Getting ERR_SSL_PROTOCOL_ERROR

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: bridgesintounity.org

I ran this command: sudo certbot --apache -d bridgesintounity.org -d www.bridgesintounity.org

It produced this output: Congratulations! Your certificate and chain have been saved

My web server is (include version) Apache/2.4.18 (Ubuntu)
I am seeing this error from apachectl:
AH00526: Syntax error on line 17 of /etc/apache2/sites-enabled/bridgesintounity.org-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/bridgesintounity.org/fullchain.pem' does not exist or is empty
…HOWEVER: the file does exist (via softlink) and it isn’t empty.
I have three other domains on the same server and they are working.

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: my own VPS on Linode

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0

MORE INFORMATION:
I had this problem previously, couldn’t debug it, so I disabled the certificate, removed even the Apache virtual host files (for the site and le) under sites-available/ and sites-enabled/, then redid the Apache virtual hosts configuration and re-ran the above certbot command … it ran well, but then when I tried to navigate to the site in a browser I got the SSL protocol error.

Thanks in advance for the help!

Your Apache is speaking HTTP on port 443. See the following (working) URL closely: http://bridgesintounity.org:443/

Your Apache configuration must be very strange, because normally certbot doesn’t have any trouble with installing the cert.

What’s the output of sudo apachectl -S ?

THE OUTPUT IS:
AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/sites-enabled/OTHERDOMAINNAME.org.conf:1
VirtualHost configuration:
*:443 is a NameVirtualHost
<…snip…>

     port 443 namevhost bridgesintounity.org (/etc/apache2/sites-enabled/bridgesintounity.org-le-ssl.conf:2)
             alias www.bridgesintounity.org

<…snip…>

     port 80 namevhost bridgesintounity.org (/etc/apache2/sites-enabled/bridgesintounity.org.conf:3)
             alias www.bridgesintounity.org

<…snip…>

ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/lock/apache2" mechanism=fcntl
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

AMAZING ABOUT THE OUTPUT WITH the 443. That page saying “this domain is inactive” is exactly what I would expect to see right now.

I’d be happy/willing to send you the two files for this host/domain under apache2/sites-available/ if that would help to debug it.

Before running the certbot command mentioned in my original post, my virtual host file looks like this:

<VirtualHost *:80>
ServerAdmin benjaminfranklin@yahoo.com
ServerName bridgesintounity.org
ServerAlias www.bridgesintounity.org

DirectoryIndex index.html index.php
DocumentRoot /var/www/html/bbbb/public_html

LogLevel warn
ErrorLog /var/www/html/bbbb/log/error.log
CustomLog /var/www/html/bbbb/log/access.log combined

(it has a closing VirtualHost line but the editor doesn’t show it)

There is nothing strange about my Apache configuration. It’s just a straightforward Apache installation with no changes to the default configuration.

This is all fixed now. The problem was apparently caused by some Apache virtual host files that had very unorthodox configurations in them to (try to) get the host to go to HTTPS. At one time it may have worked … originally I had been following recipes on the web … before I had realized that the proper way to do it was to let the certbot tool take care of it.

So I solved it as follows:

  1. Used “certbot delete …” to undo the mess for each corrupted/questionable domain.
  2. Then I did an “a2dissite …” for all of the domains that had the questionable virtual hosts. Some manual removal of virtual host files was also necessary to get it squeaky clean.
  3. Then I followed the EFF directions to uninstall my old certbot and install a new one.
  4. Then I created fresh, clean, new, simple virtual host files one by one for each domain.
  5. After creating each new virtual host I enabled it (http), then ran certbot to get a cert for it and verified that it was working correctly (https) before proceeding to the next one.
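An added example, not code from any poster in this thread: a small audit of virtual host files for the symptom diagnosed above (Apache answering plain HTTP on port 443). It flags any `<VirtualHost>` bound to 443 that does not turn `SSLEngine` on, which is one configuration that produces this behaviour; the thread does not show which directive was actually at fault. File names, hosts and contents in the sample are constructed.

```python
import re

# Constructed sample vhost files; names and paths are hypothetical, not from the thread.
SAMPLE = {
    "legacy.example.conf": """
<VirtualHost *:80 *:443>
    ServerName legacy.example
    DocumentRoot /var/www/legacy
</VirtualHost>""",
    "site.example-le-ssl.conf": """
<VirtualHost *:443>
    ServerName site.example
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>""",
    "other.example-ssl.conf": """
<VirtualHost *:443>
    ServerName other.example
    SSLEngine on
</VirtualHost>""",
}

VHOST_OPEN = re.compile(r"<VirtualHost\s+([^>]+)>", re.I)

def audit_port(files, port="443"):
    """Return (file, ServerName, verdict) for each vhost bound to `port`."""
    findings = []
    for fname, text in files.items():
        vh = None  # directives of the vhost currently being read
        for line in (l.strip() for l in text.splitlines()):
            opened = VHOST_OPEN.match(line)
            if opened:
                # A vhost may list several address:port pairs.
                ports = {a.rsplit(":", 1)[-1] for a in opened.group(1).split()}
                vh = {"_bound": port in ports}
            elif vh is None or not line or line.startswith("#"):
                continue
            elif line.lower().startswith("</virtualhost"):
                ssl = (vh.get("sslengine") or "").lower()
                included = any(k in vh for k in ("include", "includeoptional"))
                if vh["_bound"]:
                    verdict = ("tls" if ssl == "on"
                               else "check-includes" if not ssl and included
                               else "plaintext")
                    findings.append((fname, vh.get("servername", "?"), verdict))
                vh = None
            else:
                key, val = (line.split(None, 1) + [""])[:2]
                vh[key.lower()] = val.strip()  # last occurrence wins
    return findings
```

On a server, build `files` from the contents of the `.conf` files under `/etc/apache2/sites-enabled/`; a `check-includes` verdict means the included file has to be read to confirm it sets `SSLEngine on`.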