Debian server SSL certificate configuration returns err_ssl_protocol_error
I'm having problems with configuring HTTPS on my site that runs on a Debian server.
The error Google Chrome shows is:
err_ssl_protocol_error
This is my config:
/etc/apache2/ports.conf
NameVirtualHost *:80
Listen 80
<IfModule mod_ssl.c>
Listen 443 http
</IfModule>
<IfModule mod_gnutls.c>
Listen 443
</IfModule>
/etc/apache2/enabled-sites/000-default
<VirtualHost *:443>
## Anything matching this host should be silently ignored.
<Location />
Order Allow,Deny
Allow from all
</Location>
</VirtualHost>
/etc/apache2/enabled-sites/site
<VirtualHost *:80>
ServerName domain.be
ServerAlias domain.be www.domain.be www.domain.eu test.domain.be
ServerAdmin webmaster@localhost
DocumentRoot /var/www/htdocs/site
<Directory />
Options FollowSymLinks
AllowOverride none
</Directory>
<Directory /var/www/htdocs/mds>
Options FollowSymLinks MultiViews
AllowOverride all
Order allow,deny
allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
<IfModule mpm_itk_module>
AssignUserId domain domain
</IfModule>
</VirtualHost>
/etc/apache2/enabled-sites/site-ssl
<IfModule mod_ssl.c>
NameVirtualHost *:443
<VirtualHost *:443>
ServerAdmin webmaster@localhost
ServerName www.domain.be
ServerAlias *.domain.be
DocumentRoot /var/www/htdocs/site
<Directory />
Options FollowSymLinks
AllowOverride none
</Directory>
<Directory /var/www/htdocs/mds>
Options FollowSymLinks MultiViews
AllowOverride all
Order allow,deny
allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCompression off
SSLCipherSuite AES128+EECDH:AES128+EDH
SSLCertificateFile /etc/ssl/apache/certs/domain2.crt
SSLCertificateKeyFile /etc/ssl/apache/private/domain2.key
SSLCertificateChainFile /etc/ssl/apache/certs/global.crt
<FilesMatch "\.(cgi|shtml|phtml|php)$">
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
SSLOptions +StdEnvVars
</FilesMatch>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
<IfModule mpm_itk_module>
AssignUserId mds mds
</IfModule>
</VirtualHost>
<VirtualHost *:443>
ServerAdmin webmaster@localhost
ServerName www.domain.eu
ServerAlias *.domain.eu
DocumentRoot /var/www/htdocs/mds
<Directory />
Options FollowSymLinks
AllowOverride none
</Directory>
<Directory /var/www/htdocs/mds>
Options FollowSymLinks MultiViews
AllowOverride all
Order allow,deny
allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCompression off
SSLCipherSuite AES128+EECDH:AES128+EDH
SSLCertificateFile /etc/ssl/apache/certs/domain2.crt
SSLCertificateKeyFile /etc/ssl/apache/private/domain2.key
SSLCertificateChainFile /etc/ssl/apache/certs/global.crt
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
<IfModule mpm_itk_module>
AssignUserId mds mds
</IfModule>
</VirtualHost>
</IfModule>
I also have these errors in the log:
[Wed May 30 12:03:13 2018] [warn] Init: (Server.domain.local:443) You configured HTTP(80) on the standard HTTPS(443) port!
[Wed May 30 12:03:13 2018] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Wed May 30 12:03:14 2018] [notice] Apache/2.2.22 (Debian) PHP/5.4.45-0+deb7u14 mod_ssl/2.2.22 OpenSSL/1.0.1t configured -- resuming normal operations
Where could my problem be?
Solution 1:
The log message from the server shows the reason for your problem:
... [warn] ... You configured HTTP(80) on the standard HTTPS(443) port!
This means a call of https://... in the browser will connect with TCP to port 443 (default for HTTPS) and then try to start the HTTPS request by starting the SSL handshake. The handshake will fail since your server only expects plain HTTP but not HTTPS on this port and thus does not expect a SSL handshake and thus will abandon the handshake or send some plain HTTP "bad request" as response back. This again is unexpected by the client which then shows a SSL problem in the browser.
The reason for this misconfiguration is likely your /etc/apache2/enabled-sites/000-default where you have some listener on port 443 but do not enable SSL for it. It does not help that you have another listener on port 443 in your /etc/apache2/enabled-sites/site-ssl with SSL enabled because you can only have SSL (i.e. HTTPS) or not SSL (i.e. plain HTTP) on the same IP same port and not both at once.
What you probably need to do is enable SSL in /etc/apache2/enabled-sites/000-default and also add some certificate there (you might use the site-specific certificate).