Apache Server does not recognize certificates


#1

Dear all,

my Cloud Server is reachable via HTTP. In order to make HTTPS work, I created my own certificate and got the response:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/ericsowncloud.ddns.net/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/ericsowncloud.ddns.net/privkey.pem

In /etc/apache2/sites-available/default-ssl.conf I changed the entries as follows:

SSLCertificateFile /etc/letsencrypt/live/ericsowncloud.ddns.net/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/ericsowncloud.ddns.net/privkey.pem

Then, I did
sudo a2ensite default-ssl.conf and sudo service apache2 restart

With HTTPS, my server however responds with ERR_SSL_PROTOCOL_ERROR. What else do I have to do?


#2

Hi,

Could you please share with us the full file /etc/apache2/sites-available/default-ssl.conf?

Thank you


#3

Hi @Eric-Sommer

there is no https ( https://check-your-website.server-daten.de/?q=ericsowncloud.ddns.net ):

Domainname                                 Http-Status  redirect  Sec.    G
• http://ericsowncloud.ddns.net/
    87.78.238.99                           200                    0.093   H
• http://ericsowncloud.ddns.net/
    2001:4dd6:aa54:0:bfea:4b4c:3082:b21f   -14                    10.016  T
    Timeout - The operation has timed out
• https://ericsowncloud.ddns.net/
    87.78.238.99                           -4                     0.157   W
    SendFailure - The underlying connection was closed: An unexpected error occurred on a send. The handshake failed due to an unexpected packet format.
• https://ericsowncloud.ddns.net/
    2001:4dd6:aa54:0:bfea:4b4c:3082:b21f   -14                    10.016  T
    Timeout - The operation has timed out
• http://ericsowncloud.ddns.net:443/
    87.78.238.99                           200                    0.080   Q
• http://ericsowncloud.ddns.net:443/
    2001:4dd6:aa54:0:bfea:4b4c:3082:b21f   -14                    10.030  A
    Timeout - The operation has timed out

Instead, your port 443 sends a typical error:

The handshake failed due to an unexpected packet format.

And it answers with HTTP on port 443: there is an HTTP status 200 if an HTTP query is sent to port 443.

So your default-ssl.conf doesn’t work. Perhaps share the content of the complete file.


#4

Thanks… attached the full ssl_default.conf (renamed here): ssl_default.txt (6.2 KB)


#5

Is mod_ssl loaded?


#6

Entering sudo a2enmod ssl gives me

Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Module socache_shmcb already enabled
Module ssl already enabled

So I assume yes.


#7

Perhaps I have an idea.

A few days ago a user had a special problem, so I added a check of the HTML content of a page.

I added that to the http-over-443 check - https://check-your-website.server-daten.de/?q=ericsowncloud.ddns.net

And the result:

Domainname                                 Http-Status  redirect  Sec.    G
• http://ericsowncloud.ddns.net/
    87.78.238.99                           200                    0.076   H
• http://ericsowncloud.ddns.net/
    2001:4dd6:aa54:0:bfea:4b4c:3082:b21f   -14                    10.030  T
    Timeout - The operation has timed out
• https://ericsowncloud.ddns.net/
    87.78.238.99                           -4                     0.127   W
    SendFailure - The underlying connection was closed: An unexpected error occurred on a send. The handshake failed due to an unexpected packet format.
• https://ericsowncloud.ddns.net/
    2001:4dd6:aa54:0:bfea:4b4c:3082:b21f   -14                    10.013  T
    Timeout - The operation has timed out
• http://ericsowncloud.ddns.net:443/
    87.78.238.99                           200                    0.093   Q
    Visible Content: Index of / NameLast modifiedSizeDescription nextcloud/2018-06-11 10:22 -   Apache/2.4.25 (Raspbian) Server at ericsowncloud.ddns.net Port 80

The “Visible Content” (all HTML elements removed) when connecting to your server via port 443 is answered via port 80, not via port 443.

Do you have a router?

Does this router send port 443 to port 80?

Your router must send incoming port 443 to your 443 port of your Apache.


#8

Yes, I have a Fritzbox, but port 443 is routed to port 443, see attachment (Screenshot_2019-02-28_20-32-37).


#9

If your router settings are correct, then you may have an error in your main apache config file.

So your SSL-config isn’t used.

So share that file.


#10

apache2.conf attached. I can’t recall touching this file at all. apache2.txt (7.1 KB)


#11

I don’t see an error. Is ports.conf correct? Is there a second Listen 443 directive?

Your SSL-default: Why is Listen 443 outside the <IfModule mod_ssl.c> block? Put it inside.

Perhaps there is another config running -> one reboot.
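As an added example (not from the thread or from the attached files): a small Python checker for the three things this post asks about. It takes the combined text of ports.conf and the SSL site file and reports a Listen 443 that is not inside an <IfModule mod_ssl.c> (or <IfModule ssl_module>) guard, more than one Listen 443, and a :443 VirtualHost without SSLEngine on, which are the configurations in which Apache ends up answering plain HTTP on port 443. The two config snippets are constructed for this example, and the host example.test in the certificate paths is a placeholder.

```python
"""Lint an Apache ports.conf + SSL site file for the usual ways of ending up
with plain HTTP on port 443.  Added example; the configs below are constructed."""

import re

# Constructed: Debian-style ports.conf guard plus a site file in which
# "Listen 443" was repeated outside the mod_ssl guard and the :443 vhost
# never got "SSLEngine on".
BROKEN_CONFIG = """
Listen 80

<IfModule ssl_module>
    Listen 443
</IfModule>

Listen 443
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        SSLCertificateFile /etc/letsencrypt/live/example.test/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/example.test/privkey.pem
    </VirtualHost>
</IfModule>
"""

# Constructed: the same site with Listen 443 inside the guard and SSLEngine on.
FIXED_CONFIG = """
Listen 80

<IfModule mod_ssl.c>
    Listen 443
    <VirtualHost _default_:443>
        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/example.test/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/example.test/privkey.pem
    </VirtualHost>
</IfModule>
"""

_OPEN_RE = re.compile(r"^<(\w+)\s*([^>]*)>$")
_CLOSE_RE = re.compile(r"^</(\w+)>$")


def _is_ssl_guard(arg):
    """True for <IfModule mod_ssl.c> / <IfModule ssl_module>, not for a negated guard."""
    return "ssl" in arg.lower() and not arg.startswith("!")


def lint_ssl_config(text):
    """Return a list of findings (empty list == nothing suspicious)."""
    findings = []
    stack = []          # open containers, as (tag, argument)
    listens_443 = []    # one entry per "Listen ...443": the IfModule guards around it
    vhosts_443 = []     # one dict per <VirtualHost ...:443>
    vhost = None

    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        m = _OPEN_RE.match(line)
        if m:
            tag, arg = m.group(1).lower(), m.group(2).strip()
            stack.append((tag, arg))
            if tag == "virtualhost" and arg.endswith(":443"):
                vhost = {"addr": arg, "ssl_engine": False}
                vhosts_443.append(vhost)
            continue
        m = _CLOSE_RE.match(line)
        if m:
            tag = m.group(1).lower()
            if not stack or stack[-1][0] != tag:
                findings.append(f"unbalanced </{m.group(1)}>")
                continue
            stack.pop()
            if tag == "virtualhost":
                vhost = None
            continue
        parts = line.split()
        name = parts[0].lower()
        if name == "listen" and len(parts) > 1:
            port = parts[1].rsplit(":", 1)[-1]   # "443", "1.2.3.4:443" or "[::]:443"
            if port == "443":
                listens_443.append([a for t, a in stack if t == "ifmodule"])
        elif name == "sslengine" and vhost is not None and len(parts) > 1:
            vhost["ssl_engine"] = parts[1].lower() == "on"

    if not listens_443:
        findings.append("no 'Listen 443': Apache does not accept connections on 443 at all")
    for guards in listens_443:
        if not any(_is_ssl_guard(g) for g in guards):
            findings.append("'Listen 443' is outside <IfModule mod_ssl.c>: if mod_ssl is not "
                            "loaded Apache still listens on 443 and answers plain HTTP there")
    if len(listens_443) > 1:
        findings.append(f"'Listen 443' appears {len(listens_443)} times; check ports.conf "
                        "and the site file for the duplicate")
    if not vhosts_443:
        findings.append("no <VirtualHost ...:443>: requests on 443 are answered as plain HTTP "
                        "by whatever default site Apache picks")
    for v in vhosts_443:
        if not v["ssl_engine"]:
            findings.append(f"<VirtualHost {v['addr']}> has no 'SSLEngine on': it answers plain HTTP")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{label}: {lint_ssl_config(cfg) or ['ok']}")
```

On a real box, feed it the concatenation of /etc/apache2/ports.conf and /etc/apache2/sites-enabled/default-ssl.conf (sites-enabled, not sites-available, so that a missing a2ensite symlink shows up as "no VirtualHost"); it does not replace `apachectl -S`, which shows what the running Apache actually bound.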


#12

This is the really important detail—the server is speaking HTTP instead of HTTPS on port 443. You can probably tell whether the problem is on the server or on the router by trying to connect from inside the router.


#13

That’s a good idea.

Use this url:

http://ericsowncloud.ddns.net:443/

#14

(this might cause some difficulties if the server has a different IP address as seen from the inside and outside and if this difference isn’t reflected in DNS records as seen from those perspectives)
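Added example, not part of the thread: a Python probe that makes the distinction the check-your-website output earlier in the thread turns on, and that can be run from inside the LAN against the server's internal address as the two posts above suggest, so that a router problem can be told apart from an Apache problem. It first sends a real TLS ClientHello, as a browser would, and only if that is not answered with TLS sends a plain GET, as opening http://host:443/ does; the classification is a heuristic. The hostname default in the __main__ block is the one from this thread; the local listener at the end is a constructed stand-in for an Apache answering plain HTTP on 443 and exists only so the example runs offline.

```python
"""Classify what answers on host:port: TLS, plain HTTP, nothing, or closed.
Added example for the thread above; the listener at the bottom is a constructed
stand-in, not the poster's server."""

import socket
import ssl
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Context that only asks "does anyone speak TLS here?".  Certificate problems
# are a separate question and would be checked with a normal verifying context.
_PROBE_CTX = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
_PROBE_CTX.check_hostname = False
_PROBE_CTX.verify_mode = ssl.CERT_NONE


def classify_port(host, port, timeout=3.0):
    """Return one of:
      "tls"        a TLS server answered (or explicitly refused) the handshake
      "plain-http" an HTTP status line came back: the port speaks plain HTTP
                   (the symptom in this thread: port 443 delivers the port-80 site)
      "closed"     connection refused
      "timeout"    no answer at all (firewall, missing forwarding, dead IPv6 route)
      "unknown"    something answered, but neither TLS nor HTTP
    """
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "closed"
    except OSError:             # timeout, "network unreachable", ...
        return "timeout"

    # Probe 1: a real ClientHello.
    with raw:
        try:
            with _PROBE_CTX.wrap_socket(raw, server_hostname=host):
                return "tls"
        except ssl.SSLError as exc:
            # A TLS alert means the peer speaks TLS but refused us (e.g. no
            # shared cipher).  Anything else, such as WRONG_VERSION_NUMBER after
            # an "HTTP/1.1 400" reply, means the bytes we got were not TLS.
            if "ALERT" in (exc.reason or ""):
                return "tls"
        except OSError:
            pass                # reset, or no reply to the ClientHello at all

    # Probe 2: plain HTTP, the equivalent of opening http://host:443/.
    request = b"GET / HTTP/1.0\r\nHost: " + host.encode("idna") + b"\r\n\r\n"
    try:
        with socket.create_connection((host, port), timeout=timeout) as plain:
            plain.sendall(request)
            head = plain.recv(64)
    except OSError:
        return "timeout"
    if head.startswith(b"HTTP/"):
        return "plain-http"
    if head[:1] == b"\x15":     # a TLS alert record (content type 21)
        return "tls"
    return "unknown"


class _PlainHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for an Apache that answers plain HTTP on port 443."""

    def do_GET(self):
        body = b"<h1>Index of /</h1>Apache/2.4 Server Port 80"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *_):  # keep the example quiet
        pass


def start_plain_http_listener():
    """Start a local plain-HTTP listener on a random port; returns (server, port)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), _PlainHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    import sys
    # Default is the hostname from the thread; pass the LAN address to test from inside.
    host = sys.argv[1] if len(sys.argv) > 1 else "ericsowncloud.ddns.net"
    for port in (80, 443):
        print(f"{host}:{port} -> {classify_port(host, port)}")
```

Run it once against the public name from outside and once against the server's LAN address from inside: "plain-http" on 443 in both cases points at Apache, "tls" inside but "plain-http" outside points at the router's forwarding rule.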


#15

After the reboot, the server apparently does not properly boot. Since I’m not at home for the next days, I’ll have to postpone your suggestions.


#16

Oh, that’s bad. But you may have an inconsistent system, so it’s good to fix that.

Sometimes there are users with orphaned Apache processes: an old Apache process doesn’t terminate and keeps answering, so changes are not visible. A reboot stops that.


#17

On a *nix server, it’s almost never required to do a reboot.


#18

I set up everything from scratch again and now it’s working. Thank you all!