Server or Certificate issue?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mydomainName:443

I ran this command:
in firefox : mydomainName:443
It produced this output: SSL_ERROR_NO_CYPHER_OVERLAP

I ran this command:
in cmd : openssl s_client -connect mydomainName:443 -servername mydomainName -msg
It produced this output:

CONNECTED(000001D8)
>>> TLS 1.0, RecordHeader [length 0005]
    16 03 01 01 43
>>> TLS 1.3, Handshake [length 0143], ClientHello
    01 00 01 3f 03 03 05 8b 9e 17 48 35 f5 40 2a a2
    18 0d 9b fd c1 d0 e9 e3 92 dd cb f1 f7 f7 1d f0
    c2 89 c1 5d 01 5b 20 8b f5 9f 49 b0 28 57 59 f6
    56 c2 f2 79 5a 7d 2b 51 cc e1 a0 0b ee 56 53 92
    cd a0 1b c5 1b 93 56 00 3e 13 02 13 03 13 01 c0
    2c c0 30 00 9f cc a9 cc a8 cc aa c0 2b c0 2f 00
    9e c0 24 c0 28 00 6b c0 23 c0 27 00 67 c0 0a c0
    14 00 39 c0 09 c0 13 00 33 00 9d 00 9c 00 3d 00
    3c 00 35 00 2f 00 ff 01 00 00 b8 00 00 00 1b 00
    19 00 00 16 62 6f 72 6f 77 6b 61 63 68 61 6c 75
    70 79 2e 64 75 63 6b 64 6e 73 00 0b 00 04 03 00
    01 02 00 0a 00 16 00 14 00 1d 00 17 00 1e 00 19
    00 18 01 00 01 01 01 02 01 03 01 04 00 23 00 00
    00 16 00 00 00 17 00 00 00 0d 00 2a 00 28 04 03
    05 03 06 03 08 07 08 08 08 09 08 0a 08 0b 08 04
    08 05 08 06 04 01 05 01 06 01 03 03 03 01 03 02
    04 02 05 02 06 02 00 2b 00 09 08 03 04 03 03 03
    02 03 01 00 2d 00 02 01 01 00 33 00 26 00 24 00
    1d 00 20 e8 fa ca a1 e2 3a 39 86 eb 8e c7 f2 ac
    9d 72 5e 12 8a 74 26 a9 92 de de e0 97 c1 2b 0c
    73 26 74
<<< TLS 1.2, RecordHeader [length 0005]
    15 03 03 00 02
<<< TLS 1.3, Alert [length 0002], fatal handshake_failure
    02 28
145E0000:error:0A000410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl\record\rec_layer_s3.c:1586:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 328 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

My web server is (include version): QtHttpServer api (uses openssl 3.0.11 19 Sep 2023)

The operating system my web server runs on is (include version 22H2): Windows 11 pro

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): No

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.6.0

My QtHttpserver app api runs successfull when using port 80.
I try to fix my ssl connection over two monthes and at this point I do not know if it is server or certificate problem????
Look here: QHttpServer, api, https, openssl, LetsEncrypt, sslv3 alert handshake failure-alert number 40 | Qt Forum
Thanks in advance

Nope.

Please share any relevant information here on this forum.

My hosting provider, if applicable, is: My PC(on which QtHttpserver app api runns) machine is the host.
I can login to a root shell on my machine (yes or no, or I don't know): do not know

I ran this command:
was :
in cmd : openssl s_client -connect mydomainName:443 -servername mydomainName -msg
should be: openssl s_client -connect mydomainName:443 -servername mydomainName -msg

How did you configure the QHttpServer class for TLS?

Please put any source code between three backticks ("```", on a separate line above and below the code).

first solution which didn't work:

 QSslConfiguration sslConfig;
 sslConfig.setCaCertificates(sslCertificateChain);
 sslConfig.setPrivateKey(privateKey);
 sslConfig.setProtocol(QSsl::TlsV1_0OrLater);
 httpServer.sslSetup(sslConfig);

another one: (failed too)

QHttpServer httpServer; 
httpServer.sslSetup(sslCertificateChain.front(), QSslKey(&privateKeyFile, QSsl::Rsa), QSsl::TlsV1_0OrLater);

Your most recent certificate isn't RSA, but ECDSA. It might work if you changed QSsl::Rsa to QSsl::Ec.

