ERR_SSL_PROTOCOL_ERROR chrome only

Sometime today several domains that I host on an old server all started having the same issue on Chrome only. I have tried all of the online instructions for purging SSL from internet options, checking firewall, etc. I am a graphic artist and not a server guru, so bear with me on any help or instructions as they might not make sense to me at first. I very much need to move everything off of this old server. Just hoping to figure this out for now. I found some of the answers to the below questions in my Plesk panel.

My domain is: I have several domains that are having this issue but for the sake of posting one of them https://www.thedesignersjourney.com/

My web server is (include version):
Not sure

The operating system my web server runs on is (include version):
Centos 6.30

My hosting provider, if applicable, is:
GoDaddy now but formerly MediaTemple.

I can login to a root shell : Yes

I'm using a control panel to manage my site:
Plesk Onyx - Version 17.8.11 Update #94, last updated on July 13, 2023 11:18 PM

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
Not using Certbot

Chrome version:
Version 117.0.5938.150 (Official Build) (64-bit)

Operating System: Windows 10

This is NOT currently happening for one of my sites on the same server:
shanemielke dotcom

Welcome to the Community:
Server is nginx

What ACME client are you using...
shanemielke.com has a valid certificate.

2 Likes

This is because Chrome has recently disabled the obsolete SHA-1 algorithm. You can fix this by upgrading OpenSSL. It isn’t a problem with the certificate so there’s nothing Let’s Encrypt can do to help here.

5 Likes

There is no such version of CentOS, but the 6.x series has been EOL for over five years. You really shouldn't be exposing something that's been unsupported for that long to the public Internet.

3 Likes

I have just been using the Let's Encrypt plugins in Plesk every 90 days.

Thank you. I will look into how hard this is. Preliminary search says it might be more than I'm capable of or possibly because of the OS that I'm on and breaking things.

Curious that one cert is working but the rest are not on the same server. Would it have to do with the date that I last renewed things through the Let's Encrypt plugins in Plesk?

1 Like

It has nothing to do with the certificate at all, but rather the version of OpenSSL software that is installed on the server.

2 Likes

@mcpherrinm Can you perhaps share some info about that? The only thing I could find was old and about certificates: A further update on SHA-1 certificates in Chrome

1 Like

Understood from your comments. I just found it weird that one of my sites on the same server still views correctly but several others do not. Which is why I was asking if time of certificate creation had anything to do with it.

https://chromestatus.com/feature/4832850040324096

1 Like

Thanks!

So that would mean the ciphers are affected, right?

But the server does have two good and a few other weak non-SHA-1 ciphers configured :thinking:

Oh, and vulnerable to OpenSSL Padding Oracle vulnerability (CVE-2016-2107)..

See SSL Server Test: www.thedesignersjourney.com (Powered by Qualys SSL Labs)

1 Like

It’s not the ciphers either; it’s in the actual signature from the server's cert in the handshake. I don’t think that’s configurable or visible anywhere, so the only option is upgrading the software. Only very old OpenSSL is likely to run into this afaik, but without good tools I don’t have any measurements independent of what Chrome said.

This whole situation is terribly underdocumented so I’ll have a blog post up soon to help with this.

6 Likes
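
The distinction made in the post above, that the rejected hash is in the server's handshake signature rather than in the cipher suite, is visible in the TLS 1.2 ServerKeyExchange message. The following is an added example, not code from anyone in this thread: it parses the ECDHE form of that message (layout per RFC 5246 and RFC 8422) and reports the hash the server actually signed with. The sample messages are constructed with dummy key and signature bytes, and the helper names are hypothetical.

```python
import struct

# TLS 1.2 SignatureAndHashAlgorithm values (RFC 5246, section 7.4.1.4.1).
# Pairs outside these tables (e.g. RSA-PSS code points) show as "unknown".
HASHES = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIGS = {1: "rsa", 2: "dsa", 3: "ecdsa"}

def parse_ecdhe_ske(body: bytes) -> dict:
    """Parse the body of a TLS 1.2 ECDHE ServerKeyExchange handshake message."""
    if len(body) < 4 or body[0] != 3:  # curve_type 3 = named_curve
        raise ValueError("not a named_curve ECDHE ServerKeyExchange")
    (curve_id,) = struct.unpack_from("!H", body, 1)
    off = 4 + body[3]  # skip the server's ephemeral public point
    if len(body) < off + 4:
        raise ValueError("truncated before SignatureAndHashAlgorithm")
    # The two bytes before the signature name the hash and key type the
    # server used to sign its key-exchange parameters.
    hash_id, sig_id, sig_len = struct.unpack_from("!BBH", body, off)
    if len(body) != off + 4 + sig_len:
        raise ValueError("signature length does not match message length")
    return {
        "curve_id": curve_id,
        "hash": HASHES.get(hash_id, f"unknown({hash_id})"),
        "signature": SIGS.get(sig_id, f"unknown({sig_id})"),
        "sig_len": sig_len,
    }

def uses_sha1_signature(body: bytes) -> bool:
    """True when the handshake signature is the kind Chrome now rejects."""
    return parse_ecdhe_ske(body)["hash"] == "sha1"

def build_sample(hash_id: int, sig_id: int) -> bytes:
    """Constructed message: secp256r1 (23), dummy 65-byte point, dummy 2048-bit signature."""
    point = b"\x04" + bytes(64)
    sig = bytes(256)
    return (b"\x03" + struct.pack("!HB", 23, len(point)) + point
            + struct.pack("!BBH", hash_id, sig_id, len(sig)) + sig)

# Constructed samples: same RSA key type, different handshake hash.
OLD_SERVER = build_sample(2, 1)  # rsa + sha1
NEW_SERVER = build_sample(4, 1)  # rsa + sha256

if __name__ == "__main__":
    for name, msg in (("old", OLD_SERVER), ("new", NEW_SERVER)):
        print(name, parse_ecdhe_ske(msg), "sha1:", uses_sha1_signature(msg))
```

The certificate and the negotiated cipher suite can be identical in both samples; only the two algorithm bytes in front of the signature differ.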

Hm, I always thought that was what the SHA meant in a cipher suite. :thinking:

1 Like

@Osiris I think it's a similar problem to Chrome not accepting new cert - #32 by webprofusion whereby old versions of OpenSSL might say one thing, and do another, regarding handshakes.

1 Like

Right now I'm in the same boat.
Very similar situation as yours @shanemielke. Were you able to solve this issue? If yes, how?

I have some sites (plain HTML, WordPress, Joomla) that are not loading correctly in Chrome. Other browsers are good. But one site (with WordPress), on the same server, is loading fine on all browsers.

Chrome says:

This site can’t provide a secure connection
mywebsite.net sent an invalid response.
ERR_SSL_PROTOCOL_ERROR

Same hosting provider as yours...

Server specs:

  • CentOS 6.4 (Final)
  • Plesk Onyx Version 17.8.11 Update #94, last updated on July 11, 2023

What version of OpenSSL is installed?

Can you provide an example of a working site and a non-working site on the same server so I can look at the problem and see what is different?

4 Likes

Hi @mcpherrinm
Is there a way to privately message you the domain addresses?

Edit: I realize I'm hijacking @shanemielke's thread, and I will post a new separate thread.

2 Likes

You are fine. I've moved on by moving almost all of my sites to a new server. But it sounds like your situation is exactly like mine and almost the exact same configurations. I had a site that had no problems and several sites that had the issue. The only difference was when the cert was issued (maybe)

1 Like

Hi @shanemielke

Did you even try to update the OpenSSL software? This article explains how: How to Install and Update OpenSSL on CentOS | Linux Tutorials for Beginners

I haven't tried it yet.

From what I've read on Chromium bugs forum, old versions of OpenSSL have bugs. And this is where the problem might be.

Btw, which hosting service are you using now? I'm curious. (PM if you prefer).

Edit: added link to article

1 Like

We've found another potential workaround:

This only seems to affect RSA certificates, so switching to ECDSA will help because it was never used in conjunction with SHA-1. That's why only some of @IAR's sites are broken.

I don't know about other systems like Plesk, as I don't use them.

(Editing in case you are reading this later; ignore the ECDSA stuff in this thread; I was wrong)

4 Likes