Err_ssl_protocol_error

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: orcacomputers.com

I ran this command: sudo certbot, then selected 25: orcacomputers.com and 26: www.orcacomputers.com to reinstall SSL

It produced this output:

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/orcacomputers.com.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate
Deploying Certificate to VirtualHost /etc/httpd/conf.d/orcacomputers.com-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf.d/orcacomputers.com-le-ssl.conf
Enhancement redirect was already set.
Enhancement redirect was already set.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://orcacomputers.com and
https://www.orcacomputers.com

Looks good, but when I load orcacomputers.com in an incognito tab I am getting ERR_SSL_PROTOCOL_ERROR.
My web server is (include version):

The operating system my web server runs on is (include version): rhel

My hosting provider, if applicable, is: godaddy

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.11.0

Let's have a look at the Apache configuration:
Starting with:
apachectl -t -D DUMP_VHOSTS


[Neptune@0rcan0mic conf.d]$ httpd -t -D DUMP_VHOSTS
AH00526: Syntax error on line 18 of /etc/httpd/conf.d/oceanahomes.org-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/www.oceanahomes.org/cert.pem' does not exist or is empty
[Neptune@0rcan0mic conf.d]$ cat oceanahomes.org-le-ssl.conf

<VirtualHost *:443>

    ServerName oceanahomes.org
    ServerAlias www.oceanahomes.org
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/oceanahomes.org/public_html
    ErrorLog /var/log/httpd/oceanahomes.org-error.log
    CustomLog /var/log/httpd/oceanahomes.org-access.log combined


    <Directory "/var/www/oceanahomes.org/public_html">
      AllowOverride All
	</Directory>

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/www.oceanahomes.org/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.oceanahomes.org/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/www.oceanahomes.org/chain.pem

Try with sudo


Hmm. It is unusual to have the www subdomain point to a different IP than its apex. Can you explain why you do that?

dig +noall +answer www.orcacomputers.com
www.orcacomputers.com.  104     IN      A       24.109.185.150

dig +noall +answer orcacomputers.com
orcacomputers.com.      300     IN      A       34.102.136.180

[Neptune@0rcan0mic conf.d]$ sudo httpd -t -D DUMP_VHOSTS
[sudo] password for Neptune:
VirtualHost configuration:
*:443 is a NameVirtualHost
default server jesusjesse.org (/etc/httpd/conf.d/jesusjesse.org-le-ssl.conf:2)
port 443 namevhost jesusjesse.org (/etc/httpd/conf.d/jesusjesse.org-le-ssl.conf:2)
alias www.jesusjesse.org
port 443 namevhost oceanahomes.org (/etc/httpd/conf.d/oceanahomes.org-le-ssl.conf:2)
alias www.oceanahomes.org
port 443 namevhost orcacomputers.com (/etc/httpd/conf.d/orcacomputers.com-le-ssl.conf:2)
alias www.orcacomputers.com
port 443 namevhost a4ec4c6ea1c92e2e6.awsglobalaccelerator.com (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost thepowerhousemethod.org (/etc/httpd/conf.d/thepowerhousemethod.org-le-ssl.conf:2)
alias www.thepowerhousemethod.org
*:80 is a NameVirtualHost
default server a4ec4c6ea1c92e2e6.awsglobalaccelerator.com (/etc/httpd/conf.d/00-default.conf:1)
port 80 namevhost a4ec4c6ea1c92e2e6.awsglobalaccelerator.com (/etc/httpd/conf.d/00-default.conf:1)
port 80 namevhost 0rcan0mic.com (/etc/httpd/conf.d/0rcan0mic.com.conf:1)
alias www.0rcan0mic.com
port 80 namevhost constantcounselling.com (/etc/httpd/conf.d/constantcounselling.com.conf:1)
alias www.constantcounselling.com
port 80 namevhost couponfreegiveaway.com (/etc/httpd/conf.d/couponfreegiveaway.com.conf:1)
alias www.couponfreegiveaway.com
port 80 namevhost greatresultsbusinesscoaching.com (/etc/httpd/conf.d/greatresultsbusinesscoaching.com.conf:1)
alias www.greatresultsbusinesscoaching.com
port 80 namevhost hopetonmedia.com (/etc/httpd/conf.d/hopetonmedia.com.conf:1)
alias www.hopetonmedia.com
port 80 namevhost internetpowerhouse.org (/etc/httpd/conf.d/internetpowerhouse.org.conf:1)
alias www.internetpowerhouse.org
port 80 namevhost jessemacdougall.com (/etc/httpd/conf.d/jessemacdougall.com.conf:1)
alias www.jessemacdougall.com
port 80 namevhost jesusjesse.org (/etc/httpd/conf.d/jesusjesse.org.conf:1)
alias www.jesusjesse.org
port 80 namevhost macdougall.ninja (/etc/httpd/conf.d/macdougall.ninja.conf:1)
alias www.macdougall.ninja
port 80 namevhost martial-arts-of-health.com (/etc/httpd/conf.d/martial-arts-of-health.com.conf:1)
alias www.martial-arts-of-health.com
port 80 namevhost mybestfriendsarecats.com (/etc/httpd/conf.d/mybestfriendsarecats.com.conf:1)
alias www.mybestfriendsarecats.com
port 80 namevhost oceanahomes.org (/etc/httpd/conf.d/oceanahomes.org.conf:1)
alias www.oceanahomes.org
port 80 namevhost orcacomputers.com (/etc/httpd/conf.d/orcacomputers.com.conf:1)
alias www.orcacomputers.com
port 80 namevhost orcahelpdesk.com (/etc/httpd/conf.d/orcahelpdesk.com.conf:1)
alias www.orcahelpdesk.com
port 80 namevhost themartialartsofmoney.com (/etc/httpd/conf.d/themartialartsofmoney.com.conf:1)
alias www.themartialartsofmoney.com
port 80 namevhost thepowerhousemethod.org (/etc/httpd/conf.d/thepowerhousemethod.org.conf:1)
alias www.thepowerhousemethod.org
port 80 namevhost thesuperioreatingsystem.com (/etc/httpd/conf.d/thesuperioreatingsystem.com.conf:1)
alias www.thesuperioreatingsystem.com
port 80 namevhost troymacnaughton.com (/etc/httpd/conf.d/troymacnaughton.com.conf:1)
alias www.troymacnaughton.com
port 80 namevhost womenwhohelpmen.org (/etc/httpd/conf.d/womenwhohelpmen.org.conf:1)
alias www.womenwhohelpmen.org

Good question. On GoDaddy I am setting up subdomains using their control panel to make URLs like unifytheminds.thepowerhousemethod.org, so GoDaddy places the 34.102.136.180

There are a couple of problems. The first is that you need to fix the DNS for orcacomputers.com and maybe its www. Those IP addresses should point to your server. The IP for www seems correct, as an Apache server responds to that domain name. The .180 IP points to some landing page served by openresty.

I'll note the Apache that responds to the www domain is very old. It is version 2.4.6 with PHP version 5. Is this your Apache system?

Let's also look at your Apache config for orca. Please show the contents of these two files. Put 3 backticks before and after the content so we don't lose key info.

/etc/httpd/conf.d/orcacomputers.com.conf
/etc/httpd/conf.d/orcacomputers.com-le-ssl.conf

I updated the A record for @ to 24.109.185.150.
The A record for www has 24.109.185.150.

> /etc/httpd/conf.d/orcacomputers.com.conf

> [Neptune@0rcan0mic conf.d]$ cat orcacomputers.com.conf
> <VirtualHost *:80>
>         ServerName orcacomputers.com
>         ServerAlias www.orcacomputers.com
>         ServerAdmin webmaster@localhost
>         DocumentRoot /var/www/orcacomputers.com/public_html
>         ErrorLog /var/log/httpd/orcacomputers.com-error.log
>         CustomLog /var/log/httpd/orcacomputers.com-access.log combined
> 	DirectoryIndex index.html index.php
> 	<Directory "/var/www/orcacomputers.com/public_html">
> 	LimitRequestBody 102400
> 
>     	</Directory>
> 
> RewriteEngine on
> RewriteCond %{SERVER_NAME} =www.orcacomputers.com [OR]
> RewriteCond %{SERVER_NAME} =orcacomputers.com
> RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
> </VirtualHost>
> /etc/httpd/conf.d/orcacomputers.com-le-ssl.conf
> 
> [Neptune@0rcan0mic conf.d]$ cat orcacomputers.com-le-ssl.conf
> <IfModule mod_ssl.c>
> <VirtualHost *:443>
>         ServerName orcacomputers.com
>         ServerAlias www.orcacomputers.com
>         ServerAdmin webmaster@localhost
>         DocumentRoot /var/www/orcacomputers.com/public_html
>         ErrorLog /var/log/httpd/orcacomputers.com-error.log
>         CustomLog /var/log/httpd/orcacomputers.com-access.log combined
> 	DirectoryIndex index.html index.php
> 	<Directory "/var/www/orcacomputers.com/public_html">
> 	LimitRequestBody 102400
> 
>     	</Directory>
> 
> Include /etc/letsencrypt/options-ssl-apache.conf
> SSLCertificateFile /etc/letsencrypt/live/orcacomputers.com/cert.pem
> SSLCertificateKeyFile /etc/letsencrypt/live/orcacomputers.com/privkey.pem
> SSLCertificateChainFile /etc/letsencrypt/live/orcacomputers.com/chain.pem
> </VirtualHost>
> </IfModule>
> [Neptune@0rcan0mic conf.d]$ httpd -v
> Server version: Apache/2.4.6 (CentOS)
> Server built:   Mar 24 2022 14:57:57
> [Neptune@0rcan0mic conf.d]$ php -v
> PHP 5.4.16 (cli) (built: Apr  1 2020 04:07:17) 
> Copyright (c) 1997-2013 The PHP Group
> Zend Engine v2.4.0, Copyright (c) 1998-2013 Zend Technologies

The DNS looks good so now need to sort out why the SSL (TLS) config fails.

Can you show contents of these two files

/etc/letsencrypt/options-ssl-apache.conf
/etc/httpd/conf.d/ssl.conf

/etc/letsencrypt/options-ssl-apache.conf
https://termbin.com/p1tvd

/etc/httpd/conf.d/ssl.conf

https://termbin.com/kjon

Here is the output of the two commands.

I don't see anything wrong with those 2 configs. But all your domains fail an HTTPS connection for the same reason.

What does this command show? And please just copy/paste the results; it is much harder to work with images on a 3rd-party site.

sudo httpd -t -D DUMP_MODULES | grep -Ei 'ssl|core'

The output below shows two things. One, that plain HTTP works to port 443. Also, HTTP to port 80 responds with a redirect, but to port 443 it shows success. That means the requests are reaching different VirtualHosts in Apache. This may not mean anything to you, but it will to other volunteers here.

(this should not work but does)
curl -I http://orcacomputers.com:443
HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16

(this should work but does not)
curl -I https://orcacomputers.com
curl: (35) error:0A00010B:SSL routines::wrong version number

(this works fine)
curl -I http://orcacomputers.com
HTTP/1.1 301 Moved Permanently
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
Location: https://orcacomputers.com/

[Neptune@0rcan0mic conf.d]$ sudo httpd -t -D DUMP_MODULES | grep -Ei 'ssl|core'
[sudo] password for Neptune:
core_module (static)
authn_core_module (shared)
authz_core_module (shared)
ssl_module (shared)

Can you show result of this (from other thread):

curl -I --resolve orcacomputers.com:443:127.0.0.1 https://orcacomputers.com

[Neptune@0rcan0mic conf.d]$ curl -I --resolve orcacomputers.com:443:127.0.0.1 https://orcacomputers.com
curl: (35) SSL received a record that exceeded the maximum permissible length.
[Neptune@0rcan0mic conf.d]$ curl -I --resolve thepowerhousemethod.org:443:127.0.0.1 https://thepowerhousemethod.org
curl: (35) SSL received a record that exceeded the maximum permissible length.

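The two curl errors in the posts above, OpenSSL's "wrong version number" and NSS's "SSL received a record that exceeded the maximum permissible length", are one symptom seen through two TLS libraries: the server answered the ClientHello with plaintext "HTTP/1.1 ..." and each library rejected those ASCII bytes at the first record-header check it happens to run. The following is an added example for this thread, not code from the original posts, curl, OpenSSL or NSS. The byte strings in it are constructed (the HTTP reply is modelled on the curl output posted above); the `probe()` helper needs network access and is not part of the offline demonstration.

```python
"""
Why one broken port-443 vhost produces two different curl errors.

Added example for this thread; not code from the original posts, curl,
OpenSSL or NSS.  A TLS client reads the first five bytes a server sends as a
record header (type, version_major, version_minor, length_hi, length_lo).
When those bytes are the ASCII "HTTP/" of a plaintext reply:
  * OpenSSL-based curl validates the version bytes first -> "wrong version number"
  * NSS-based curl (RHEL/CentOS 7) validates the length first -> "record that
    exceeded the maximum permissible length"
All byte strings below are constructed samples.
"""
import socket
import ssl

# Largest TLS 1.2 ciphertext record a client accepts: 2^14 + 2048 (RFC 5246, 6.2.3)
TLS_MAX_RECORD = 2 ** 14 + 2048
TLS_CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                     0x16: "handshake", 0x17: "application_data"}

# Constructed from the curl output in the thread: what Apache answered on port 443.
HTTP_REPLY = (b"HTTP/1.1 200 OK\r\n"
              b"Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16\r\n\r\n")
# Constructed: a fatal handshake_failure alert, and the start of a TLS 1.2 ServerHello.
TLS_ALERT = bytes([0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x28])
TLS_SERVER_HELLO = bytes([0x16, 0x03, 0x03, 0x00, 0x31, 0x02])


def parse_record_header(data: bytes) -> dict:
    """Read the first five bytes as a TLS record header, whatever they really are."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes for a TLS record header")
    return {"content_type": data[0],
            "version": (data[1], data[2]),
            "length": (data[3] << 8) | data[4]}


def failing_checks(data: bytes) -> list:
    """Which record-header sanity checks a TLS client trips on for these bytes.
    For ASCII 'HTTP/' every check fails; which one gets reported depends on the library."""
    hdr = parse_record_header(data)
    failures = []
    if hdr["content_type"] not in TLS_CONTENT_TYPES:
        failures.append("content_type")   # 'H' = 0x48 is not a TLS content type
    if hdr["version"][0] != 0x03:
        failures.append("version")        # 'TT' = 0x5454; OpenSSL: wrong version number
    if hdr["length"] > TLS_MAX_RECORD:
        failures.append("length")         # 'P/' = 0x502f = 20527 > 18432; NSS: record too long
    return failures


def classify_first_bytes(data: bytes) -> str:
    """Label what a server on :443 is speaking from the first bytes it returned."""
    if data.startswith(b"HTTP/"):
        return "plaintext-http"
    if len(data) < 5:
        return "unknown"
    return "tls" if not failing_checks(data) else "unknown"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Live version of the curl tests: attempt a TLS handshake and, if it fails, send a
    plaintext HEAD to the same port to see whether the server answers HTTP there (needs network)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "tls %s" % tls.version()
    except ssl.SSLError as exc:
        tls_error = getattr(exc, "reason", None) or str(exc)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        first = raw.recv(64)
    return "%s (TLS handshake failed: %s)" % (classify_first_bytes(first), tls_error)


if __name__ == "__main__":
    for name, sample in (("HTTP reply", HTTP_REPLY), ("TLS alert", TLS_ALERT),
                         ("TLS ServerHello", TLS_SERVER_HELLO)):
        print(name, "->", classify_first_bytes(sample),
              parse_record_header(sample), failing_checks(sample))
```

Run it as a script to see the three samples decoded, or call `probe("orcacomputers.com")` from a host with network access to reproduce the curl sequence from the thread in one step.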

That confirms what we see from my curl tests a couple of posts back. Basically, your Apache config is not supporting HTTPS.

You have been getting certs for a long time and I assume this was working at one time.

What did you change before it went wrong?

One idea from Google was to rename your ssl.conf to something like 0-default-ssl.conf. This file has many SSL options in it and possibly needs to be seen by Apache before any other port 443 VirtualHosts. A leading 0 in the name will do that. This seems unlikely, but I don't have any other ideas. Your mod_ssl being enabled was my best guess.

/etc/httpd/conf.d/ssl.conf

You might need to start asking about this on an Apache forum.

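The rename idea above turns on a real Apache rule: mod_ssl decides per listening address whether the socket speaks TLS at all, and it takes that decision from the first <VirtualHost> defined for that address:port, while RHEL's httpd.conf reads conf.d/*.conf in file-name order. A :443 vhost that ends up first without "SSLEngine on" in scope makes Apache answer plaintext HTTP on 443 for every name on that address. The following audit is an added example for this thread, not code from the original posts, Apache or certbot. Its SAMPLE_FILES dictionary stands in for the filesystem and is constructed: the certbot options file is modelled on the one certbot ships (which carries the SSLEngine on directive), the orcacomputers vhost on the one posted above, and 00-plain443.conf is a hypothetical offender added to show the failure.

```python
"""
Static check for the port-443 layout that makes Apache answer plaintext on :443.

Added example for this thread; not code from the original posts, Apache or certbot.
mod_ssl enables TLS per listening address based on the *first* <VirtualHost> for that
address:port, and RHEL's httpd.conf pulls in conf.d/*.conf in name order.  The audit
below (a) replays that order, (b) inlines Include directives the way the certbot
vhosts rely on, and (c) reports the default :443 vhost and every :443 vhost with no
"SSLEngine on" in scope.  SAMPLE_FILES is constructed and stands in for the filesystem.
"""
import re
from typing import Dict, List, Optional, Tuple

VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.I)
INCLUDE = re.compile(r"^\s*(Include|IncludeOptional)\s+(\S+)", re.I)
SERVER_NAME = re.compile(r"^\s*ServerName\s+(\S+)", re.I)
SSL_ENGINE = re.compile(r"^\s*SSLEngine\s+(\S+)", re.I)

SAMPLE_FILES: Dict[str, str] = {
    # Constructed, modelled on certbot's shipped options file: SSLEngine on lives here,
    # so a vhost that drops this Include silently loses TLS.
    "/etc/letsencrypt/options-ssl-apache.conf":
        "SSLEngine on\nSSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1\nSSLOptions +StrictRequire\n",
    # Constructed, modelled on the orcacomputers.com-le-ssl.conf posted in the thread.
    "/etc/httpd/conf.d/orcacomputers.com-le-ssl.conf": (
        "<IfModule mod_ssl.c>\n<VirtualHost *:443>\n"
        "    ServerName orcacomputers.com\n    ServerAlias www.orcacomputers.com\n"
        "    Include /etc/letsencrypt/options-ssl-apache.conf\n"
        "    SSLCertificateFile /etc/letsencrypt/live/orcacomputers.com/cert.pem\n"
        "    SSLCertificateKeyFile /etc/letsencrypt/live/orcacomputers.com/privkey.pem\n"
        "</VirtualHost>\n</IfModule>\n"),
    # Constructed, hypothetical: a :443 vhost with certificates but no SSLEngine on.  Because
    # "00-" sorts first it becomes the default for *:443 and the whole socket speaks plaintext.
    "/etc/httpd/conf.d/00-plain443.conf": (
        "<VirtualHost *:443>\n    ServerName plain443.example\n"
        "    SSLCertificateFile /etc/letsencrypt/live/plain443.example/cert.pem\n"
        "    SSLCertificateKeyFile /etc/letsencrypt/live/plain443.example/privkey.pem\n"
        "</VirtualHost>\n"),
}


def expand_includes(text: str, files: Dict[str, str], depth: int = 0) -> List[str]:
    """Inline Include/IncludeOptional (exact paths only, no globs) so directives pulled in
    from another file count for the vhost that includes them."""
    if depth > 8:
        raise RecursionError("Include nesting too deep")
    out: List[str] = []
    for line in text.splitlines():
        m = INCLUDE.match(line)
        if not m:
            out.append(line)
            continue
        body = files.get(m.group(2))
        if body is None:
            if m.group(1).lower() == "include":
                raise FileNotFoundError(m.group(2))  # Apache itself would refuse to start
            continue                                # IncludeOptional: missing file is fine
        out.extend(expand_includes(body, files, depth + 1))
    return out


def scan_vhosts(files: Dict[str, str]) -> List[dict]:
    """One record per <VirtualHost>, in the order Apache reads conf.d (sorted by file name)."""
    records: List[dict] = []
    for path in sorted(p for p in files if p.startswith("/etc/httpd/conf.d/")):
        cur: Optional[dict] = None
        for line in expand_includes(files[path], files):
            opened = VHOST_OPEN.match(line)
            if opened:
                cur = {"file": path, "addr": opened.group(1).strip(),
                       "server_name": None, "ssl_on": False}
                continue
            if cur is None:
                continue
            name, engine = SERVER_NAME.match(line), SSL_ENGINE.match(line)
            if VHOST_CLOSE.match(line):
                records.append(cur)
                cur = None
            elif name:
                cur["server_name"] = name.group(1)
            elif engine:
                cur["ssl_on"] = engine.group(1).lower() == "on"
    return records


def audit_port_443(files: Dict[str, str]) -> Tuple[Optional[dict], List[str]]:
    """Return (default :443 vhost, ServerNames of :443 vhosts lacking SSLEngine on)."""
    on_443 = [r for r in scan_vhosts(files) if r["addr"].endswith(":443")]
    default = on_443[0] if on_443 else None
    offenders = [r["server_name"] for r in on_443 if not r["ssl_on"]]
    return default, offenders


if __name__ == "__main__":
    default, offenders = audit_port_443(SAMPLE_FILES)
    print("default *:443 vhost:", default)
    print(":443 vhosts without SSLEngine on:", offenders)
```

To run it against a real server, build the `files` dictionary by reading every path under /etc/httpd/conf.d and /etc/letsencrypt that the Include lines name, then compare the reported default :443 vhost with the "default server" line in `httpd -t -D DUMP_VHOSTS`. The check is deliberately conservative: it does not evaluate <IfModule> or Define conditions, and it only follows exact Include paths, not globs.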

The only thing I can think of is that these subdomains I am setting up with GoDaddy could be an issue.

Example: I set up church.thepowerhousemethod.org and it adds an A record with the IP 3.33.152.147. Could this be the conflict?

No, it is not a DNS problem. We can contact your server; it just doesn't properly handle HTTPS requests. The curl with --resolve doesn't even use DNS.

Have you recently moved to GoDaddy?

You might want to ask them about it.


Okay, thanks. Now that I have ruled out the subdomain variable I will get some httpd help; not sure what has changed.


Did you try renaming your default ssl conf file? Were the file names changed at all?
