Unable to establish SSL connection, how do I fix my SSL cert?
Solution 1:
SSL23_GET_SERVER_HELLO:unknown protocol
This error happens when OpenSSL receives something other than a ServerHello in a protocol version it understands from the server. It can happen if the server answers with plain (unencrypted) HTTP. It can also happen if the server only supports e.g. TLS 1.2 and the client does not understand that protocol version. Normally, servers are backwards compatible to at least SSL 3.0 / TLS 1.0, but maybe this specific server isn't (by implementation or configuration).
It is unclear whether you attempted to pass --no-check-certificate or not. I would be rather surprised if that would work.
A simple test is to use wget (or a browser) to request http://example.com:443 (note the http://, not https://); if it works, SSL is not enabled on port 443. To further debug this, use openssl s_client with the -debug option, which right before the error message dumps the first few bytes of the server response which OpenSSL was unable to parse. This may help to identify the problem, especially if the server does not answer with a ServerHello message. To see what exactly OpenSSL is expecting, check the source: look for SSL_R_UNKNOWN_PROTOCOL in ssl/s23_clnt.c.
In any case, looking at the Apache error log may provide some insight too.
Solution 2:
In my case I had not enabled the site 'default-ssl'. Only '000-default' was listed in the /etc/apache2/sites-enabled folder.
Enable SSL site on Ubuntu 14 LTS, Apache 2.4.7:
a2ensite default-ssl
service apache2 reload
Solution 3:
Just a quick note (and possible cause).
You can have a perfectly correct VirtualHost setup with _default_:443 etc. in your Apache .conf file.
But... If there is even one .conf file enabled with incorrect settings that also listens to port 443, then it will bring the whole SSL system down.
Therefore, if you are sure your .conf file is correct, try disabling the other site .conf files in sites-enabled.
Solution 4:
There are a few possibilities:
1. Your workstation doesn't have the root CA cert used to sign your server's cert. How exactly you fix that depends on what OS you're running and what release, etc. (I suspect this is not related.)
2. Your cert isn't installed properly. If your SSL cert requires an intermediate cert to be presented and you didn't set that up, you can get these warnings.
3. Are you sure you've enabled SSL on port 443?
For starters, to eliminate (3), what happens if you telnet to that port?
Assuming it's not (3), then depending on your needs you may be fine with ignoring these errors and just passing --no-check-certificate. You probably want to use a regular browser (which generally will bundle the root certs directly) and see if things are happy.
If you want to manually verify the cert, post more details from the openssl s_client output. Or use openssl x509 -text -in /path/to/cert to print it out to your terminal.
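The checks suggested in Solution 1 (request plain HTTP on port 443, look at the first bytes the server sends back) and Solution 4 (telnet to the port, verify the certificate chain) can be scripted. The following is an added example, not code from any of the answers above: classify_server_bytes() interprets the first bytes of a server response the way openssl s_client -debug dumps them before the unknown protocol error, telling a TLS ServerHello apart from a TLS alert, a plaintext HTTP reply and an unrecognised or empty answer; plain_http_probe() reproduces the http://host:443 test over a raw socket; verify_chain() performs a verifying handshake so that a missing root or intermediate certificate shows up as a verification message. The byte strings in SAMPLES are constructed for illustration, and any hostname you pass to the probes is your own.

```python
"""Interpret what a server sends back on port 443 (added example)."""
import socket
import ssl

# TLS record-layer constants (RFC 5246 / RFC 8446).
TLS_CONTENT_TYPES = {0x14: "ChangeCipherSpec", 0x15: "Alert",
                     0x16: "Handshake", 0x17: "ApplicationData"}
TLS_VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1",
                (3, 3): "TLS 1.2", (3, 4): "TLS 1.3"}
ALERT_DESCRIPTIONS = {10: "unexpected_message", 40: "handshake_failure",
                      70: "protocol_version", 80: "internal_error"}

# Constructed samples of "first bytes" a server might return on port 443.
SAMPLES = {
    # Handshake record, TLS 1.2, containing a ServerHello (type 0x02).
    "server_hello": b"\x16\x03\x03\x00\x5a\x02\x00\x00\x56\x03\x03" + b"\x00" * 32,
    # Alert record, TLS 1.0, fatal (2) handshake_failure (40).
    "alert": b"\x15\x03\x01\x00\x02\x02\x28",
    # Server speaks plain HTTP on the port: this is the unknown-protocol case.
    "plain_http": b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n\r\n",
    # Nothing listening / server dropped the connection.
    "closed": b"",
}


def classify_server_bytes(data: bytes) -> str:
    """Describe the first bytes of a server response on a supposedly TLS port."""
    if not data:
        return "connection closed without data (nothing speaking TLS, or server dropped the connection)"
    if data.startswith(b"HTTP/"):
        first_line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return f"plaintext HTTP, not TLS: {first_line}"
    # A TLS record starts with content type, then major version 3 and minor 0..4.
    if len(data) >= 5 and data[0] in TLS_CONTENT_TYPES and data[1] == 3 and data[2] <= 4:
        ctype = TLS_CONTENT_TYPES[data[0]]
        version = TLS_VERSIONS[(data[1], data[2])]
        # Handshake record whose first message is ServerHello (handshake type 0x02).
        if data[0] == 0x16 and len(data) >= 6 and data[5] == 0x02:
            return f"TLS ServerHello (record version {version})"
        # Alert record: 5-byte header, then level and description.
        if data[0] == 0x15 and len(data) >= 7:
            level = "fatal" if data[5] == 2 else "warning"
            desc = ALERT_DESCRIPTIONS.get(data[6], f"code {data[6]}")
            return f"TLS {level} alert: {desc} (record version {version})"
        return f"TLS {ctype} record (record version {version})"
    return "unrecognised bytes: " + data[:16].hex(" ")


def plain_http_probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send a plaintext HTTP request to the port and classify the reply.

    This is the 'wget http://host:443' test in raw form: a readable HTTP
    answer means the port is not speaking TLS at all.
    """
    request = f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        try:
            reply = sock.recv(64)
        except socket.timeout:
            reply = b""
    return classify_server_bytes(reply)


def verify_chain(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Do a verifying TLS handshake; a missing root or intermediate shows up here."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                subject = dict(field[0] for field in tls.getpeercert()["subject"])
                return f"verified OK: CN={subject.get('commonName')} via {tls.version()}"
    except ssl.SSLCertVerificationError as err:
        # e.g. "unable to get local issuer certificate" for a missing intermediate
        return f"certificate verification failed: {err.verify_message}"
    except ssl.SSLError as err:
        # e.g. WRONG_VERSION_NUMBER when the port answers with plain HTTP
        return f"TLS handshake failed: {err.reason}"


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:12s} -> {classify_server_bytes(data)}")
    # Against a live host (hostname is your own), e.g.:
    #   print(plain_http_probe("www.example.com"))
    #   print(verify_chain("www.example.com"))
```

Run it as is to see the four constructed cases classified; point plain_http_probe() and verify_chain() at your own server to reproduce the manual checks from the answers. The classifier stops at the first record, which is all s_client -debug shows before giving up, so it distinguishes "the port is not TLS" from "the port is TLS but refused this handshake" without needing a full handshake.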