I ran this command: sudo certbot certonly --standalone --preferred-challenges http -d dm1.vpcy.co.uk
It produced this output: Certificates generated successful.
My web server is (include version): Standalone
The operating system my web server runs on is (include version): Oracle Linux 8
My hosting provider, if applicable, is: names.co.uk
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
2.6.0
Generated the certificates for the load balancer, which has an Apache server running as its backend set (no link to the server and certificates, as the certificate is generated for the load balancer).
Error when trying to ping the server: https://dm1.vpcy.co.uk:443
This site can’t provide a secure connection dm1.vpcy.co.uk uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Unsupported protocol
The client and server don't support a common SSL protocol version or cipher suite.
Help me to eliminate this error, as I am using the latest Chrome browser and the latest certbot version.
Hi Osiris,
Thanks for your reply.
There is another domain configured to the load balancer: https://test.vpcy.co.uk:443
The Let's Encrypt certificates are generated via sslforweb.com for (test.vpcy.co.uk), which is working smoothly.
Tried generating the certificates for another domain via certbot. Same issue with that as well.
But there are other domains associated with the load balancer, from other certificate providers, which work smoothly when using your command (openssl s_client -connect 152.70.73.253:443 -servername other.domain) with them.
Unfortunately I can't post the IP and the domain URL as they are confidential.
May I know whether there are any bugs in certbot version 2.6.0, as the certificates prompt the UNSUPPORTED PROTOCOL error when generated?
Tried assigning the certificates to an Apache server earlier (without the load balancer) but got the same error (with certbot 2.6.0 generated certificates).
It would be a great help if somebody could assist me regarding this.
No. This is your service configuration that's broken; specifically, the service that is responding for the given SNI name dm1.vpcy.co.uk has no TLS support configured. Does your load balancer terminate TLS? If so, have you set up this SNI name there? Which load balancer system is it and how is it configured?
The IP address itself does have a working TLS configuration:
sslscan 152.70.73.253
Version: 2.0.7
OpenSSL 3.0.2 15 Mar 2022
Connected to 152.70.73.253
Testing SSL server 152.70.73.253 on port 443 using SNI name 152.70.73.253
SSL/TLS Protocols:
SSLv2 disabled
SSLv3 disabled
TLSv1.0 disabled
TLSv1.1 disabled
TLSv1.2 enabled
TLSv1.3 disabled
TLS Fallback SCSV:
Server supports TLS Fallback SCSV
TLS renegotiation:
Session renegotiation not supported
TLS Compression:
OpenSSL version does not support compression
Rebuild with zlib1g-dev package for zlib support
Heartbleed:
TLSv1.2 not vulnerable to heartbleed
Supported Server Cipher(s):
Preferred TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA256 Curve P-256 DHE 256
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve P-256 DHE 256
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA384 Curve P-256 DHE 256
Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 4096 bits
Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA256 DHE 4096 bits
Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256 DHE 4096 bits
Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA256 DHE 4096 bits
Server Key Exchange Group(s):
TLSv1.2 141 bits sect283k1
TLSv1.2 141 bits sect283r1
TLSv1.2 204 bits sect409k1
TLSv1.2 204 bits sect409r1
TLSv1.2 285 bits sect571k1
TLSv1.2 285 bits sect571r1
TLSv1.2 128 bits secp256k1
TLSv1.2 128 bits secp256r1 (NIST P-256)
TLSv1.2 192 bits secp384r1 (NIST P-384)
TLSv1.2 260 bits secp521r1 (NIST P-521)
TLSv1.2 128 bits brainpoolP256r1
TLSv1.2 192 bits brainpoolP384r1
TLSv1.2 256 bits brainpoolP512r1
SSL Certificate:
Signature Algorithm: sha256WithRSAEncryption
RSA Key Strength: 4096
Subject: test.vpcy.co.uk
Altnames: DNS:test.vpcy.co.uk
Issuer: R3
Not valid before: Jul 25 06:53:10 2023 GMT
Not valid after: Oct 23 06:53:09 2023 GMT
Your best solution is to assume the problem is in your own configuration, and nothing to do with certbot. Review your service configuration to ensure you have TLS enabled for this SNI name.
That only happens when the web server [load balancer] tries to serve that one specific site.
I suspect the problem to be within that specific vhost configuration, as all others work OK, even when using certs from LE.
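The sslscan output quoted above was taken against the bare IP, so it used the IP as the SNI name and returned the certificate for test.vpcy.co.uk; it shows nothing about what is served for dm1.vpcy.co.uk. The following is an added example, not code from any poster in this thread: it parses sslscan text and reports what a given scan does and does not prove about a hostname. The function names are hypothetical and the sample is constructed from the lines quoted in the thread.

```python
import re

# Constructed sample: the relevant lines of the sslscan output quoted in the thread.
SAMPLE_SCAN = """\
Testing SSL server 152.70.73.253 on port 443 using SNI name 152.70.73.253
SSLv3 disabled
TLSv1.1 disabled
TLSv1.2 enabled
TLSv1.3 disabled
Subject: test.vpcy.co.uk
Altnames: DNS:test.vpcy.co.uk
Issuer: R3
"""

def parse_sslscan(text):
    """Extract the SNI name used, the enabled protocols and the certificate names."""
    report = {"sni": None, "protocols": [], "names": set()}
    for line in text.splitlines():
        line = line.strip()
        if m := re.search(r"using SNI name (\S+)$", line):
            report["sni"] = m.group(1).lower()
        elif m := re.fullmatch(r"((?:SSL|TLS)v[\d.]+)\s+enabled", line):
            report["protocols"].append(m.group(1))
        elif m := re.fullmatch(r"Subject:\s+(\S+)", line):
            report["names"].add(m.group(1).lower())
        elif line.startswith("Altnames:"):
            report["names"].update(n.lower() for n in re.findall(r"DNS:([^\s,]+)", line))
    return report

def name_matches(pattern, hostname):
    """Certificate name match; '*' is honoured only as the whole left-most label."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h):
        return False
    return (p[0] == "*" or p[0] == h[0]) and p[1:] == h[1:]

def assess(report, hostname):
    """Say what this scan does and does not prove about `hostname`."""
    findings = []
    if report["sni"] != hostname.lower():
        findings.append(f"scan used SNI {report['sni']}, not {hostname}: rescan with that name")
    if not any(name_matches(n, hostname) for n in report["names"]):
        findings.append(f"certificate {sorted(report['names'])} does not cover {hostname}")
    if not report["protocols"]:
        findings.append("no protocol enabled for the scanned name")
    return findings
```

Running `assess(parse_sslscan(SAMPLE_SCAN), "dm1.vpcy.co.uk")` returns two findings: the scan used the wrong SNI name, and the certificate served does not cover the hostname. To test the failing name itself, repeat the scan or the `openssl s_client ... -servername` command from the thread with dm1.vpcy.co.uk as the server name.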