
Exact error I am getting on browser:

This server could not prove that it is XXX.XX.XXX.XXX; its security certificate is from newDomain.live. This may be caused by a misconfiguration or an attacker intercepting your connection.

NGINX Config:

server {
    # listen on port 443 (https)
    listen 443 ssl;
    server_name _;

    # location of the self-signed SSL certificate
    ssl_certificate /home/ubuntu/certs/server.pem;
    ssl_certificate_key /home/ubuntu/certs/server.key;


    # write access and error logs to /var/log
    access_log /var/log/app_access.log;
    error_log /var/log/app_error.log;

    location / {
        # forward application requests to the gunicorn server
        proxy_pass http://localhost:8000;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

What I have done:

  • Ran openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr in the terminal
  • Copied server.csr from server to SSL provider as it asked for CSR from web hosting
  • The SSL certificate issued by the provider has two fields: 1. Server Certificate 2. CA Certificates (intermediate and root)
  • At this point I checked, but it was still unverified and couldn't establish an https connection.
  • Then, I deleted the server.csr file from server and created a new one by copying "1. Server Certificate" given by SSL provider.

I am using AWS EC2 instance and running NGINX as reverse proxy. How can I fix this misconfiguration of SSL?

Answers

The certificate returned by the server does not match the name in the URL. Based on this description you've created a certificate for newDomain.live, but you are trying to access the site using an IP address xxx.xxx.xxx.xxx, which is not the domain you created.

If the domain is not a valid domain (i.e. no DNS entry), you can add the domain to your local hosts file with the IP as the target, then put the domain name in your browser as the address. This will redirect to the IP defined in your hosts file.

For more information, update host in windows, update host in linux.

Solution: access the website using the same domain name that you registered the certificate for.

See this thread for details of a similar error you are experiencing and this thread for details of self signed certificate errors.
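The name check the answer above describes can be reproduced on the server itself before touching the browser. The following is an added example, not part of the original question or either answer: it builds a throwaway self-signed certificate for newDomain.live as a stand-in for the provider-issued one (in practice you would point the check at /home/ubuntu/certs/server.pem, the file NGINX serves), prints the names the certificate is valid for, and then asks openssl the same question the browser asks for each address in the bar. The IP 203.0.113.10 is a constructed placeholder for the EC2 public address. It assumes the openssl CLI (1.1.1 or newer, for -addext) is on PATH.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes openssl >= 1.1.1 on PATH.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the provider-issued certificate: a throwaway
# self-signed cert whose only names are newDomain.live and www.newDomain.live.
# For the real check, use /home/ubuntu/certs/server.pem instead of this file.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=newDomain.live" \
        -addext "subjectAltName=DNS:newDomain.live,DNS:www.newDomain.live" \
        -keyout "$WORK/server.key" -out "$WORK/server.pem" >/dev/null 2>&1
}

# Show which names a certificate is actually valid for: the subject CN and,
# what browsers really check, the subjectAltName entries.
cert_names() {
    openssl x509 -in "$1" -noout -subject
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' || true
}

# Return 0 when the certificate is valid for what was typed in the address bar,
# 1 otherwise. A bare IPv4 address is checked against IP SANs only (a DNS name
# in the certificate never satisfies an IP address); anything else is checked
# as a hostname, exactly as the browser does.
cert_matches() {
    cert="$1"; target="$2"
    case "$target" in
        *[!0-9.]*) mode=-checkhost ;;
        *)         mode=-checkip ;;
    esac
    # openssl prints "... does match certificate" or "... does NOT match certificate"
    openssl x509 -in "$cert" -noout "$mode" "$target" | grep -q ' does match '
}

make_test_cert
cert_names "$WORK/server.pem"

# 203.0.113.10 is a constructed placeholder for the EC2 public IP.
for target in newDomain.live www.newDomain.live 203.0.113.10; do
    if cert_matches "$WORK/server.pem" "$target"; then
        echo "OK:       https://$target/ passes the browser's name check"
    else
        echo "MISMATCH: https://$target/ will show the 'could not prove' error"
    fi
done
```

Run as-is to see the mismatch reproduced for the IP and the match for the domain; swap the constructed certificate path for the one in ssl_certificate to check the real deployment. Until DNS for newDomain.live points at the instance, a hosts-file line such as `203.0.113.10 newDomain.live` (again a constructed address) lets the browser use the domain name, which is the only address this certificate can ever satisfy.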

An alternative approach:

This approach does not solve your NGINX problem.

Instead of using NGINX, why don't you front your EC2 instance with an Application Load Balancer.

Then use a certificate generated by AWS Certificate Manager (ACM), not only are the certificates free but:

  • they are signed by Amazon, so the certificate is trusted
  • if you use DNS validation, the certificates are automatically rotated when they expire.

You can find out how to do this here.

You can restrict traffic to originate from the load balancer using security groups, and you can front the load balancer with Amazon CloudFront.

ACM best practice information is available here.
