Previously-working certificates stopped working after renewal/replacement

After issuing sudo certbot renew without any errors, all of my domain certificates that were due for renewal stopped working.

In Chrome:

This site can’t provide a secure connection
hughguiney.com sent an invalid response.
Try running Network Diagnostics.
ERR_SSL_PROTOCOL_ERROR

In Firefox:

Secure Connection Failed

An error occurred during a connection to hughguiney.com. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG

  • The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
  • Please contact the website owners to inform them of this problem.

Apache logs don’t show any SSL errors even on LogLevel debug.

After this, I tried replacing my certificates with even newer ones both yesterday and today, to no avail.


My domain is: https://hughguiney.com

I ran this command: sudo certbot certonly --webroot -w /path/to/webroot -d hughguiney.com -d www.hughguiney.com

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/hughguiney.com.conf)

What would you like to do?
-------------------------------------------------------------------------------
1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for hughguiney.com
http-01 challenge for www.hughguiney.com
Using the webroot path /path/to/webroot for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/hughguiney.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/hughguiney.com/privkey.pem
   Your cert will expire on 2018-04-17. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

My web server is (include version): Apache/2.4.29 (Unix)

The operating system my web server runs on is (include version): Arch Linux (Kernel 4.14.12-x86_64-linode92)

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The web server is running HTTP on port 443, instead of HTTPS.

http://hughguiney.com:443/ “works”, for example.

Those Certbot commands don’t modify the Apache configuration, so they shouldn’t be able to do much harm.

Could you post the Apache configuration?

In particular, check if the port 443 virtual hosts don’t have any SSL configuration, or if “SSLEngine on” is missing somehow.

SSL is configured and SSLEngine on is present. This config was working fine before; I didn’t touch it before or after installing the cert.

<VirtualHost *:443>
  ServerAdmin server@admin.com
  DocumentRoot "/path/to/webroot/"
  ServerName hughguiney.com:443
  ServerAlias www.hughguiney.com:443
  SuexecUserGroup user group
  ErrorLog "/path/to/logs/error.log"
  LogLevel debug
  CustomLog "/path/to/logs/access.log" combined

  SSLEngine On
  # SSLCertificateFile "/etc/letsencrypt/live/hughguiney.com/cert.pem"
  SSLCertificateFile "/etc/letsencrypt/live/hughguiney.com/fullchain.pem"
  SSLCertificateKeyFile "/etc/letsencrypt/live/hughguiney.com/privkey.pem"
  # SSLCACertificateFile 
  # SSLCertificateChainFile "/etc/letsencrypt/live/hughguiney.com/fullchain.pem"

  <Directory /path/to/webroot>
    AllowOverride All
    Options Indexes FollowSymLinks MultiViews
    Require all granted

    # not doing anything...
    # SSLRequireSSL
  </Directory>

  # http://www.linode.com/forums/viewtopic.php?t=2982
  <IfModule !mod_php5.c>
  <IfModule !mod_php5_filter.c>
  <IfModule !mod_php5_hooks.c>
  <IfModule mod_actions.c>
  <IfModule mod_alias.c>
  <IfModule mod_mime.c>
  <IfModule mod_fcgid.c>
    AddHandler php-fcgi .php
    Action php-fcgi /fcgi-bin/php-fcgid-wrapper
    Alias /fcgi-bin/ /path/to/fcgi-bin/
    FcgidMaxRequestLen 31457280
    FcgidIOTimeout 7200

    <Location /fcgi-bin/>
      SetHandler fcgid-script
      Options +ExecCGI
      Require all granted
    </Location>

    RewriteEngine On
    RewriteRule ^/fcgi-bin/[^/]*$ / [L,PT]
  </IfModule>
  </IfModule>
  </IfModule>
  </IfModule>
  </IfModule>
  </IfModule>
  </IfModule>
</VirtualHost>

I also have a Port 80 config but it’s virtually identical and is being skipped over with a 301 redirect to HTTPS anyway.

Hi @hugh,

As far as I know, you shouldn’t put the port on the ServerAlias directive. Remove the :443 part, restart Apache and try again.

If that doesn’t work, remove the :443 part in the ServerName directive as well; it should be valid in this directive… but just in case… :wink:

Cheers,
sahsanu

Oh? My configuration with the port specified has worked for years. But I did just try removing it in both places and neither helped.

Here’s what happens when I try wget:

$ wget hughguiney.com
--2018-01-28 14:41:01--  http://hughguiney.com/
Resolving hughguiney.com (hughguiney.com)... 97.107.129.26
Connecting to hughguiney.com (hughguiney.com)|97.107.129.26|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://hughguiney.com/ [following]
--2018-01-28 14:41:01--  https://hughguiney.com/
Connecting to hughguiney.com (hughguiney.com)|97.107.129.26|:443... connected.
OpenSSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number
Unable to establish SSL connection.

I Googled this and it looks like there might be a protocol mismatch between client and server, i.e. Google Chrome expects a certain SSL or TLS version, and my server only speaks something else. openssl version on my server reports OpenSSL 1.1.0g 2 Nov 2017. How do I troubleshoot from here?

The server is running HTTP on the HTTPS port. Clients usually give weird, unclear error messages when that happens.

If you load http://hughguiney.com:443/ it “works”, for example.

Edit: Oh, I said some of that before. :sweat:
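As an added illustration (not part of this thread), the Python script below shows why a plain-HTTP listener on port 443 produces exactly the errors quoted above: a TLS client reads the first five bytes of the server's reply as a record header, and the bytes "HTTP/" decode to an invalid content type, a non-0x03xx version (OpenSSL's "wrong version number") and a length above the TLS maximum (Firefox's "record too long"). The sample replies are constructed, and probe() is a hypothetical helper for a live check, not a tool the thread mentions.

```python
"""Tell whether a port-443 listener is speaking TLS or plain HTTP."""
import socket
import ssl
import struct

# RFC 5246: a TLS record body is at most 2^14 bytes plus 2048 bytes of expansion.
MAX_TLS_RECORD_LEN = 2**14 + 2048  # 18432
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}


def parse_record_header(first_bytes: bytes) -> dict:
    """Interpret the first five bytes the way a TLS client does."""
    if len(first_bytes) < 5:
        raise ValueError("need at least 5 bytes")
    ctype, version, length = struct.unpack("!BHH", first_bytes[:5])
    return {
        "content_type": ctype,
        "content_type_name": TLS_CONTENT_TYPES.get(ctype, "invalid"),
        "version": version,
        "version_ok": (version >> 8) == 3,      # SSL 3.0 / TLS 1.x are 0x03xx
        "length": length,
        "length_ok": length <= MAX_TLS_RECORD_LEN,
    }


def classify_reply(first_bytes: bytes) -> str:
    """Return 'plaintext-http', 'tls' or 'unknown' for a server's first bytes."""
    if first_bytes.startswith(b"HTTP/"):
        return "plaintext-http"
    if len(first_bytes) < 5:
        return "unknown"
    hdr = parse_record_header(first_bytes)
    if hdr["content_type_name"] != "invalid" and hdr["version_ok"] and hdr["length_ok"]:
        return "tls"
    return "unknown"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Live check (hypothetical helper): try a TLS handshake; if it fails,
    send a plain HTTP request and classify whatever comes back."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "tls:" + tls.version()
    except ssl.SSLError:
        pass
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        return classify_reply(raw.recv(5))


# Constructed sample: the 400 Apache typically returns when a TLS ClientHello
# arrives on a port that is serving plain HTTP.
SAMPLE_HTTP_REPLY = b"HTTP/1.1 400 Bad Request\r\nServer: Apache/2.4.29 (Unix)\r\n\r\n"
# Constructed sample: the start of a genuine TLS 1.2 ServerHello record.
SAMPLE_TLS_REPLY = bytes.fromhex("160303004a02000046")
```

Run parse_record_header(SAMPLE_HTTP_REPLY) to see the header a client derives from "HTTP/": content type 0x48, version 0x5454 and length 20527, which exceeds 18432.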

I don’t know what to do with that information. Like I said, I didn’t change my Apache config at all, and before renewing my certs, HTTPS worked as expected. So it’s not as if I can modify my httpd.conf or VirtualHosts to enable serving HTTPS, because it’s already enabled. Which leads me to believe there is something wrong on the Let’s Encrypt side rather than the configuration side. I don’t suppose the LE servers are returning bad certs, or a lot more people would be having this issue. Perhaps there is a compatibility issue with the latest version of Apache or mod_ssl or something? I did perform a system upgrade recently, but I checked and my httpd.conf and VirtualHost configs are exactly the same as they were before the upgrade.

Hi @hugh,

If you can tar the contents of /etc/httpd/:

tar zcvf /tmp/httpd-hugh.tar.gz /etc/httpd/

and upload it or leave it on your own web server and share a link to download it, I could download and test it on my own VM.

Cheers,
sahsanu
