I issued three Let’s Encrypt certificates with certbot (two of them were renewed, one is completely new). When I load the page everything works fine. After reloading the site a few times the website throws an SSL Exception: ERR_SSL_PROTOCOL_ERROR (Chrome) / SSL_ERROR_INTERNAL_ERROR_ALERT (FireFox)
When I reload the page again it gets back working sometimes (and sometimes not). This appears for all of the tree domains. Sometimes they work, and sometimes they don’t. I haven’t found any regularity in this behaviour.
It seems as it apache is confused by the setup.
I checked the logs and found the following error code in apache’s error.log: AH01990: PRNG still contains insufficient entropy!
You shouldn’t need to use things like haveged on a modern Linux kernel, it’s capable of using hardware events as entropy these days.
The only time you should be seeing that warning is if OpenSSL can’t initialize it’s internal RNG, it should use the kernel RNG by default which should mean that should never happen. Is SSLRandomSeed being set to something different in any of the Apache config files?
If it’s not being set anywhere, another option is to try this in a global configuration area