/en/blog/how-to-view-ssl-certificate-details and review. It should be clear why the cert is being rejected. When you see the specific error, you can figure out the cause and then fix it.

3
On

Can you please check which type the server is (EC2-VPC or Classic)?

You can't associate an Elastic IP address that you allocated for use with a VPC with an instance in EC2-Classic, and vice-versa.

If this is the case, you can migrate the Elastic IP from Classic to EC2-VPC.

0
On

The domain name is key. When the SSL cert was created you provided a Common Name (i.e. domain name). Some SSL certificates cover subdomains (wildcard certificates issued for e.g. '*.example.com'); some don't (i.e. www.example.com only). If you have the latter kind, you need to use the exact same domain to address the new box.
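
The certificate checks suggested in the answers above (common name mismatch, wildcard versus single-name coverage, self-signed certificate), as an added example that is not part of any answer on this page. It assumes the certificate is already parsed into the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns; the function names and all sample certificates are constructed for illustration.

```python
# Added example: explain why a browser would reject a certificate for a hostname.
# Sample certificate dicts are constructed, in the shape ssl.SSLSocket.getpeercert() returns.

def cert_names(cert):
    """DNS names the cert covers: SAN entries, falling back to the subject CN."""
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v.lower() for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """Exact match, or a '*.' wildcard covering exactly one left-most label."""
    if pattern.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == pattern[2:]
    return pattern == host

def diagnose(cert, host):
    """Return findings for `host`; an empty list means neither problem was found."""
    host = host.lower().rstrip(".")
    findings = []
    # Browsers report this as DLG_FLAGS_SEC_CERT_CN_INVALID (Edge).
    if not any(name_matches(n, host) for n in cert_names(cert)):
        findings.append("name_mismatch")
    # Heuristic: issuer equal to subject means self-issued, which browsers report
    # as DLG_FLAGS_INVALID_CA / NET::ERR_CERT_AUTHORITY_INVALID.
    if cert.get("issuer") == cert.get("subject"):
        findings.append("self_signed")
    return findings

# Constructed sample certificates.
CA = ((("commonName", "Example Test CA"),),)
WILDCARD = {"subject": ((("commonName", "*.example.com"),),), "issuer": CA,
            "subjectAltName": (("DNS", "*.example.com"),)}
SINGLE = {"subject": ((("commonName", "www.example.com"),),), "issuer": CA,
          "subjectAltName": (("DNS", "www.example.com"),)}
DEFAULT = ((("commonName", "ip-10-0-0-5.internal"),),)
SELF_SIGNED = {"subject": DEFAULT, "issuer": DEFAULT}  # e.g. a server default cert

if __name__ == "__main__":
    for label, cert in (("wildcard", WILDCARD), ("single", SINGLE),
                        ("self-signed", SELF_SIGNED)):
        for host in ("www.example.com", "example.com"):
            print(f"{label:12} {host:16} {diagnose(cert, host) or 'ok'}")
```

A wildcard for `*.example.com` does not cover the bare `example.com`, so a site reached by both names needs both listed in the certificate.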