SSL Certificate generated and seems to be OK, but browser gives ERR_SSL_PROTOCOL_ERROR

I created a certificate for (yet) internal server, the ssl certificate seems to be OK (For example if i use the certificate in my adguard home (for encryption): Adguard home states the following:

And for the key:

  • This is a valid ECDSA private key

However if try to access it via my browser in my network, the browser gives the ERR_SSL_PROTOCOL_ERROR message and will not continue.

If i look at ( | 8739541196) : I see the status is "precertficate". Is that the problem, and if so how can i avoid this.

My domain is: (certificate was generated for

I ran this command:
certbit certonly --dns-cloudflare --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini --dns-cloudflare-propagation-seconds 60 -d

It produced this output:
Found the following certs:
Certificate Name:
Serial Number: 49cf47d11fcaf50ec9347ef9e7f742ef951
Key Type: ECDSA
Expiry Date: 2023-05-26 12:34:43+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/
Private Key Path: /etc/letsencrypt/live/

My web server is (include version):
Built in webserver of adguard home

The operating system my web server runs on is (include version):
Arch linux x64

My hosting provider, if applicable, is:
N/A internally hosted

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.3.0

No, that's not the problem. Pre-certs are part of the way LE gets the "Signed Certificate Timestamp" (SCT) from the Certificate Transparancy Log. You were issued a real certificate with the SCTs received from the CT logs using the pre-cert.

That said, I have no clue about Adguard Home and your server is internal, so no way to debug it remotely. Thus, just guessing here, but perhaps it has something to do with the cert being ECDSA instead of RSA? Although you say Adguard Home reports a valid ECDSA key so one should assume Adguard can deal with that..


Thx, I solved the problem (stupid me). In non-https, I configured that for the web interface port 3000 should be used (so I could access it via After I activated the encryption, I only changed the http into https, so the encrypted connection still tried to access via port 3000. This obviously does not work. The moment I leave out the port number (so, it works, as the default 443 is used.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.