Gnutls_handshake() failed: An unexpected TLS packet was received

Help
1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
buzzcloud.global

I ran this command:
curl -iv https://buzzcloud.global/

It produced this output:

  • Trying 212.56.93.53…
  • Connected to buzzcloud.global (212.56.93.53) port 443 (#0)
  • found 148 certificates in /etc/ssl/certs/ca-certificates.crt
  • found 614 certificates in /etc/ssl/certs
  • ALPN, offering http/1.1
  • gnutls_handshake() failed: An unexpected TLS packet was received.
  • Closing connection 0
    curl: (35) gnutls_handshake() failed: An unexpected TLS packet was received.

My web server is (include version):
Apache/2.4.18 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 16.04 Linux buzzcloud 4.4.0-104-generic #127-Ubuntu SMP Mon Dec 11 12:16:42 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

I recently renewed Letsencrypt certificates and tested as usual using curl (thus avoiding any browser issues) and all looked fine. Yesterday I noticed my website was unavailable - oops!

Any pointers as to what has gone wrong much appreciated!

2

Your site is speaking HTTP on port 443, not HTTPS.

1 Like
3

Thanks for your response. I have no need for HTTP, should I remove the HTTP related config files in /etc/apache2/sites-available ?

4

I don’t think you need to delete anything, there’s something wrong with the configuration you need to fix. Besides, most likely you’d want to have a HTTP to HTTPS redirect.

5

Please tell me how you found its trying to talk HTTP on port 443. Also any pointers to concise, logical docs for setting up SSL on ubuntu 16.04 under Apache2 would be much appreciated.

6 
osiris@desktop ~ $ telnet buzzcloud.global 443
Trying 212.56.93.53...
Connected to buzzcloud.global.
Escape character is '^]'.
GET / HTTP/1.1
Host: buzzcloud.global

HTTP/1.1 403 Forbidden
Date: Sun, 17 Dec 2017 16:43:26 GMT
Server: Apache
Content-Length: 209
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /
on this server.<br />
</p>
</body></html>
Connection closed by foreign host.
osiris@desktop ~ $

That’s how :slight_smile:

I don’t run Ubuntu and I don’t know any docs for it. I suppose it isn’t any different than just setting up TLS on Apache.

But I’m more interested in how it could have been broken all the sudden.

7

nice simple test - I’ll use that in future. AFAIK it got broken by auto software updates - I almost never log in to this server as its a production environment. I will have to read up a bit more…

8

I have removed old http config files and issued apache2ctl graceful

Running this:
openssl s_client -connect localhost:443 -state -debug

Gives me this:
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x1a15d40 [0x1a16a90] (305 bytes => 305 (0x131))
0000 - 16 03 01 01 2c 01 00 01-28 03 03 49 9f 15 4a 93 ....,...(..I..J.
0010 - 7a f1 57 8f c7 da 76 63-d4 52 8b 23 94 ad 04 05 z.W...vc.R.#....
0020 - a9 bc 82 36 be 40 22 9c-07 cd 4a 00 00 aa c0 30 ...6.@"...J....0
0030 - c0 2c c0 28 c0 24 c0 14-c0 0a 00 a5 00 a3 00 a1 .,.(.$..........
0040 - 00 9f 00 6b 00 6a 00 69-00 68 00 39 00 38 00 37 ...k.j.i.h.9.8.7
0050 - 00 36 00 88 00 87 00 86-00 85 c0 32 c0 2e c0 2a .6.........2...*
0060 - c0 26 c0 0f c0 05 00 9d-00 3d 00 35 00 84 c0 2f .&.......=.5.../
0070 - c0 2b c0 27 c0 23 c0 13-c0 09 00 a4 00 a2 00 a0 .+.'.#..........
0080 - 00 9e 00 67 00 40 00 3f-00 3e 00 33 00 32 00 31 ...g.@.?.>.3.2.1
0090 - 00 30 00 9a 00 99 00 98-00 97 00 45 00 44 00 43 .0.........E.D.C
00a0 - 00 42 c0 31 c0 2d c0 29-c0 25 c0 0e c0 04 00 9c .B.1.-.).%......
00b0 - 00 3c 00 2f 00 96 00 41-c0 11 c0 07 c0 0c c0 02 .<./...A........
00c0 - 00 05 00 04 c0 12 c0 08-00 16 00 13 00 10 00 0d ................
00d0 - c0 0d c0 03 00 0a 00 ff-01 00 00 55 00 0b 00 04 ...........U....
00e0 - 03 00 01 02 00 0a 00 1c-00 1a 00 17 00 19 00 1c ................
00f0 - 00 1b 00 18 00 1a 00 16-00 0e 00 0d 00 0b 00 0c ................
0100 - 00 09 00 0a 00 23 00 00-00 0d 00 20 00 1e 06 01 .....#..... ....
0110 - 06 02 06 03 05 01 05 02-05 03 04 01 04 02 04 03 ................
0120 - 03 01 03 02 03 03 02 01-02 02 02 03 00 0f 00 01 ................
0130 - 01 .
SSL_connect:SSLv2/v3 write client hello A
read from 0x1a15d40 [0x1a1bff0] (7 bytes => 7 (0x7))
0000 - 48 54 54 50 2f 31 2e HTTP/1.
SSL_connect:error in SSLv2/v3 read server hello A
139916743157400:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:

no peer certificate available

No client certificate CA names sent

SSL handshake has read 7 bytes and written 305 bytes

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1513530793
Timeout : 300 (sec)
Verify return code: 0 (ok)

I see it complains about:

0000 - 48 54 54 50 2f 31 2e HTTP/1.

