This site can’t provide a secure connection dm1.vpcy.co.uk uses an unsupported protocol

My domain is: dm1.vpcy.co.uk

I ran this command: sudo certbot certonly --standalone --preferred-challenges http -d dm1.vpcy.co.uk

It produced this output: Certificates generated successfully.

My web server is (include version): Standalone

The operating system my web server runs on is (include version): Oracle Linux 8

My hosting provider, if applicable, is: names.co.uk

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
2.6.0

Generated the certificates for the load balancer, which has an Apache server running as backend set (no link to the server and certificates, as the certificate is generated for the load balancer).

Error when trying to ping the server:
https://dm1.vpcy.co.uk:443
This site can’t provide a secure connection dm1.vpcy.co.uk uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Unsupported protocol
The client and server don't support a common SSL protocol version or cipher suite.

Help me to eliminate this error, as I am using the latest Chrome browser and the latest certbot version.

It seems your load balancer refuses every SSL/TLS protocol in (current) existence:

osiris@erazer ~ $ sslscan dm1.vpcy.co.uk
Version: 2.0.11-static
OpenSSL 1.1.1m  14 Dec 2021

Connected to 152.70.73.253

Testing SSL server dm1.vpcy.co.uk on port 443 using SNI name dm1.vpcy.co.uk

  SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   disabled
TLSv1.1   disabled
TLSv1.2   disabled
TLSv1.3   disabled

(...)

Which is weird. But it looks more like a load balancer configuration than a certificate issue.

3 Likes

Hi Osiris,
Thanks for your reply.
There is another domain configured on the load balancer: https://test.vpcy.co.uk:443
The Let's Encrypt certificates for test.vpcy.co.uk are generated via sslforweb.com, and that one is working smoothly.
Tried generating the certificates for another domain via certbot. Same issue with that as well.

I concur:
openssl s_client -connect 152.70.73.253:443 -servername dm1.vpcy.co.uk

CONNECTED(000000DC)
548:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl\record\rec_layer_s3.c:1362:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 199 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1691651044
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

openssl s_client -connect 152.70.73.253:443 -servername test.vpcy.co.uk

CONNECTED(0000019C)
depth=0 CN = test.vpcy.co.uk
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = test.vpcy.co.uk
verify error:num=21:unable to verify the first certificate
verify return:1
Server did acknowledge servername extension.
---
Certificate chain
 0 s:/CN=test.vpcy.co.uk
   i:/C=US/O=Let's Encrypt/CN=R3
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/CN=test.vpcy.co.uk
issuer=/C=US/O=Let's Encrypt/CN=R3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2466 bytes and written 326 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: A940A1F89D34FF9433E421A72CD5111AFA935807A93BF110548CC37F1D573073
    Session-ID-ctx:
    Master-Key: 1BF235DF1C5E0940BECF62B52F7ABFF44402F6F49D68FA4E9E80A1DB9DF45A44E8A83F68C6606D8EA3A360248D53A19C
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 600 (seconds)
    TLS session ticket:
    0000 - e3 a8 27 bb f9 8e eb 6e-19 e9 ea 9b 9d f5 81 35   ..'....n.......5
    0010 - ad a3 d5 1b 08 cb a0 4a-30 d9 49 13 04 d1 e2 2b   .......J0.I....+
    0020 - 15 8a b6 86 b8 3e e2 aa-ab 4c 53 61 76 bf 94 08   .....>...LSav...
    0030 - 1c eb f3 1d 6f 1f 9b 37-1b 93 23 92 8f 87 06 e4   ....o..7..#.....
    0040 - 40 42 42 b8 96 77 fb dc-8f 6b 8c 98 27 01 fc 2a   @BB..w...k..'..*
    0050 - 1e a3 24 83 d1 aa 47 7d-05 34 8f e8 79 8e ee 60   ..$...G}.4..y..`
    0060 - 9f e9 ca 44 2f 54 04 a2-18 f7 e0 85 fa b2 0c 87   ...D/T..........
    0070 - d2 be 09 a4 ce 50 17 13-45 a1 7a 6e 6e a3 be d8   .....P..E.znn...
    0080 - 28 7d 43 1c fa e6 76 eb-7d 77 7e e4 d2 51 58 ba   (}C...v.}w~..QX.
    0090 - 15 fc e8 2b e0 de 99 3b-72 f7 e4 6c cd 43 72 9a   ...+...;r..l.Cr.
    00a0 - 90 e3 44 7f 3c b2 b0 1a-a0 38 7b 66 bf 52 39 58   ..D.<....8{f.R9X
    00b0 - 2f a6 8f 63 32 53 f6 11-2f a9 03 b0 3e 0f b5 b1   /..c2S../...>...

    Start Time: 1691651049
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
---
^C
3 Likes

Hi rg305,

Thanks for contributing!!

But there are other domains associated with the load balancer, from other certificate providers, which work smoothly when using your command (openssl s_client -connect 152.70.73.253:443 -servername other.domain) with them.

Unfortunately, I can't post the IP and the domain URL as they are confidential.

May I know, are there any bugs with the certbot 2.6.0 version? As the certificates prompt the UNSUPPORTED PROTOCOL error when generated.

Tried assigning the certificates to an Apache server earlier (without load balancer), but same error (with certbot 2.6.0 generated certificates).

It would be a great help if somebody could assist me regarding this.

Thank you.

1 Like

No. This is your service configuration that's broken: specifically, the service that is responding for the given SNI name dm1.vpcy.co.uk has no TLS support configured. Does your load balancer terminate TLS? If so, have you set up this SNI name there? Which load balancer system is it, and how is it configured?

The IP address itself does have a working TLS configuration:

sslscan 152.70.73.253
Version: 2.0.7
OpenSSL 3.0.2 15 Mar 2022

Connected to 152.70.73.253

Testing SSL server 152.70.73.253 on port 443 using SNI name 152.70.73.253

  SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   disabled
TLSv1.1   disabled
TLSv1.2   enabled
TLSv1.3   disabled

  TLS Fallback SCSV:
Server supports TLS Fallback SCSV

  TLS renegotiation:
Session renegotiation not supported

  TLS Compression:
OpenSSL version does not support compression
Rebuild with zlib1g-dev package for zlib support

  Heartbleed:
TLSv1.2 not vulnerable to heartbleed

  Supported Server Cipher(s):
Preferred TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA256       Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA384       Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-GCM-SHA384     DHE 4096 bits
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA256         DHE 4096 bits
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-GCM-SHA256     DHE 4096 bits
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA256         DHE 4096 bits

  Server Key Exchange Group(s):
TLSv1.2  141 bits  sect283k1
TLSv1.2  141 bits  sect283r1
TLSv1.2  204 bits  sect409k1
TLSv1.2  204 bits  sect409r1
TLSv1.2  285 bits  sect571k1
TLSv1.2  285 bits  sect571r1
TLSv1.2  128 bits  secp256k1
TLSv1.2  128 bits  secp256r1 (NIST P-256)
TLSv1.2  192 bits  secp384r1 (NIST P-384)
TLSv1.2  260 bits  secp521r1 (NIST P-521)
TLSv1.2  128 bits  brainpoolP256r1
TLSv1.2  192 bits  brainpoolP384r1
TLSv1.2  256 bits  brainpoolP512r1

  SSL Certificate:
Signature Algorithm: sha256WithRSAEncryption
RSA Key Strength:    4096

Subject:  test.vpcy.co.uk
Altnames: DNS:test.vpcy.co.uk
Issuer:   R3

Not valid before: Jul 25 06:53:10 2023 GMT
Not valid after:  Oct 23 06:53:09 2023 GMT

Your best solution is to assume the problem is in your own configuration, and nothing to do with certbot. Review your service configuration to ensure you have TLS enabled for this SNI name.

3 Likes

That only happens when the web server [load balancer] tries to serve that one specific site.
I suspect the problem to be within that specific vhost configuration, as all others work OK, even when using certs from LE.

3 Likes

Could it be an RSA vs. ECDSA problem?

Both certificates for dm1.vpcy.co.uk are ECDSA. The single cert for test.vpcy.co.uk is RSA.

Perhaps OP should try to get a new cert using --key-type rsa and try that one?

3 Likes
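The replies above do the triage by hand: scan the bare IP and the SNI name separately, read the alert the server returns, and compare the key type of the working certificate with the failing one. The script below, added here as an illustration and not part of the thread or of certbot, automates that comparison. The helper names (`probe`, `classify_ssl_error`, `key_type_from_der`, `diagnose`) are this example's own; the IP and hostnames are the ones quoted in the thread. It assumes the alert can be recognised from OpenSSL's error string, and it tells RSA from ECDSA keys by searching the DER certificate for the SubjectPublicKeyInfo algorithm OID, a deliberate shortcut that avoids an ASN.1 library. The live probe needs network access; the classification helpers run offline.

```python
"""Added example (not from the thread): reproduce the thread's TLS triage in code.

Probe one IP twice, once with the failing SNI name and once without, and compare
what each vhost negotiates. Helper names are this example's own assumptions."""
import socket
import ssl
from typing import Optional

# Tag + length + DER contents of the SubjectPublicKeyInfo algorithm OIDs. The
# certificate's *signature* OIDs share the prefix but end in a different last byte
# (sha256WithRSAEncryption is ...01 01 0b), so these patterns hit only the SPKI.
_RSA_SPKI = b"\x06\x09" + bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
_EC_SPKI = b"\x06\x07" + bytes.fromhex("2a8648ce3d0201")       # 1.2.840.10045.2.1


def key_type_from_der(der: bytes) -> str:
    """Classify a DER certificate's key as RSA or EC by its SPKI algorithm OID."""
    if _RSA_SPKI in der:
        return "RSA"
    if _EC_SPKI in der:
        return "EC"
    return "unknown"


def classify_ssl_error(message: str) -> str:
    """Map an OpenSSL error string onto the TLS alert the server sent (assumed wording)."""
    text = message.lower()
    if "handshake failure" in text or "alert number 40" in text:
        # Alert 40: the server found no protocol, cipher or certificate usable for this hello.
        return "handshake_failure"
    if "unrecognized name" in text or "alert number 112" in text:
        return "unrecognized_name"
    if "protocol version" in text or "alert number 70" in text:
        return "protocol_version"
    return "other: " + message


def probe(ip: str, sni: Optional[str], port: int = 443, timeout: float = 5.0) -> dict:
    """One TLS connection to ip:port offering `sni` (or no SNI at all).

    Verification is disabled on purpose: the question is whether the vhost behind
    this SNI name negotiates TLS at all, not whether its chain validates."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                der = tls.getpeercert(binary_form=True) or b""
                return {"sni": sni, "ok": True, "protocol": tls.version(),
                        "cipher": tls.cipher()[0], "key_type": key_type_from_der(der)}
    except ssl.SSLError as exc:
        return {"sni": sni, "ok": False, "error": classify_ssl_error(str(exc))}
    except OSError as exc:
        return {"sni": sni, "ok": False, "error": "tcp: " + str(exc)}


def diagnose(sni_result: dict, bare_ip_result: dict) -> str:
    """Turn the SNI probe and the bare-IP probe into the conclusion the thread reached."""
    name = sni_result["sni"]
    if sni_result["ok"]:
        return (f"{name} negotiates {sni_result['protocol']} {sni_result['cipher']} "
                f"with an {sni_result['key_type']} certificate")
    if not bare_ip_result["ok"]:
        return "nothing on this IP:port negotiates TLS; the listener itself lacks TLS"
    if sni_result["error"] == "handshake_failure":
        return (f"TLS works on the bare IP but the vhost answering SNI {name} rejects "
                "every protocol: fix that vhost's TLS configuration, not the certificate")
    return f"unexpected failure for SNI {name}: {sni_result['error']}"


if __name__ == "__main__":
    ip = "152.70.73.253"                     # the load balancer quoted in the thread
    with_sni = probe(ip, "dm1.vpcy.co.uk")   # the failing name
    without = probe(ip, None)                # what the IP serves by default
    for result in (with_sni, without):
        print(result)
    print(diagnose(with_sni, without))
```

When the SNI probe comes back as `handshake_failure` while the bare IP negotiates TLSv1.2 with an RSA certificate, the conclusion matches the thread: the listener is fine and the vhost for that name is what needs attention. If the SNI probe instead succeeds, the reported `key_type` is the quick way to check the RSA-versus-ECDSA hypothesis before reissuing with `--key-type rsa`.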

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.