Rebuilt Ookla Speedtest Server Failing HTTPS from Certain Browsers

jwhitten3 · October 13, 2021, 2:09pm

I am having a strange issue after rebuilding our speedtest server. The OOKLA client is happy with the renewed certs, but if you navigate to https://speedtest.waveruralconnect.com, sometimes it will work, other times it will display ssl error: "An ssl error has occurred and a secure connection to the server cannot be made". The cert renewal went well according to certbot output and i am pointing to the correct cert. What's got me really stumped is that OOKLA and ssllabs is also happy with the server https. Our server is online according to ookla and being used for tests.

My domain is:
speedtest.waveruralconnect.com

I ran this command:

It produced this output:

My web server is (include version):
Apache/2.4.41 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 20.04.3 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
0.40.0

rg305 · October 13, 2021, 4:51pm

Please check the bindings, IPv4 seems to work while IPv6 seems to always fail:

Name:      speedtest.waveruralconnect.com
Addresses: 2602:fdfc:0:8::2
           170.176.224.5

curl -Iki6 https://speedtest.waveruralconnect.com
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

jwhitten3 · October 13, 2021, 6:45pm

rg305,
thank you! That worked like a champ.

jwhitten3 · October 14, 2021, 3:09am

I did think of one more question. I know that port 80 had to be open to get started, but can it be closed after the https certificate has been issued and the renew continue to work? Or does certbot/letsencrypt have to have port 80 open?

rg305 · October 14, 2021, 3:21am

The next renewal will also be started via port 80 (HTTP).
See:
Best Practice - Keep Port 80 Open - Let's Encrypt (letsencrypt.org)

jwhitten3 · October 14, 2021, 4:15am

Great thank you. I will keep redirect turned on as per the article.

system · November 13, 2021, 4:15am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Error: SSL certificate problem: unable to get local issuer certificate Server	38	27846	April 13, 2019
Ookla Https only on ports 8080 and 5060, not 443 Help	14	4277	September 20, 2019
Ookla Https only does not work on ports 8080 and 5060 Help	5	1815	November 12, 2019
Unable to get https ssl certificate on 8080 and 5060 port for ookla speedtest server Help	17	6657	June 10, 2020
Host a speedtest server on Ookla Help	6	3944	August 20, 2020

Rebuilt Ookla Speedtest Server Failing HTTPS from Certain Browsers

Related topics