Port 443 is serving http, not https


#1

I’ve been running an Apache server on Ubuntu 16.04 for some time now. Just tried to add my first secure site using a LetsEncrypt certificate. That part went well, but then I got every browser complaining about trying to access the https version of my website (vintageapple.org).

Upon further investigation, I was able to confirm using wget that port 443 is serving up regular http, not https.

$ wget http://vintageapple.org:443 PR3-98758 ~
--2019-02-07 10:03:51-- http://vintageapple.org:443/
Resolving vintageapple.org... 45.56.87.249
Connecting to vintageapple.org|45.56.87.249|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5885 (5.7K) [text/html]
Saving to: ‘index.html.6’

index.html.6 100%[========================================================================================>] 5.75K --.-KB/s in 0s

2019-02-07 10:03:51 (175 MB/s) - ‘index.html.6’ saved [5885/5885]

Further confirmed by trying to get https with wget:

$ wget https://vintageapple.org:443 PR3-98758 ~
--2019-02-07 10:04:09-- https://vintageapple.org/
Resolving vintageapple.org... 45.56.87.249
Connecting to vintageapple.org|45.56.87.249|:443... connected.
OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Unable to establish SSL connection.

I’ve been all through the Apache and site settings, to make sure everything is set up to support https.

ports.conf:

Listen 80

Listen 443 https

Listen 443 https

sites-enabled conf file for the ssl version:

SSLEngine On
ServerAdmin info@24sevenhosting.net
ServerName www.vintageapple.org
ServerAlias vintageapple.org
DocumentRoot /srv/www/vintageapple.org/public_html/
ErrorLog /srv/www/vintageapple.org/logs/vintageapple.org-error.log
CustomLog /srv/www/vintageapple.org/logs/vintageapple.org-access.log combined
RewriteEngine On
RewriteOptions Inherit
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/vintageapple.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/vintageapple.org/privkey.pem

Note that I commented out the IfModule to try and see if that was preventing the secure version of the site from loading. No difference. I also added the extra SSLEngine On even though it is included in options-ssl-apache.conf just to see if it needed to be earlier in the configurations settings.

OpenSSL version:

OpenSSL 1.1.0h 27 Mar 2018 (Library: OpenSSL 1.1.1a 20 Nov 2018)

In the Apache error log:

[Thu Feb 07 09:41:06.460657 2019] [mpm_prefork:notice] [pid 23566] AH00163: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g configured -- resuming normal operations

I noticed the version of OpenSSL being reported by Apache is rather old. I have not been able to find out how to upgrade that to a newer version. I don’t know if that is my problem.

Any ideas? This has me stumped.

This was a pretty plain vanilla new 16.04 LTS install from a few years back with nothing special done to it. I religiously update and upgrade twice a month, so all updates available through apt-get upgrade are installed as of Feb 1st.


#2

Also apache2ctl -M shows the ssl_module is installed, and apache2ctl -S shows:

     port 443 namevhost www.vintageapple.org (/etc/apache2/sites-enabled/vintageapple.org-le-ssl.conf:3)
             alias vintageapple.org

     port 80 namevhost www.vintageapple.org (/etc/apache2/sites-enabled/vintageapple.org.conf:1)
             alias vintageapple.org

#3

It’s possible you have a VirtualHost for port 443 that doesn’t include SSLEngine On. Could you post your whole set of Apache config files for checking? Or just grep for VirtualHost.*443 and check that each of those config sections has SSLEngine On?
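The grep suggested above is quick to do by hand, but the check is easy to script so it can be rerun after every certbot run or config change. The following is an added example (it is not from this thread, and not Apache's or certbot's own tooling): a bash script that walks a directory of site configs and reports every port-443 VirtualHost block that never sets SSLEngine On in its own body. The directory layout, the constructed sample configs and the example.test hostnames are assumptions for the demo.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: report <VirtualHost ...:443> blocks
# that lack "SSLEngine On". Assumes standard Apache syntax and that the site
# configs live under the directory passed as $1 (e.g. /etc/apache2/sites-enabled).

check_ssl_vhosts() {
    # Prints "file:line" for every port-443 VirtualHost block whose body
    # (literal text only; Include files are not followed) has no SSLEngine On.
    dir=$1
    find "$dir" -type f -name '*.conf' | sort | while IFS= read -r f; do
        awk -v file="$f" '
            # drop comments (a commented-out block must not count) and lowercase
            { line = $0; sub(/#.*/, "", line); lc = tolower(line) }
            # opening tag of a vhost bound to port 443 on any address
            lc ~ /^[ \t]*<virtualhost[^>]*:443[ \t>]/ { in443 = 1; start = NR; engine = 0; next }
            in443 && lc ~ /^[ \t]*sslengine[ \t]+on/ { engine = 1 }
            in443 && lc ~ /^[ \t]*<\/virtualhost>/ {
                if (!engine) printf "%s:%d\n", file, start
                in443 = 0
            }
        ' "$f"
    done
}

make_sample() {
    # Constructed test data: a throwaway directory with one correct site
    # (SSLEngine On inside the 443 block) and one broken site (443 block
    # without it, in the same file as its port-80 block, as in the thread).
    sample=$(mktemp -d)
    cat > "$sample/good-le-ssl.conf" <<'EOF'
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName www.example.test
    SSLEngine On
    SSLCertificateFile /etc/letsencrypt/live/example.test/fullchain.pem
</VirtualHost>
</IfModule>
EOF
    cat > "$sample/broken.conf" <<'EOF'
<VirtualHost *:80>
    ServerName other.example.test
</VirtualHost>
<VirtualHost *:443>
    ServerName other.example.test
    DocumentRoot /srv/www/other
</VirtualHost>
EOF
    printf '%s\n' "$sample"
}

# Demo on the constructed data: only broken.conf is reported, at the line
# where its port-443 block opens.
demo=$(make_sample)
check_ssl_vhosts "$demo"
rm -rf "$demo"
```

mod_ssl decides whether to run TLS on a connection from the SSLEngine setting of the default (first-defined) VirtualHost for that address:port, because SNI is only available once a handshake is under way; a single 443 block without SSLEngine On that loads first is enough to turn the whole port into plain HTTP, which is exactly what the wget output in post #1 shows. The scanner reads each file literally and does not follow Include, so a block that gets SSLEngine On only from certbot's options-ssl-apache.conf will also be listed; treat the output as blocks to inspect, then confirm with apache2ctl configtest and an https request.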


#4

Holy cow, that was it. I had two misconfigured port 443 virtual hosts. I tried adding SSLEngine On to both of them to no avail. But when I commented out the sections of those config files (both had both port 80 and port 443 virtual hosts in one file), my original site worked.

Thanks!


#5

Congratulations!
https://www.ssllabs.com/ssltest/analyze.html?d=vintageapple.org&latest

Rip


#6

I used the certbot on Ubuntu to add security to those two additional sites and they work now too. Gotta love how easy it was.