Debian server SSL certificate configuration returns err_ssl_protocol_error

I'm having problems with configuring HTTPS on my site that runs on a Debian server.

The error Google Chrome shows is:

err_ssl_protocol_error

This is my config:

/etc/apache2/ports.conf

NameVirtualHost *:80
Listen 80

<IfModule mod_ssl.c>
        Listen 443 http
</IfModule>

<IfModule mod_gnutls.c>
    Listen 443
</IfModule>

/etc/apache2/enabled-sites/000-default

<VirtualHost *:443>

 ## Anything matching this host should be silently ignored.
<Location />
Order Allow,Deny
Allow from all
</Location>
</VirtualHost>

/etc/apache2/enabled-sites/site

<VirtualHost *:80>

ServerName domain.be
ServerAlias domain.be www.domain.be www.domain.eu  test.domain.be
ServerAdmin webmaster@localhost

    DocumentRoot /var/www/htdocs/site
    <Directory />
            Options FollowSymLinks
            AllowOverride none
    </Directory>
    <Directory /var/www/htdocs/mds>
            Options  FollowSymLinks MultiViews
            AllowOverride all
            Order allow,deny
            allow from all
    </Directory>


    ErrorLog ${APACHE_LOG_DIR}/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog ${APACHE_LOG_DIR}/access.log combined
<IfModule mpm_itk_module>
AssignUserId domain domain
</IfModule>
</VirtualHost>

/etc/apache2/enabled-sites/site-ssl

<IfModule mod_ssl.c>

NameVirtualHost *:443
<VirtualHost *:443>
        ServerAdmin webmaster@localhost
        ServerName www.domain.be
        ServerAlias *.domain.be

        DocumentRoot /var/www/htdocs/site
        <Directory />
                Options FollowSymLinks
                AllowOverride none
        </Directory>
        <Directory /var/www/htdocs/mds>
                Options FollowSymLinks MultiViews
                AllowOverride all
                Order allow,deny
                allow from all
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log


        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

        SSLEngine on

        SSLProtocol all -SSLv2 -SSLv3
        SSLCompression off
        SSLCipherSuite AES128+EECDH:AES128+EDH

        SSLCertificateFile    /etc/ssl/apache/certs/domain2.crt
        SSLCertificateKeyFile   /etc/ssl/apache/private/domain2.key

          SSLCertificateChainFile /etc/ssl/apache/certs/global.crt


        <FilesMatch "\.(cgi|shtml|phtml|php)$">

#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire

     SSLOptions +StdEnvVars
        </FilesMatch>
        BrowserMatch "MSIE [2-6]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0

        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
<IfModule mpm_itk_module>
AssignUserId mds mds
</IfModule>
</VirtualHost>

<VirtualHost *:443>
        ServerAdmin webmaster@localhost
        ServerName www.domain.eu
        ServerAlias *.domain.eu

        DocumentRoot /var/www/htdocs/mds
        <Directory />
                Options FollowSymLinks
                AllowOverride none
        </Directory>
        <Directory /var/www/htdocs/mds>
                Options FollowSymLinks MultiViews
                AllowOverride all
                Order allow,deny
                allow from all
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log


        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

        SSLEngine on

        SSLProtocol all -SSLv2 -SSLv3
        SSLCompression off
        SSLCipherSuite AES128+EECDH:AES128+EDH


        SSLCertificateFile    /etc/ssl/apache/certs/domain2.crt
        SSLCertificateKeyFile   /etc/ssl/apache/private/domain2.key

        SSLCertificateChainFile /etc/ssl/apache/certs/global.crt

        #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        BrowserMatch "MSIE [2-6]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0

        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
<IfModule mpm_itk_module>
AssignUserId mds mds
</IfModule>
</VirtualHost>
</IfModule>

I also have these errors in the log:

[Wed May 30 12:03:13 2018] [warn] Init: (Server.domain.local:443) You configured HTTP(80) on the standard HTTPS(443) port!
[Wed May 30 12:03:13 2018] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Wed May 30 12:03:14 2018] [notice] Apache/2.2.22 (Debian) PHP/5.4.45-0+deb7u14 mod_ssl/2.2.22 OpenSSL/1.0.1t configured -- resuming normal operations

Where could my problem be?


Solution 1:

The log message from the server shows the reason for your problem:

... [warn] ... You configured HTTP(80) on the standard HTTPS(443) port!

This means a call of https://... in the browser will connect with TCP to port 443 (default for HTTPS) and then try to start the HTTPS request by starting the SSL handshake. The handshake will fail since your server only expects plain HTTP but not HTTPS on this port and thus does not expect a SSL handshake and thus will abandon the handshake or send some plain HTTP "bad request" as response back. This again is unexpected by the client which then shows a SSL problem in the browser.

The reason for this misconfiguration is likely your /etc/apache2/enabled-sites/000-default where you have some listener on port 443 but do not enable SSL for it. It does not help that you have another listener on port 443 in your /etc/apache2/enabled-sites/site-ssl with SSL enabled because you can only have SSL (i.e. HTTPS) or not SSL (i.e. plain HTTP) on the same IP same port and not both at once.

What you probably need to do is enable SSL in /etc/apache2/enabled-sites/000-default and also add some certificate there (you might use the site-specific certificate).