Leaving this here:

❯ nmap -p 8443 --script ssl-enum-ciphers example.org -Pn -A
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-19 16:15 CET
Nmap scan report for example.org (*snip*)
Host is up (0.12s latency).
rDNS record for *snip*: example.org

PORT     STATE SERVICE        VERSION
8443/tcp open  ssl/https-alt?
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 (dh 1024) - A
|       TLS_DHE_PSK_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_PSK_WITH_AES_256_CBC_SHA384 - unknown
|       TLS_PSK_WITH_AES_256_CBC_SHA - unknown
|       TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 (dh 1024) - A
|       TLS_DHE_PSK_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_PSK_WITH_AES_128_CBC_SHA256 - unknown
|       TLS_PSK_WITH_AES_128_CBC_SHA - unknown
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 (dh 1024) - A
|       TLS_DHE_PSK_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_PSK_WITH_AES_256_CBC_SHA384 - unknown
|       TLS_PSK_WITH_AES_256_CBC_SHA - unknown
|       TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 (dh 1024) - A
|       TLS_DHE_PSK_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_PSK_WITH_AES_128_CBC_SHA256 - unknown
|       TLS_PSK_WITH_AES_128_CBC_SHA - unknown
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 (dh 1024) - A
|       TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 (dh 1024) - A
|       TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_PSK_WITH_AES_256_GCM_SHA384 - unknown
|       TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 - unknown
|       TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 (dh 1024) - A
|       TLS_PSK_WITH_AES_128_GCM_SHA256 - unknown
|       TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 (dh 1024) - A
|       TLS_DHE_PSK_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_PSK_WITH_AES_256_CBC_SHA384 - unknown
|       TLS_PSK_WITH_AES_256_CBC_SHA - unknown
|       TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 (dh 1024) - A
|       TLS_DHE_PSK_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_PSK_WITH_AES_128_CBC_SHA256 - unknown
|       TLS_PSK_WITH_AES_128_CBC_SHA - unknown
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: unknown

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.11 seconds

~ took 29s

I don't see any obvious reason for no_cipher_overlap

I have changed for QSslEc

 httpServer.sslSetup(sslCertificateChain.front(), QSslKey(&privateKeyFile, QSsl::Ec), QSsl::TlsV1_0OrLater);

Now I got :
I ran this command:
in firefox : mydomainName:443
It produced this output: PR_END_OF_FILE_ERROR

I ran this command:
in cmd : openssl s_client -connect mydomainName:443 -mydomainName: -msg
It produced this output:

CONNECTED(000001DC)
>>> TLS 1.0, RecordHeader [length 0005]
    16 03 01 01 43
>>> TLS 1.3, Handshake [length 0143], ClientHello
    01 00 01 3f 03 03 c8 52 a5 33 8c a1 d7 aa c1 95
    42 af 49 f1 ca 35 dd 73 01 f7 6a df c7 c2 b0 ec
    06 f5 de da 43 90 20 fa 79 c9 7f 3d 62 e6 1f 90
    a7 2e e1 ee 2d aa de b5 dc 76 bd 98 36 32 28 91
    4c ea d2 a9 2e 8d dc 00 3e 13 02 13 03 13 01 c0
    2c c0 30 00 9f cc a9 cc a8 cc aa c0 2b c0 2f 00
    9e c0 24 c0 28 00 6b c0 23 c0 27 00 67 c0 0a c0
    14 00 39 c0 09 c0 13 00 33 00 9d 00 9c 00 3d 00
    3c 00 35 00 2f 00 ff 01 00 00 b8 00 00 00 1b 00
    19 00 00 16 62 6f 72 6f 77 6b 61 63 68 61 6c 75
    70 79 2e 64 75 63 6b 64 6e 73 00 0b 00 04 03 00
    01 02 00 0a 00 16 00 14 00 1d 00 17 00 1e 00 19
    00 18 01 00 01 01 01 02 01 03 01 04 00 23 00 00
    00 16 00 00 00 17 00 00 00 0d 00 2a 00 28 04 03
    05 03 06 03 08 07 08 08 08 09 08 0a 08 0b 08 04
    08 05 08 06 04 01 05 01 06 01 03 03 03 01 03 02
    04 02 05 02 06 02 00 2b 00 09 08 03 04 03 03 03
    02 03 01 00 2d 00 02 01 01 00 33 00 26 00 24 00
    1d 00 20 45 1c f0 5d d7 1a a9 c4 fa a9 bb ee 52
    4f 22 cc 1f aa 3b e8 af 39 06 e9 83 fd 8b 8f 64
    8b 4f 58
>>> TLS 1.0, RecordHeader [length 0005]
    15 03 01 00 02
>>> TLS 1.3, Alert [length 0002], fatal decode_error
    02 32
C85B0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:ssl\record\rec_layer_s3.c:304:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 335 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