SSL_connect:error in SSLv2/v3 read server hello A
139916743157400:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:

no peer certificate available

No client certificate CA names sent

What should I expect to see as a response, I guess means my server is still speaking HTTP not HTTPS?

9

   
Yes.

Deleting old stuff probably isn't helpful, you need to check your current working configuration files.

10

my current HTTPS config file looks like this:

# The ServerName directive sets the request scheme, hostname and port that # the server uses to identify itself. This is used when creating # redirection URLs. In the context of virtual hosts, the ServerName # specifies what hostname must appear in the request's Host: header to # match this virtual host. For the default virtual host (this file) this # value is not decisive as it is used as a last resort host regardless. # However, you must set it for any further virtual host explicitly. #ServerName www.example.com 
    ServerAdmin webmaster@buzzcloud.global
    ServerName buzzcloud.global
    ServerAlias www.buzzcloud.global buzzcloud.local
    DocumentRoot /webserver/buzzcloud.global/public_html/

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    LogLevel debug ssl:debug

    ErrorLog /webserver/buzzcloud.global/logs/buzzcloud-HTTPS-error.log
    CustomLog /webserver/buzzcloud.global/logs/buzzcloud-HTTPS-access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf

    <Directory />
      Options FollowSymLinks
      AllowOverride None
    </Directory>

    <Directory /webserver/buzzcloud.global/public_html>
      Options Indexes FollowSymLinks MultiViews
      AllowOverride All
      Require all granted
    </Directory>

SSLCertificateFile /etc/ssl/certs/buzzcloud.global.crt

SSLCertificateKeyFile /etc/ssl/certs/buzzcloud.global.key

SSLCertificateChainFile /etc/ssl/certs/server-ca.crt

SSLCertificateChainFile /etc/letsencrypt/live/buzzcloud.global/fullchain.pem

    Include /etc/apache2/options-ssl-apache.conf

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile      /etc/letsencrypt/live/buzzcloud.global/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/buzzcloud.global/privkey.pem

Include /etc/letsencrypt/options-ssl-apache.conf

This hasn’t been changed for > 1 year, only relevant changes were renewing SSL certs using certbot renew. I tested HTTPS access and left it in working condition only to find out by chance the web server was down.

11

Is this all in one file? I’m not seeing the <VirtualHost> sections.

Why so many, multiple SSL-directives? Why three includes, which most likely do exactly the same?

12

I used this file for HTTPS config, and a separate file for HTTP config. There is a single clause

Would it be better to have both HTTPS and HTTP VirtualHost clauses in a single file?

13

OK I have included both HTTP & HTTPS sections in a single config file as show below, no difference to the original problem it is still serving HTTP over port 443.

# The ServerName directive sets the request scheme, hostname and port that # the server uses to identify itself. This is used when creating # redirection URLs. In the context of virtual hosts, the ServerName # specifies what hostname must appear in the request's Host: header to # match this virtual host. For the default virtual host (this file) this # value is not decisive as it is used as a last resort host regardless. # However, you must set it for any further virtual host explicitly. #ServerName www.example.com 
    ServerAdmin webmaster@buzzcloud.global
    ServerName buzzcloud.global
    ServerAlias www.buzzcloud.global buzzcloud.local
    DocumentRoot /webserver/buzzcloud.global/public_html

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    LogLevel debug ssl:debug

    ErrorLog /webserver/buzzcloud.global/logs/buzzcloud-HTTPS-error.log
    CustomLog /webserver/buzzcloud.global/logs/buzzcloud-HTTPS-access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf

    <Directory />
      Options FollowSymLinks
      AllowOverride None
    </Directory>

    <Directory /webserver/buzzcloud.global/public_html>
      Options Indexes FollowSymLinks MultiViews
      AllowOverride All
      Require all granted
    </Directory>

    SSLCertificateFile      /etc/letsencrypt/live/buzzcloud.global/fullchain.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/buzzcloud.global/privkey.pem
    Include                 /etc/letsencrypt/options-ssl-apache.conf
    </VirtualHost>

vim: syntax=apache ts=4 sw=4 sts=4 sr noet

# The ServerName directive sets the request scheme, hostname and port that # the server uses to identify itself. This is used when creating # redirection URLs. In the context of virtual hosts, the ServerName # specifies what hostname must appear in the request's Host: header to # match this virtual host. For the default virtual host (this file) this # value is not decisive as it is used as a last resort host regardless. # However, you must set it for any further virtual host explicitly. ServerName buzzcloud.global ServerAlias www.buzzcloud.global buzzcloud.local buzzcloud Redirect permanent / https://buzzcloud.global 
    ServerAdmin webmaster@buzzcloud.global

DocumentRoot /webserver/buzzcloud.global/public_html

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn
    <Directory /webserver/buzzcloud.global/public_html>
    Options -Indexes -FollowSymLinks +MultiViews

AllowOverride none

    Require all granted
    </Directory>

    ErrorLog /webserver/buzzcloud.global/logs/buzzcloud-HTTP-error.log
    CustomLog /webserver/buzzcloud.global/logs/buzzcloud-HTTP-access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf

So far as I can see the first section covers HTTPS and it has port 443, the second section is for HTTP and it provides port 80. Are there any other files that might override this .conf file under default apache2 distributions?

14

OK I nailed it. I saw another site.conf file which did not have a hostname in the VirtualHost section header and changed mine to:

I originally set it to hostname because I understood this was needed for multiple VirtualHost sections so that they could be matched up to incoming http headers.

The site is up and running now, thanks for your help.

1 Like
15

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.