SSL error blocks access from certain browsers/networks using apache2

Can someone help me figure out why there is an SSL error on my website?
I'll do my best to explain. Certain people have told me that my site is inaccessible. I can't reproduce it because from my end (home network and cell network) it loads fine. I have tested it in Firefox, Chrome, and Brave from all my devices. I'm sorry, but I can't print out the error because no one has helped me by sending a screenshot of what the error says.

My apache2 .conf files and .htaccess file are posted here:
https://pastebin.com/riVMcwYN
The first section in the paste is actually the regular .conf, not the le-ssl.conf. Sorry about that.
Thank you so much for your time and efforts.

My domain is: https://pastlife.works

My web server is: apache2 2.4.38-3+deb10u7 amd64

The operating system is: Debian 10 4.19.208-1 (2021-09-29) x86_64 GNU/Linux

My hosting provider is: Linode.com

I can login to a root shell?: yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot/oldstable,now 0.31.0-1+deb10u1 all [installed]
python-certbot-apache/oldstable,now 0.31.0-1 all [installed]
python3-certbot/oldstable,now 0.31.0-1+deb10u1 all [installed,automatic]
python3-certbot-apache/oldstable,now 0.31.0-1 all [installed,automatic]

Update: someone did report they get an error with curl:
(35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

Hi @pastlife and welcome to the LE community forum 🙂

The problem seems to be only with IPv4:

curl -Ii4 https://www.pastlife.works
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

curl -Ii6 https://www.pastlife.works
HTTP/1.1 200 OK
Date: Thu, 17 Feb 2022 01:24:48 GMT
Server: Apache/2.4.38 (Debian)
Last-Modified: Mon, 07 Feb 2022 17:34:34 GMT
ETag: "11c6-5d7710392990f"
Accept-Ranges: bytes
Content-Length: 4550
Vary: Accept-Encoding
Content-Type: text/html

You can start to unravel the mystery with the output of:
apachectl -t -D DUMP_VHOSTS


More information:

curl -Ii4 https://www.pastlife.works/
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

curl -Ii4 http://www.pastlife.works:443/
HTTP/1.1 200 OK
Date: Thu, 17 Feb 2022 01:29:02 GMT
Server: Apache/2.4.38 (Debian)
Last-Modified: Mon, 07 Feb 2022 17:34:34 GMT
ETag: "11c6-5d7710392990f"
Accept-Ranges: bytes
Content-Length: 4550
Vary: Accept-Encoding
Content-Type: text/html
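The two curl results above are the whole diagnosis in miniature: on IPv4, port 443 answers a TLS ClientHello with a plain HTTP response, so OpenSSL reads the ASCII "HTTP/" as a TLS record header (content type 0x48, version 0x5454) and fails its first check, the major-version byte, with "wrong version number". The script below is an added example, not code from the thread: it reproduces that header parse on constructed bytes, classifies what a server sends first on a port, and wraps both in a per-address-family probe that mimics `curl -4` / `curl -6` (the probe needs network access; the assertions only exercise the offline helpers). The host name in the `__main__` block is taken from the thread; everything else is assumed.

```python
"""Tell a TLS listener from a plaintext HTTP listener on port 443, per address
family, and show why OpenSSL reports "wrong version number" for the latter.
Added example, not from the thread; the byte strings used to test it are
constructed."""
import socket
import ssl
import struct

TLS_HANDSHAKE, TLS_ALERT = 0x16, 0x15   # TLS record content types


def parse_record_header(data: bytes) -> dict:
    """Read the first 5 bytes the way OpenSSL's ssl3_get_record does:
    content type (1 byte), protocol version (2), record length (2).
    OpenSSL requires major version 3 (SSLv3/TLS 1.x) before it looks at
    anything else; "HTTP/" yields type 0x48 and version 0x5454, hence
    SSL_R_WRONG_VERSION_NUMBER."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes")
    ctype, version, length = struct.unpack("!BHH", data[:5])
    return {"content_type": ctype, "version": version, "length": length,
            "version_ok": (version >> 8) == 3}


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a server sent on the port."""
    if data.startswith(b"HTTP/"):
        return "plaintext-http"
    if len(data) >= 5:
        hdr = parse_record_header(data)
        if hdr["version_ok"] and hdr["content_type"] in (TLS_HANDSHAKE, TLS_ALERT):
            return "tls"
    return "unknown"


def _connect(host, port, family, timeout):
    """Connect over one address family only (like curl -4 / curl -6)."""
    infos = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
    if not infos:
        raise OSError(f"{host} has no {family.name} address")
    fam, typ, proto, _, sockaddr = infos[0]
    s = socket.socket(fam, typ, proto)
    s.settimeout(timeout)
    s.connect(sockaddr)
    return s


def probe(host: str, port: int = 443, family=socket.AF_INET, timeout=5.0) -> str:
    """Network probe (needs connectivity; not exercised offline).
    Attempt a real TLS handshake first. If OpenSSL rejects the reply as a bad
    record, reconnect and speak plain HTTP to confirm what is really there."""
    ctx = ssl.create_default_context()
    raw = _connect(host, port, family, timeout)
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return f"tls ({tls.version()})"
    except ssl.SSLError as err:
        reason = getattr(err, "reason", "")
        if reason != "WRONG_VERSION_NUMBER":
            return f"tls-error ({reason})"
    finally:
        raw.close()
    with _connect(host, port, family, timeout) as s:
        s.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
        return classify_first_bytes(s.recv(64))


if __name__ == "__main__":
    for fam in (socket.AF_INET, socket.AF_INET6):
        try:
            print(fam.name, probe("www.pastlife.works", family=fam))
        except OSError as exc:
            print(fam.name, "error:", exc)
```

Run it from a dual-stack host to get one verdict per family; a "plaintext-http" on AF_INET next to "tls (TLSv1.3)" on AF_INET6 is exactly the split this thread shows, and it points at server configuration rather than at the clients.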

Thank you for the reply and for pointing this out.
So is this a client-side problem with their browsers or operating systems, or is it something that I can change in my .htaccess file or config files that would force my server to use IPv6?

Here is the output of apachectl -t -D DUMP_VHOSTS

VirtualHost configuration:
45.79.80.227:80        45.79.80.227 (/etc/apache2/sites-enabled/lexrex.xyz.conf:1)
45.79.80.227:443       45.79.80.227 (/etc/apache2/sites-enabled/lexrex.xyz.conf:12)
*:443                  is a NameVirtualHost
         default server lexrex.xyz (/etc/apache2/sites-enabled/lexrex.xyz-le-ssl.conf:2)
         port 443 namevhost lexrex.xyz (/etc/apache2/sites-enabled/lexrex.xyz-le-ssl.conf:2)
                 alias www.lexrex.xyz
         port 443 namevhost pastlife.works (/etc/apache2/sites-enabled/pastlife.works-le-ssl.conf:2)
                 alias www.pastlife.works
         port 443 namevhost starseedgrowers.org (/etc/apache2/sites-enabled/starseedgrowers.org-le-ssl.conf:2)
                 alias www.starseedgrowers.org
*:80                   is a NameVirtualHost
         default server lexrex.xyz (/etc/apache2/sites-enabled/lexrex.xyz.conf:19)
         port 80 namevhost lexrex.xyz (/etc/apache2/sites-enabled/lexrex.xyz.conf:19)
                 alias www.lexrex.xyz
         port 80 namevhost pastlife.works (/etc/apache2/sites-enabled/pastlife.works.conf:1)
                 alias www.pastlife.works
         port 80 namevhost starseedgrowers.org (/etc/apache2/sites-enabled/starseedgrowers.org.conf:1)
                 alias www.starseedgrowers.org

No, server-side problem.


Please show the outputs of:

ifconfig | grep -Ei 'add|inet'
sudo netstat -pant | grep -i listen
curl -4 ifconfig.co
curl -6 ifconfig.co
cat /etc/apache2/sites-enabled/pastlife.works-le-ssl.conf
grep -Ri listen /etc/apache2


-bash: ifconfig: command not found

sudo netstat -pant | grep -i listen

tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      480/sshd            
tcp        0      0 0.0.0.0:8767            0.0.0.0:*               LISTEN      490/ravend          
tcp6       0      0 :::80                   :::*                    LISTEN      492/apache2         
tcp6       0      0 :::22                   :::*                    LISTEN      480/sshd            
tcp6       0      0 :::443                  :::*                    LISTEN      492/apache2         
tcp6       0      0 :::65532                :::*                    LISTEN      560/murmurd         
tcp6       0      0 :::8766                 :::*                    LISTEN      490/ravend          
tcp6       0      0 :::8767                 :::*                    LISTEN      490/ravend 

curl -4 ifconfig.co
45.79.80.227

curl -6 ifconfig.co
2600:3c01::f03c:92ff:fef4:a0df

cat /etc/apache2/sites-enabled/pastlife.works-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>

        ServerAdmin contact@pastlife.works
        ServerName pastlife.works
        ServerAlias www.pastlife.works
        DocumentRoot /var/www/pastlife.works

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        SSLCertificateFile /etc/letsencrypt/live/pastlife.works/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/pastlife.works/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf

</VirtualHost>
</IfModule>

grep -Ri listen /etc/apache2

/etc/apache2/ports.conf:Listen 80
/etc/apache2/ports.conf:	Listen 443
/etc/apache2/ports.conf:	Listen 443
/etc/apache2/apache2.conf:#   supposed to determine listening ports for incoming connections which can be
/etc/apache2/apache2.conf:# Include list of ports to listen on

hmm...
Very interesting.

What shows:
openssl version

Is there any IPS, or layer 7 firewall, involved?

Please show the output of:
ps -ef | grep -i apache | grep -v grep


OpenSSL 1.1.1d 10 Sep 2019

Not sure about IPS. I am using ufw with standard rules allowing http and https. I also have ports open for my mumble server, which is on the mumble public servers list also using the SSL certificate, and port open for the ravencoin node

I also have fail2ban running

root       492     1  0 15:51 ?        00:00:00 /usr/sbin/apache2 -k start
www-data   498   492  0 15:51 ?        00:00:01 /usr/sbin/apache2 -k start
www-data   499   492  0 15:51 ?        00:00:00 /usr/sbin/apache2 -k start

Thanks for your help


Have you restarted the server?
I don't see anything obviously wrong.
[running out of options...]


Is it possible Apache is only listening on ipv6?

Judging from the netstat output, I mean.

No, when it shows tcp6, tcp4 is implied.
Notice how neither IPv4:80 nor IPv4:443 is listed, and yet it works for HTTP (on port 443):

curl -Ii4 http://www.pastlife.works:443/
HTTP/1.1 200 OK
Date: Thu, 17 Feb 2022 01:29:02 GMT
Server: Apache/2.4.38 (Debian)
Last-Modified: Mon, 07 Feb 2022 17:34:34 GMT
ETag: "11c6-5d7710392990f"
Accept-Ranges: bytes
Content-Length: 4550
Vary: Accept-Encoding
Content-Type: text/html

It's like "SSLEngine on" is only being enabled for IPv6 (not for IPv4).


I'm also getting help from Linode.

Just rebooted. I noticed my /etc/hosts is a bit weird.

127.0.0.1       localhost
127.0.1.1       genesis.pastlife.works genesis

45.79.80.227    pastlife.works
45.79.80.227    www.pastlife.works
45.79.80.227    starseedgrowers.org
45.79.80.227    www.starseedgrowers.org

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

not sure if it's supposed to look like that.

There is some ipv4-exclusive config.

Can you show us that file?

It looks fine. (It can probably do without, but some software needs those lines.)


Wow, I think you may have found the issue, but IDK why I did this or what to do about it. 😅

<VirtualHost 45.79.80.227:80>
        ServerName 45.79.80.227
        ServerAlias pastlife.works
        DocumentRoot /var/www/pastlife.works
        RewriteEngine on
        RewriteCond %{SERVER_NAME} =pastlife.works [OR]
        RewriteCond %{SERVER_NAME} =www.pastlife.works
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost 45.79.80.227:443>
        ServerName 45.79.80.227
        ServerAlias pastlife.works
        DocumentRoot /var/www/pastlife.works
</VirtualHost>

<VirtualHost *:80>
        ServerAdmin contact@pastlife.works
        ServerName lexrex.xyz
        ServerAlias www.lexrex.xyz
        DocumentRoot /var/www/lexrex.xyz
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        RewriteEngine on
        RewriteCond %{SERVER_NAME} =lexrex.xyz [OR]
        RewriteCond %{SERVER_NAME} =www.lexrex.xyz
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

Delete that whole section.


Also delete the other section with the full IP address. Merge its content in the <VirtualHost *:80> section if necessary.

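Why deleting that block fixes IPv4 only: Apache matches a connection against the vhosts bound to the exact local address and port before it considers the `*:443` name-based pool, so every IPv4 connection landed in `<VirtualHost 45.79.80.227:443>`, which has no `SSLEngine on` and therefore served plain HTTP on the TLS port, while IPv6 connections arrive on a different local address, skipped that block and reached the le-ssl vhosts. The linter below is an added example, not code from the thread or from Apache: it parses VirtualHost blocks from a constructed config that mirrors the files posted above, applies that selection rule for a given (local IP, port, SNI) triple, and flags any port-443 winner without SSLEngine. It assumes certbot's `options-ssl-apache.conf` carries `SSLEngine on` (check with `grep -i sslengine /etc/letsencrypt/options-ssl-apache.conf`); the sample config and the IPv6 address are taken from the thread.

```python
"""Lint Apache VirtualHost blocks for the trap in this thread: an IP-literal
<VirtualHost A.B.C.D:443> that wins over the name-based *:443 hosts but has no
SSLEngine on, so IPv4 clients get plaintext HTTP on the TLS port.
Added example; the config below is constructed to mirror the thread's files."""
import re
from dataclasses import dataclass

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

# Assumption: certbot's options-ssl-apache.conf contains "SSLEngine on"
# (verify with: grep -i sslengine /etc/letsencrypt/options-ssl-apache.conf).
INCLUDES_THAT_ENABLE_SSL = {"/etc/letsencrypt/options-ssl-apache.conf"}


@dataclass
class VHost:
    addr: str          # "*", "_default_", an IPv4 literal or "[ipv6-literal]"
    port: str
    server_name: str
    aliases: tuple
    ssl_engine: bool


def _directive(body: str, name: str) -> str:
    m = re.search(rf"^\s*{name}\s+(.+?)\s*$", body, re.M | re.I)
    return m.group(1) if m else ""


def parse_vhosts(conf: str) -> list:
    vhosts = []
    for spec, body in VHOST_RE.findall(conf):
        addr, _, port = spec.strip().rpartition(":")
        includes = re.findall(r"^\s*Include\s+(\S+)", body, re.M | re.I)
        ssl_on = bool(re.search(r"^\s*SSLEngine\s+on\b", body, re.M | re.I)) \
            or any(i in INCLUDES_THAT_ENABLE_SSL for i in includes)
        vhosts.append(VHost(addr, port, _directive(body, "ServerName"),
                            tuple(_directive(body, "ServerAlias").split()), ssl_on))
    return vhosts


def select_vhost(vhosts, local_ip: str, port: str, sni: str):
    """Apache's rule: vhosts bound to the exact local IP:port beat *:port;
    inside the winning pool the SNI/Host name picks the vhost, otherwise the
    first one defined is the default."""
    on_port = [v for v in vhosts if v.port == port]
    exact = [v for v in on_port if v.addr.strip("[]") == local_ip]
    pool = exact or [v for v in on_port if v.addr in ("*", "_default_")]
    if not pool:
        return None
    for v in pool:
        if sni and (sni == v.server_name or sni in v.aliases):
            return v
    return pool[0]


def audit(conf: str, connections):
    """connections: (local_ip, port, sni) triples.
    Returns one (status, vhost_addr, server_name) per connection."""
    vhosts = parse_vhosts(conf)
    results = []
    for ip, port, sni in connections:
        v = select_vhost(vhosts, ip, port, sni)
        if v is None:
            results.append(("no-vhost", None, None))
        elif port == "443" and not v.ssl_engine:
            results.append(("plaintext-on-443", v.addr, v.server_name))
        else:
            results.append(("ok", v.addr, v.server_name))
    return results


# Constructed sample mirroring the thread: the IP-literal block plus two
# certbot-generated name-based TLS vhosts.
BROKEN_CONF = """
<VirtualHost 45.79.80.227:443>
        ServerName 45.79.80.227
        ServerAlias pastlife.works
        DocumentRoot /var/www/pastlife.works
</VirtualHost>

<VirtualHost *:443>
        ServerName lexrex.xyz
        ServerAlias www.lexrex.xyz
        SSLCertificateFile /etc/letsencrypt/live/lexrex.xyz/fullchain.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

<VirtualHost *:443>
        ServerName pastlife.works
        ServerAlias www.pastlife.works
        SSLCertificateFile /etc/letsencrypt/live/pastlife.works/fullchain.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
"""
# The fix from the thread: drop the IP-literal block entirely.
FIXED_CONF = BROKEN_CONF.split("</VirtualHost>", 1)[1]

V4, V6 = "45.79.80.227", "2600:3c01::f03c:92ff:fef4:a0df"
CONNECTIONS = [(V4, "443", "www.pastlife.works"), (V6, "443", "www.pastlife.works")]

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        for conn, res in zip(CONNECTIONS, audit(conf, CONNECTIONS)):
            print(label, conn[0], "->", res)
```

Point `audit()` at the concatenation of `/etc/apache2/sites-enabled/*.conf` with the local addresses from `curl -4 ifconfig.co` / `curl -6 ifconfig.co` to check a live host; any `plaintext-on-443` row names the block to delete or to give its own `SSLEngine on` and certificate directives.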

I think you both helped me fix it; can't tell, though, because it always "worked" on my end:
https://www.ssllabs.com/ssltest/analyze.html?d=pastlife.works

IPv6 always worked.
