Enabling SSL on Debian
I want to enable SSL on my Debian / Apache & Letsencrypt (by Certbot).
On ports.conf, both ports 80 & 443 are listening:
Listen 80
<IfModule ssl_module>
Listen 443
</IfModule>
<IfModule mod_gnutls.c>
Listen 443
</IfModule>
SSL is enabled:
> a2enmod ssl
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Module socache_shmcb already enabled
Module ssl already enabled
And my VirtualHosts are configured as follows: my-host.conf
<VirtualHost XX.XX.XX.XX:80>
ServerName www.myhost.com
ServerAlias myhost.com
Redirect / https://www.myhost.com
DocumentRoot /home/myhost/www/public/
CustomLog /var/log/apache2/myhost.com-access.log combined
ErrorLog /var/log/apache2/lmyhost.com-error.log
LogLevel warn
<Directory "/home/myhost/www/public/">
Require all granted
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
</VirtualHost>
myhost.com-le-ssl.conf:
<IfModule mod_ssl.c>
<VirtualHost XX.XX.XX.XX:443>
ServerName www.myhost.com
ServerAlias myhost.com
# Redirect / https://www.myhost.com
DocumentRoot /home/myhost/www/public/
CustomLog /var/log/apache2/myhost.com-access.log combined
ErrorLog /var/log/apache2/myhost.com-error.log
LogLevel warn
<Directory "/home/myhost/www/public/">
Require all granted
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
SSLCertificateFile /etc/letsencrypt/live/www.myhost.com-0001/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.myhost.com-0001/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
When I try to go to http://www.myhost.com:443, it works. But with https://www.myhost.com I get an error in Chrome:
ERR_SSL_PROTOCOL_ERROR
On my server, when I check with:
openssl s_client -crlf -debug -connect www.myhost.com:443 -status -servername www.myhost.com
I get this:
...
124222757861008:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:782:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 323 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1494247901
Timeout : 300 (sec)
Verify return code: 0 (ok)
And finally, in my Apache error log, I can see this:
[Sun May 07 20:06:53.419500 2017] [core:debug] [pid 18433] protocol.c(1275): [client xx.xx.xx.xx:52254] AH00566: request failed: malformed request line
In short, SSL is enabled, the port is correct and Apache responds when I call it by host:port. But this port cannot call my certificate and open my host over https. It's like SSL is disabled...!
Can you give me some ways to resolve this? Thanks to all!
Solution 1:[1]
I had the same problem as you did and this was how I solved it, but the tl;dr is that:
- the vhost configuration file must end in .conf
- you have to put it in the sites-available directory, and then
- you have to run a2ensite to enable the site.
Solution 2:[2]
This issue, for me anyway, is typically a config mistake or happens during migrations of servers, e.g. the DNS is pointing to the wrong IP. Check your DNS A record closely.
It happens to me frequently on DNS migrations when the stale DNS record TTL has not expired (pointing to the old IP with the invalid cert); once it does expire, the DNS A record flicks over to the new IP address and the error no longer occurs.
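The following script is an added example, not code from the question or either answer. It turns the two answers above into checks you can run on the server: whether the SSL vhost file is named *.conf and enabled via a symlink in sites-enabled (Solution 1), whether DNS resolves the host to the IP the vhost binds (Solution 2), and whether port 443 actually speaks TLS or plain HTTP. The "SSL23_GET_SERVER_HELLO:unknown protocol" line from openssl s_client together with "malformed request line" in the Apache log is the signature of port 443 serving plaintext HTTP, i.e. the SSL vhost is not active on that port. The directory paths, host names and file name pattern below are assumptions; adjust them for your server.

```shell
#!/bin/sh
# Added diagnostic script (not from the original post). Checks: (1) SSL vhost
# file named *.conf and enabled, (2) DNS A record matches the expected IP,
# (3) port 443 speaks TLS rather than plain HTTP.
# Paths below are assumptions; override them via the environment if needed.

SITES_AVAILABLE="${SITES_AVAILABLE:-/etc/apache2/sites-available}"
SITES_ENABLED="${SITES_ENABLED:-/etc/apache2/sites-enabled}"

# vhost_enabled NAME: succeed only if NAME ends in .conf, exists in
# sites-available and is linked from sites-enabled (which is what a2ensite does).
vhost_enabled() {
    name=$1
    case "$name" in
        *.conf) ;;
        *) echo "$name: file must end in .conf or Apache ignores it" >&2; return 1 ;;
    esac
    [ -f "$SITES_AVAILABLE/$name" ] || { echo "$name: not in $SITES_AVAILABLE" >&2; return 1; }
    [ -e "$SITES_ENABLED/$name" ] || { echo "$name: not enabled, run: a2ensite ${name%.conf}" >&2; return 1; }
    return 0
}

# classify_handshake: read openssl s_client output on stdin and print one of
# plaintext-http (no TLS listener on the port), tls-ok, or unknown.
classify_handshake() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -Eq 'unknown protocol|wrong version number'; then
        echo plaintext-http
    elif printf '%s\n' "$out" | grep -q 'BEGIN CERTIFICATE'; then
        echo tls-ok
    else
        echo unknown
    fi
}

# dns_matches "RESOLVED_IPS" EXPECTED_IP: succeed if EXPECTED_IP is among the
# space-separated resolved addresses.
dns_matches() {
    resolved=$1
    expected=$2
    for ip in $resolved; do
        [ "$ip" = "$expected" ] && return 0
    done
    return 1
}

# Live checks run only when a host and expected IP are given on the command line:
#   sh check_ssl_vhost.sh www.myhost.com XX.XX.XX.XX myhost.com-le-ssl.conf
if [ "$#" -ge 2 ]; then
    host=$1
    expected_ip=$2
    conf=${3:-${host#www.}-le-ssl.conf}   # assumed certbot naming pattern
    vhost_enabled "$conf" && echo "vhost $conf is enabled"
    resolved=$(getent ahostsv4 "$host" | awk '{print $1}' | sort -u)
    dns_matches "$resolved" "$expected_ip" \
        || echo "DNS for $host resolves to [$resolved], not $expected_ip" >&2
    result=$(openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>&1 | classify_handshake)
    echo "port 443 on $host: $result"
    # Show which vhost Apache actually bound on 443 (needs root to read the config)
    apache2ctl -S 2>/dev/null | grep -E '443' || true
fi
```

If the probe reports plaintext-http, the fix is on the Apache side (enable the *.conf vhost and reload), not in the certificate; if DNS does not match, you are testing a different server than the one you configured.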
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | dirkgroten |
| Solution 2 | fireblade-au |
