Port 443 is serving http, not https


I’ve been running an Apache server on Ubuntu 16.04 for some time now. Just tried to add my first secure site using a LetsEncrypt certificate. That part went well, but then I got every browser complaining about trying to access the https version of my website (vintageapple.org).

Upon further investigation, I was able to confirm using wget that port 443 is serving up regular http, not https.

$ wget http://vintageapple.org:443 PR3-98758 ~
--2019-02-07 10:03:51-- http://vintageapple.org:443/
Resolving vintageapple.org…
Connecting to vintageapple.org||:443… connected.
HTTP request sent, awaiting response… 200 OK
Length: 5885 (5.7K) [text/html]
Saving to: ‘index.html.6’

index.html.6 100%[========================================================================================>] 5.75K --.-KB/s in 0s

2019-02-07 10:03:51 (175 MB/s) - ‘index.html.6’ saved [5885/5885]

Further confirmed by trying to get https with wget:

$ wget https://vintageapple.org:443 PR3-98758 ~
--2019-02-07 10:04:09-- https://vintageapple.org/
Resolving vintageapple.org…
Connecting to vintageapple.org||:443… connected.
OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Unable to establish SSL connection.

I’ve been all through the Apache and site settings, to make sure everything is set up to support https.


    Listen 80
    Listen 443 https
    Listen 443 https

sites-enabled conf file for the ssl version:

    SSLEngine On
    ServerAdmin info@24sevenhosting.net
    ServerName www.vintageapple.org
    ServerAlias vintageapple.org
    DocumentRoot /srv/www/vintageapple.org/public_html/
    ErrorLog /srv/www/vintageapple.org/logs/vintageapple.org-error.log
    CustomLog /srv/www/vintageapple.org/logs/vintageapple.org-access.log combined
    RewriteEngine On
    RewriteOptions Inherit
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/vintageapple.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/vintageapple.org/privkey.pem

Note that I commented out the IfModule to try and see if that was preventing the secure version of the site from loading. No difference. I also added the extra SSLEngine On even though it is included in options-ssl-apache.conf just to see if it needed to be earlier in the configuration settings.

OpenSSL version:

OpenSSL 1.1.0h 27 Mar 2018 (Library: OpenSSL 1.1.1a 20 Nov 2018)

In the Apache error log:

[Thu Feb 07 09:41:06.460657 2019] [mpm_prefork:notice] [pid 23566] AH00163: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g configured -- resuming normal operations

I noticed the version of OpenSSL being reported by Apache is rather old. I have not been able to find out how to upgrade that to a newer version. I don’t know if that is my problem.

Any ideas? This has me stumped.

This was a pretty plain vanilla new 16.04LTS install from a few years back with nothing special done to it. I religiously update and upgrade twice a month, so all updates available through apt-get upgrade are installed as of Feb 1st.


Also apache2ctl -M shows the ssl_module is installed, and apache2ctl -S shows:

     port 443 namevhost www.vintageapple.org (/etc/apache2/sites-enabled/vintageapple.org-le-ssl.conf:3)
             alias vintageapple.org

     port 80 namevhost www.vintageapple.org (/etc/apache2/sites-enabled/vintageapple.org.conf:1)
             alias vintageapple.org

It’s possible you have a VirtualHost for port 443 that doesn’t include SSLEngine On. Could you post your whole set of Apache config files for checking? Or just grep for VirtualHost.*443 and check that each of those config sections has SSLEngine On?

Holy cow, that was it. I had two misconfigured port 443 virtual hosts. I tried adding SSLEngine On to both of them to no avail. But when I commented out the sections of those config files (both had both port 80 and port 443 virtual hosts in one file) then my original site worked.


I used the certbot on Ubuntu to add security to those two additional sites and they work now too. Gotta love how easy it was.
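
The check suggested in the reply above (find every VirtualHost on port 443 and confirm it has SSLEngine On), as an added example that is not part of the original thread. The function names `check_vhosts` and `demo` and the sample configs are constructed for illustration; Include lines are not followed, so a block that relies on one is marked `include` for a manual look.

```shell
#!/bin/sh
# check_vhosts FILE...  (hypothetical helper, added example)
# Prints "FILE:LINE STATUS" for each port-443 <VirtualHost> block:
#   on       block contains "SSLEngine on"
#   include  no SSLEngine line, but an Include that may set it
#   MISSING  neither: nothing in the block turns TLS on
check_vhosts() {
    awk '
        function report() { print file ":" start, (ssl ? "on" : (inc ? "include" : "MISSING")) }
        { line = tolower($0); sub(/^[ \t]+/, "", line) }
        line ~ /^#/ { next }   # commented-out directives do not count
        line ~ /^<virtualhost[ \t].*:443[ \t>]/ { inblk = 1; ssl = 0; inc = 0; file = FILENAME; start = FNR; next }
        inblk && line ~ /^sslengine[ \t]+on([ \t]|$)/ { ssl = 1 }
        inblk && line ~ /^include(optional)?[ \t]/ { inc = 1 }
        inblk && line ~ /^<\/virtualhost>/ { report(); inblk = 0 }
    ' "$@"
}

# Constructed sample configs (made-up site names): one file carries both a
# port-80 and a port-443 vhost with SSLEngine commented out, one is complete.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/other-site.conf" <<'EOF'
<VirtualHost *:80>
    ServerName other.example
</VirtualHost>
<VirtualHost *:443>
    ServerName other.example
    #SSLEngine on
    DocumentRoot /srv/www/other.example/public_html/
</VirtualHost>
EOF
    cat > "$dir/good-le-ssl.conf" <<'EOF'
<VirtualHost *:443>
    ServerName good.example
    SSLEngine On
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
EOF
    (cd "$dir" && check_vhosts good-le-ssl.conf other-site.conf)
    rm -rf "$dir"
}
demo
```

On a live server the same function can be pointed at the enabled sites, for example `check_vhosts /etc/apache2/sites-enabled/*.conf`.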
