Accessing website returns ERR_SSL_PROTOCOL_ERROR

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: clash-finder.com www.clash-finder.com

I ran this command: sudo certbot --apache

It produced this output:

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/clash-finder.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/clash-finder.com/privkey.pem
    Your cert will expire on 2020-06-06. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    "certbot renew"

My web server is (include version): Apache/2.4.29 (Ubuntu)

The operating system my web server runs on is (include version):
Distributor ID: Ubuntu
Description: Ubuntu 18.04.2 LTS
Release: 18.04
Codename: bionic

My hosting provider, if applicable, is: hosting on my own server

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

My webserver config:

/etc/apache2/sites-available$ ll
total 24
drwxr-xr-x 2 root root 4096 Mär 8 10:42 ./
drwxr-xr-x 8 root root 4096 Mär 8 11:19 ../
-rw-r--r-- 1 root root 1616 Mär 8 11:09 000-default.conf
-rw-r--r-- 1 root root 1471 Mär 8 11:05 000-default-le-ssl.conf
-rw-r--r-- 1 root root 6338 Jul 16 2019 default-ssl.conf

000-default.conf:

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html/clash/public/

    <Directory /var/www/html/clash/public/>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    RewriteEngine on
    RewriteCond %{SERVER_NAME} =clash-finder.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

000-default-le-ssl.conf:

<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html/clash/public/

    <Directory /var/www/html/clash/public/>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

This certificate is installed:

sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: clash-finder.com
Domains: clash-finder.com www.clash-finder.com
Expiry Date: 2020-06-06 09:06:20+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/clash-finder.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/clash-finder.com/privkey.pem


What is wrong with my apache configuration?

Hi @frius94

checking your domain - https://check-your-website.server-daten.de/?q=clash-finder.com

You have created two certificates:

| Issuer | not before | not after | Domain names | LE-Duplicate next LE |
|---|---|---|---|---|
| Let's Encrypt Authority X3 | 2020-03-08 | 2020-06-06 | www.clash-finder.com - 1 entries | duplicate nr. 1 |
| Let's Encrypt Authority X3 | 2020-03-08 | 2020-06-06 | clash-finder.com - 1 entries | duplicate nr. 1 |

But both have only one domain name.

Critical: Your port 443 is a http port. Is this

92.107.220.161 Dubendorf/Zurich/Switzerland (CH) - Swisscom (Schweiz) AG - Bluewin Hostname: 161.220.107.92.dynamic.wline.res.cust.swisscom.ch

a home server? Maybe a wrong port forwarding: port 443 external -> port 80 internal.

What says

apachectl -S

One port 80 vHost with non-www and www is required, then create one certificate with both domain names.

Yes, it is a home server. 443 external is forwarding to 443 internal and 80 external is forwarding to 80 internal.
apachectl -S is returning this.

sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: clash-finder.com
Domains: clash-finder.com www.clash-finder.com
Expiry Date: 2020-06-06 09:06:20+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/clash-finder.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/clash-finder.com/privkey.pem


I'm more interested what's in sites-enabled. :slight_smile:

or add both certificates to the same virtualhost :wink:

@frius94: you are definitely serving an http website on port 443: http://clash-finder.com:443/

Can you show us the virtualhosts on port 443? grep -r 443 /etc/apache2
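The observation above ("an http website on port 443") can be reproduced from the command line without a browser. The following is an added example written for this thread, not code from the posters or from Certbot: it builds a real TLS ClientHello with Python's ssl module (no network needed for that step), sends it to port 443 and classifies the first bytes of the answer. A TLS endpoint replies with a TLS record (content type 0x16 handshake or 0x15 alert, followed by the 0x03 version byte); an Apache VirtualHost on *:443 that has no `SSLEngine on` treats the ClientHello as a malformed HTTP request and answers `HTTP/1.1 400 Bad Request`, which is exactly what Chrome surfaces as ERR_SSL_PROTOCOL_ERROR. The sample replies at the bottom are constructed, not captured from the server discussed here.

```python
import socket
import ssl
import sys


def build_client_hello(server_name: str) -> bytes:
    """Return the bytes of a genuine TLS ClientHello (with SNI) without any network I/O,
    by driving an SSLObject over in-memory BIOs until it wants a ServerHello."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the ClientHello sits in `outgoing`, the object now waits for input
    return outgoing.read()


def classify_server_bytes(data: bytes) -> str:
    """Classify what a server sent back in reply to a ClientHello."""
    if not data:
        return "no-response"
    # TLS record header: content type 0x16 (handshake) or 0x15 (alert), then 0x03 0xNN
    if len(data) >= 3 and data[0] in (0x15, 0x16) and data[1] == 0x03:
        return "tls"
    # A plain-HTTP Apache vhost parses the ClientHello as a broken request line
    if data.startswith(b"HTTP/"):
        return "plain-http"
    return "unknown"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send a ClientHello to host:port and report what kind of server answered."""
    hello = build_client_hello(host)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(hello)
        try:
            data = sock.recv(4096)
        except socket.timeout:
            data = b""
    return classify_server_bytes(data)


# Constructed sample replies for offline checks (not captured from any real host)
PLAIN_HTTP_REPLY = (b"HTTP/1.1 400 Bad Request\r\n"
                    b"Server: Apache/2.4.29 (Ubuntu)\r\n"
                    b"Content-Type: text/html; charset=iso-8859-1\r\n\r\n")
TLS_ALERT_REPLY = bytes([0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x28])  # fatal handshake_failure
SERVER_HELLO_REPLY = bytes([0x16, 0x03, 0x03, 0x00, 0x04, 0x02]) + b"\x00" * 3

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: probe443.py <hostname>")
    print(sys.argv[1], "port 443 speaks:", probe(sys.argv[1]))
```

Run it as `python3 probe443.py your.domain` (hypothetical file name). A result of `plain-http` on port 443 means the vhost answering there has no TLS configured, or the port forward lands on a plain HTTP port; `tls` with an alert still means TLS is configured, only the handshake parameters were rejected.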

@9peppe
grep -r 443 /etc/apache2
/etc/apache2/sites-available/000-default-le-ssl.conf:<VirtualHost *:443>
/etc/apache2/sites-available/default-ssl.conf:
/etc/apache2/ports.conf: Listen 443
/etc/apache2/ports.conf: Listen 443

@Osiris
/etc/apache2/sites-enabled$ ll
total 8
drwxr-xr-x 2 root root 4096 Mär 8 11:13 ./
drwxr-xr-x 8 root root 4096 Mär 8 11:19 ../
lrwxrwxrwx 1 root root 35 Mär 6 09:24 000-default.conf -> ../sites-available/000-default.conf
lrwxrwxrwx 1 root root 52 Mär 8 10:32 000-default-le-ssl.conf -> /etc/apache2/sites-available/000-default-le-ssl.conf

These are basically symlinks to the files I posted earlier.

post this file, please.

you can use ```pre to start, then newline, then ``` to stop, to post raw files.

That's very true, but without a symbolic link in sites-enabled, the configuration file in sites-available won't do anything.

Why isn't there an answer? sudo is required.

There is already a certificate with both domain names.

Perhaps disable your port 443, then use the --reinstall option with both domain names. Certbot should find the certificate and should create a correct vHost.

@JuergenAuer
Sorry for my delayed answer

apachectl -S
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443 127.0.1.1 (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33 not_used
Group: name="www-data" id=33 not_used

@JuergenAuer

I will try your advice with disabling 443 port and reinstalling it.

There you see the problem. No port 80 named vHost with your two domain names.

Add such a port 80 vHost with ServerName / ServerAlias, then disable the port 443 vHost and use --reinstall.

https://certbot.eff.org/docs/using.html
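The diagnosis above rests on reading the "VirtualHost configuration:" section of `apachectl -S`: a vhost listed as `127.0.1.1` has no ServerName, so Certbot's Apache installer cannot match it to the requested domain (the same root cause behind the later "Unable to find corresponding HTTP vhost" message). The following is an added example, not code from the thread or from Certbot, that parses that section and reports which expected names no port 80 (or 443) vhost answers to. `THREAD_OUTPUT` is the output posted above with whitespace normalised; `FIXED_OUTPUT` is a constructed, hypothetical example of the name-based form Apache prints once more than one vhost shares a port (the `other.example` vhost and its file are invented to exercise the alias parsing). Note that when a port carries a single vhost, `apachectl -S` prints only its ServerName and no aliases, so a missing www alias on such a line must be confirmed by reading the config file itself.

```python
import re
from dataclasses import dataclass, field


@dataclass
class VHost:
    port: int
    server_name: str
    config: str                                 # file defining the vhost (line number dropped)
    aliases: list = field(default_factory=list)  # ServerAlias names, only shown for name-based ports


# One vhost on a port: "*:443   127.0.1.1 (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)"
SINGLE_RE = re.compile(r"^(\S+):(\d+)\s+(\S+)\s+\((.+?):\d+\)$")
# Several vhosts on a port: "   port 80 namevhost clash-finder.com (/etc/.../000-default.conf:1)"
NAMEVHOST_RE = re.compile(r"^\s+port (\d+) namevhost (\S+)\s+\((.+?):\d+\)$")
# ServerAlias entries listed under a namevhost: "      alias www.clash-finder.com"
ALIAS_RE = re.compile(r"^\s+alias (\S+)$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_apachectl_s(text: str) -> list[VHost]:
    """Parse the 'VirtualHost configuration:' section of `apachectl -S` output."""
    vhosts: list[VHost] = []
    in_section = False
    for line in text.splitlines():
        if line.startswith("VirtualHost configuration:"):
            in_section = True
            continue
        if not in_section:
            continue
        # A non-indented line that is neither a vhost nor a NameVirtualHost header
        # ("ServerRoot:", "Main DocumentRoot:", ...) ends the section
        if line and not line[0].isspace() and not SINGLE_RE.match(line) \
                and "NameVirtualHost" not in line:
            break
        m = SINGLE_RE.match(line)
        if m:
            vhosts.append(VHost(int(m.group(2)), m.group(3), m.group(4)))
            continue
        m = NAMEVHOST_RE.match(line)
        if m:
            vhosts.append(VHost(int(m.group(1)), m.group(2), m.group(3)))
            continue
        m = ALIAS_RE.match(line)
        if m and vhosts:
            vhosts[-1].aliases.append(m.group(1))
    return vhosts


def missing_names(vhosts: list[VHost], names: list[str], port: int) -> list[str]:
    """Expected names that no vhost on `port` answers to via ServerName or ServerAlias."""
    served = set()
    for v in vhosts:
        if v.port == port:
            served.add(v.server_name)
            served.update(v.aliases)
    return [n for n in names if n not in served]


def unnamed_vhosts(vhosts: list[VHost]) -> list[VHost]:
    """Vhosts whose name is an IP literal: Apache fell back to the host address
    because the vhost sets no ServerName (see the AH00558 warning)."""
    return [v for v in vhosts if IPV4_RE.match(v.server_name)]


EXPECTED = ["clash-finder.com", "www.clash-finder.com"]

# Output posted in the thread, whitespace normalised
THREAD_OUTPUT = """\
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443                  127.0.1.1 (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80                   127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
"""

# Constructed, hypothetical output after a named port 80 vhost exists; other.example is invented
FIXED_OUTPUT = """\
VirtualHost configuration:
*:443                  clash-finder.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80                   is a NameVirtualHost
         default server clash-finder.com (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost clash-finder.com (/etc/apache2/sites-enabled/000-default.conf:1)
                 alias www.clash-finder.com
         port 80 namevhost other.example (/etc/apache2/sites-enabled/other.conf:1)
ServerRoot: "/etc/apache2"
"""

if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else THREAD_OUTPUT
    vhosts = parse_apachectl_s(text)
    for v in unnamed_vhosts(vhosts):
        print(f"port {v.port}: vhost in {v.config} has no ServerName")
    for port in (80, 443):
        print(f"port {port}: not served by any vhost: {missing_names(vhosts, EXPECTED, port)}")
```

Usage on the server: `apachectl -S 2>&1 | python3 check_vhosts.py` (hypothetical file name). With the thread's output it reports both vhosts as unnamed and both domains as unserved on ports 80 and 443, which is the condition Certbot's installer cannot work with.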

What I did so far:

added:
ServerName clash-finder.com
ServerAlias www.clash-finder.com
to 000-default.conf

/etc/apache2/sites-enabled$ sudo a2dissite 000-default-le-ssl.conf
Site 000-default-le-ssl disabled.
To activate the new configuration, you need to run:
systemctl reload apache2

systemctl reload apache2.service

sudo certbot --apache --reinstall
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?


1: clash-finder.com
2: www.clash-finder.com


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):

Which one am I supposed to choose now?

I’d say both, separated by commas or spaces (leave blank to select all)

(but it’s definitely your choice, which domain[s] you want to enable https for)

Certbot will tell you you already have a certificate, let it use it and tell it to reinstall the current one.

Ok, I chose both of them.

Which names would you like to activate HTTPS for?


1: clash-finder.com
2: www.clash-finder.com


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1 2
Cert not yet due for renewal
Keeping the existing certificate
Created an SSL vhost at /etc/apache2/sites-available/000-default-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/000-default-le-ssl.conf
Created an SSL vhost at /etc/apache2/sites-available/000-default-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.


1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Enhancement redirect was already set.
Enhancement redirect was already set.


Congratulations! You have successfully enabled https://clash-finder.com and
https://www.clash-finder.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=clash-finder.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.clash-finder.com

As you can see, I also chose to redirect http to https and it said
Enhancement redirect was already set.
But it seems not to redirect http to https. However, the ssl certificate works now. Thank you guys.
Can you guys give me a hint where I can fix the http to https redirect?

The port 80 virtualhosts, the redirect is in there. You can probably remove it (it will say # managed by Certbot; don't remove the certs, only the redirect) and let certbot reinstall it with certbot enhance --redirect

There is nothing like # managed by certbot on my configuration files. The only redirect I could find in 000-default.conf is this one

RewriteEngine on
RewriteCond %{SERVER_NAME} =clash-finder.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

The other conf file 000-default-le-ssl.conf had these redirects too but they were comments.
So what I did is: I changed the active redirects in 000-default.conf to comments with # and restarted the webserver after that.
Then I ran certbot enhance --redirect

sudo certbot enhance --redirect
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator None, Installer apache

Which certificate would you like to use to enhance your configuration?


1: clash-finder.com


Press 1 [enter] to confirm the selection (press 'c' to cancel): 1

Which domain names would you like to enable the selected enhancements for?


1: clash-finder.com
2: www.clash-finder.com


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1 2
Failed redirect for clash-finder.com
Unable to set enhancement redirect for clash-finder.com
Unable to find corresponding HTTP vhost; Unable to create one as intended addresses conflict; Current configuration does not support automated redirection

IMPORTANT NOTES:

  • We were unable to set up enhancement redirect for your server,
    however, we successfully installed your certificate.

Why is there a conflict? As I mentioned this was the only active redirect I could find.

I can post the conf files if it is needed.