Getting ERR_SSL_PROTOCOL_ERROR

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: os3-328-53799.vs.sakura.ne.jp

My web server is (include version): Apache/2.4.57 (CentOS Stream)

The operating system my web server runs on is (include version): CentOS Stream release 9

I can login to a root shell on my machine (yes or no, or I don't know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.6.0

MORE INFORMATION:
I was able to access my website via https until the day before, but suddenly I can no longer access it. I tried it in both chrome and safari, but both gave the same error. I was able to access it with http without any problems. It seems that some error occurred during the certificate renewal process, but the expiration date was displayed as shown below.

sudo certbot certificates

Found the following certs:
Certificate Name: os3-328-53799.vs.sakura.ne.jp
Serial Number: **********
Key Type: ECDSA
Domains: os3-328-53799.vs.sakura.ne.jp
Expiry Date: 2024-01-17 08:30:36+00:00 (VALID: 33 days)
Certificate Path: /etc/letsencrypt/live/os3-328-53799.vs.sakura.ne.jp/fullchain.pem
Private Key Path: /etc/letsencrypt/live/os3-328-53799.vs.sakura.ne.jp/privkey.pem

Also, I simply set up a virtual host in the Apache settings to use for the certificate renewal, but I thought this was also one of the causes. The Apache configuration was as follows.

<VirtualHost *:80>
ServerAdmin root@hogehoge
DocumentRoot /var/www/html
ServerName hogehoge
</VirtualHost>

Please tell this web server newbie how to solve this problem.

Your Apache VirtualHost is not configured properly. Requests to port 443 should be for HTTPS. But, your Apache is handling it as an HTTP request.

Let's start by having you show us what this says:

sudo apache2ctl -t -D DUMP_VHOSTS

If you have any NAT or port forwarding also review that to ensure port 443 inbound is directed to your server as port 443.

Edit: oh, you probably need httpd in that command instead of apache2ctl


sudo httpd -t -D DUMP_VHOSTS

AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/httpd/conf/httpd.conf:363
VirtualHost configuration:
*:80 hogehoge (/etc/httpd/conf/httpd.conf:365)

The result is like this.

Yes, @MikeMcQ nailed it - you have a misconfiguration in your Apache configuration @Kiichi .

If you check the site in Firefox, you will see the issue is "Connection not encrypted":

The "httpd -t -D DUMP_VHOSTS" should list the port 443 virtual host. Instead, you are getting the warning about using the NameVirtualHost directive on line 363 in httpd.conf. You need to have a VirtualHost configured for port 443 for your domain.

The fact that I am getting this response on port 443 means that you are forwarding port 443 to port 80.


First of all, thank you for your reply.

NameVirtualHost *:80 (this was the line 443)

<VirtualHost *:80>
ServerAdmin root@hogehoge
DocumentRoot /var/www/html
ServerName hogehoge
</VirtualHost>

I tried changing or deleting the above part of the Apache configuration file as follows, but the situation did not change.

NameVirtualHost *:443

<VirtualHost *:443>
ServerAdmin root@hogehoge
DocumentRoot /var/www/html
ServerName hogehoge
</VirtualHost>

Those VirtualHosts are completely wrong for the domain os3-328-53799.vs.sakura.ne.jp

I don't see how HTTPS requests ever worked. You must have made some big changes.

Can you show the contents of this file:

/etc/letsencrypt/renewal/os3-328-53799.vs.sakura.ne.jp.conf

This doesn't show it bound to port 443:

This config is likely not enabled:

Please show the output of:
netstat -pant | grep -i listen


Thank you for your reply.

The result of the command cat /etc/letsencrypt/renewal/os3-328-53799.vs.sakura.ne.jp.conf is as follows.

# renew_before_expiry = 30 days
version = 2.6.0
archive_dir = /etc/letsencrypt/archive/os3-328-53799.vs.sakura.ne.jp
cert = /etc/letsencrypt/live/os3-328-53799.vs.sakura.ne.jp/cert.pem
privkey = /etc/letsencrypt/live/os3-328-53799.vs.sakura.ne.jp/privkey.pem
chain = /etc/letsencrypt/live/os3-328-53799.vs.sakura.ne.jp/chain.pem
fullchain = /etc/letsencrypt/live/os3-328-53799.vs.sakura.ne.jp/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = 255a8f5b3979900aca8fda472e9f246c
authenticator = apache
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa
installer = apache

Thank you for your reply.

netstat -pant | grep -i listen

This command could not be executed. The result of running the alternative command is as follows.

command: ss -pnat

result:

State        Recv-Q       Send-Q             Local Address:Port               Peer Address:Port        Process       
LISTEN       0            128                      0.0.0.0:22                      0.0.0.0:*                         
LISTEN       0            511                      0.0.0.0:80                      0.0.0.0:*                         
LISTEN       0            511                      0.0.0.0:443                     0.0.0.0:*                         
ESTAB        0            80                 49.212.177.53:22               133.31.218.165:48647                     
LISTEN       0            128                         [::]:22                         [::]:*

Well... something is bound to port 443.

What shows?:
ps -ef | grep -v grep | grep -Ei 'apache|nginx|http'


The result of running the command ps -ef | grep -v grep | grep -Ei 'apache|nginx|http' was as follows.

apache       649     618  0 Dec12 ?        00:00:00 php-fpm: pool www
apache       650     618  0 Dec12 ?        00:00:00 php-fpm: pool www
apache       651     618  0 Dec12 ?        00:00:00 php-fpm: pool www
apache       652     618  0 Dec12 ?        00:00:00 php-fpm: pool www
apache       653     618  0 Dec12 ?        00:00:00 php-fpm: pool www
root       33309       1  0 Dec15 ?        00:00:03 /usr/sbin/httpd -DFOREGROUND
apache     33311   33309  0 Dec15 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache     33312   33309  0 Dec15 ?        00:00:13 /usr/sbin/httpd -DFOREGROUND
apache     33313   33309  0 Dec15 ?        00:00:12 /usr/sbin/httpd -DFOREGROUND
apache     33314   33309  0 Dec15 ?        00:00:12 /usr/sbin/httpd -DFOREGROUND
apache     33594   33309  0 Dec15 ?        00:00:12 /usr/sbin/httpd -DFOREGROUND

It is probably Apache listening on port 443, but can you run the above command with sudo, which will confirm that. Thanks

sudo ss -pnat

The result was this.

State         Recv-Q        Send-Q               Local Address:Port                  Peer Address:Port         Process                                                                                                        
LISTEN        0             128                        0.0.0.0:22                         0.0.0.0:*             users:(("sshd",pid=626,fd=3))                                                                                 
LISTEN        0             511                        0.0.0.0:80                         0.0.0.0:*             users:(("httpd",pid=42305,fd=3),("httpd",pid=41660,fd=3),("httpd",pid=41659,fd=3),("httpd",pid=41658,fd=3),("httpd",pid=41655,fd=3))
LISTEN        0             511                        0.0.0.0:443                        0.0.0.0:*             users:(("httpd",pid=42305,fd=4),("httpd",pid=41660,fd=4),("httpd",pid=41659,fd=4),("httpd",pid=41658,fd=4),("httpd",pid=41655,fd=4))
ESTAB         0             0                    49.212.177.53:22                   167.71.223.33:39328         users:(("sshd",pid=43311,fd=4),("sshd",pid=43310,fd=4))                                                       
ESTAB         0             0                    49.212.177.53:22                    43.153.77.20:53780         users:(("sshd",pid=43313,fd=4),("sshd",pid=43312,fd=4))                                                       
ESTAB         0             0                    49.212.177.53:22                   124.38.79.132:63185         users:(("sshd",pid=43275,fd=4),("sshd",pid=43257,fd=4))                                                       
LISTEN        0             128                           [::]:22                            [::]:*             users:(("sshd",pid=626,fd=4)) 

You should create a new VirtualHost for this domain.
It should at least have this much, but add others as you need.

<VirtualHost *:80>
## ServerAdmin root@hogehoge  # set as needed
ServerName os3-328-53799.vs.sakura.ne.jp
DocumentRoot /var/www/html
</VirtualHost>

Check that this port 80 name is active by running

sudo httpd -t -D DUMP_VHOSTS

If it is, re-run the command you used originally which was

sudo certbot --apache -d os3-328-53799.vs.sakura.ne.jp

It might ask if you want to re-issue or just install. Just installing should work.

You are missing the VirtualHost for this domain to process HTTPS. This certbot command should re-create that for you.

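As an added example (not code from the thread or from the Let's Encrypt project), here is a small Python check that parses the output of `httpd -t -D DUMP_VHOSTS` that the helpers asked for and reports why HTTPS for a domain would fail. The two sample dumps are constructed: one mirrors the thread's broken output, the other shows what a working layout looks like, including the name-based form Apache prints when several vhosts share a port (the ssl.conf path and the other.example name are assumed, not from the thread).

```python
"""Parse `httpd -t -D DUMP_VHOSTS` output and report why HTTPS for a domain would fail."""
import re

DOMAIN = "os3-328-53799.vs.sakura.ne.jp"

# Constructed sample mirroring the thread: one *:80 vhost named "hogehoge", nothing on 443.
SAMPLE_BROKEN = """\
AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/httpd/conf/httpd.conf:363
VirtualHost configuration:
*:80                   hogehoge (/etc/httpd/conf/httpd.conf:365)
"""

# Constructed sample of a working layout (the ssl.conf path is an assumed example).
SAMPLE_FIXED = """\
VirtualHost configuration:
*:80                   is a NameVirtualHost
         port 80 namevhost os3-328-53799.vs.sakura.ne.jp (/etc/httpd/conf/httpd.conf:365)
*:443                  os3-328-53799.vs.sakura.ne.jp (/etc/httpd/conf.d/ssl.conf:5)
"""

# One vhost per port: "*:80   name (file:line)"
SINGLE_RE = re.compile(r"^(?P<addr>\S+):(?P<port>\d+)\s+(?P<name>[^\s(]+)\s+\((?P<src>[^)]+)\)")
# Name-based vhosts: "   port 80 namevhost name (file:line)"
NAMEVHOST_RE = re.compile(r"^\s+port (?P<port>\d+) namevhost (?P<name>\S+) \((?P<src>[^)]+)\)")


def parse_dump_vhosts(output: str) -> list[tuple[int, str, str]]:
    """Return (port, ServerName, config location) for every vhost in the dump."""
    vhosts = []
    for line in output.splitlines():
        m = SINGLE_RE.match(line) or NAMEVHOST_RE.match(line)
        if m:
            vhosts.append((int(m.group("port")), m.group("name"), m.group("src")))
    return vhosts


def https_vhost_problems(output: str, domain: str) -> list[str]:
    """Explain, from the dump alone, why https://domain/ would not be served."""
    vhosts = parse_dump_vhosts(output)
    on_80 = {name for port, name, _ in vhosts if port == 80}
    on_443 = {name for port, name, _ in vhosts if port == 443}
    problems = []
    if not on_443:
        # Listen 443 with no *:443 vhost: Apache answers TLS clients with plain HTTP (ERR_SSL_PROTOCOL_ERROR).
        problems.append("no *:443 VirtualHost at all; port 443 is served as plain HTTP")
    elif domain not in on_443:
        problems.append(f"*:443 vhosts exist but none has ServerName {domain}: {sorted(on_443)}")
    if domain not in on_80:
        problems.append(f"no *:80 VirtualHost with ServerName {domain}; certbot --apache has nothing to install into")
    return problems
```

Run it against your own dump with `https_vhost_problems(open("dump.txt").read(), "your.domain")`; an empty list means both the port 80 and the port 443 vhosts for the name are present.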

I was able to successfully resolve the issue.
Thank you for your cooperation over the past few days in resolving the issue. Now I can resume learning web servers. I'm really thankful to you.

