SSL protocol error when access via local IP

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: lochofclunie.org.uk

I ran this command:

It produced this output:

My web server is (include version): Apache 2.4

The operating system my web server runs on is (include version): Ubuntu 22.04.2 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.21.0

This is a strange one, but it might be obvious to you kind folks.

I have installed my certificate in the virtual hosts file, all is working perfectly. No problems there. This is when accessing via anywhere on the internet.

However......the webserver itself is on the same network as me. If I update my Windows laptop HOSTS file with an entry for the private IP, e.g. 192.168.11.15 lochofclunie.org.uk, I get SSL_PROTOCOL_ERROR, and I get entries in /var/log/apache2/other_vhosts_access.log with

```
"\x16\x03\x01\x02" 400 608 "-" "-"
```

I recognise those as https being provided on a http port, yet everything is running fine on 443.

The reason I'm posting this question here, rather than on a general Linux board, is that with the above hosts file changes, I can successfully access my website via http. So Apache is running fine, and connectivity to my server is fine.

To summarise, I get an error when accessing my Let's Encrypt-protected site, via https, when DNS or hosts points to a LAN address instead of the public DNS address.

Can anyone shed any light on why?

Many thanks!

Jim

1 Like

Welcome to the community @jimwill

Yes, this is really just an Apache / browser issue, given you got certs and use them fine.

But, I'll try anyway ... the name of the access log is "other_vhosts". Does that mean it is not in your VirtualHost with the name lochofclunie.org.uk? Just seems like a log name you would use in your default VirtualHost rather than one for a specific domain name.

And, are you making the request for https://lochofclunie.org.uk even for local requests?

3 Likes

That's the file where all additional vhosts are logged by default on Debian.

4 Likes

Thanks for the welcome, Mike, and to both you and linkp for taking time to reply.

Yes, the site is in my virtual hosts file, along with a couple of others (I've included one additional site as an example). This is /etc/apache2/sites-enabled/ssl.conf

```apache
<VirtualHost siteABC.co.uk:443>
        ServerName www.siteABC.co.uk
        ServerAlias siteABC.co.uk
        DocumentRoot /var/www/siteABC.co.uk
        ServerAdmin IT@siteABC.co.uk
        SSLEngine On

        # Support HTTP Strict Transport Security with long duration. Requires "a2enmod headers"
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

        ErrorLog /var/log/apache2/siteABC.co.uk_error_log
        CustomLog /var/log/apache2/siteABC.co.uk_access_log combined
        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateFile /etc/letsencrypt/live/siteABC.co.uk/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/siteABC.co.uk/privkey.pem
</VirtualHost>

<VirtualHost lochofclunie.org.uk:443>
        ServerName www.lochofclunie.org.uk
        ServerAlias lochofclunie.org.uk
        DocumentRoot /var/www/lochofclunie.org.uk
        ServerAdmin IT@lochofclunie.org.uk
        SSLEngine On

        # Support HTTP Strict Transport Security with long duration. Requires "a2enmod headers"
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

        ErrorLog /var/log/apache2/lochofclunie.org.uk_error_log
        CustomLog /var/log/apache2/lochofclunie.org.uk_access_log combined
        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateFile /etc/letsencrypt/live/www.lochofclunie.org.uk/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/www.lochofclunie.org.uk/privkey.pem
</VirtualHost>
```

and this is my /etc/apache2/sites-enabled/lochofclunie.org.uk.conf:

```apache
<VirtualHost *:80>
  ServerName www.lochofclunie.org.uk
  ServerAlias lochofclunie.org.uk
  DocumentRoot /var/www/lochofclunie.org.uk
  ErrorLog /var/log/apache2/lochofclunie.org.uk_error_log
  CustomLog /var/log/apache2/lochofclunie.org.uk_access_log combined
  RewriteEngine on
  RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
  RewriteRule .* - [F]
</VirtualHost>
```

Whether or not it's right to have the stuff split across multiple config files is another topic by itself, but all this works fine if I use public DNS, and you'll be able to browse to the sites yourselves to confirm. It only stops working if I add a HOSTS or local DNS entry to repoint to the actual server IP (which I access via OpenVPN).

If this helps?

```
root@orca:~# curl -v https://localhost:443
*   Trying 127.0.0.1:443...
* Connected to localhost (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* (5454) (IN), , Unknown (72):
* error:0A00010B:SSL routines::wrong version number
* Closing connection 0
curl: (35) error:0A00010B:SSL routines::wrong version number
```

It does. Your Apache VirtualHost for "localhost" does not support https. If you want the VirtualHost for lochofclunie you need to use that name in your https:// request.

What does this show?

```
sudo apache2ctl -t -D DUMP_VHOSTS
```

Also, you should edit your prior post to use 3 backticks before and after the Apache files as formatting and tags are being lost. Like:
```
apache stuff
```

4 Likes
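As an added illustration of the two checks suggested above (this is not code from the thread, from Apache or from Certbot), the following POSIX shell script does two things: it lints a set of Apache config files for `<VirtualHost>` openers that name a host or IP instead of `*`, and it shows how to test the HTTPS vhost on a LAN address while still sending the public name as SNI, using `curl --resolve` instead of editing the HOSTS file. The Apache documentation says a hostname in the opener is resolved when the server starts and the vhost is then bound to that address only; a connection arriving on 127.0.0.1 or a LAN address therefore matches none of the hostname-bound `:443` vhosts and is served by the main server, which has no `SSLEngine`, so the TLS ClientHello is answered as plain HTTP (the `\x16\x03\x01` bytes in the access log and curl's "wrong version number"). The sample config is constructed here, the LAN address 192.168.11.15 is the one mentioned in the first post and is only a placeholder, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): lint <VirtualHost> openers for IP/hostname
# selection and test an HTTPS vhost on a LAN address with the correct SNI.

# Print every address from "<VirtualHost addr[:port] ...>" openers in the given
# files that is not "*" or "_default_". A hostname or IP there turns the vhost
# into an IP-based one bound to whatever that name resolves to at startup, so
# connections arriving on any other address (LAN IP, 127.0.0.1) never match it.
find_ip_based_vhosts() {
    grep -hE -o '<VirtualHost[[:space:]]+[^>]+>' "$@" \
      | sed -E 's/^<VirtualHost[[:space:]]+//; s/[[:space:]]*>$//' \
      | tr -s '[:blank:]' '\n' \
      | grep -vE '^(\*|_default_)(:[0-9]+)?$' || true
}

# Connect to the LAN address but present the public name as SNI and Host, which
# is exactly what a browser does after a HOSTS-file edit. --resolve pins
# name:443 to the IP for this one request only. Prints "<status> <verify-result>";
# a verify result of 0 means the Let's Encrypt chain validated for that name.
check_vhost_on_lan() {
    name=$1; ip=$2
    curl -sS -o /dev/null -w '%{http_code} %{ssl_verify_result}\n' \
        --resolve "$name:443:$ip" "https://$name/"
}

# Raw handshake variant: shows which certificate the selected vhost actually
# served for that SNI, which tells you whether name-based selection happened.
show_cert_on_lan() {
    name=$1; ip=$2
    openssl s_client -connect "$ip:443" -servername "$name" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -ext subjectAltName
}

# Constructed sample config (not the poster's real files) reproducing the mistake:
# one HTTPS vhost keyed on a hostname next to a correct "*:443" one.
write_sample_conf() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
<VirtualHost *:80>
    ServerName www.example.org
</VirtualHost>
<VirtualHost example.org:443>
    ServerName www.example.org
    SSLEngine On
</VirtualHost>
<VirtualHost *:443>
    ServerName www.example.net
    SSLEngine On
</VirtualHost>
EOF
    printf '%s\n' "$f"
}

# Demo on the constructed sample: prints "example.org:443".
sample=$(write_sample_conf)
find_ip_based_vhosts "$sample"
rm -f "$sample"

# On the real server (hypothetical paths/addresses, adjust to taste):
#   find_ip_based_vhosts /etc/apache2/sites-enabled/*.conf
#   check_vhost_on_lan www.lochofclunie.org.uk 192.168.11.15
#   show_cert_on_lan   www.lochofclunie.org.uk 192.168.11.15
```

Run `find_ip_based_vhosts` against everything in `sites-enabled/`; if it prints anything, that opener is the one to change to `*:443`. `apache2ctl -t -D DUMP_VHOSTS` gives the server's own view of the same thing and will list those entries as IP-based rather than under the `*:443` name-based group. `check_vhost_on_lan` should return `200 0` once the fix is in; before the fix it fails at the TLS layer exactly as the `curl -v https://localhost:443` output above does.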

You might also need to change both of those to:

`<VirtualHost *:443>`

Putting a name in the VirtualHost statement indicates IP selection rather than SNI name based VHost selection. The Apache docs describe this.

4 Likes

curl -v https://www.lochofclunie.org.uk:443 is giving me the correct response....so whatever issue I'm having, it doesn't seem to be related to certs. :frowning:

Unfortunately that just returns the first virtual host for any SSL request. I do have NameVirtualHost :443 at the top.

Thanks for sticking with me, but I don't want to waste any more of your time. Many thanks for your help, I'll keep plugging away and see if I can find out what's going on.

2 Likes

All should be "*:443" so that one of your VirtualHosts does not "latch" inbound requests for a specific IP. Mixing IP and name-based hosts is very complex. And, frankly, trying to use IP based hosts in an SNI world is often tricky.

4 Likes

As my vhost management practices evolved over the years, my preference is now to use one .conf file for each vhost. This puts the HTTP and HTTPS for each domain in its own file. This makes it easy to disable one site without affecting others. If I needed to toggle HTTP and HTTPS versions separately with any degree of frequency, I could see a further split being useful.

4 Likes

I think I'd like to move to that model. I have that for port 80 but have somehow evolved to a single file for 443 for some odd reason.

Could I trouble you to share an anonymised example?

Would this seem to be a reasonable config?

```apache
<VirtualHost *:80>
        ServerName www.lochofclunie.org.uk
        ServerAlias lochofclunie.org.uk
        DocumentRoot /var/www/lochofclunie.org.uk
        ErrorLog /var/log/apache2/lochofclunie.org.uk_error_log
        CustomLog /var/log/apache2/lochofclunie.org.uk_access_log combined
        RewriteEngine on
        RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
        RewriteRule .* - [F]
</VirtualHost>

<VirtualHost lochofclunie.org.uk:443>
        ServerName www.lochofclunie.org.uk
        ServerAlias lochofclunie.org.uk
        DocumentRoot /var/www/lochofclunie.org.uk
        ServerAdmin IT@lochofclunie.org.uk
        SSLEngine On

        # Support HTTP Strict Transport Security with long duration. Requires "a2enmod headers"
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

        ErrorLog /var/log/apache2/lochofclunie.org.uk_error_log
        CustomLog /var/log/apache2/lochofclunie.org.uk_access_log combined
        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateFile /etc/letsencrypt/live/www.lochofclunie.org.uk/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/www.lochofclunie.org.uk/privkey.pem
</VirtualHost>
```

Why is one using * and the other the domain name?

3 Likes

Probably better to make this `<VirtualHost *:443>`

4 Likes

I wrap my SSL configs in <IfModule mod_ssl.c></IfModule> tags, but it isn't strictly necessary. You will want to follow the previous recommendations to use * instead of a hostname.

I also have HTTP to HTTPS redirection in my HTTP configs and exceptions for the .well-known/acme-challenge path.

3 Likes
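Pulling together the advice in this thread (one file per site, `*:443` on both vhosts, the TLS half inside `<IfModule mod_ssl.c>`, and an HTTP-to-HTTPS redirect that leaves the ACME HTTP-01 path alone), here is an added example that renders such a file from a domain name. It is my own code, not anything posted in the thread or shipped by Apache or Certbot. It assumes the layout visible in the poster's configs: DocumentRoot under `/var/www/DOMAIN`, logs under `/var/log/apache2/`, and Certbot's live directory named after `www.DOMAIN`; the function name `render_site_conf` is mine.

```shell
#!/bin/sh
# Added example (not from the thread): print a complete per-site Apache config
# for one domain, with HTTP and HTTPS in the same file and name-based selection
# ("*") on both ports.

render_site_conf() {
    domain=$1
    cat <<EOF
<VirtualHost *:80>
    ServerName www.$domain
    ServerAlias $domain
    DocumentRoot /var/www/$domain
    ErrorLog /var/log/apache2/${domain}_error_log
    CustomLog /var/log/apache2/${domain}_access_log combined

    RewriteEngine on
    # Refuse TRACE/TRACK outright (kept from the poster's port-80 config).
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]
    # Serve Certbot's HTTP-01 challenge over plain HTTP; redirect everything else.
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName www.$domain
    ServerAlias $domain
    DocumentRoot /var/www/$domain
    ServerAdmin IT@$domain
    SSLEngine On

    # HTTP Strict Transport Security with long duration. Requires "a2enmod headers".
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    ErrorLog /var/log/apache2/${domain}_error_log
    CustomLog /var/log/apache2/${domain}_access_log combined
    Include /etc/letsencrypt/options-ssl-apache.conf
    # Assumes Certbot created the lineage under the www name, as in the poster's config.
    SSLCertificateFile /etc/letsencrypt/live/www.$domain/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.$domain/privkey.pem
</VirtualHost>
</IfModule>
EOF
}

# Demo: render the config for the domain from this thread.
render_site_conf lochofclunie.org.uk
```

Typical use on the server would be `render_site_conf lochofclunie.org.uk | sudo tee /etc/apache2/sites-available/lochofclunie.org.uk.conf`, then `a2ensite lochofclunie.org.uk`, `apache2ctl configtest`, `apache2ctl -t -D DUMP_VHOSTS` to confirm every `:443` entry now appears under the name-based group, and finally `systemctl reload apache2`. The redirect exception matters because Certbot's HTTP-01 validation fetches `/.well-known/acme-challenge/...` over port 80; redirecting it to HTTPS works only while the existing certificate is still valid, so it is safer to serve it directly.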

MikeMcQ, linkp, Osiris

THANK YOU!!!! This has been a valuable lesson to me.

I have refactored my config files so that each file handles one site, whether that's on 80 or 443, and I have wrapped the 443 in the IfModule tags. So not only do I have a better structure, but the initial problem I had is also now solved, I can also access the sites via the LAN IP address! Woot!

I think my problem all along was the Virtualhost xxxx:443 instead of Virtualhost *:443. What I've discovered is if ANY conf file has the Virtualhost xxxx:443 notation, it causes all the problems I was having. And I had missed updating one file. Now that they all have *:443, everything is working correctly.

Thank you SO much for all your help.

Jim

4 Likes