Hello!, I'm running into this error with Let's Encrypt (default settings, Apache 2):

german_on_line · December 8, 2017, 8:24am

AH02261: Re-negotiation handshake failed - it not accepted by client!?

My domain is:https://www.tokakoka.ru
The operating system my web server runs on is: ubuntu (linux mint 18.1 Serena)
I can login to a root shell on my machine - yes
I’m using a control panel to manage my site - no

sahsanu · December 8, 2017, 10:17am

Hi @german_on_line,

Usually, that error message appears when you are using SSLVerifyClient directive in your conf to validate the client (user connecting to your site) using a ssl certificate. I don't know what you tried but maybe you don't want this.

If you paste the apache conf for your site we could see what is wrong.

Also, keep in mind that you have issued 2 certificates, one valid only for www.tokakoka.ru and one valid only for tokakoka.ru...

CRT ID     DOMAIN (CN)      VALID FROM             VALID TO               EXPIRES IN  SANs
260354004  tokakoka.ru      2017-Nov-20 20:24 UTC  2018-Feb-18 20:24 UTC  72 days     tokakoka.ru
260353875  www.tokakoka.ru  2017-Nov-20 20:23 UTC  2018-Feb-18 20:23 UTC  72 days     www.tokakoka.ru

...but you are not configuring your apache server to serve the right certificate for tokakoka.ru, only for www.tokakoka.ru

$ echo | openssl s_client -connect tokakoka.ru:443 -servername tokakoka.ru 2>/dev/null | openssl x509 -noout -text | grep DNS:
                DNS:www.tokakoka.ru
$ echo | openssl s_client -connect tokakoka.ru:443 -servername www.tokakoka.ru 2>/dev/null | openssl x509 -noout -text | grep DNS:
                DNS:www.tokakoka.ru

The first command should return DNS:tokakoka.ru instead of DNS:www.tokakoka.ru so that means that the cert server from your apache is not valid for tokakoka.ru.

I'm saying this because your site shows a warning about mixed content, that is, your site is https but you are trying to load something (javascript, an image, etc.) from an insecure site, in your case you are trying to load a gif from http://tokakoka.ru/kon.gif which it is wrong. Your web server has a redirect to https://tokakoka.ru/kon.gif which is also wrong because the certificate served for that url is only valid for www.tokakora.ru but not tokakora.ru so you should check that too.

Cheers,
sahsanu

german_on_line · December 8, 2017, 10:42am

tokakoka.ru-le-ssl.conf:
<VirtualHost *:443>
ServerName tokakoka.ru
ServerAlias www.tokakoka.ru
ServerAdmin info@tokakoka.ru
DocumentRoot /var/www/tokakoka.ru/public_html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

SSLCertificateFile /etc/letsencrypt/live/www.tokakoka.ru/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.tokakoka.ru/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

tokakoka.ru.conf:
<VirtualHost *:80>
ServerName tokakoka.ru
ServerAlias www.tokakoka.ru
ServerAdmin info@tokakoka.ru
DocumentRoot /var/www/tokakoka.ru/public_html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

sahsanu · December 8, 2017, 10:57am

Hi,

The conf posted doesn’t explain this error message AH02261: Re-negotiation handshake failed so maybe you have defined the SSLVerifyClient in another conf file:

grep -ri 'SSLVerifyClient' /etc/apache2/*

but the conf posted explains the reason you are serving the wrong certificate for tokakoka.ru.

As you have 2 independent certificates, 1 only valid for tokakoka.ru and 1 only valid for www.tokakoka.ru you need to create a new virtualhost covering tokakoka.ru and modify the one serving tokakoka.ru to remove ServerAlias directive…

So, tokakoka.ru-le-ssl.conf file should look like this:

<VirtualHost *:443>
ServerName tokakoka.ru
ServerAdmin info@tokakoka.ru
DocumentRoot /var/www/tokakoka.ru/public_html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

SSLCertificateFile /etc/letsencrypt/live/tokakoka.ru/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/tokakoka.ru/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

<VirtualHost *:443>
ServerName www.tokakoka.ru
ServerAdmin info@tokakoka.ru
DocumentRoot /var/www/tokakoka.ru/public_html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

SSLCertificateFile /etc/letsencrypt/live/www.tokakoka.ru/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.tokakoka.ru/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

Note: I’m assuming the right cert covering tokakoka.ru is located at /etc/letsencrypt/live/tokakoka.ru/ path but maybe it is in another place so you should double check that the path is the correct one and modify it in the apache conf I posted above if it is not the correct one.

Note 2: Always perform a backup of the files you are modifying and remember to reload/restart apache so it can load the new modified conf.

Cheers,
sahsanu

german_on_line · December 8, 2017, 11:06am

I had some craziness with the settings of the virtual hosts, but the rooming has passed. Now there are no problems with mixed content.
But in the server's logs there are still errors - AH02261: Re-negotiation handshake failed

sahsanu · December 8, 2017, 11:25am

But your server is still not serving the right cert for tokakoka.ru.

$ echo | openssl s_client -connect tokakoka.ru:443 -servername tokakoka.ru 2>/dev/null | openssl x509 -noout -text | grep DNS:
                DNS:www.tokakoka.ru

Did you modify your conf file as I said above and reload/restart your apache web server?.

Show the output of the command I posted above:

grep -ri 'SSLVerifyClient' /etc/apache2/*

german_on_line · December 8, 2017, 11:28am

$ grep -ri ‘SSLVerifyClient’ /etc/apache2/sites-available/*
/etc/apache2/sites-available/default-ssl.conf: #SSLVerifyClient require

bytecamp · December 8, 2017, 11:39am

This does not search the whole configuration tree.

system · January 7, 2018, 11:40am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.