ERR_SSL_PROTOCOL_ERROR after adding another subdomain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
(all sub domains)
portal.stcatherines.eu
vle.stcatherines.eu
blogs.stcatherines.eu
I ran this command:

It produced this output:

My web server is (include version):
Apache 2.4.25

The operating system my web server runs on is (include version):
Debian Linux 9

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
0.38.0

I’m a total newbie in the field. I don’t know where my problem is. All was running fine until I ran certbot again and added a new subdomain. I use this server to host only my subdomains sites.

When i run apachectl -S

AH00558: apache2: Could not reliably determine the server’s fully qualified domain name, using 127.0.0.1. Set the ‘ServerName’ directive globally to suppress this message
VirtualHost configuration:
*:443 is a NameVirtualHost
default server blogs.stcatherines.eu (/etc/apache2/sites-enabled/blogs.stcatherines.eu.conf:1)
port 443 namevhost blogs.stcatherines.eu (/etc/apache2/sites-enabled/blogs.stcatherines.eu.conf:1)
port 443 namevhost portal.stcatherines.eu (/etc/apache2/sites-enabled/portal.stcatherines.eu.conf:11)
port 443 namevhost vle.stcatherines.eu (/etc/apache2/sites-enabled/vle.stcatherines.eu-ssl.conf:1)
*:80 is a NameVirtualHost
default server blogs.stcatherines.eu (/etc/apache2/sites-enabled/blogs.stcatherines.eu.conf:10)
port 80 namevhost blogs.stcatherines.eu (/etc/apache2/sites-enabled/blogs.stcatherines.eu.conf:10)
port 80 namevhost portal.stcatherines.eu (/etc/apache2/sites-enabled/portal.stcatherines.eu.conf:1)
port 80 namevhost vle.stcatherines.eu (/etc/apache2/sites-enabled/vle.stcatherines.eu.conf:1)
ServerRoot: “/etc/apache2”
Main DocumentRoot: “/var/www/html”
Main ErrorLog: “/var/log/apache2/error.log”
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
PidFile: “/var/run/apache2/apache2.pid”
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name=“www-data” id=33
Group: name=“www-data” id=33

Thanks in advance

Hi @mcassar

checked with my browser.

portal works.

vle sends http over port 443.

blogs + http has a redirect loop. blogs + https sends http over port 443.

Ah - I see, there is an older check of the portal - subdomain - https://check-your-website.server-daten.de/?q=portal.stcatherines.eu

There is a Grade Q -> http over port 443.

So no subdomain has a working port 443.

And you have a mix of certificates:

• First, make a backup
• Remove all not working port 443 vHosts
• then use certbot -d portal.stcatherines.eu - Certbot should find the certificate and should ask, if you want to reinstall it -> try to reinstall it, don't create a new certificate

Didn't checked the other subdomains.

Hi,
Thanks for your reply.

As soon as i run

It doesn't let me choose

Blockquote certbot -d portal.stcatherines.eu
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/portal.stcatherines.eu.conf)

What would you like to do?

1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): An unexpected error occurred:
EOFError
Please see the logfiles in /var/log/letsencrypt for more details.

Please: That's exact the message I've expected.

Select 1

Or add -vvv to have much more debug messages.

https://certbot.eff.org/docs/using.html

These are the debug messages.

Any clues?

What would you like to do?

1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 11, in
load_entry_point('certbot==0.28.0', 'console_scripts', 'certbot')()
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1340, in main
return config.func(config, plugins)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1089, in run
should_get_cert, lineage = _find_cert(config, domains, certname)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 286, in _find_cert
action, lineage = _find_lineage_for_domains_and_certname(config, domains, certname)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 313, in _find_lineage_for_domains_and_certname
return _find_lineage_for_domains(config, domains)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 264, in _find_lineage_for_domains
return _handle_identical_cert_request(config, ident_names_cert)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 217, in _handle_identical_cert_request
default=0, force_interactive=True)
File "/usr/lib/python3/dist-packages/certbot/display/util.py", line 155, in menu
code, selection = self._get_valid_int_ans(len(choices))
File "/usr/lib/python3/dist-packages/certbot/display/util.py", line 418, in _get_valid_int_ans
ans = input_with_timeout(input_msg)
File "/usr/lib/python3/dist-packages/certbot/display/util.py", line 85, in input_with_timeout
raise EOFError
EOFError
An unexpected error occurred:
EOFError

Thanks so much Jurgen managed to reinstall and its up and running again

Now your portal has the correct certificate - but a http status 500 - https://check-your-website.server-daten.de/?q=portal.stcatherines.eu

blogs has the portal - certificate - https://check-your-website.server-daten.de/?q=blogs.stcatherines.eu

vle has a good Grade B - https://check-your-website.server-daten.de/?q=vle.stcatherines.eu - there is the correct certificate used.

So check your configuration, use the vle - vHost definition as template to find the errors in your blogs - vHost definition.

The http status 500 may be an application problem, not a vHost configuration problem.

Hi,

Could you please guide me how I can give blogs its own certificate like the others?

as soon as i tried this command

certbot -d blogs.stcatherines.eu Saving debug log to /var/log/letsencrypt/letsencrypt.log Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot certonly" to do so. You'll need to manually configure your web server to use the resulting certificate.

Thanks
Regards

Create an own default vHost.

Looks like Certbot doesn't understand

that configuration. And compare it with your other vHosts.

I did create a manual vHost but now its telling me that i have a Certificate error: RemoteCertificateNameMismatch.

Should I delete the portal and reinstall it including both domains?

Please read your output. The certificate is wrong.

There is no certificate with only one domain name.

Hi Juergen,

Once again thanks for your guidance. I did recreate the vHost and updated the certificates with the correct domains. It all looks like its working smoothly now.

Thanks once again.

Yep, now it looks good. There is a check, two hours old - https://check-your-website.server-daten.de/?q=blogs.stcatherines.eu

Grade B, one certificate with only one domain name used. That's good.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.