ERR_SSL_PROTOCOL_ERROR

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
mannmade.duckdns.org
I ran this command:
https://mannmade.duckdns.org
It produced this output:
This site can't provide a secure connection. mannmade.duckdns.org sent an invalid response.
Try running Windows Network Diagnostics.
ERR_SSL_PROTOCOL_ERROR
My web server is (include version):
Apache2
The operating system my web server runs on is (include version):
Ubuntu 20.04
My hosting provider, if applicable, is:
Self-hosted
I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No.
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.6.0

Summary:
I want to be able to reach family web pages on Apache on my Ubuntu Desktop. I did the Certbot Apache install and now I can't get into the site through DuckDns.

I can get into the site locally. When I enter "https://192.168.1.64", I get:
"This server could not prove that it is 192.168.1.64; its security certificate is from mannmade.duckdns.org. This may be caused by a misconfiguration or an attacker intercepting your connection." and the browser drops into http.

Any tips would be appreciated.

This might be due to Apache being configured to provide HTTP instead of HTTPS on port 443.

This makes sense, as the IP address wouldn't be part of the certificate.

It actually doesn't: it still shows https:// in the address bar. Just with a big warning that it isn't secure due to the aforementioned IP/hostname mismatch.

That said, I have a lot of trouble connecting to your website, as a large part of the DuckDNS nameservers seem to be unresponsive. See e.g. mannmade.duckdns.org | DNSViz.

But if I hardcode your IP address 173.76.164.94 to the hostname in /etc/hosts, I see that your Apache is currently not listening at port 443 at all. While port 80 works fine, connecting on port 443 results in a connection refused.

4 Likes
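The two symptoms in this thread (connection refused on 443 from the outside, a hostname mismatch when browsing by IP on the LAN) look alike in a browser but mean different things. The probe below is an added example, not code from the thread: it opens a TCP connection, attempts a verified TLS handshake, and reports whether the port is closed, answers with something other than TLS (a web server with plain HTTP bound to 443), or speaks TLS but presents a certificate that does not match the name you used. The two local fixtures (a freed port and a one-shot server that replies with an HTTP 400) are constructed so it runs offline; the host names and IPs in the comments are the ones from the thread.

```python
import socket
import ssl
import threading

# OpenSSL reason codes seen when the peer answers a TLS ClientHello with bytes
# that are not a TLS record (for example an HTTP error page): the signature of
# a web server serving plain HTTP on the TLS port.
_NOT_TLS_REASONS = ("WRONG_VERSION_NUMBER", "UNKNOWN_PROTOCOL",
                    "PACKET_LENGTH_TOO_LONG", "RECORD_LAYER_FAILURE")


def probe_https(host, port=443, sni=None, timeout=3.0):
    """Classify what answers on host:port when we try to speak TLS to it.

    'refused'          nothing listens, or the router/firewall rejects the
                       connection (the symptom reported in the thread)
    'timeout'          packets are silently dropped (e.g. unforwarded port)
    'plaintext'        something answers, but not with TLS
    'closed'           the peer hangs up during the handshake
    'tls'              handshake completed and certificate valid for `sni`
    'tls-cert:<why>'   TLS works but the certificate does not verify for
                       `sni`, e.g. browsing by IP instead of the DNS name
    'tls-error:<why>'  any other handshake failure
    """
    sni = sni or host
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except OSError as exc:
        return f"unreachable:{exc.strerror or exc}"

    ctx = ssl.create_default_context()  # system CA bundle + hostname check
    try:
        with ctx.wrap_socket(raw, server_hostname=sni):
            return "tls"
    except ssl.SSLCertVerificationError as exc:
        return f"tls-cert:{exc.verify_message}"
    except ssl.SSLEOFError:
        return "closed"
    except ssl.SSLError as exc:
        reason = exc.reason or str(exc)
        if any(code in reason for code in _NOT_TLS_REASONS):
            return "plaintext"
        return f"tls-error:{reason}"
    except (ConnectionResetError, socket.timeout, TimeoutError):
        return "closed"


# ---- constructed fixtures so the example runs offline (not real servers) ----

def closed_port():
    """A localhost port nothing listens on: bind, read it back, release it."""
    with socket.socket() as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


def start_fake_plaintext_server():
    """One-shot server answering any input with an HTTP 400, mimicking a web
    server that has plain HTTP, not TLS, bound to the port. Returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            conn.settimeout(3)
            try:
                conn.recv(4096)  # swallow the ClientHello
            except OSError:
                pass
            conn.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    print("closed port ->", probe_https("127.0.0.1", closed_port()))
    print("plain HTTP  ->", probe_https("127.0.0.1", start_fake_plaintext_server()))
    # Against the hosts in the thread you would run, for example:
    #   probe_https("mannmade.duckdns.org")              # 'refused' while nothing listens on 443
    #   probe_https("192.168.1.64", sni="192.168.1.64")  # 'tls-cert:...' once 443 serves the LE cert
```

A 'refused' result from the Internet but 'tls' or 'tls-cert:...' from the LAN points at the router (no forward for 443, or a forward to a different host, as turns out to be the case below); 'refused' from the LAN as well means Apache itself is not bound to 443.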

Thanks for the insight. I see that when CertBot installed on my Apache system, it created a file:
/etc/apache2/sites-available/mannmade-le-ssl.conf

This file (Comments removed):

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName mannmade.duckdns.org
    DocumentRoot /var/www/html

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLCertificateFile /etc/letsencrypt/live/mannmade.duckdns.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mannmade.duckdns.org/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

It also generated four .pem files in /etc/letsencrypt/live/mannmade.duckdns.org

I ran sudo a2ensite mannmade.conf then restarted Apache2. The response was: "... already enabled".

Do I need to port forward 443 in my router?
So, please, what did I miss? How do I make Apache listen on Port 443?

1 Like

Do you want the Internet to reach your server via port 443?
[I would think so]

4 Likes

Then, I have a problem. Port 443 is already forwarded to my Home Assistant server.

You can run sites on different ports that you choose, so for instance https://<yourdomain>:8443/ could forward to port 443 on your other server. The port 80/port 443 stuff used for http and https is just the default convention, but you can use pretty much whatever you choose as long as that what's in your configuration and you specify it in the URL when accessing the service.

2 Likes

You can also use one of the two [on port 443] as a proxy for the other.

3 Likes

Then your Home Assistant server isn't running I presume? Because of the "Connection refused" on port 443.

Agreed, I'd opt for setting up one of the webservers as a reverse proxy for Home Assistant.

3 Likes
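The two suggestions above (serve one site on a non-default port, or let the Apache box reverse-proxy Home Assistant) can be combined in one site file. The configuration below is an added example, not the poster's file or anything from Certbot: it keeps Home Assistant on the default port, so existing clients keep working, and moves the family pages to https://mannmade.duckdns.org:8443/, with Apache terminating TLS for both using the one Let's Encrypt certificate. Assumptions, not stated on the page: the router is changed to forward 80, 443 and 8443 to 192.168.1.64, Home Assistant answers HTTPS on 192.168.1.57:443 (change the backend URL if it listens on 8123), and the modules ssl, proxy, proxy_http, proxy_wstunnel and headers are enabled.

```apache
# Added example replacing /etc/apache2/sites-available/mannmade-le-ssl.conf.
# Assumes: router forwards 80/443/8443 to 192.168.1.64; Home Assistant serves
# HTTPS on 192.168.1.57:443; a2enmod ssl proxy proxy_http proxy_wstunnel headers.

# Ubuntu's ports.conf only adds "Listen 443" when ssl_module is loaded;
# 8443 has to be added here.
Listen 8443

<IfModule mod_ssl.c>

# Family pages: https://mannmade.duckdns.org:8443/
<VirtualHost *:8443>
    ServerName mannmade.duckdns.org
    DocumentRoot /var/www/html

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLCertificateFile /etc/letsencrypt/live/mannmade.duckdns.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mannmade.duckdns.org/privkey.pem
    # options-ssl-apache.conf turns SSLEngine on and sets protocols/ciphers
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

# Default port: same certificate, requests relayed to Home Assistant
<VirtualHost *:443>
    ServerName mannmade.duckdns.org

    ErrorLog ${APACHE_LOG_DIR}/ha-error.log
    CustomLog ${APACHE_LOG_DIR}/ha-access.log combined

    SSLCertificateFile /etc/letsencrypt/live/mannmade.duckdns.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mannmade.duckdns.org/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf

    # Reverse proxy only; never expose an open forward proxy
    ProxyRequests Off
    ProxyPreserveHost On

    # The backend is itself HTTPS with a certificate issued for an IP or
    # self-signed, so it cannot be verified on this LAN hop
    SSLProxyEngine On
    SSLProxyVerify none
    SSLProxyCheckPeerName off

    # Tell Home Assistant the client arrived over HTTPS
    RequestHeader set X-Forwarded-Proto "https"

    # WebSocket endpoint first (most specific match), then everything else
    ProxyPass        /api/websocket wss://192.168.1.57/api/websocket
    ProxyPassReverse /api/websocket wss://192.168.1.57/api/websocket
    ProxyPass        / https://192.168.1.57/
    ProxyPassReverse / https://192.168.1.57/
</VirtualHost>

</IfModule>
```

Two checks worth doing after editing: `sudo apachectl configtest` followed by `sudo apachectl -S`, which lists which vhost is bound to which port, and `sudo ss -ltnp` to confirm apache2 is actually listening on 443 and 8443. Note that the whole file is wrapped in `<IfModule mod_ssl.c>`, so if mod_ssl is not enabled (`sudo a2enmod ssl`) both vhosts silently disappear and Apache never binds 443, which is exactly the "connection refused" seen earlier in the thread. Home Assistant also has to be told to accept a reverse proxy, otherwise it rejects the forwarded requests: in its configuration.yaml, `http:` needs `use_x_forwarded_for: true` and `trusted_proxies:` listing 192.168.1.64.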

The HomeAssistant server on 192.168.1.57 runs fine when I https into it. The Apache server on 192.168.1.64 refuses the connection over https.

Time to learn more... Thanks for the tips.

1 Like

Not sure if it's already mentioned, but certs from Let's Encrypt can't be for IP addresses, so you need to use fully qualified DNS hostnames when accessing these services via https with an LE cert.

2 Likes

Well, currently I don't see any Let's Encrypt certificate at crt.sh | mannmade.duckdns.org :roll_eyes:

I see one using censys.io. Well, two if you count the staging cert

3 Likes

Uch, is crt.sh backlogged again...?

Hmm, yup, backlog of multiple days for some logs: crt.sh | monitored-logs

1 Like
