ERR_SSL_PROTOCOL_ERROR after updating certbot (nginx)

My domain is: lamamama.org

I ran this command: Others tried to open the webpage

It produced this output: "This site can't provide a secure connection ... sent an invalid response ... ERR_SSL_PROTOCOL_ERROR"

My web server is (include version): nginx/1.10.3 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 16.04.6 LTS

My hosting provider, if applicable, is: DigitalOcean

I can login to a root shell on my machine: yes

I'm using a control panel to manage my site: no

The version of my client is: certbot 1.12.0

I recently updated certbot from a very old version after receiving the ACMEv1 email. I can still access the webpage, but several others cannot and receive the error above.

give an error: SecureChannelFailure - The request was aborted: Could not create SSL/TLS secure channel.

Looking at the error log, I see: SSL: error:14094085:SSL

options-ssl-nginx.conf:

# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;

ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers off;

ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";

Hi @hadas

Please read the #comments part; there is your answer:

Error creating a TLS-Connection: TLSv1.2 and Cipher Suite ECDHE-RSA-AES128-GCM-SHA256 found. This tool uses TLSv1.2, but not that Cipher Suite. Add additional Cipher Suites.

Windows systems don't have that RSA GCM Cipher suite.

Add more Cipher suites.


Thanks, I was just getting there :slight_smile:

  1. Is there a list of acceptable Cipher suites?
  2. The options-ssl-nginx.conf header says that modifying the file manually will prevent automatic upgrades. How concerned should I be about this?

I've been googling around and can't figure out what value I should put in options-ssl-nginx.conf. I also didn't make any manual changes to this file, so I'm wondering why this isn't a more common problem.

Depends on your preference. Certbot uses one of the Mozilla SSL configurator settings (I think intermediate? Not sure...). If one of those recommended settings used by Certbot changes but you manually edited the configuration file, you won't get those updates. However, that's not the end of the world, of course; you can also manage it yourself by hand over time.

You must allow some RSA CBC suites. Windows has only RSA CBC.

Or switch to an EC certificate.

SSL Labs has a client check.

PS: Checked with my old IE11 + Windows 10: There is no connection possible.

PPS: Curious: Edge with Chromium shows the same error.

Oh, Chrome + Windows 10 has the same problem. Only Firefox is able to connect to your site.

So your Cipher suites are really a little bit too limited.


PPPS: Found your check: SSL Server Test: lamamama.org (Powered by Qualys SSL Labs)

That's curious. A lot of clients are able to connect to your site. Why am I unable? There are a lot of CBC suites. And why is there a

HTTP request to this server failed,

Ah - now it works with Chrome, Edge (Chromium) and the old IE11.


Okay, I think that I got it.

The nginx site config had two separate server blocks, with the first block redirecting from www.lamamama.org to lamamama.org. It appears that when I updated certbot from the very old version I used, it added include /etc/letsencrypt/options-ssl-nginx.conf; to the first server block and not the second. Instead it had include /etc/nginx/snippets/ssl-params.conf;

When I replaced that include with the Let's Encrypt include, things seem to be working well with the default cipher list.

Thanks @JuergenAuer and @Osiris!
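The root cause above is worth checking mechanically: two server blocks for the same site ended up with different ssl_ciphers because each pulled in a different include, so the TLS settings a client saw depended on which hostname it used. The following script is an added example (not from this thread, and not Certbot's or nginx's own code). It parses an nginx site config, follows include directives, and reports the effective ssl_protocols and ssl_ciphers per TLS-enabled server block, together with the file each cipher list came from. The site config and the two include files are constructed inline so it runs offline; the Certbot file content matches what is quoted earlier in the thread, while /etc/nginx/snippets/ssl-params.conf is a hypothetical older hardening snippet (its real contents are not shown in the thread). On a live host you would feed it the output of nginx -T and read the include files from disk.

```python
"""Audit the TLS settings each nginx server block actually ends up with.

Added example, not code from the original thread or from Certbot/nginx.
Constructed input mimics the situation in the thread: two ssl server blocks,
each including a different file, so they advertise different cipher lists.
"""
import re
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed include files. The Certbot file matches the thread; the
# snippets file is hypothetical (the thread does not show its contents).
INCLUDE_FILES: Dict[str, str] = {
    "/etc/letsencrypt/options-ssl-nginx.conf": """
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers off;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
""",
    "/etc/nginx/snippets/ssl-params.conf": """
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384";
""",
}

# Constructed site config in the shape the final post describes: the
# redirect block and the real site block include different files.
SITE_CONFIG = """
server {
    listen 443 ssl;
    server_name www.example.org;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    return 301 https://example.org$request_uri;
}
server {
    listen 443 ssl;
    server_name example.org;
    include /etc/nginx/snippets/ssl-params.conf;
    root /var/www/html;
}
server {
    listen 80;
    server_name example.org www.example.org;
    return 301 https://$host$request_uri;
}
"""

Directive = Tuple[str, List[str], Optional[list]]  # (name, args, children)
_STMT = re.compile(r"""((?:"[^"]*"|'[^']*'|[^;{}"'])+)([;{])""")


def parse_blocks(text: str) -> List[Directive]:
    """Minimal nginx config parser: directives end with ';', blocks use '{ }'."""
    text = re.sub(r"#[^\n]*", "", text)  # drop comments

    def parse(pos: int) -> Tuple[List[Directive], int]:
        items: List[Directive] = []
        while True:
            pos = re.compile(r"\s*").match(text, pos).end()
            if pos >= len(text):
                return items, pos
            if text[pos] == "}":
                return items, pos + 1
            m = _STMT.match(text, pos)
            if not m:
                raise ValueError(f"unparseable config near offset {pos}")
            words = m.group(1).split()
            name, args = words[0], [w.strip("\"'") for w in words[1:]]
            pos = m.end()
            if m.group(2) == "{":
                children, pos = parse(pos)
                items.append((name, args, children))
            else:
                items.append((name, args, None))

    return parse(0)[0]


def _directives(children: List[Directive], include_files: Dict[str, str],
                origin: str) -> Iterator[Tuple[str, List[str], str]]:
    """Yield (name, args, origin-file) in config order, flattening includes."""
    for name, args, _sub in children:
        if name == "include" and args[0] in include_files:
            yield from _directives(parse_blocks(include_files[args[0]]),
                                   include_files, args[0])
        else:
            yield name, args, origin  # unresolved includes are passed through


def audit(config_text: str, include_files: Dict[str, str]) -> List[dict]:
    """Effective TLS settings for every server block that terminates TLS."""
    report = []
    for name, _args, children in parse_blocks(config_text):
        if name != "server":
            continue
        entry = {"server_name": [], "ssl": False, "ssl_protocols": None,
                 "ssl_ciphers": None, "source": "nginx default",
                 "unresolved_includes": []}
        for dname, dargs, origin in _directives(children, include_files, "<site config>"):
            if (dname == "listen" and "ssl" in dargs) or (dname == "ssl" and dargs == ["on"]):
                entry["ssl"] = True
            elif dname == "server_name":
                entry["server_name"].extend(dargs)
            elif dname == "ssl_protocols":
                entry["ssl_protocols"] = dargs
            elif dname == "ssl_ciphers":
                entry["ssl_ciphers"] = dargs[0].split(":")
                entry["source"] = origin  # where this cipher list came from
            elif dname == "include":
                entry["unresolved_includes"].append(dargs[0])
        if entry["ssl"]:
            report.append(entry)
    return report


def cipher_sources(report: List[dict]) -> Dict[str, List[str]]:
    """Map each file that supplied ssl_ciphers to the server names using it.

    More than one key means different hostnames of the same site negotiate
    against different cipher lists, which is exactly the bug in the thread.
    """
    sources: Dict[str, List[str]] = {}
    for entry in report:
        sources.setdefault(entry["source"], []).extend(entry["server_name"])
    return sources


if __name__ == "__main__":
    for e in audit(SITE_CONFIG, INCLUDE_FILES):
        print(e["server_name"], e["ssl_protocols"], e["source"], len(e["ssl_ciphers"] or []))
    print("cipher lists by source:", cipher_sources(audit(SITE_CONFIG, INCLUDE_FILES)))
```

Run against the constructed config, cipher_sources reports two different source files, one per hostname; after the fix from the final post (pointing the second block at /etc/letsencrypt/options-ssl-nginx.conf) it reports one. The parser is deliberately small and handles only directives, braces and comments; it does not resolve wildcard includes or nginx variables, so treat an unresolved include in the report as something to inspect by hand.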
