ERR_SSL_PROTOCOL_ERROR after using certbot-auto

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
www.kellyscleanbees.com

I ran this command:

It produced this output:

My web server is (include version):

Apache2

The operating system my web server runs on is (include version):

Debian 8

My hosting provider, if applicable, is:

OVH VPS

I can login to a root shell on my machine (yes or no, or I don’t know):

Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

certbot 0.33.1


I currently have several sites on the same server using certbot and all work fine, but the domain www.kellyscleanbees.com just won't work with https.

The Apache VirtualHosts are as follows:

<VirtualHost *:80>
        ServerName kellyscleanbees.com
        ServerAlias www.kellyscleanbees.com
        DocumentRoot /var/www/www.kellyscleanbees.com/htdocs/
        SetEnv URL_BASE http://www.kellyscleanbees.com/
        SetEnv APP_BASE /var/www/www.kellyscleanbees.com/htdocs/

        <directory /var/www/www.kellyscleanbees.com/htdocs/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride all
                Order allow,deny
                allow from all
        </directory>
</VirtualHost>

<VirtualHost *:443>
        ServerName kellyscleanbees.com
        ServerAlias www.kellyscleanbees.com
        DocumentRoot /var/www/www.kellyscleanbees.com/htdocs/
        SetEnv APP_BASE /var/www/www.kellyscleanbees.com/htdocs/
        SetEnv URL_BASE http://www.kellyscleanbees.com/
        <directory /var/www/www.kellyscleanbees.com/htdocs/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride all
                Order allow,deny
                allow from all
        </directory>
        SSLCertificateFile /etc/letsencrypt/live/www.kellyscleanbees.com-0001/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/www.kellyscleanbees.com-0001/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

This actually mirrors another vhost for another domain which works fine.

Hi @cshaw

There is no publicly visible IP address defined ( https://check-your-website.server-daten.de/?q=kellycleanbees.com ):

Host                     T   IP-Address   is auth.   ∑ Queries   ∑ Timeout
kellycleanbees.com           Name Error   yes        1           0
www.kellycleanbees.com       Name Error   yes        1           0

Not ipv4, not ipv6.

And there is no certificate.

@JuergenAuer
Sorry it was a typo in the domain name, the domain is www.kellyscleanbees.com

There is a Grade Q - http over port 443.

What do these say:

apachectl configtest
apachectl fullstatus
apachectl -S

@JuergenAuer

root@vps425446:~# apachectl configtest
Syntax OK
root@vps425446:~# apachectl fullstatus
Apache Server Status for localhost (via 127.0.0.1)

Server Version: Apache/2.4.10 (Debian) OpenSSL/1.0.1t
Server MPM: prefork
Server Built: Feb 24 2017 18:40:28

-------------------------------------------------------------------------------

Current Time: Wednesday, 01-May-2019 09:53:42 UTC
Restart Time: Tuesday, 30-Apr-2019 15:57:09 UTC
Parent Server Config. Generation: 2
Parent Server MPM Generation: 1
Server uptime: 17 hours 56 minutes 33 seconds
Server load: 0.00 0.00 0.00
Total accesses: 4021 - Total Traffic: 6.7 MB
CPU Usage: u1.42 s.18 cu0 cs0 - .00248% CPU load
.0623 requests/sec - 109 B/second - 1758 B/request
1 requests currently being processed, 9 idle workers

___..___.._.._.W......_.........................................
................................................................
......................

Scoreboard Key:
"_" Waiting for Connection, "S" Starting up, "R" Reading Request,
"W" Sending Reply, "K" Keepalive (read), "D" DNS Lookup,
"C" Closing connection, "L" Logging, "G" Gracefully finishing,
"I" Idle cleanup of worker, "." Open slot with no current process

-------------------------------------------------------------------------------
SSL/TLS Session Cache Status:
cache type: SHMCB, shared memory: 512000 bytes, current entries: 0
subcaches: 32, indexes per subcache: 88
index usage: 0%, cache usage: 0%
total entries stored since starting: 0
total entries replaced since starting: 0
total entries expired since starting: 0
total (pre-expiry) entries scrolled out of the cache: 0
total retrieves since starting: 0 hit, 0 miss
total removes since starting: 0 hit, 0 miss
-------------------------------------------------------------------------------

Apache/2.4.10 (Debian) Server at localhost Port 80
root@vps425446:~# apachectl -S
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server vps425446.ovh.net (/etc/apache2/sites-enabled/dev.chris-shaw.com.conf:1)
         port 80 namevhost vps425446.ovh.net (/etc/apache2/sites-enabled/dev.chris-shaw.com.conf:1)
                 wild alias *.*.*.chris-shaw.com
         port 80 namevhost vps425446.ovh.net (/etc/apache2/sites-enabled/dev.chris-shaw.com.conf:11)
                 wild alias *.*.chris-shaw.com
         port 80 namevhost chris-shaw.com (/etc/apache2/sites-enabled/www.chris-shaw.com.conf:1)
         port 80 namevhost www.chris-shaw.com (/etc/apache2/sites-enabled/www.chris-shaw.com.conf:6)
         port 80 namevhost kellyscleanbees.com (/etc/apache2/sites-enabled/www.kellyscleanbees.com.conf:1)
                 alias www.kellyscleanbees.com
*:443                  is a NameVirtualHost
         default server chris-shaw.com (/etc/apache2/sites-enabled/www.chris-shaw.com-le-ssl.conf:2)
         port 443 namevhost chris-shaw.com (/etc/apache2/sites-enabled/www.chris-shaw.com-le-ssl.conf:2)
         port 443 namevhost www.chris-shaw.com (/etc/apache2/sites-enabled/www.chris-shaw.com-le-ssl.conf:8)
                 alias chris-shaw.com
         port 443 namevhost kellyscleanbees.com (/etc/apache2/sites-enabled/www.kellyscleanbees.com.conf:16)
                 alias www.kellyscleanbees.com
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/lock/apache2" mechanism=fcntl
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="deploy" id=1002
Group: name="deploy" id=1003
root@vps425446:~#

Isn't there a

SSLEngine on

directive required?

SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/www.kellyscleanbees.com-0001/fullchain.pem 
SSLCertificateKeyFile /etc/letsencrypt/live/www.kellyscleanbees.com-0001/privkey.pem

That directive is not in the other virtualhost files. I have just added it and restarted apache2, but I am still having the same issue.

One other idea.

Is this a home server?

Is there a wrong port forwarding?

So port 443 (external) is forwarded to port 80 (internal)?

It's on a Virtual Private Server in a data centre in, I believe, France or Germany, provided by the firm OVH.

My main website https://www.chris-shaw.com is hosted on the same VPS, using letsencrypt, and is working fine.

That domain has the same problem. And there is an indicator of what may be wrong.

Domainname Http-Status redirect Sec. G
http://chris-shaw.com/
151.80.234.19 301 http://www.chris-shaw.com/ 0.863 D
http://www.chris-shaw.com/
104.24.122.44 301 https://www.chris-shaw.com/ 0.016 A
http://www.chris-shaw.com/
104.24.123.44 301 https://www.chris-shaw.com/ 0.013 A
https://www.chris-shaw.com/
104.24.122.44 302 https://www.chris-shaw.com/blog 0.257 B
https://www.chris-shaw.com/
104.24.123.44 302 https://www.chris-shaw.com/blog 0.227 B
https://chris-shaw.com/
151.80.234.19 -4 0.096 W
SendFailure - The underlying connection was closed: An unexpected error occurred on a send. The handshake failed due to an unexpected packet format.
https://www.chris-shaw.com/blog 200 0.264 B
http://chris-shaw.com:443/
151.80.234.19 301 http://www.chris-shaw.com/ 0.053 Q
Visible Content: Moved Permanently The document has moved here . Apache/2.4.10 (Debian) Server at chris-shaw.com Port 80
http://chris-shaw.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
151.80.234.19 301 http://www.chris-shaw.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 0.053 D
Visible Content: Moved Permanently The document has moved here . Apache/2.4.10 (Debian) Server at chris-shaw.com Port 80
http://www.chris-shaw.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
104.24.122.44 301 https://www.chris-shaw.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 0.013 A
Visible Content:
http://www.chris-shaw.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
104.24.123.44 301 https://www.chris-shaw.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 0.017 A
Visible Content:
https://www.chris-shaw.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 200 0.220
Visible Content: ERROR 404

https + non-www has the typical error:

SendFailure - The underlying connection was closed: An unexpected error occurred on a send. The handshake failed due to an unexpected packet format.

"unexpected packet format" - the handshake expects some bytes, but a complete http answer is sent, so my tool checks whether http + port 443 works.

And there you see one error:

Visible Content: Moved Permanently The document has moved here . 
Apache/2.4.10 (Debian) Server at chris-shaw.com Port 80

The request goes to port 443 - but port 80 answers with a http status 301.

The server uses two different ip addresses:

Host                 T      IP-Address      is auth.   ∑ Queries   ∑ Timeout
chris-shaw.com       A      151.80.234.19   yes        1           0
                     AAAA                   yes
www.chris-shaw.com   A      104.24.122.44   yes        1           0
                     A      104.24.123.44   yes        1           0
                     AAAA                   yes

And 151.80.234.19 is the IP address with the wrong answer; kellyscleanbees.com has the same.

PS: Checking a non-existent file in /.well-known/acme-challenge should produce an http status 404 - not found. The last row sends http status 200 with a content

Visible Content: ERROR 404

and

Server: cloudflare

as one header. Looks like this is an incomplete Cloudflare setting.
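The check described in the post above (a complete HTTP answer arriving where TLS handshake bytes were expected) can be reproduced by sending a plain HTTP request to port 443 and looking at the first bytes of the reply. This is an added example, not part of the thread and not the code of the check-your-website tool; the function names, the sample replies and the match on the words "plain HTTP" in a 400 page are assumptions made for illustration.

```python
import socket

TLS_RECORD_TYPES = {0x15: "alert", 0x16: "handshake"}  # TLS record content types

def classify_reply(raw: bytes) -> str:
    """Classify the reply to a plain HTTP request that was sent to port 443."""
    if not raw:
        return "closed"  # peer closed the connection without answering
    if len(raw) >= 3 and raw[0] in TLS_RECORD_TYPES and raw[1] == 0x03:
        return "tls"  # TLS record header came back: the port speaks TLS
    if raw.startswith(b"HTTP/"):
        parts = raw.split(b"\r\n", 1)[0].split()
        status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
        # Assumption: a TLS-enabled web server rejects plain HTTP with a 400
        # page that mentions "plain HTTP" (Apache mod_ssl and nginx both do).
        if status == 400 and b"plain http" in raw.lower():
            return "tls-rejects-plain-http"
        return "plain-http"  # a normal HTTP answer: no TLS on this port
    return "unknown"

def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send a plain HTTP request to host:port and classify what comes back."""
    request = f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        try:
            return classify_reply(sock.recv(4096))
        except (socket.timeout, ConnectionResetError):
            return "closed"

# Constructed sample replies (not captured from the servers in the thread).
SAMPLE_REDIRECT = (b"HTTP/1.1 301 Moved Permanently\r\n"
                   b"Location: http://www.example.com/\r\n\r\n")
SAMPLE_MOD_SSL_400 = (b"HTTP/1.1 400 Bad Request\r\n\r\n"
                      b"Reason: You're speaking plain HTTP to an SSL-enabled server port.")
SAMPLE_TLS_ALERT = bytes([0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x0A])

if __name__ == "__main__":
    for name, raw in [("redirect", SAMPLE_REDIRECT),
                      ("mod_ssl 400", SAMPLE_MOD_SSL_400),
                      ("TLS alert", SAMPLE_TLS_ALERT)]:
        print(f"{name}: {classify_reply(raw)}")
```

A result of `plain-http` from `probe()` on port 443 corresponds to the "Grade Q - http over port 443" finding: the listener answers, but no virtual host on that address is terminating TLS.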

@JuergenAuer
I have set up a new domain, not touching Cloudflare at all, and I am having the same issue.

I have registered www.sha1.tk and pointed it to my VPS
Created a single-page site which serves fine over http
Used certbot-auto to get the certificate and allowed it to add the redirects to the virtualhost

Can you run your tool on this domain and see what the issue is, since Cloudflare is not involved on this domain?

The tool is online. Use it to check your domain if you want.

That's the reason I've created an online tool, not an offline tool (so I would be the only person who could use it).
