I have a server that hosts a website delivered via https on port 443. The website is not directly open to the public internet, but traffic is routed via a VPN from an EC2 instance that has a public facing IP.
The website can be accessed from the host server, from computers on the same internal network, and from computers on the VPN that are not the EC2 instance.
Issuing the command openssl s_client -connect www.mydomain.tld:443
from any of those machines gives the response:
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = cloud.hss.ac.uk
verify return:1
---
Certificate chain......
[Truncated for brevity]
However, the same command issued on the EC2 instance, or from a machine outside the internal or VPN networks, gives the response:
CONNECTED(00000003)
So, we are getting a connection, but no SSL certificates?
Setting log level to debug on the Apache conf file shows that the SSL certificates are being served, but they do not reach the EC2 instance for some reason.
The EC2 instance just NATs incoming requests on ports 80 and 443 to the hosting server using nftables. Here are the settings in /etc/nftables.conf:
#!/usr/sbin/nft -f
flush ruleset
table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        meta nftrace set 1
        # Forward inbound HTTP/HTTPS arriving on eth0 to the internal hosting server
        iifname "eth0" tcp dport { 80, 443 } dnat to x.x.x.x
        counter
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        meta nftrace set 1
        # Rewrite the source address so replies come back through this instance
        masquerade
    }
}
This all works fine on port 80.
I'm running out of ideas, so I'm looking for some here.
The VPN is a Hamachi VPN, in case that is relevant.
IP forwarding is enabled:
sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
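The symptom in the question is a TCP connection that completes but a TLS handshake that never produces a certificate. The following added example (my own diagnostic script, not part of the question or of any answer) separates the two stages explicitly: it records whether the TCP connect succeeded, then attempts a TLS handshake with a timeout and classifies the outcome as a timeout (no ServerHello ever arrived, which is what a plain `CONNECTED` with nothing after it looks like), an EOF/reset during the handshake, or a completed handshake with a certificate. The hostname, port and timeout values are assumptions to be replaced with your own; the `make_listener` helper only exists so the script can be exercised offline against constructed local sockets.

```python
"""Probe a host:port and report how far a TLS connection gets.

Added diagnostic example (not from the original post). It distinguishes:
  - TCP connect failure          -> error starts with "tcp:"
  - TCP ok, handshake timed out  -> error "tls: handshake timed out"
  - TCP ok, EOF/reset in handshake -> error "tls: ..."
  - TCP ok, TLS ok               -> tls=True, certificate size and version
"""
import socket
import ssl
import threading
import time


def probe_tls(host, port=443, timeout=5.0, sni=None):
    """Return a dict describing the TCP and TLS stages separately."""
    result = {"tcp": False, "tls": False, "error": None,
              "cert_bytes": 0, "version": None}
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        result["error"] = f"tcp: {exc}"
        return result
    result["tcp"] = True

    # Diagnostic only: we want to observe whether a certificate arrives at all,
    # so validation is disabled here. Do not copy this into production clients.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock, server_hostname=sni or host) as tls:
            result["tls"] = True
            result["cert_bytes"] = len(tls.getpeercert(binary_form=True) or b"")
            result["version"] = tls.version()
    except socket.timeout:
        # ClientHello was sent but no ServerHello/Certificate came back.
        result["error"] = "tls: handshake timed out"
    except ssl.SSLError as exc:
        result["error"] = f"tls: {exc.reason or exc}"
    except OSError as exc:
        # e.g. ConnectionResetError while the handshake is in flight
        result["error"] = f"tls: {exc}"
    finally:
        sock.close()
    return result


def make_listener(mode):
    """Constructed local listener for offline testing; returns its port.

    mode "silent": accept the TCP connection and never answer (mimics the
                   'CONNECTED but no certificates' symptom).
    mode "close":  read the ClientHello, then close the connection.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        if mode == "silent":
            time.sleep(5)          # hold the connection open, say nothing
        else:
            conn.recv(4096)        # consume the ClientHello, then hang up
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def free_port():
    """Constructed helper: a port nothing is listening on."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "www.mydomain.tld"  # assumption
    print(probe_tls(target, 443, timeout=5.0))
```

Run it from the EC2 instance and from a VPN client against the same name; a `tcp: True` with `tls: handshake timed out` on one path and a completed handshake on the other confirms that the loss happens after the TCP connect, which is the stage the NAT rules above are responsible for.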