Site doesn't load, gives ERR_SSL_PROTOCOL_ERROR from site, browser loads internal IP, Ubuntu, Apache, Wildcard cert

I created a wildcard SSL with certbot automatically. I then added the location of the SSL files to my Apache virtualhost files.

My www.bcae.us forwards to our main site.
The mail.bcae.us forwards to a linux Zorin server hosting a mail web app.

When the browser accesses the site, it has no success; I get the ERR_SSL_PROTOCOL_ERROR.

If I hit the same mail web app from my internal ip, it loads with a warning of the site not being secure and displays the wildcard certificate. That "not secure" should be expected because it is the internal IP which isn't associated with the *.bcae.us domain.

My service is seen through the specified port via the internet, so that's good as well.

I'm port forwarding to a specific IP:PORT for this web app.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mail.bcae.us

I ran this command: certbot certonly --manual --preferred-challenges=dns --email chris@bcae.us --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d *.bcae.us

It produced this output:
"Please deploy a DNS TXT record under the name: ....etc.

Successfully received certificate.
Certificate is saved at /etc/letsencrypt/live/bcae.us/fullchain.pem
Key is saved at: /etc/letsencrypt/live/bcae.us/privkey.pem
This certificate expires on 2023-03-14."

My web server is (include version):

The operating system my web server runs on is (include version):
Zorin (Ubuntu)

My hosting provider, if applicable, is: www.ionos.com

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
1.32.1

Hello @chrisatbcae, welcome to the Let's Encrypt community. :slightly_smiling_face:

I think there is a configuration error on the server for TLS, I suggest only using TLSv1.2 and TLSv1.3

$ curl -I https://www.bcae.us
curl: (35) error:0A000438:SSL routines::tlsv1 alert internal error

And using this online tool https://check-host.net/ gives similar results


Side notes:
Also a few links on SHA-1 and TLS v1.0/1.1 with requesting certificates from Let's Encrypt.

  1. Rejecting SHA-1 CSRs and validation using TLS 1.0 / 1.1 URLs
  2. Email feedback: TLS 1.0/1.1 deprecation and SHA-1 deprecation
  3. Questions about TLS 1.0 / 1.1 deprecation for ACME requests

Using this online tool https://crt.sh/ here is a list of issued certificates https://crt.sh/?q=bcae.us


Hi @chrisatbcae, you left that blank. Using this online tool (Redirect Checker | Check your Statuscode 301 vs 302) I was checking the redirections for http://www.bcae.us/ and obtained these results.
And I see both Apache and nginx; knowing which one is serving the certificate is important for other Let's Encrypt community volunteers to know.
Kindly wait for more knowledgeable Let's Encrypt community volunteers to assist.

>>> http://www.bcae.us/

> --------------------------------------------
> 302 Found
> --------------------------------------------

|**Status:**|302 Found|
| --- | --- |
|**Code:**|302|
|**Content-Type:**|text/html|
|**Content-Length:**|0|
|**Connection:**|close|
|**Date:**|Fri, 16 Dec 2022 00:03:17 GMT|
|**Server:**|Apache|
|**Cache-Control:**|no-cache|
|**Location:**|https://www.brateneconst.com|

>>> https://www.brateneconst.com

> --------------------------------------------
> 200
> --------------------------------------------

|**Status:**|200|
| --- | --- |
|**Code:**|200|
|**server:**|nginx|
|**date:**|Fri, 16 Dec 2022 00:03:18 GMT|
|**content-type:**|text/html;charset=utf-8|
|**d-cache:**|from-cache|
|**strict-transport-security:**|max-age=31536000; preload|
|**x-frame-options:**|SAMEORIGIN|
|**content-security-policy:**|frame-ancestors 'self'|
|**x-content-type-options:**|nosniff|
|**vary:**|user-agent,accept-encoding|
|**d-geo:**|US|
|**connection:**|close|

I have not set up www.bcae.us with a wildcard cert. It is only set on mail.bcae.us at the moment.

I'm using Apache. But again in that search, you're using www.bcae.us, and my wildcard cert is only setup on the mail.bcae.us subdomain at this time

Please clarify the issue you are wanting to solve (at least first).


I'd like not to have the **ERR_SSL_PROTOCOL_ERROR** when trying to access https://mail.bcae.us


OK; I am starting to get it, sorry. I was assuming that it wasn't a web based email interface, but a secure SMTP server. Dumb me. :slightly_frowning_face:

Still looks like

$ curl -I https://mail.bcae.us/
curl: (35) error:0A000438:SSL routines::tlsv1 alert internal error

$ curl -I http://mail.bcae.us/
HTTP/1.1 302 Found
Content-Type: text/html
Connection: keep-alive
Keep-Alive: timeout=15
Date: Fri, 16 Dec 2022 00:21:26 GMT
Server: Apache
Cache-Control: no-cache
Location: https://47.181.175.21:443

Ok then. That sounds like a possibility that could make sense from all my troubleshooting.

Where do I change the TLS version in my apache config?

And this is where this comes into play.

Apache

Btw, where do you see "both Apache and nginx"? I did install nginx first but I disabled that web server.


Kindly wait for more knowledgeable Let's Encrypt community volunteers to assist.


From here on www.bcae.us; didn't try mail.bcae.us


Here are the results for mail.bcae.us, no nginx there.

>>> http://mail.bcae.us/

> --------------------------------------------
> 302 Found
> --------------------------------------------

|**Status:**|302 Found|
| --- | --- |
|**Code:**|302|
|**Content-Type:**|text/html|
|**Content-Length:**|0|
|**Connection:**|close|
|**Date:**|Fri, 16 Dec 2022 00:35:32 GMT|
|**Server:**|Apache|
|**Cache-Control:**|no-cache|
|**Location:**|https://47.181.175.21:443|

>>> https://47.181.175.21:443

> --------------------------------------------
> 200 OK
> --------------------------------------------

|**Status:**|200 OK|
| --- | --- |
|**Code:**|200|
|**Date:**|Fri, 16 Dec 2022 00:35:33 GMT|
|**Server:**|Apache/2.4.41 (Ubuntu)|
|**Strict-Transport-Security:**|max-age=31536000|
|**Referrer-Policy:**|no-referrer|
|**X-Content-Type-Options:**|nosniff|
|**Content-Security-Policy:**|base-uri 'self'; default-src 'self'; script-src 'strict-dynamic' 'unsafe-eval' 'nonce-5db904cb-9e80-47c6-b817-12a12a5c659e'; img-src 'self' data: https: http:; style-src 'self' 'unsafe-inline'|
|**X-XSS-Protection:**|1; mode=block|
|**Expires:**|Mon, 26 Jul 1997 05:00:00 GMT|
|**Last-Modified:**|Fri, 16 Dec 2022 00:35:33 GMT|
|**Cache-Control:**|no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0|
|**Pragma:**|no-cache|
|**Vary:**|Accept-Encoding|
|**Connection:**|close|
|**Content-Type:**|text/html; charset=utf-8|

@chrisatbcae, I forgot the most obvious. Instructions are here Certbot Instructions | Certbot


Added a line for SSLProtocol to be +TLSv1.2 +TLSv1.3, and now when I run the curl I get a new error...

curl -I https://mail.bcae.us/
curl: (35) error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error

I get this now

$ curl -I https://mail.bcae.us/
curl: (35) error:0A000126:SSL routines::unexpected eof while reading

Alright, so the unexpected EOF is something I've seen towards the beginning of installing these wildcard certs. Could it be that they are bad certs? How can I verify that I don't have bad certs?

Not sure why there is an EOF there
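The last post asks how to verify that the certs are not bad. The script below is an added example (not from the thread, and not Certbot's or Let's Encrypt's own tooling) that checks a certbot live directory in the layout certbot reported above: the private key matches the leaf in fullchain.pem, the leaf lists the expected wildcard SAN, and it has not expired; it also carries a TLS 1.2 handshake probe for the public hostname. The directory paths and the example.test names are assumptions, and the self-signed pair it generates is a constructed stand-in for the real issuance.

```shell
#!/bin/sh
# Added example, not code from the thread or from Certbot/Let's Encrypt.
# Checks a certbot "live" directory the way you would after a TLS handshake
# failure: key matches the leaf cert, leaf covers the expected name, not expired.
set -eu

# 0 when the public key in $1/privkey.pem equals the leaf cert's public key.
cert_key_match() {
    c=$(openssl x509 -in "$1/fullchain.pem" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$1/privkey.pem" -pubout 2>/dev/null | openssl sha256)
    [ "$c" = "$k" ]
}

# 0 when the leaf cert's subjectAltName lists exactly $2 (e.g. '*.bcae.us').
# Literal SAN lookup: a wildcard SAN covers mail.bcae.us in TLS, but asking
# for 'mail.bcae.us' here reports "not listed".
cert_covers_name() {
    openssl x509 -in "$1/fullchain.pem" -noout -ext subjectAltName \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qxF "DNS:$2"
}

# 0 when the leaf cert is currently valid (not past notAfter).
cert_not_expired() {
    openssl x509 -in "$1/fullchain.pem" -noout -checkend 0 >/dev/null
}

# 0 when a TLS 1.2 handshake to $1:443 with SNI $1 completes. Needs network,
# so the offline self-check below does not call it.
tls12_handshake_ok() {
    printf '' | openssl s_client -connect "$1:443" -servername "$1" -tls1_2 \
        >/dev/null 2>&1
}

# Constructed stand-in for a certbot wildcard issuance so this runs offline
# (assumed names; the thread's real cert lives under /etc/letsencrypt/live).
make_test_live_dir() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$1/privkey.pem" -out "$1/fullchain.pem" \
        -subj "/CN=*.example.test" \
        -addext "subjectAltName=DNS:*.example.test,DNS:example.test" \
        >/dev/null 2>&1
}

# Runs the three offline checks and names the first one that fails.
check_live_dir() {
    cert_key_match "$1"        || { echo "privkey.pem does not match leaf cert"; return 1; }
    cert_covers_name "$1" "$2" || { echo "leaf cert does not list DNS:$2"; return 1; }
    cert_not_expired "$1"      || { echo "leaf cert is expired"; return 1; }
    echo "OK: $1 is consistent for $2"
}
```

On the real box, run `check_live_dir /etc/letsencrypt/live/bcae.us '*.bcae.us'` as root, then `tls12_handshake_ok mail.bcae.us` from outside to separate a bad file from a bad Apache TLS setup.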