SSL error with Debian 12 (bookworm)

Hey everyone,
I wanted to host my own server, so I bought a domain (filaamburatori.online) and I have set up DNS to point to my PC. I am using Apache (apache2) and I have no files on the server yet except for the default files that come with Apache.
I decided that I should secure the connection to my website, so I ran "sudo certbot --apache" to generate a certificate. I entered my email and domain and it generated the files, as I could see in the folders.
Now, the HTTPS connection won't work. You can access my page on http://filaamburatori.online, but as soon as I try to make an HTTPS request, I get ERR_SSL_PROTOCOL_ERROR.
I have ensured that my packages are up to date and checked the config and virtual host files, where I couldn't see anything that could cause this issue.
If anyone has had a similar issue or knows how to resolve this, I would be grateful.
Also, if you have any other questions that can help us resolve this issue, I will be happy to answer them. Thanks in advance!

[edit]
Some more information about my system:
I have ensured that filaamburatori.online.conf as well as filaamburatori.online-le-ssl.conf are linked in the sites-enabled folder.
I have ensured that my server listens on both port 80 and port 443.
I have also confirmed that my .conf files contain the correct locations of my fullchain and privkey files and that they are not empty.
Inside the VirtualHost *:80 config I commented out RewriteEngine to ensure you can access the site over HTTP.

1 Like

Hello @Urkey, welcome to the Let's Encrypt community. :slightly_smiling_face:

I bet the server is serving HTTP on both Port 80 and 443
instead of HTTP on Port 80 and HTTPS on Port 443.

$ curl -Ii http://filaamburatori.online:443
HTTP/1.1 200 OK
Date: Sun, 25 Feb 2024 23:07:56 GMT
Server: Apache/2.4.57 (Debian)
Last-Modified: Sun, 25 Feb 2024 18:53:01 GMT
ETag: "29cd-612394d64ef8c"
Accept-Ranges: bytes
Content-Length: 10701
Vary: Accept-Encoding
Content-Type: text/html
$ curl -Ii http://filaamburatori.online
HTTP/1.1 200 OK
Date: Sun, 25 Feb 2024 23:08:18 GMT
Server: Apache/2.4.57 (Debian)
Last-Modified: Sun, 25 Feb 2024 18:53:01 GMT
ETag: "29cd-612394d64ef8c"
Accept-Ranges: bytes
Content-Length: 10701
Vary: Accept-Encoding
Content-Type: text/html
$ curl -k -Ii https://filaamburatori.online
curl: (35) error:0A00010B:SSL routines::wrong version number
2 Likes
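The curl test above tells the two cases apart by what the server sends back to a TLS ClientHello. As an added example (not code from anyone in this thread), here is a small Python probe that does the same check by hand: it lets OpenSSL produce a real ClientHello, sends it over a raw socket and classifies the first bytes of the reply, so the "wrong version number" failure becomes visible as a clear-text "HTTP/…" answer where a TLS record should be. The constructed 400 reply and the socketpair test double stand in for a misconfigured port 443.

```python
import socket
import ssl

# Constructed reply of a plaintext HTTP vhost on :443 that cannot parse a ClientHello.
PLAINTEXT_REPLY = b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n\r\n"


def classify_reply(data: bytes) -> str:
    """Classify the first bytes a server returns after a TLS ClientHello."""
    if not data:
        return "closed"
    # TLS: handshake (0x16) or alert (0x15) record, followed by version 0x03xx.
    if len(data) >= 3 and data[0] in (0x15, 0x16) and data[1] == 0x03:
        return "tls" if data[0] == 0x16 else "tls-alert"
    # 'HTTP/': OpenSSL reads 'TT' as the record version -> "wrong version number".
    if data.startswith(b"HTTP/"):
        return "plaintext-http"
    return "unknown"


def build_client_hello(server_name: str) -> bytes:
    """Have OpenSSL write a genuine ClientHello into a memory BIO (no socket)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # only the handshake bytes are needed
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello is queued, no ServerHello has arrived yet
    return outgoing.read()


def probe_socket(sock: socket.socket, server_name: str) -> str:
    """Send a ClientHello on an open socket and classify whatever comes back."""
    sock.sendall(build_client_hello(server_name))
    try:
        return classify_reply(sock.recv(1024))
    except socket.timeout:
        return "no-reply"


def probe_port(host: str, port: int, server_name: str, timeout: float = 5.0) -> str:
    """Connect to host:port (e.g. the domain and 443) and run the probe."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return probe_socket(sock, server_name)


def fake_plaintext_peer(reply: bytes = PLAINTEXT_REPLY):
    """Test double for a misconfigured :443: a peer with a clear-text reply queued."""
    client, server = socket.socketpair()
    server.sendall(reply)
    return client, server
```

On a correctly configured host `probe_port("filaamburatori.online", 443, "filaamburatori.online")` returns "tls"; while port 443 is served by the plaintext vhost it returns "plaintext-http".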

I have checked my files again, and it should be right.
I see your point but I don't know how to fix it.
I am checking 000-default-le-ssl.conf and 000-default.conf, and in the first one I have 2 virtual host tags, one listening on 80 and the other on 443. In the second file, I only have a virtual host for port 80.
Also I should have noted that this is my first time trying to deploy a website, as well as use Debian :sweat_smile:

1 Like

Kindly wait for more knowledgeable Let's Encrypt community volunteers to assist.

2 Likes

Also, here is a list of issued certificates: crt.sh | filaamburatori.online

Testing and debugging are best done using the Staging Environment.

Also see Rate Limits - Let's Encrypt and Failed Validation Limit - Let's Encrypt

Details on Apache can be found here in the documentation and forums:

1 Like

Sounds like you're missing this statement in your config:
[and maybe more]

SSLEngine On

1 Like

I think I have it on as I have this in my config file:
Include mypath/options-ssl-apache.conf
which contains:
SSL on
followed by configuration
(provided by certbot)
and after that include, I have:
SSLCertificateFile path/fullchain.pem
SSLCertificateKeyFile path/privkey.pem

This is not an Apache support forum...
They may be able to give you better support/advice.

All I can say for sure is that your port 443 is NOT speaking HTTPS.

2 Likes

I understand the issue. I hope I can debug it or for someone more knowledgeable to see this post. Thanks for the help so far!

Is this a residential setup? Have you checked your router to make sure it is forwarding Port 443 to your Apache PC as Port 443?

3 Likes

It is a local setup, and I have configured forwarding for 80>80 and for 443>443.

If I read that correctly, it should require entries on the external side:
image
[but that side is empty]

3 Likes

Wow, that did it! If I understand correctly, the issue was that my router didn't know how to correctly forward to my 443 port.

3 Likes

It is hard to say what it was doing exactly when the external side information was missing.
My best guess...
[since 80 was reaching 80 and 443 was also reaching 80]
is that it handled those empty fields as if an "*" had been used and thus forwarded ALL ports to 80.
[the first line handled ALL the requests - and the second line never got used]
Once you filled in the missing external port information, it then started doing what you expected.

So... it was never an "SSLEngine On" issue.
But I'm glad we were able to find, and correct, the problem relatively quickly nonetheless :wink:

Cheers from Miami :beers:

4 Likes
