
I am trying to add SSL certs to my server but when I connect via a browser it throws an error (ERR_SSL_PROTOCOL_ERROR in Chrome).

This is confirmed using testssl (https://testssl.sh/):

 Testing protocols via sockets except NPN+ALPN 

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      not offered
 TLS 1.1    not offered
 TLS 1.2    not offered
 TLS 1.3    not offered

On the server I can see that mod_ssl and openssl are installed:

sudo yum list installed *ssl*
Loaded plugins: priorities, update-motd, upgrade-helper
Installed Packages
mod24_ssl.x86_64
openssl.x86_64
openssl-devel.x86_64   

This is in my .conf file for the virtual host (*:80 excluded):

<VirtualHost *:443>
  ServerName freedomtospeakup.com
  ServerAlias www.freedomtospeakup.com
  DocumentRoot "/var/www/f2su"
  DirectoryIndex index.php
  ErrorLog /var/log/httpd/f2su-error_log
  CustomLog /var/log/httpd/f2su-access_log combined

  SSLEngine on
  SSLProtocol all -SSLv2 -SSLv3
  SSLHonorCipherOrder on
  SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
  SSLCertificateFile /etc/letsencrypt/live/freedomtospeakup.com/cert.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/freedomtospeakup.com/privkey.pem
  SSLCertificateChainFile /etc/letsencrypt/live/freedomtospeakup.com/chain.pem

  <Directory "/var/www/f2su">
    AllowOverride All
    Allow from All
  </Directory>
</VirtualHost>

Cert seems to be OK; this is what I get when doing sudo ./certbot-auto certificates:

  Certificate Name: freedomtospeakup.com
    Domains: freedomtospeakup.com www.freedomtospeakup.com
    Expiry Date: 2019-10-27 12:53:18+00:00 (VALID: 87 days)
    Certificate Path: /etc/letsencrypt/live/freedomtospeakup.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/freedomtospeakup.com/privkey.pem

This is what I have tried to date:

  • yum update (no packages to update)
  • date (correct)
  • rebooted server (no change)
  • checked firewall to ensure 443 is open (it is)
  • checked ssl.conf with another server where it is working (no differences)

Anything else that I can check?

williamsdb
  • What version of Apache httpd are you using and where did you get it? – Michael Hampton Jul 31 '19 at 16:13
  • httpd -v gives this > Server version: Apache/2.4.39 (Amazon) - it is exactly the same version and setup as on the server that is working. – williamsdb Jul 31 '19 at 20:23
  • Did you see all the port 443 access in Apache logfiles, and have you looked at them for any kind of other hint? – Patrick Mevzek Jul 31 '19 at 20:47
  • So is this Amazon Linux or Amazon Linux 2? Is it up to date? – Michael Hampton Jul 31 '19 at 22:03
  • @MichaelHampton /etc/system-release shows “Amazon Linux AMI release 2018.03” and yes it is up to date. – williamsdb Aug 01 '19 at 07:00
  • @PatrickMevzek no there is no sign of any access from 443 in the access logs and no related errors in the error log either. That seems to suggest that the request is being rejected before the virtual host directive is processed? – williamsdb Aug 01 '19 at 07:22
  • Assuming my resolution to 3.8.252.198 is correct, your server is responding on 443 in HTTP-NOT-S: ClientHello gives (plaintext) response code 400, HTTP request gives reasonable-looking HTML. Could you have SSLEngine _off_ somewhere else e.g. another block? – dave_thompson_085 Aug 01 '19 at 09:09
  • @dave_thompson_085 running sudo grep 'SSLEngine' ./* -R only returns entries showing SSLEngine on so that doesn't appear to be it. – williamsdb Aug 01 '19 at 10:12
  • How about a block for \*:443 with SSLEngine _omitted_ so it defaults to off? – dave_thompson_085 Aug 03 '19 at 06:55
  • that seems to have been it. There were two 443 virtual hosts with no SSL sections. Removed them and the others are now working. Thanks! Do you want to answer the question or shall I? – williamsdb Aug 04 '19 at 09:08
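The root cause found in the comments above is a `<VirtualHost *:443>` block with no SSLEngine line at all: Apache then treats that vhost as plaintext HTTP on port 443, so a TLS ClientHello gets an HTTP 400 back and the browser reports ERR_SSL_PROTOCOL_ERROR. A recursive grep for "SSLEngine" cannot catch this because the offending block contains nothing to match. The following audit script is an added example and not part of the original question or comments; it parses a constructed httpd configuration (sample vhost names and paths are invented, not the asker's) and reports every vhost listening on :443 whose SSLEngine is missing or not "on".

```python
import re

# Constructed sample httpd configuration (not the asker's real config).
# The second block is configured correctly; the third reproduces the
# failure from the thread (a *:443 vhost with SSLEngine omitted), and the
# fourth shows the explicit "off" case, which behaves the same way.
SAMPLE_CONF = """\
<VirtualHost *:80>
  ServerName example.test
  Redirect permanent / https://example.test/
</VirtualHost>

<VirtualHost *:443>
  ServerName example.test
  SSLEngine on
  SSLCertificateFile /etc/letsencrypt/live/example.test/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/example.test/privkey.pem
</VirtualHost>

<VirtualHost *:443>
  ServerName old.example.test
  DocumentRoot /var/www/old
</VirtualHost>

<VirtualHost 192.0.2.10:443 [2001:db8::10]:443>
  ServerName other.example.test
  SSLEngine off
</VirtualHost>
"""

VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>\s*$", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>\s*$", re.IGNORECASE)
SSLENGINE = re.compile(r"^\s*SSLEngine\s+(\S+)", re.IGNORECASE)
SERVERNAME = re.compile(r"^\s*ServerName\s+(\S+)", re.IGNORECASE)


def parse_vhosts(conf: str):
    """Return one dict per <VirtualHost> block: its address list, the
    ServerName (or None), the SSLEngine value (or None) and the line
    number where the block opens. Apache comments start at the beginning
    of a line, so whole comment lines are skipped rather than split."""
    vhosts, current = [], None
    for lineno, line in enumerate(conf.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        m = VHOST_OPEN.match(line)
        if m:
            if current is not None:
                raise ValueError(f"line {lineno}: nested <VirtualHost>")
            current = {"addr": m.group(1).strip(), "name": None,
                       "sslengine": None, "line": lineno}
            continue
        if VHOST_CLOSE.match(line):
            if current is None:
                raise ValueError(f"line {lineno}: stray </VirtualHost>")
            vhosts.append(current)
            current = None
            continue
        if current is None:
            continue  # directive outside any vhost; not our concern here
        m = SSLENGINE.match(line)
        if m:
            current["sslengine"] = m.group(1).lower()
        m = SERVERNAME.match(line)
        if m:
            current["name"] = m.group(1)
    if current is not None:
        raise ValueError("unterminated <VirtualHost> at end of file")
    return vhosts


def listens_on_443(addr_spec: str) -> bool:
    """True if any address in the VirtualHost argument list uses port 443.
    rsplit on the last colon also handles bracketed IPv6 literals."""
    return any(a.rsplit(":", 1)[-1] == "443" for a in addr_spec.split())


def find_plaintext_443(conf: str):
    """Vhosts on :443 that would answer in plaintext HTTP: SSLEngine absent
    (defaults to off) or set to anything other than "on"."""
    return [
        (v["line"], v["name"] or "(no ServerName)", v["sslengine"] or "(missing)")
        for v in parse_vhosts(conf)
        if listens_on_443(v["addr"]) and v["sslengine"] != "on"
    ]


if __name__ == "__main__":
    for line, name, engine in find_plaintext_443(SAMPLE_CONF):
        print(f"line {line}: {name} listens on :443 but SSLEngine is {engine}")
```

To run it against a real install, read the concatenated contents of httpd.conf and everything in conf.d/ in place of SAMPLE_CONF. As a cross-check on the server itself, `httpd -S` prints Apache's own view of every parsed vhost per port, which is a quick way to spot a :443 name-based vhost you did not expect.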

0 Answers