I also used nap to check it ...but anyway in firefox this is the error.
On Chrome I got: ERR_CONNECTION_CLOSED

What does that sslCertificateChain.front() do? I can't find it in List of All Members for QSslCertificate | Qt Network 6.6.0.

To load fullchain.pem :

const auto sslCertificateChain =
        QSslCertificate::fromPath(QStringLiteral("C:/Certbot/live/myDomainName/fullchain.pem"), QSsl::EncodingFormat::Pem);

const auto sslCertificateChain is QList which have certificates so:

httpServer.sslSetup(sslCertificateChain.front(), QSslKey(&privateKeyFile, QSsl::Ec), QSsl::TlsV1_0OrLater);

returns const_reference. see here: QList Class | Qt Core 6.6.0
QList::const_reference const_reference-typedef) QList::front() const
When I use commends:

const auto certs = QSslCertificate::fromPath("C:/Certbot/live/mydomainName.*.pem",
                                                 QSsl::Pem, QSslCertificate::PatternSyntax::FixedString);
for (const QSslCertificate &cert : certs) {
        qDebug() << cert.issuerInfo(QSslCertificate::Organization);
    }

I got:
QList("Let's Encrypt")
QList("Internet Security Research Group")
QList("Digital Signature Trust Co.")

Hmkay. Well, I'm out of ideas, sorry. Maybe someone else with actual Qt experience can chip in.

Thanks anyway
But tell me do you think is it the cert problem or the server???

Most likely a QtHttpServer (configuration) issue. Looks like your certificate is fine, glancing at the cert.issuerInfo info you've provided. And as QSsl has a QEc option, Qt should be perfectly fine with an ECDSA certificate.

Using this configuration:

QSslKey privateKey(&privateKeyFile, QSsl::Ec, QSsl::Pem, QSsl::PrivateKey);
    QSslConfiguration sslConfig;  
    sslConfig.setCaCertificates(sslCertificateChain);    
    sslConfig.setPrivateKey(privateKey);
    sslConfig.setProtocol(QSsl::TlsV1_0OrLater);
    //sslConfig.setPeerVerifyMode(QSslSocket::VerifyPeer);

    //httpServer.sslSetup(sslCertificateChain.front(), QSslKey(&privateKeyFile, QSsl::Ec), QSsl::TlsV1_0OrLater);
   httpServer.sslSetup(sslConfig);
    privateKeyFile.close();

Not that one:

httpServer.sslSetup(sslCertificateChain.front(), QSslKey(&privateKeyFile, QSsl::Ec), QSsl::TlsV1_0OrLater);

I got:

