ERR_SSL_PROTOCOL_ERROR only in Chrome and mobile browser


#1

Hi everyone!

My domain is:
embracetherain.at / www.embracetherain.at

I got the Let’s Encrypt certificates with certbot for both domains.

The www domain redirects via a DNS CNAME to the non-www domain;
there is also a 301 redirect in nginx/conf.d/.

In Safari and Firefox (on Mac) everything works great. Chrome, when going to the non-www domain, shows the ERR_SSL_PROTOCOL_ERROR. But if I go first to the www domain, then it redirects correctly to the non-www domain and everything works great.
In Firefox on mobile (Android), the same behavior.
In Chrome on mobile, both the www and the non-www domain show the ERR_SSL_PROTOCOL_ERROR.

My web server is (include version):
Ghost 2.1 on Ubuntu 16.04 with nginx

My hosting provider, if applicable, is:
DigitalOcean

I can login to a root shell on my machine (yes or no, or I don’t know):
yes


#2

I have solved it.

It was the redirect.conf file that caused this misbehaviour. After I deleted it everything worked fine.


#3

Hi @rauschilein

I saw the error, but had no idea. Can you share your wrong redirect.conf?


#4

Well. It was not the complete solution. I had to add some lines to the nginx config because there were some problems when accessing the www-domain via http.

The old (and now deleted) redirect.conf:

server {
    if ($host = www.embracetherain.at) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name www.embracetherain.at;
    listen 80;
    return 404; # managed by Certbot
}

The updated embracetherain.at.conf:

server {
    server_name www.embracetherain.at;
    return 301 $scheme://embracetherain.at$request_uri;
} # this block was added

server {
    if ($host = embracetherain.at) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;

    server_name embracetherain.at;
    root /var/www/ghost/system/nginx-root;

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:2369;
    }

    location ~ /.well-known {
        allow all;
    }

    client_max_body_size 50m;
}
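As an added example (my own code, not the poster's and not part of nginx), the port-80 `server` blocks above reduced to a small model that expands `$scheme`, `$host` and `$request_uri` the way nginx does, to make the resulting redirect chain visible: a visitor typing http://www.embracetherain.at/ is first sent to http://embracetherain.at/ by the `$scheme://` rule and only then to https. The `DIRECT_CONF` variant is an assumption, not from the thread, showing the single-hop alternative.

```python
from urllib.parse import urlsplit

# Constructed model of the port-80 `server` blocks in the updated config above:
# server_name -> `return 301` target template. The nginx variables $scheme,
# $host and $request_uri are expanded from the incoming request.
UPDATED_CONF = {
    "www.embracetherain.at": "$scheme://embracetherain.at$request_uri",
    "embracetherain.at": "https://$host$request_uri",
}
# Assumed variant (not from the thread): the www block sends visitors straight
# to https, so the apex's http->https hop is never needed for www visitors.
DIRECT_CONF = {
    "www.embracetherain.at": "https://embracetherain.at$request_uri",
    "embracetherain.at": "https://$host$request_uri",
}

def expand(template, url):
    """Expand the nginx variables used in the posted configs for one request."""
    parts = urlsplit(url)
    request_uri = parts.path or "/"
    if parts.query:
        request_uri += "?" + parts.query
    return (template.replace("$scheme", parts.scheme)
                    .replace("$host", parts.hostname)
                    .replace("$request_uri", request_uri))

def follow(url, conf, max_hops=5):
    """Return the URLs visited from `url` until the client leaves port 80.
    Only http:// requests reach the modelled blocks; https:// is treated as
    final because the TLS blocks are not in the thread. Loops raise."""
    chain = [url]
    while urlsplit(chain[-1]).scheme == "http":
        if len(chain) > max_hops:
            raise RuntimeError("redirect loop: " + " -> ".join(chain))
        host = urlsplit(chain[-1]).hostname
        if host not in conf:
            raise RuntimeError("no server block for " + host)
        chain.append(expand(conf[host], chain[-1]))
    return chain

def plaintext_requests(chain):
    """Requests made over plain HTTP before TLS is reached; each one is
    unauthenticated, so each is a point where the redirect could be altered."""
    return sum(1 for u in chain if urlsplit(u).scheme == "http")

if __name__ == "__main__":
    for conf in (UPDATED_CONF, DIRECT_CONF):
        chain = follow("http://www.embracetherain.at/about?x=1", conf)
        print(" -> ".join(chain), "| plaintext requests:", plaintext_requests(chain))
```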

#5

I don’t see why that produces an error. I saw an “ERR_SSL_PROTOCOL_ERROR”, so your server sends data Chrome doesn’t understand.

Is it possible that one of your headers

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;

is not set? My Chrome said:

at

The connection-part

Connection - secure (strong TLS 1.2) The connection to this site is encrypted and authenticated using TLS 1.2 (a strong protocol), ECDHE_RSA with P-384 (a strong key exchange), and AES_128_GCM (a strong cipher).

is missing. So Chrome loads the certificate, but isn’t able to create a TLS 1.2 connection.

SSLLabs

https://www.ssllabs.com/ssltest/analyze.html?d=embracetherain.at&hideResults=on

had (this morning) a curious error:

So it looks like your http connection is broken; Chrome needs that to establish an https connection.

PS: “below” there is nothing. Only

https://embracetherain.at/ (Request failed)

A Windows tool couldn’t open an https connection.


#6

Yeah, I don’t really understand the code. I am just tinkering around with some basic knowledge.

Now everything works fine

Maybe because this broken http-connection is now correctly redirected? I have no idea.


#7

Yes, now it works fine. In the morning:

download https://embracetherain.at/ -h
Error (1): Die Anfrage wurde abgebrochen: Es konnte kein geschützter SSL/TLS-Kanal erstellt werden…
SecureChannelFailure
3

Now:

download https://embracetherain.at/ -h
SSL-Zertifikat is valide
Connection: keep-alive
Vary: Accept-Encoding
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Length: 26106
Cache-Control: public, max-age=0
Content-Type: text/html; charset=utf-8
Date: Wed, 12 Sep 2018 14:56:17 GMT
ETag: W/“65fa-x79dagbXzvo8uZZR5fiVPucpiq8”
Server: nginx/1.10.3 (Ubuntu)
X-Powered-By: Express

Status: 200 OK

I didn’t see such an error before. First call: error; www + redirect: no error.

