
I'm setting up HTTP2 for my application and I randomly get ERR_SSL_PROTOCOL_ERROR on my browser.

This is happening only on the Google Chrome browser. Everything is OK on Firefox.

I'm using Let's Encrypt to encrypt with SSL and everything was working well. The problem occurred after I enabled HTTP2 today. I'm using Apache2. I updated it to 2.4.38 to support the HTTP2 module.

I tried the following :

  • disabling http2 module / restarting apache2

  • clearing all the browser cache

  • resetting the HSTS header using .htaccess:

Header set Strict-Transport-Security "max-age=0; includeSubDomains;" env=HTTPS

No results, I still randomly get the error.

Here is my vhost config:

<IfModule mod_ssl.c>
    <VirtualHost *:443>
        DocumentRoot /var/www/domain/prod/web
        ServerName sub.domain.tld
        ServerAlias domain
        ServerAdmin admin@domain.tld

        <Directory "/var/www/domain/prod/web/">
            Options FollowSymLinks MultiViews
            AllowOverride All
            Order allow,deny
            Allow from All
        </Directory>
        ErrorLog /var/www/domain/prod/logs/error.log
        LogLevel warn
        CustomLog /var/www/domain/prod/logs/access.log combined
        ServerSignature On

        SSLEngine On
        Include /etc/letsencrypt/options-ssl-apache.conf

        Protocols h2 http/1.1

        SSLCertificateFile /etc/letsencrypt/live/domain/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/domain/privkey.pem
    </VirtualHost>
</IfModule>

Last update

I've marked Martin's answer as best answer because installing PHP-FPM seems to have solved my problem (I don't see the SSL_ERROR). What I did: https://www.vultr.com/docs/use-php5-fpm-with-apache-2-on-ubuntu-14-04

But for one of my websites, I get a 500 error for a specific page. The Apache error log says:

[Mon Apr 01 14:58:31.844703 2019] [:error] [pid 30434] [client 81.200.189.9:30902] FastCGI: server "/usr/lib/cgi-bin/php5-fcgi" stderr: PHP message: PHP  12. Project->projectFormat() /var/www/jachete/models/Project.php:137

I don't really understand what the error is about, any idea?

Update

Interesting things happen here after disabling the "pagespeed" module. Here are the errors I get from error.log:

[Sun Mar 31 16:13:07.090348 2019] [http2:warn] [pid 16845] AH10034: The mpm module (prefork.c) is not supported by mod_http2. The mpm determines how things are processed in your server. HTTP/2 has more demands in this regard and the currently selected mpm will just not do. This is an advisory warning. Your server will continue to work, but the HTTP/2 protocol will be inactive.
[Sun Mar 31 16:13:07.119247 2019] [mpm_prefork:notice] [pid 16845] AH00163: Apache/2.4.38 (Ubuntu) OpenSSL/1.1.1b mpm-itk/2.4.6-01 PHP/5.5.9-1ubuntu4.27 configured -- resuming normal operations

According to https://http2.pro/doc/Apache this is due to mpm-itk not supporting http2. As it's just notices/warnings, I think there is no reason to cause SSL_ERROR?

Here are the test results of Qualys Lab (A): https://i.stack.imgur.com/deMnu.jpg

Here are some apache2 error logs:

[Sun Mar 31 15:31:07.393421 2019] [pagespeed:error] [pid 13785] [mod_pagespeed 1.13.35.2-0 @13785] Failed to make directory /var/cache/mod_pagespeed/v3/domain.tld/https,3A/,2Fapp.domain.tld: Permission denied
[Sun Mar 31 15:31:07.393454 2019] [pagespeed:error] [pid 13785] [mod_pagespeed 1.13.35.2-0 @13785] Could not create directories for file /var/cache/mod_pagespeed/v3/domain.tld/https,3A/,2Fapp.domain.tld/views/assets/img/loading.gif,.temp
[Sun Mar 31 15:31:07.393488 2019] [pagespeed:error] [pid 13785] [mod_pagespeed 1.13.35.2-0 @13785] /var/cache/mod_pagespeed/v3/domain.tld/https,3A/,2Fapp.domain.tld/views/assets/img/loading.gif,.tempqeySBV:0: opening temp file: No such file or directory
[Sun Mar 31 15:31:08.115111 2019] [pagespeed:error] [pid 13785] [mod_pagespeed 1.13.35.2-0 @13785] Failed to make directory /var/cache/mod_pagespeed/v3/domain.tld/https,3A/,2Fapp.domain.tld: Permission denied
[Sun Mar 31 15:31:08.115142 2019] [pagespeed:error] [pid 13785] [mod_pagespeed 1.13.35.2-0 @13785] Could not create directories for file /var/cache/mod_pagespeed/v3/domain.tld/https,3A/,2Fapp.domain.tld/views/assets/img/logo/favicon.png,.temp
[Sun Mar 31 15:31:08.115162 2019] [pagespeed:error] [pid 13785] [mod_pagespeed 1.13.35.2-0 @13785] /var/cache/mod_pagespeed/v3/domain.tld/https,3A/,2Fapp.domain.tld/views/assets/img/logo/favicon.png,.tempT2JwQU:0: opening temp file: No such file or directory
[Sun Mar 31 15:31:08.118059 2019] [pagespeed:error] [pid 13785] [mod_pagespeed 1.13.35.2-0 @13785] Failed to make directory /var/cache/mod_pagespeed/v3/domain.tld/https,3A/,2Fapp.domain.tld: Permission denied
[Sun Mar 31 15:31:08.118103 2019] [pagespeed:error] [pid 13785] [mod_pagespeed 1.13.35.2-0 @13785] Could not create directories for file /var/cache/mod_pagespeed/v3/domain.tld/https,3A/,2Fapp.domain.tld/views/assets/img/logo/xfavicon.png.pagespeed.ic.coNvSghNBK.webp,.temp
[Sun Mar 31 15:31:08.118126 2019] [pagespeed:error] [pid 13785] [mod_pagespeed 1.13.35.2-0 @13785] /var/cache/mod_pagespeed/v3/domain.tld/https,3A/,2Fapp.domain.tld/views/assets/img/logo/xfavicon.png.pagespeed.ic.coNvSghNBK.webp,.tempg9bR5T:0: opening temp file: No such file or directory

There is a permission denied error, but when I look at the permissions, I get this:

drwxr-xr-x  6 www-data www-data 4096 Oct 30 06:34 http,3A/
drwxr-xr-x  3 www-data www-data 4096 Jun 30  2018 https,3A/

Should I add write permission for all users? (chmod a+w dir/ -R)?

By the way, the SSL error still occurs, even when I disable the PageSpeed module, so I guess the errors in the log above aren't related to my SSL problem?

Dany M
  • @anx copy/paste mistake, sorry. I updated the post. any idea ? – Dany M Mar 31 '19 at 12:59
  • @MichaelHampton I just updated the post with tail error.log all is in relation with pagespeed – Dany M Mar 31 '19 at 13:46
  • Are you unfamiliar with Linux? The error message is obvious, but perhaps not to someone who doesn't know Linux. – Michael Hampton Mar 31 '19 at 13:48
  • @anx I updated the post with Qualys results (note: A), Where can I find the TLS+HTTP/2 logs ? by disabling TLS1.3 you mean remove Lets Encrypt certificate ? – Dany M Mar 31 '19 at 13:51
  • You have permission issues. And the directory paths look suspicious: `/var/cache/mod_pagespeed/v3/domain.tld/https,3A/,2Fapp.domain.tld` has commas in it and two characters that resemble URI encoding characters. – ychaouche Mar 31 '19 at 13:56
  • @MichaelHampton I see the Permission Denied and Directory not found error, but is this in relation with SSL issues ? – Dany M Mar 31 '19 at 13:56
  • It might be related, and it might not be. You won't be able to rule it out until you fix it. – Michael Hampton Mar 31 '19 at 13:57
  • @MichaelHampton & ychaouche ok I updated the post because I actually have rwx permission on the user www-data, do you recommend doing something like chmod a+w ? by the way, the SSL error is still there even when I disable the PageSpeed module – Dany M Mar 31 '19 at 14:03
  • @MichaelHampton I disabled the pagespeed module and get another warning related to http2 / ssl. any chance for you to have another look at my updates and give your feedback ? – Dany M Mar 31 '19 at 14:21
  • I'm pretty sure you need to be using mpm_event (or possibly mpm_worker) for http2. prefork should have died in a fire years ago, and itk is a niche thing that you might not be able to get much help for here. – Michael Hampton Mar 31 '19 at 14:55
  • @MichaelHampton actually, I don't need http2 anymore, I just want to get my app working on Google Chrome again. I disabled http2 for now. – Dany M Mar 31 '19 at 15:00

1 Answer

Disable mpm_prefork, don't use mod_php, use PHP-FPM as a FastCGI proxy and all will be well.

See: https://http2.pro/doc/Apache

I hope that helps.

  • @MarinMcEvoy thank you for your answer. I've marked it as the best response because it seems to solve my problem. But on another site, I have a 500 error with the following verbose: `[Mon Apr 01 14:58:31.844703 2019] [:error] [pid 30434] [client 81.200.189.9:30902] FastCGI: server "/usr/lib/cgi-bin/php5-fcgi" stderr: PHP message: PHP 12. Project->projectFormat() /var/www/domain/models/Project.php:137` any idea ? – Dany M Apr 01 '19 at 13:06
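
A way to check for the condition this thread converges on (`Protocols h2` configured while prefork or mod_php keeps HTTP/2 inactive), as an added example that is not part of the original posts. It reads saved `apachectl -M` output and an error log; the file names, verdict strings and sample data are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example; file names, verdict strings and sample data are constructed.

# last_start_h2_warning ERROR_LOG
# Prints the MPM named by AH10034 for the most recent server start, or nothing
# if that start was clean, so a warning from before a later restart is ignored.
last_start_h2_warning() {
    awk '
        /AH10034/ && match($0, /\([a-z_]+\.c\)/) { pend = substr($0, RSTART + 1, RLENGTH - 2) }
        /resuming normal operations/ { last = pend; pend = "" }
        END { if (pend != "") last = pend; if (last != "") print last }
    ' "$1"
}

# h2_status MODULES_FILE ERROR_LOG  (MODULES_FILE = saved `apachectl -M` output)
# Prints a verdict; returns 0 only when nothing blocks HTTP/2.
h2_status() {
    local modules=$1 errlog=$2 warned
    grep -q 'http2_module' "$modules" || { echo "http2-not-loaded"; return 1; }
    # Following the answer's advice: mod_php is treated as a blocker to replace.
    if grep -Eq 'php[0-9.]*_module' "$modules"; then
        echo "blocked-by-mod_php"; return 1
    fi
    if grep -q 'mpm_prefork_module' "$modules"; then
        echo "blocked-by-prefork"; return 1
    fi
    warned=$(last_start_h2_warning "$errlog")
    if [ -n "$warned" ]; then echo "inactive-per-log:$warned"; return 1; fi
    echo "h2-ok"
}

# write_samples DIR: constructed inputs modelled on the log lines in the question
write_samples() {
    printf ' mpm_prefork_module (shared)\n mpm_itk_module (shared)\n http2_module (shared)\n php5_module (shared)\n' > "$1/before.mods"
    printf ' mpm_event_module (shared)\n http2_module (shared)\n proxy_fcgi_module (shared)\n' > "$1/after.mods"
    cat > "$1/error.log" <<'EOF'
[Sun Mar 31 16:13:07.090348 2019] [http2:warn] [pid 16845] AH10034: The mpm module (prefork.c) is not supported by mod_http2.
[Sun Mar 31 16:13:07.119247 2019] [mpm_prefork:notice] [pid 16845] AH00163: Apache/2.4.38 (Ubuntu) configured -- resuming normal operations
[Mon Apr 01 09:00:00.000000 2019] [mpm_event:notice] [pid 20001] AH00489: Apache/2.4.38 (Ubuntu) configured -- resuming normal operations
EOF
}

d=$(mktemp -d) && write_samples "$d"
echo "before: $(h2_status "$d/before.mods" "$d/error.log")"
echo "after:  $(h2_status "$d/after.mods" "$d/error.log")"
rm -rf "$d"
```

On a live host, save `apachectl -M` to a file and pass the vhost's error.log as the second argument.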