Cert issued but can't create secure connection - LibreSSL error:1404B42E

I'm setting up a new Ubuntu 22 box on Azure.

LetsEncrypt is installed and it has issued the certificates for the domain, but browsers can't seem to connect to the domain over https.

ssl.conf and options-ssl-apache.conf have not been modified. (I did try to override a few of the settings in my virtualhosts file for various reasons, but backed them out when they made no difference.)

I had some permissions issues in /etc/letsencrypt/ but this was resolved by changing archive and live to 0755. keys and accounts were likewise set to 0700 but changing those to 0755 didn't help.

Does anyone have any ideas what might be causing my protocol error?


cURL: LibreSSL/3.3.6: error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version

Domain: https://wol.runcode.run
Web server: Apache 2.4.52
OS: Ubuntu 22.04.3 LTS
Host: Azure
Root: Yes
CertBot Version 1.21.0
VirtualHost File:

<VirtualHost *:80>
	ServerName wol.runcode.run
	ServerAlias www.wol.runcode.run
	DocumentRoot /var/www/wol.runcode.run/live/public
	ErrorLog /var/www/wol.runcode.run/live/logs/www.log

<VirtualHost *:443>
	ServerName wol.runcode.run
	ServerAlias www.wol.runcode.run
	DocumentRoot /var/www/wol.runcode.run/live/public
	ErrorLog /var/www/wol.runcode.run/live/logs/www.log

	<FilesMatch "\.(cgi|shtml|phtml|php)$">
		SSLOptions +StdEnvVars
	<Directory "/var/www/cgi-bin">
		SSLOptions +StdEnvVars

	<Directory /var/www/wol.runcode.run/live/public>
		Options Indexes FollowSymLinks
		AllowOverride All
		Require all granted

### SSL
	Include /etc/letsencrypt/options-ssl-apache.conf
	SSLCertificateFile /etc/letsencrypt/live/wol.runcode.run/fullchain.pem
	SSLCertificateKeyFile /etc/letsencrypt/live/wol.runcode.run/privkey.pem

Of course after considering 100 different things that could be going wrong, only after writing all that out did I wonder if a different vhosts file was creating a conflict, which... it was. (Disabling the other vhosts allowed this domain to work.)

I'll update this reply when I know exactly what in case it helps someone else.

As near as I can tell, if you're creating multiple virtual hosts, don't create 'placeholder' tagging for port 443

<VirtualHost *:443>
ServerName www.anything.com

until you're ready to activate the certificate for this domain. The existence of a different domain configured to communicate on port 443, but not having any way to actually encrypt its communications seems to interfere with the traffic on other domains that would otherwise be able to encrypt their traffic (in this case wol.runcode.run).


Apache is notorious for allowing those kinds of overlaps.
Allways always all ways check:
sudo apachectl -t -D DUMP_VHOSTS
[for name:port overlaps]

host -a runcode.run

Trying "runcode.run"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63484
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;runcode.run.                   IN      ANY

runcode.run.            3480    IN      A

Received 45 bytes from in 2 ms
rip:T430 Desktop >>  host wol.runcode.run
Host wol.runcode.run not found: 3(NXDOMAIN)

I don't think DNS is set up for the subdomains.

1 Like

Thanks; It's been resolved (sorry, forgot to flag it as such).
The subdomain was only set up for testing.