Issue with HTTPS Access to AMP Front End

  • Last Post 13 March 2021
  • Topic Is Solved
Craigus posted this 11 March 2021

OS Name/Version: Windows Server 2019

Product Name/Version: 2.1.0.12

Problem Description: I have followed the GitHub instructions and successfully created an SSL wildcard certificate and imported this into my server as .PFX for use with AMP. Once the certificate is imported I can access the AMP Front End using HTTPS; however, after rebooting the server I cannot access the front end (I get ERR_CONNECTION_CLOSED on my browser). I have to remove and re-import the certificate into the certificate store after each reboot before I am able to access AMP again.

Steps to reproduce:

  • Generate SSL certificate in PFX format
  • Import into Personal Store (Local Computer)
  • Add the serial number of the certificate into the AMP.conf file
  • Start the Front End instance and verify you can connect via HTTPS
  • Stop the Front End instance and reboot the server
  • Start the Front End instance and attempt to access again (ERR_CONNECTION_CLOSED)

Actions taken to resolve so far:

Posted a message in the Discord Chat and a member of the group suggested I try setting up a Reverse Proxy through IIS, unfortunately this hasn't resolved the issue.

Thanks in advance for your help

Mike posted this 13 March 2021

Using a reverse proxy is very much the advised way to do HTTPS with AMP. AMP itself is somewhat picky about the certificates it uses.

Configuring IIS to act as a proxy requires that ARR is installed and configured. After that the standard profile for a reverse proxy works fine after telling it what the server address is.

Craigus posted this 13 March 2021

Hi Mike,

Thanks a lot for the help with this, is there any information on how to set this up on IIS specifically to AMP? I've not had any dealings with Reverse Proxying so I'm struggling to know whether what I'm doing is right. Is the goal to proxy any external requests on Port 80 to the AMP instance on Port 8080?

Another thing I wanted to mention is that my SSL certificate was generated with Certbot and converted to .PFX format using OpenSSL. I'm not sure if it has any bearing on anything.

Thanks in advance Craig

Craigus posted this 13 March 2021

Hi Mike,

Just wanted to let you know that I've managed to figure this one out now. There was an event in Event Viewer to do with a TLS issue (ID 36870); it looks like it was something to do with accessing the private key. I did a bit of googling and it turns out it's a permissions-based issue within Windows.

To fix this I had to alter the permissions on the following folder:

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys

To this:

Everyone; Allow; Read and Write

Administrators; Allow; Full Control

I'm assuming that the folder was inheriting some broken permissions which took effect after rebooting the server, and my re-importing of the certificate was fixing it temporarily. However, after setting the fixed permissions above, everything is now working great even after a reboot.

Hope this helps and thanks for getting back to me again so quickly Mike.

Cheers Craig
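
Added example, not part of the original posts: a PowerShell check that finds the private-key file behind the certificate whose serial number is in AMP.conf, lists who can read it, and grants read access on that single file rather than on the whole MachineKeys folder. The serial number and account name are placeholders, and it assumes an RSA key and an elevated session.

```powershell
# Placeholders (assumptions, not values from the thread).
$Serial  = '<CERT-SERIAL-FROM-AMP.conf>'
$Account = '<ACCOUNT-THAT-RUNS-AMP>'

# Find the certificate in Personal (Local Computer) by serial number.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.SerialNumber -eq ($Serial -replace '\s', '').ToUpper() } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with serial $Serial in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw 'Certificate has no associated private key' }

# Resolve the key container file name for a CNG key or a legacy CSP key.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if (-not $rsa) { throw 'Private key is not RSA or could not be opened' }
$name = if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $rsa.Key.UniqueName
} else {
    $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}

# Legacy CSP keys live under RSA\MachineKeys, CNG keys under Keys.
$keyFile = 'RSA\MachineKeys', 'Keys' |
    ForEach-Object { Join-Path "$env:ProgramData\Microsoft\Crypto\$_" $name } |
    Where-Object { Test-Path $_ } |
    Select-Object -First 1
if (-not $keyFile) { throw "Key file $name not found" }

# Show the current ACL on the key file (what Schannel event 36870 is tripping over).
(Get-Acl $keyFile).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType

# Grant read on this one key file to the account that needs it.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
$acl  = Get-Acl $keyFile
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl
```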
