ERR_SSL_PROTOCOL_ERROR on EC2 Instance

Hi everybody,

I have used cert-bot to obtain my certificates, but I still get ERR_SSL_PROTOCOL_ERROR when trying to access my site via https.

I have an Amazon EC2 Instance running Ubuntu 14.04 with apache 2.4.7
I updated my security group to accept inbound traffic on port 443.

I used cert-bot as described here:

After running cert-bot I got:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/[MYSUBDOMAIN]/fullchain.pem. Your
cert will expire on 2017-05-28. To obtain a new or tweaked version
of this certificate in the future, simply run certbot-auto again.
To non-interactively renew all of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:

I have: cert.pem, chain.pem, fullchain.pem and privkey.pem

On my default-ssl.conf I have:
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/[MYSUBDOMAIN]/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/[MYSUBDOMAIN]/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/[MYSUBDOMAIN]/chain.pem

However I still get the ERR_SSL_PROTOCOL_ERROR

After restarting apache, I get no errors on apache /var/log/apache2/error.log

When checking in ssllabs.com I get:
Assessment failed: No secure protocols supported

In sslshopper.com:
No SSL certificates were found on [MYSUBDOMAIN]. Make sure that the name resolves to the correct server and that the SSL port (default is 443) is open on your server’s firewall.

Any ideas?

Is default-ssl.conf enabled? I’m not that familiar with Debian-based Apache configurations, but there are two directories in /etc/apache2/ AFAIK:

  • /sites-available/
  • /sites-enabled/

And with a2ensite you can enable the sites listed in /sites-available/ (it’ll make symbolic links to the /sites-enabled/ directory).

So: is default-ssl.conf listed in /etc/apache2/sites-enabled/?

Hi Osiris, thanks for helping. And yes, it is enabled

I executed:
sudo a2enmod ssl
sudo a2ensite default-ssl.conf
sudo service apache2 restart

Can you provide your domain name? That way we can run some easy checks on it and get you the answer quickly.

Sure, it is: consultores.darwined.cl

Here is more info about certificates I’m using:
https://crt.sh/?id=97438398

You seem to be running an SSH server on port 443. Perhaps you accidentally mapped 443 to 22 in your security group configuration?

3 Likes

This was the problem. My ssh server was listening on port 443 (for some unknown reason). Changed my sshd_config, restarted the service and it worked. Thank you so much for your help!
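The check that settled this thread, written out as an added example (not code from any of the posters): read whatever the listener on port 443 sends unprompted, since an SSH server announces itself first while a TLS server waits for the client, and only then attempt a TLS handshake. The names `classify_banner`, `probe` and `serve_banner` and the sample banner are assumptions made for this illustration.

```python
import socket
import ssl
import threading

def classify_banner(data: bytes) -> str:
    """Name what a server's unprompted first bytes suggest."""
    if data.startswith(b"SSH-"):
        return "ssh"      # SSH identification string (RFC 4253), sent first
    return "other" if data else "silent"

def probe(host: str, port: int = 443, timeout: float = 2.0) -> str:
    """Return 'ssh', 'tls', 'other' or 'not-tls' for the listener on host:port."""
    # Step 1: an SSH server talks first; a TLS server waits for the ClientHello.
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            kind = classify_banner(sock.recv(64))
        except OSError:   # read timeout or reset: nothing was volunteered
            kind = "silent"
    if kind != "silent":
        return kind
    # Step 2: offer a TLS handshake. Verification is off because the question
    # is only whether the port speaks TLS, not whether its certificate is valid.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "tls"
    except OSError:       # ssl.SSLError is a subclass of OSError
        return "not-tls"

def serve_banner(banner: bytes) -> int:
    """Constructed stand-in: local listener that greets one client, then closes."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def greet():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()
    threading.Thread(target=greet, daemon=True).start()
    return port

if __name__ == "__main__":
    # Constructed banner, not captured from the poster's server.
    print(probe("127.0.0.1", serve_banner(b"SSH-2.0-OpenSSH_6.6.1p1\r\n")))
```

A result of `ssh` on port 443 points at the listener itself (here, sshd bound to 443) rather than at the certificate files or the Apache virtual host.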
