I am setting up a static site with the following:
I have acquired an SSL certificate through Amazon.
Accessing through https simply times out and the browser will say that the site could not be reached.
I have followed multiple articles that all say the same thing. (I list some of them at the end)
But I can't find the issue.
The only odd thing I have seen is that in the screenshots of the CloudFront distribution options in these articles, they all have an origin SSL protocols setting available. I don't have these.
So, not being an expert on this, how can I debug? Following all these articles, there is no troubleshooting section.
Some of the articles:
- https://www.lambrospetrou.com/articles/migrate-to-aws-static-website/
- https://simonecarletti.com/blog/2016/08/redirect-domain-https-amazon-cloudfront/
- https://simonecarletti.com/blog/2016/08/redirect-domain-http-https-www-cloudfront/
You unfortunately do not provide the name involved so people cannot really troubleshoot things except by throwing guesses.
Here is my generic (not exhaustive and not all possible corner cases) quick but logical list of steps to execute in order to check for timeouts, and you should complete, in that order, each step successfully before going to the next one:
- clientHold status that would forbid its correct resolution. Also make sure that you do not have DNSSEC related errors.
- dig and first check the authoritative nameservers of your domain, then some cache ones (yours, 126.96.36.199). Do you get the IP you are supposed to get? Take care of IPv4 and IPv6, and use both in later steps.
- tcptraceroute with the IP found at the previous step, and towards port https (or any other port specified in the URL). Does the trace complete without errors (no !X or stuff like that at the last line)? Do not use ping for this stuff as the results will not be relevant, you really need to test the TCP level
- https:// URLs of course): try to connect with openssl s_client or equivalent to see if you get back at least the beginning of the TLS handshake and hopefully up to the server certificate. Make sure it is the correct certificate. You can also try with other command line tools with proper switches to get more debug data, like curl. Have a look at OCSP stuff inside the certificate.
- curl to eliminate browsers' complex behaviors.
If all this fails, you will need to go below and start running network sniffers, both in front of your webserver to see what it receives, and after your own client, to see what you send. But this could be another post just by itself, and is not necessary if you did not already remove all previous steps.
Also, since you are using commercial entities to handle your infrastructure, you may try asking them as I am sure you are also paying for some kind of support, and they should have troubleshooting tools and skills to help you for your specific case.
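The ordered checks from the answer above (resolve, then TCP to the port, then TLS and certificate) can be scripted so the first failing stage is obvious. This is an added example, not part of the original answer; the function name `diagnose` and the host `example.com` are placeholders, and it uses the system resolver rather than dig.

```python
import socket
import ssl


def diagnose(host, port=443, timeout=5.0):
    """Run the checks in order and return (stage, target, ok, detail) tuples.

    Stages: "dns" (resolution), "tcp" (connect to the port), "tls" (handshake
    plus certificate verification). A later stage only runs for an address
    that passed the previous one.
    """
    # Stage 1: resolve the name to every IPv4 and IPv6 address it has.
    # Comparing against the authoritative nameservers still needs dig.
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return [("dns", host, False, str(exc))]
    addrs = sorted({info[4][0] for info in infos})
    results = [("dns", host, True, ", ".join(addrs))]

    ctx = ssl.create_default_context()  # verifies the chain and the host name
    for addr in addrs:
        # Stage 2: plain TCP connect. A timeout here means packets never reach
        # a listener (routing, firewall, wrong IP); TLS is not yet in play.
        try:
            sock = socket.create_connection((addr, port), timeout=timeout)
        except OSError as exc:
            results.append(("tcp", addr, False, f"{type(exc).__name__}: {exc}"))
            continue
        results.append(("tcp", addr, True, "connected"))

        # Stage 3: TLS handshake with SNI set to the site name, then report
        # which names the presented certificate covers.
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                sans = [v for k, v in tls.getpeercert().get("subjectAltName", ()) if k == "DNS"]
                results.append(("tls", addr, True, f"{tls.version()} SAN={sans}"))
        except (ssl.SSLError, OSError) as exc:
            results.append(("tls", addr, False, f"{type(exc).__name__}: {exc}"))
        finally:
            sock.close()
    return results


if __name__ == "__main__":
    # "example.com" is a placeholder; substitute the site being debugged.
    for stage, target, ok, detail in diagnose("example.com"):
        print(f"{stage:3} {target:40} {'ok' if ok else 'FAIL'}  {detail}")
```

A failure at the "tcp" stage for only one address family points at a stale or wrong A/AAAA record; a "tls" failure with a verification error means the endpoint answered but presented a certificate that does not cover the requested name.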