SSL error blocks access from certain browsers/networks using apache2

More information:

curl -Ii4 https://www.pastlife.works/
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

curl -Ii4 http://www.pastlife.works:443/
HTTP/1.1 200 OK
Date: Thu, 17 Feb 2022 01:29:02 GMT
Server: Apache/2.4.38 (Debian)
Last-Modified: Mon, 07 Feb 2022 17:34:34 GMT
ETag: "11c6-5d7710392990f"
Accept-Ranges: bytes
Content-Length: 4550
Vary: Accept-Encoding
Content-Type: text/html
1 Like

Thank you for the reply and for pointing this out.
So is this a client side problem with their browsers or operating systems or is it something that I can change in my .htaccess file or config files that would force my server to use IPv6?

Here is the output of apachectl -t -D DUMP_VHOSTS

VirtualHost configuration:
45.79.80.227:80        45.79.80.227 (/etc/apache2/sites-enabled/lexrex.xyz.conf:1)
45.79.80.227:443       45.79.80.227 (/etc/apache2/sites-enabled/lexrex.xyz.conf:12)
*:443                  is a NameVirtualHost
         default server lexrex.xyz (/etc/apache2/sites-enabled/lexrex.xyz-le-ssl.conf:2)
         port 443 namevhost lexrex.xyz (/etc/apache2/sites-enabled/lexrex.xyz-le-ssl.conf:2)
                 alias www.lexrex.xyz
         port 443 namevhost pastlife.works (/etc/apache2/sites-enabled/pastlife.works-le-ssl.conf:2)
                 alias www.pastlife.works
         port 443 namevhost starseedgrowers.org (/etc/apache2/sites-enabled/starseedgrowers.org-le-ssl.conf:2)
                 alias www.starseedgrowers.org
*:80                   is a NameVirtualHost
         default server lexrex.xyz (/etc/apache2/sites-enabled/lexrex.xyz.conf:19)
         port 80 namevhost lexrex.xyz (/etc/apache2/sites-enabled/lexrex.xyz.conf:19)
                 alias www.lexrex.xyz
         port 80 namevhost pastlife.works (/etc/apache2/sites-enabled/pastlife.works.conf:1)
                 alias www.pastlife.works
         port 80 namevhost starseedgrowers.org (/etc/apache2/sites-enabled/starseedgrowers.org.conf:1)
                 alias www.starseedgrowers.org

No, server-side problem.

1 Like

Please show the outputs of:

ifconfig | grep -Ei 'add|inet'
sudo netstat -pant | grep -i listen
curl -4 ifconfig.co
curl -6 ifconfig.co
cat /etc/apache2/sites-enabled/pastlife.works-le-ssl.conf
grep -Ri listen /etc/apache2

1 Like

-bash: ifconfig: command not found

sudo netstat -pant | grep -i listen

tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      480/sshd            
tcp        0      0 0.0.0.0:8767            0.0.0.0:*               LISTEN      490/ravend          
tcp6       0      0 :::80                   :::*                    LISTEN      492/apache2         
tcp6       0      0 :::22                   :::*                    LISTEN      480/sshd            
tcp6       0      0 :::443                  :::*                    LISTEN      492/apache2         
tcp6       0      0 :::65532                :::*                    LISTEN      560/murmurd         
tcp6       0      0 :::8766                 :::*                    LISTEN      490/ravend          
tcp6       0      0 :::8767                 :::*                    LISTEN      490/ravend 

curl -4 ifconfig.co
45.79.80.227

curl -6 ifconfig.co
2600:3c01::f03c:92ff:fef4:a0df

cat /etc/apache2/sites-enabled/pastlife.works-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>

        ServerAdmin contact@pastlife.works
        ServerName pastlife.works
        ServerAlias www.pastlife.works
        DocumentRoot /var/www/pastlife.works

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

	SSLCertificateFile /etc/letsencrypt/live/pastlife.works/fullchain.pem
	SSLCertificateKeyFile /etc/letsencrypt/live/pastlife.works/privkey.pem
	Include /etc/letsencrypt/options-ssl-apache.conf

</VirtualHost>
</IfModule>

grep -Ri listen /etc/apache2

/etc/apache2/ports.conf:Listen 80
/etc/apache2/ports.conf:	Listen 443
/etc/apache2/ports.conf:	Listen 443
/etc/apache2/apache2.conf:#   supposed to determine listening ports for incoming connections which can be
/etc/apache2/apache2.conf:# Include list of ports to listen on

hmm...
Very interesting.

What shows:
openssl version

Is there any IPS, or layer 7 firewall, involved?

Please show the output of:
ps -ef | grep -i apache | grep -v grep

1 Like

OpenSSL 1.1.1d 10 Sep 2019

Not sure about IPS. I am using ufw with standard rules allowing http and https. I also have ports open for my mumble server, which is on the mumble public servers list also using the SSL certificate, and a port open for the ravencoin node.

I also have fail2ban running

root       492     1  0 15:51 ?        00:00:00 /usr/sbin/apache2 -k start
www-data   498   492  0 15:51 ?        00:00:01 /usr/sbin/apache2 -k start
www-data   499   492  0 15:51 ?        00:00:00 /usr/sbin/apache2 -k start

Thanks for your help

1 Like

Have you restarted the server?
I don't see anything obviously wrong.
[running out of options...]

1 Like

Is it possible Apache is only listening on ipv6?

Judging from the netstat output, I mean.

No, when it shows tcp6, tcp4 is implied.
Notice how neither IPv4:80 nor IPv4:443 is listed, and yet it works for HTTP (on port 443):

curl -Ii4 http://www.pastlife.works:443/
HTTP/1.1 200 OK
Date: Thu, 17 Feb 2022 01:29:02 GMT
Server: Apache/2.4.38 (Debian)
Last-Modified: Mon, 07 Feb 2022 17:34:34 GMT
ETag: "11c6-5d7710392990f"
Accept-Ranges: bytes
Content-Length: 4550
Vary: Accept-Encoding
Content-Type: text/html

It's like "SSLEngine on" is only being enabled for IPv6 (not for IPv4).

3 Likes
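What curl's `error:1408F10B:SSL routines:ssl3_get_record:wrong version number` actually means: OpenSSL read the first five bytes of the server's reply as a TLS record header and found that the version field did not start with the major version byte 0x03. A plaintext `HTTP/1.1 ...` response gives it `H` as the content type and `TT` (0x5454) as the version, hence the error. The snippet below is an added illustration, not code from this thread or from Apache/OpenSSL: `classify_reply()` applies that header check to constructed sample replies, and `probe()` repeats the `curl -4` / `curl -6` comparison from Python by forcing one address family at a time (it needs network access, and the hostname passed to it is whatever you choose; `example.invalid` in the comment is a placeholder).

```python
"""Classify what a server returned on port 443: a TLS record or plaintext HTTP.

OpenSSL's "wrong version number" (ssl3_get_record) means the first 5 bytes the
client read did not look like a TLS record header: the two version bytes after
the content-type byte did not begin with the SSL3/TLS major version 0x03.
Added example; not the thread's or OpenSSL's own code.
"""
import socket
import ssl

# TLS record content types (RFC 5246 / RFC 8446)
TLS_CONTENT_TYPES = {
    20: "change_cipher_spec",
    21: "alert",
    22: "handshake",
    23: "application_data",
}
# Prefixes that identify plaintext HTTP. "HTTP/" is what a server reply starts
# with; the method names are the request-side prefixes OpenSSL itself checks.
HTTP_PREFIXES = (b"HTTP/", b"GET ", b"POST ", b"HEAD ", b"PUT ")


def classify_reply(first_bytes: bytes) -> dict:
    """Inspect the first 5 bytes a server sent back after our ClientHello.

    Returns {'kind': 'tls' | 'plaintext_http' | 'unknown', 'detail': str}.
    """
    if len(first_bytes) < 5:
        return {"kind": "unknown", "detail": "fewer than 5 bytes, no record header"}
    content_type = first_bytes[0]
    version_major, version_minor = first_bytes[1], first_bytes[2]
    length = int.from_bytes(first_bytes[3:5], "big")
    # The check OpenSSL applies to the very first record it reads: the version
    # field must begin with 0x03. Anything else is "wrong version number".
    if version_major != 0x03:
        if first_bytes.startswith(HTTP_PREFIXES):
            return {"kind": "plaintext_http",
                    "detail": "server answered on 443 with plaintext HTTP; OpenSSL "
                              "reports this as 'wrong version number' (version bytes "
                              f"0x{version_major:02x}{version_minor:02x})"}
        return {"kind": "unknown", "detail": "not a TLS record header and not HTTP"}
    if content_type not in TLS_CONTENT_TYPES:
        return {"kind": "unknown", "detail": f"unknown TLS content type {content_type}"}
    return {"kind": "tls",
            "detail": f"TLS {TLS_CONTENT_TYPES[content_type]} record, "
                      f"version 0x03{version_minor:02x}, length {length}"}


def probe(host: str, family: int, port: int = 443, timeout: float = 5.0) -> str:
    """Attempt a TLS handshake over one address family and report the outcome.

    family is socket.AF_INET (IPv4) or socket.AF_INET6 (IPv6); this is the
    manual equivalent of `curl -4` / `curl -6`. Needs network access.
    """
    ctx = ssl.create_default_context()
    try:
        ip = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)[0][4][0]
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return f"ok over {ip}: {tls.version()} {tls.cipher()[0]}"
    except ssl.SSLError as e:          # e.g. WRONG_VERSION_NUMBER
        return f"handshake failed: {e.reason}"
    except OSError as e:               # DNS failure, refused, timeout
        return f"connect failed: {e}"


# Constructed sample replies (not captured from the server in the thread).
PLAINTEXT_REPLY = b"HTTP/1.1 400 Bad Request\r\nServer: Apache/2.4.38 (Debian)\r\n\r\n"
SERVER_HELLO = b"\x16\x03\x03\x00\x5a\x02\x00\x00\x56\x03\x03"   # handshake record header
TLS_ALERT = b"\x15\x03\x03\x00\x02\x02\x28"                       # fatal handshake_failure

if __name__ == "__main__":
    for sample in (PLAINTEXT_REPLY, SERVER_HELLO, TLS_ALERT):
        print(classify_reply(sample))
    # Live comparison (needs network; hostname is a placeholder):
    # for fam in (socket.AF_INET, socket.AF_INET6):
    #     print(fam, probe("example.invalid", fam))
```

Running `probe()` for both families against the same hostname is the quickest way to confirm the symptom in this thread: a handshake that succeeds over IPv6 and fails with `WRONG_VERSION_NUMBER` over IPv4 points at the server's per-address configuration, not at the client.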

I'm also getting help from Linode.

Just rebooted. I noticed my /etc/hosts is a bit weird.

127.0.0.1	localhost
127.0.1.1	genesis.pastlife.works genesis

45.79.80.227	pastlife.works
45.79.80.227	www.pastlife.works
45.79.80.227	starseedgrowers.org
45.79.80.227	www.starseedgrowers.org

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Not sure if it's supposed to look like that.

There is some ipv4-exclusive config.

Can you show us that file?

It looks fine. (It can probably do without, but some software needs those lines.)

1 Like

Wow I think you may have found the issue but IDK why I did this or what to do about it. :sweat_smile:

<VirtualHost 45.79.80.227:80>
        ServerName 45.79.80.227
        ServerAlias pastlife.works
        DocumentRoot /var/www/pastlife.works
        RewriteEngine on
        RewriteCond %{SERVER_NAME} =pastlife.works [OR]
        RewriteCond %{SERVER_NAME} =www.pastlife.works
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost 45.79.80.227:443>
        ServerName 45.79.80.227
        ServerAlias pastlife.works
        DocumentRoot /var/www/pastlife.works
</VirtualHost>

<VirtualHost *:80>
        ServerAdmin contact@pastlife.works
        ServerName lexrex.xyz
        ServerAlias www.lexrex.xyz
        DocumentRoot /var/www/lexrex.xyz
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        RewriteEngine on
        RewriteCond %{SERVER_NAME} =lexrex.xyz [OR]
        RewriteCond %{SERVER_NAME} =www.lexrex.xyz
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

Delete that whole section.

2 Likes

Also delete the other section with the full IP address. Merge its content in the <VirtualHost *:80> section if necessary.

2 Likes
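Why deleting those two IP-literal sections fixes it: Apache selects a `<VirtualHost>` by the local IP:port a connection arrived on before it looks at any name. Vhosts declared for the exact `45.79.80.227:443` form their own candidate set and shadow the `*:443` set entirely, so every IPv4 connection landed in the one vhost without `SSLEngine on` and was served plain HTTP on port 443, while IPv6 connections (for which only `*:443` matches) reached the name-based vhosts with TLS. The simulation below is an added illustration, not Apache's code; it models the vhosts exactly as the `DUMP_VHOSTS` output and posted files show them, assumes the Certbot `options-ssl-apache.conf` include is what turns `SSLEngine on` in the `*:443` vhosts, and uses the two server addresses reported by `curl -4/-6 ifconfig.co` above.

```python
"""Simulate how Apache picks a <VirtualHost> for an incoming connection.

Rules modelled (Apache "virtual host matching"):
  1. Vhosts for the exact local IP:port are the candidate set; only if there
     are none does the *:port set apply.
  2. Among candidates, the Host header (HTTP) or SNI name (TLS) selects by
     ServerName/ServerAlias.
  3. If no name matches, the first candidate defined is the default server.
Added illustration; not Apache code.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class VHost:
    address: str              # "*" or the literal IP written in <VirtualHost ...>
    port: int
    server_name: str
    aliases: tuple = ()
    ssl_engine: bool = False  # True when the vhost (or an Include) sets SSLEngine on


def select_vhost(vhosts: List[VHost], local_ip: str, local_port: int,
                 requested_name: str) -> Optional[VHost]:
    # Rule 1: an explicit IP:port set wins over *:port, whatever the name says.
    exact = [v for v in vhosts if v.address == local_ip and v.port == local_port]
    candidates = exact or [v for v in vhosts if v.address == "*" and v.port == local_port]
    if not candidates:
        return None
    # Rule 2: name-based selection among the candidates.
    for v in candidates:
        if requested_name in (v.server_name, *v.aliases):
            return v
    # Rule 3: nothing matched the name, so the first one defined is the default.
    return candidates[0]


# Server addresses reported in the thread by `curl -4 / -6 ifconfig.co`.
IPV4 = "45.79.80.227"
IPV6 = "2600:3c01::f03c:92ff:fef4:a0df"

# The vhosts in declaration order, as DUMP_VHOSTS and the posted files show them.
# ssl_engine=True on *:443 assumes the Certbot include supplies "SSLEngine on".
BROKEN = [
    VHost(IPV4, 80, "45.79.80.227", ("pastlife.works",)),
    VHost(IPV4, 443, "45.79.80.227", ("pastlife.works",)),   # no SSLEngine on
    VHost("*", 443, "lexrex.xyz", ("www.lexrex.xyz",), ssl_engine=True),
    VHost("*", 443, "pastlife.works", ("www.pastlife.works",), ssl_engine=True),
    VHost("*", 443, "starseedgrowers.org", ("www.starseedgrowers.org",), ssl_engine=True),
    VHost("*", 80, "lexrex.xyz", ("www.lexrex.xyz",)),
    VHost("*", 80, "pastlife.works", ("www.pastlife.works",)),
    VHost("*", 80, "starseedgrowers.org", ("www.starseedgrowers.org",)),
]
# The fix suggested in the thread: drop the two IP-literal sections.
FIXED = [v for v in BROKEN if v.address == "*"]


def route(vhosts: List[VHost], name: str, port: int = 443) -> Dict[str, Optional[VHost]]:
    """Which vhost answers `name` on `port` for an IPv4 and for an IPv6 client."""
    return {"ipv4": select_vhost(vhosts, IPV4, port, name),
            "ipv6": select_vhost(vhosts, IPV6, port, name)}


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        for fam, v in route(cfg, "www.pastlife.works").items():
            print(f"{label:6} {fam}: {v.address}:{v.port} {v.server_name} "
                  f"SSLEngine={'on' if v.ssl_engine else 'off'}")
```

With the broken set, `www.pastlife.works` does not even match the IP vhost's `ServerAlias`, yet that vhost still answers over IPv4 because it is the only candidate for `45.79.80.227:443` (rule 3). With the fixed set, both families fall through to `*:443` and name selection picks the `pastlife.works` vhost with TLS enabled.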

I think you both helped me fix it, can't tell though because it always "worked" on my end:
https://www.ssllabs.com/ssltest/analyze.html?d=pastlife.works

IPv6 always worked.

2 Likes

Ehm... If you don't have a specific reason to keep TLS 1.0 and 1.1 enabled, turn them off.

Check https://ssl-config.mozilla.org

2 Likes

what is the significance of turning them off compared to what I have running now?

I entered my settings in the form there and it produced this

# generated 2022-02-17, Mozilla Guideline v5.6, Apache 2.4.38, OpenSSL 1.1.1d, modern configuration
# https://ssl-config.mozilla.org/#server=apache&version=2.4.38&config=modern&openssl=1.1.1d&guideline=5.6

# this configuration requires mod_ssl, mod_socache_shmcb, mod_rewrite, and mod_headers
<VirtualHost *:80>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile      /path/to/signed_cert_and_intermediate_certs
    SSLCertificateKeyFile   /path/to/private_key

    # enable HTTP/2, if available
    Protocols h2 http/1.1

    # HTTP Strict Transport Security (mod_headers is required) (63072000 seconds)
    Header always set Strict-Transport-Security "max-age=63072000"
</VirtualHost>

# modern configuration
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
SSLHonorCipherOrder     off
SSLSessionTickets       off

SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

Not sure what to do with that data or how to turn off TLS 1.0 & 1.1

There are some vulnerabilities. I wouldn't turn off TLS 1.2.

(I'd use the intermediate config, only use the modern one if you know your clients very well)

Don't enable http strict transport security until you understand what it does, please.

2 Likes
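To see concretely what the generated `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2` line leaves enabled, and why the last reply says not to switch TLS 1.2 off, here is an added evaluator for mod_ssl's `SSLProtocol` argument syntax (illustration only, not mod_ssl's code). It follows the parser's documented behaviour: `+` adds a version, `-` removes one, a bare keyword replaces everything set so far (mod_ssl logs "overrides already set parameter(s)" in that case), and `all` expands to every version the OpenSSL build supports. The `INTERMEDIATE` line is assumed to be what the Mozilla generator's intermediate profile emits for this setup.

```python
"""Evaluate an Apache mod_ssl `SSLProtocol` argument list and review it.

Added illustration; not mod_ssl's own code. Word semantics follow the parser:
'+' adds, '-' removes, a bare keyword replaces the set built so far, and 'all'
means every version the OpenSSL build supports.
"""
from typing import List, Tuple

# Versions OpenSSL 1.1.1 can negotiate. Distribution builds usually compile
# SSLv3 out, so 'all' typically excludes it in practice; it is listed here so
# that the '-SSLv3' word in generated configs evaluates cleanly.
VERSIONS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
DEPRECATED = {"SSLv3", "TLSv1", "TLSv1.1"}   # RFC 7568 and RFC 8996


def enabled_protocols(directive: str, supported=VERSIONS) -> Tuple[List[str], List[str]]:
    """Return (enabled versions in canonical order, parser warnings)."""
    enabled: set = set()
    warnings: List[str] = []
    for word in directive.split():
        action = ""
        if word[0] in "+-":
            action, word = word[0], word[1:]
        if word.lower() == "all":
            names = set(supported)
        else:
            names = {v for v in supported if v.lower() == word.lower()}
            if not names:
                raise ValueError(f"Illegal protocol '{word}'")
        if action == "-":
            enabled -= names
        elif action == "+":
            enabled |= names
        else:
            # Bare keyword: replaces, which is what mod_ssl warns about when
            # something was already set.
            if enabled:
                warnings.append(f"'{word}' overrides already set parameter(s); "
                                "check if a +/- prefix is missing")
            enabled = names
    return [v for v in VERSIONS if v in enabled], warnings


def review(directive: str) -> List[str]:
    """Findings a reviewer would raise for the given SSLProtocol line."""
    enabled, warnings = enabled_protocols(directive)
    findings = list(warnings)
    old = [v for v in enabled if v in DEPRECATED]
    if old:
        findings.append("deprecated versions still enabled: " + ", ".join(old))
    if "TLSv1.2" not in enabled:
        findings.append("TLSv1.2 disabled: clients without TLS 1.3 will fail to connect")
    if not enabled:
        findings.append("no protocol enabled at all")
    return findings


# The line the generator produced in the thread (modern profile) ...
MODERN = "all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2"
# ... and the intermediate profile's line (assumed here).
INTERMEDIATE = "all -SSLv3 -TLSv1 -TLSv1.1"

if __name__ == "__main__":
    for label, line in (("modern", MODERN), ("intermediate", INTERMEDIATE)):
        enabled, _ = enabled_protocols(line)
        print(f"{label:13} SSLProtocol {line}")
        print(f"{'':13} enabled: {enabled}; findings: {review(line) or 'none'}")
```

Evaluated this way, the modern line leaves only TLS 1.3 enabled, which is the "I wouldn't turn off TLS 1.2" point: the intermediate line keeps TLS 1.2 and 1.3 and still drops the deprecated 1.0 and 1.1. The directive is server-wide when placed outside the `<VirtualHost>` blocks as in the generated file, so it applies to every site on the host at once.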