CONNECTED(000001D8)
>>> TLS 1.0, RecordHeader [length 0005]
    16 03 01 01 43
>>> TLS 1.3, Handshake [length 0143], ClientHello
    01 00 01 3f 03 03 26 63 4d 99 cc 03 c6 0e 6f 39
    6d bb 3c ba ce 93 a6 82 d7 0f 0e db f2 f6 2e fc
    33 46 44 71 1f e0 20 eb ae 8a d0 5c ec 3e 94 df
    e2 50 98 89 03 c4 a1 eb c9 75 7d ee 74 e9 81 d9
    5b c2 fb bb b3 51 4d 00 3e 13 02 13 03 13 01 c0
    2c c0 30 00 9f cc a9 cc a8 cc aa c0 2b c0 2f 00
    9e c0 24 c0 28 00 6b c0 23 c0 27 00 67 c0 0a c0
    14 00 39 c0 09 c0 13 00 33 00 9d 00 9c 00 3d 00
    3c 00 35 00 2f 00 ff 01 00 00 b8 00 00 00 1b 00
    19 00 00 16 62 6f 72 6f 77 6b 61 63 68 61 6c 75
    70 79 2e 64 75 63 6b 64 6e 73 00 0b 00 04 03 00
    01 02 00 0a 00 16 00 14 00 1d 00 17 00 1e 00 19
    00 18 01 00 01 01 01 02 01 03 01 04 00 23 00 00
    00 16 00 00 00 17 00 00 00 0d 00 2a 00 28 04 03
    05 03 06 03 08 07 08 08 08 09 08 0a 08 0b 08 04
    08 05 08 06 04 01 05 01 06 01 03 03 03 01 03 02
    04 02 05 02 06 02 00 2b 00 09 08 03 04 03 03 03
    02 03 01 00 2d 00 02 01 01 00 33 00 26 00 24 00
    1d 00 20 a6 27 50 8b e9 d3 19 51 35 36 72 d6 56
    f8 24 b5 14 30 7e bc 25 1f a1 08 c8 7b 1d 83 b2
    61 1e 6f
<<< TLS 1.2, RecordHeader [length 0005]
    15 03 03 00 02
<<< TLS 1.3, Alert [length 0002], fatal handshake_failure
    02 28
283B0000:error:0A000410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl\record\rec_layer_s3.c:1586:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 328 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

So it looks like it is a server issue ...
but in Windows cert store:
DST Root CA X3 cert is not valid anymore end date is 30.09.2021. I have removed it but somehow it come back to Windows cert store somehow????

^^ What's the point of setting the cert chain?

^^ What does the server do with the first cert from that chain?

In Qt docks links:
"QSslConfiguration Class | Qt Network 6.6.0"
What does the server do with the first cert from that chain? - do not know
and here: Secure Sockets Layer (SSL) Classes | Qt Network 6.6.0

Hm, weird that QSsl::Pem, QSsl::PrivateKey would be required. If I read QSslKey Class | Qt Network 6.6.0 correctly (with a good possibility I don't..), those two options would already default to what you've set currently?:

QSslKey(const QByteArray &encoded, QSsl::KeyAlgorithm algorithm, QSsl::EncodingFormat encoding = QSsl::Pem, QSsl::KeyType type = QSsl::PrivateKey, const QByteArray &passPhrase = QByteArray())

Not sure why it would suddenly work if you provide the same as the defaults

Ah well, luckily you've got it working, that's what matters

As you said these params are set as default. I put it in the function for I saw the same params in the first cofig:

SslKey privateKey(&privateKeyFile, QSsl::Ec, QSsl::Pem, QSsl::PrivateKey);

It is realy strange but I removed these params from that function and It is still working?????????????

You have noticed that I have Ec not Rsa cert. With Rsa I got error:

94640000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:ssl\record\rec_layer_s3.c:304:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 335 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

So it looks like You Help me not I myself.
It is good that you have checked it because now I realy know what it was about.
I need to change my post on Qt forum - what was the real issue.
Very thanks again and check the last post on:

PS I am still confused why it was not working at once when I changed QSsl::Rsa to QSsl:Ec ... I was realy in a hurry doing this that probably I did not restart my server app that's why there was still error after change Rsa to Ec - I think this is the reason.

Can You alter my real domainname in your post for " mydomainName:443 " -I ask because security resons
Thanks in advance