ERR_SSL_PROTOCOL_ERROR after Cert Renewal

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: stxdigitizing.com

I ran this command: n/a

It produced this output: www.stxdigitizing.com sent an invalid response (ERR_SSL_PROTOCOL_ERROR)
after a server update/upgrade and a certbot renew command. The server is behind HAProxy.

My web server is (include version): Apache/2.4.29 (Ubuntu)

The operating system my web server runs on is (include version):
ubuntu 18.04.5 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

You may just need to restart Apache, but you should also check your OpenSSL ciphers: http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#ciphers

Yeah, something is not right.
HTTP to www works, but the base domain has issues:

curl -Iki http://www.stxdigitizing.com/
HTTP/1.1 301 Moved Permanently
Date: Wed, 30 Sep 2020 04:21:25 GMT
Server: Apache/2.4.29 (Ubuntu)
Location: https://www.stxdigitizing.com/
Content-Type: text/html; charset=iso-8859-1

curl -Iki http://stxdigitizing.com/
HTTP/1.0 503 Service Unavailable
Cache-Control: no-cache
Connection: close
Content-Type: text/html

And the HTTPS side seems to be serving HTTP content.
You might be missing "SSLEngine on".
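A way to confirm the symptom described above from the outside, as an added example that is not part of the original thread: a port-443 VirtualHost without `SSLEngine on` still accepts the connection but treats the TLS ClientHello as a garbled HTTP request and answers in plaintext, which the browser reports as ERR_SSL_PROTOCOL_ERROR. The script below lets OpenSSL build a real ClientHello through an `ssl.MemoryBIO` (no hand-rolled TLS), sends it, and classifies the first bytes that come back. The host and port are placeholders to fill in.

```python
"""Tell a TLS listener from a plaintext one on port 443.

Added example; not code from the thread. An HTTPS VirtualHost that lacks
`SSLEngine on` still listens on 443, but answers a TLS ClientHello as if it
were a malformed HTTP request, so the browser shows ERR_SSL_PROTOCOL_ERROR.
We send a genuine ClientHello (generated by OpenSSL via ssl.MemoryBIO) and
classify the first bytes that come back. Host and port values below are
placeholders."""
import socket
import ssl

TLS_RECORD_HANDSHAKE = 0x16   # ServerHello: the port speaks TLS
TLS_RECORD_ALERT = 0x15       # TLS alert: it speaks TLS but rejected the hello


def build_client_hello(server_name: str) -> bytes:
    """Produce the ClientHello OpenSSL would send for server_name, without any network I/O."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the ClientHello is written, OpenSSL now waits for a ServerHello
    return outgoing.read()


def classify_server_bytes(data: bytes) -> str:
    """Classify the first bytes a server returned in reply to a ClientHello."""
    if not data:
        return "no-data"          # closed or timed out without answering
    if len(data) >= 3 and data[1] == 0x03:   # TLS record header: type, then major version 3
        if data[0] == TLS_RECORD_HANDSHAKE:
            return "tls"
        if data[0] == TLS_RECORD_ALERT:
            return "tls-alert"
    if data.startswith(b"HTTP/"):
        return "plaintext-http"   # Apache without SSLEngine on: typically "HTTP/1.1 400 Bad Request"
    return "unknown"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect, send a ClientHello and classify the reply (this one does talk to the network)."""
    hello = build_client_hello(host)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(hello)
        try:
            reply = sock.recv(64)
        except socket.timeout:
            reply = b""
    return classify_server_bytes(reply)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"  # placeholder host
    print(target, "->", probe(target))
```

Sending a real ClientHello matters: probing with plain HTTP instead (for example `curl http://host:443/`) does not distinguish the two cases, because Apache with mod_ssl enabled also answers plaintext on its TLS port with a readable 400 page explaining that you are speaking plain HTTP to an SSL-enabled port. `openssl s_client -connect host:443 -servername host` gives the same verdict interactively (a "wrong version number" error is the plaintext case); the script just makes it scriptable across many hosts.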

SSLEngine on, I'm assuming, is in the virtual host file, or should it be in the host file?

Yes, it goes in the server block with the 443 listener and cert files.
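A check for exactly the condition the reply above describes, as an added example that is not code from the thread or from Certbot: given the text of a site file such as /etc/apache2/sites-enabled/stxdigitizing-le-ssl.conf (and, optionally, the text of any file it Includes, keyed by path), it reports every VirtualHost bound to port 443 whose `SSLEngine on` is absent or commented out. The sample config embedded in the block is constructed to mirror the broken file shape, and the file paths in it are placeholders.

```python
"""Find port-443 VirtualHosts that will serve plaintext because SSLEngine is off.

Added example; not code from the thread or from Certbot. Give it the text of
a site file and, optionally, the text of files it Includes, keyed by path.
Each VirtualHost on port 443 gets one finding: "ok" when an active
`SSLEngine on` is in effect, "plaintext" when it is missing or commented
out, and "unresolved-include" when the answer could hide in an Include you
did not supply. Paths in the sample are placeholders."""
import re
import sys

VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.IGNORECASE)
COMMENTED_ENGINE = re.compile(r"^\s*#\s*SSLEngine\s+on\b", re.IGNORECASE)
INCLUDE = re.compile(r"^\s*Include(?:Optional)?\s+(\S+)", re.IGNORECASE)

# Constructed sample shaped like the broken file in the thread; not the real file.
SAMPLE_BROKEN = """<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName example.test
    #SSLEngine on
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/example.test/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.test/privkey.pem
</VirtualHost>
</IfModule>
"""


def _directive(line: str):
    """Split an active (non-comment, non-tag) config line into (lowercased name, value)."""
    s = line.strip()
    if not s or s.startswith("#") or s.startswith("<"):
        return None, ""
    parts = s.split(None, 1)
    return parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")


def _engine_in(text: str):
    """Value of the last active SSLEngine directive in an included file, or None."""
    value = None
    for line in text.splitlines():
        name, val = _directive(line)
        if name == "sslengine":
            value = val.lower()
    return value


def _finding(vhost: dict) -> dict:
    if vhost["engine"] == "on":
        status = "ok"
    elif vhost["engine"] is None and vhost["unresolved"]:
        status = "unresolved-include"
    else:
        status = "plaintext"          # port 443 will answer ClientHellos with HTTP
    return {"line": vhost["line"], "addrs": vhost["addrs"], "status": status,
            "commented_engine": vhost["commented_engine"],
            "unresolved_includes": vhost["unresolved"]}


def audit_vhosts(config_text: str, included: dict = None) -> list:
    """One finding dict per VirtualHost bound to port 443 in config_text."""
    included = included or {}
    findings, vhost = [], None
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        m = VHOST_OPEN.match(raw)
        if m:
            vhost = {"line": lineno, "addrs": m.group(1).split(), "engine": None,
                     "commented_engine": False, "unresolved": []}
            continue
        if VHOST_CLOSE.match(raw):
            if vhost and any(a.rsplit(":", 1)[-1] == "443" for a in vhost["addrs"]):
                findings.append(_finding(vhost))
            vhost = None
            continue
        if vhost is None:
            continue                  # only directives inside a VirtualHost matter here
        if COMMENTED_ENGINE.match(raw):
            vhost["commented_engine"] = True   # the directive is present but disabled
            continue
        m = INCLUDE.match(raw)
        if m:
            path = m.group(1)
            if path in included:
                eng = _engine_in(included[path])
                if eng is not None:
                    vhost["engine"] = eng     # an Include can switch the engine on (or off)
            else:
                vhost["unresolved"].append(path)
            continue
        name, val = _directive(raw)
        if name == "sslengine":
            vhost["engine"] = val.lower()     # a later directive wins, as in Apache
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BROKEN
    for finding in audit_vhosts(text):
        print(finding)
```

Run it against the real file and pass the included options file too (`audit_vhosts(open(site).read(), {path: open(path).read()})`), because an `Include` inside the VirtualHost can legitimately carry the `SSLEngine on`; without it the tool reports "unresolved-include" rather than guessing. It deliberately treats a `#SSLEngine on` line as evidence that the directive was disabled rather than never written, which is the case in this thread.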

So I decided to run Wireshark to see what was going on. I fat-fingered the destination port on the NAT to the proxy, so it was incorrect. It's working now. But I'm not sure how HTTPS is serving up HTTP content. Would it have to do with the Rewrite Engine being on?

If you care to show your HTTPS block maybe I can see what is wrong there.

If you're unsure about which file it is in, try first showing the output of:
sudo apachectl -S

VirtualHost configuration:
*:443 stxdigitizing.com (/etc/apache2/sites-enabled/stxdigitizing-le-ssl.conf:2)
*:80 stxdigitizing.com (/etc/apache2/sites-enabled/stxdigitizing.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

Please show this file with:
cat /etc/apache2/sites-enabled/stxdigitizing-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.
    #ServerName www.example.com
    ServerAdmin webmaster@stxdigitizing.com
    ServerName stxdigitizing.com
    ServerAlias www.stxdigitizing.com
    DocumentRoot /var/www/stxdigitizing/
    Protocols h2 http/1.1
    Header always set Strict-Transport-Security "max-age=63072000"
    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog /var/log/apache2/error.log
    CustomLog /var/log/apache2/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf
    #SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

    #SSLEngine on
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/stxdigitizing.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/stxdigitizing.com/privkey.pem

    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    # (cipher list cut off at the terminal width in the original post; the trailing $ is not part of the directive)
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305$
    SSLHonorCipherOrder off
    SSLSessionTickets off

    SSLUseStapling On
    SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
</VirtualHost>
</IfModule>

Why is that off?


I just turned it back on now. I probably didn't save the file when I backed out of vim.

Restart Apache and let's see...

Much better now:

curl -Iki https://www.stxdigitizing.com/
HTTP/1.1 200 OK
Date: Wed, 30 Sep 2020 05:37:45 GMT
Server: Apache/2.4.29 (Ubuntu)
Strict-Transport-Security: max-age=63072000
Upgrade: h2
Connection: Upgrade
Last-Modified: Mon, 24 Feb 2020 05:04:05 GMT
ETag: "2073-59f4b4cf3173a"
Accept-Ranges: bytes
Content-Length: 8307
Vary: Accept-Encoding
Content-Type: text/html

That is odd. I remember SSLEngine being in the Virtual Host file, and after an update it was missing and I didn't even notice it. Have you seen that happen before? Anywho, thanks for the help!


Never seen that happen on its own...
It's not even Halloween!

Glad to see that all is well.
Cheers from Miami :beers:
