I'm using Let's Encrypt via a tool called Lets Proxy which automatically sets up certificates.
This works as expected on www.barkestoneassociates.com but not on barkestoneassociates.com (non-www), which just gives the ERR_SSL_PROTOCOL_ERROR error.
Can anyone offer any insight as to what may be wrong here please?
Thanks for your help.
My domain is:
barkestoneassociates.com
It produced this output:
This site can't provide a secure connection
barkestoneassociates.com sent an invalid response.
ERR_SSL_PROTOCOL_ERROR
My web server is (include version):
Apache/2.4.29
The operating system my web server runs on is (include version):
Ubuntu 18.04.5
The server barkestoneassociates.com does not send a certificate:
$ openssl s_client -connect barkestoneassociates.com:443
CONNECTED(00000003)
3069296656:error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:../ssl/record/rec_layer_s3.c:1544:SSL alert number 80
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 316 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
You may want to check the configuration of the apache web server. It is worthwhile to have a look at the error log as well.
Thanks for your input.
Do you think it could be a case of having to try and re-issue the certificate?
Although, I'm pretty sure that is what Lets Proxy tries to do anyway.
It's odd because I have other domains on the same server working on both www and non-www with the same config.
At first I wondered if there could be an issue with AAAA records but don't think the domain has any of these.
It's a strange one.
Osiris, March 8, 2021, 3:09pm
This is not a certificate issue, but a server configuration issue. Re-issuing the certificate will most likely not fix the configuration issue at hand.
That said, after looking a little bit closer:
Your Lets Proxy instance isn't able to get a certificate for your apex domain at all recently. So there lies your problem: without a valid certificate, Lets Proxy is refusing any connection.
Please check the Lets Proxy logs for any reason why it might fail to get a certificate for barkestoneassociates.com.
Thanks for your reply and info.
I've checked the logs and there are a lot of entries referring to this domain.
It mentions "Can't get certificate from local state" for example:
2021-03-08T15:15:48.737Z info tlslistener/tlslistenershandler.go:231 TLS Handshake {"connection_id": "a3ebd36c-3b97-480b-b52c-a57fd412f171", "error": "have no certificate for domain"}
2021-03-08T15:15:48.811Z info cert_manager/manager.go:156 Get certificate {"connection_id": "454194ea-c78f-4f9f-ab6c-57e5c951a86c", "domain": "barkestoneassociates.com (punycode:barkestoneassociates.com)", "original_domain": "barkestoneassociates.com"}
2021-03-08T15:15:48.812Z error cert_manager/manager.go:233 Can't get certificate from local state {"connection_id": "454194ea-c78f-4f9f-ab6c-57e5c951a86c", "domain": "barkestoneassociates.com (punycode:barkestoneassociates.com)", "cert_name": "barkestoneassociates.com.ecdsa", "error": "x509: certificate is valid for www.barkestoneassocia$
github.com/rekby/lets-proxy2/internal/log.levelParam
/home/travis/gopath/src/github.com/rekby/lets-proxy2/internal/log/log.go:203
github.com/rekby/lets-proxy2/internal/log.LevelParam
/home/travis/gopath/src/github.com/rekby/lets-proxy2/internal/log/log.go:193
github.com/rekby/lets-proxy2/internal/cert_manager.(*Manager).getCertificate
/home/travis/gopath/src/github.com/rekby/lets-proxy2/internal/cert_manager/manager.go:233
github.com/rekby/lets-proxy2/internal/cert_manager.(*Manager).GetCertificate
/home/travis/gopath/src/github.com/rekby/lets-proxy2/internal/cert_manager/manager.go:165
crypto/tls.(*Config).getCertificate
/home/travis/.gimme/versions/go1.14.linux.amd64/src/crypto/tls/common.go:870
crypto/tls.(*serverHandshakeStateTLS13).pickCertificate
/home/travis/.gimme/versions/go1.14.linux.amd64/src/crypto/tls/handshake_server_tls13.go:364
crypto/tls.(*serverHandshakeStateTLS13).handshake
/home/travis/.gimme/versions/go1.14.linux.amd64/src/crypto/tls/handshake_server_tls13.go:52
crypto/tls.(*Conn).serverHandshake
/home/travis/.gimme/versions/go1.14.linux.amd64/src/crypto/tls/handshake_server.go:53
crypto/tls.(*Conn).Handshake
/home/travis/.gimme/versions/go1.14.linux.amd64/src/crypto/tls/conn.go:1342
github.com/rekby/lets-proxy2/internal/tlslistener.(*ListenersHandler).handleTCPTLSConnection
/home/travis/gopath/src/github.com/rekby/lets-proxy2/internal/tlslistener/tlslistenershandler.go:230
2021-03-08T15:15:48.812Z info cert_manager/manager.go:166 Got certificate {"connection_id": "454194ea-c78f-4f9f-ab6c-57e5c951a86c", "domain": "barkestoneassociates.com (punycode:barkestoneassociates.com)", "certificate": "tls nil", "error": "have no certificate for domain"}
2021-03-08T15:15:48.812Z info cert_manager/manager.go:171 ECDSA certificate was failed, try to get RSA certificate {"connection_id": "454194ea-c78f-4f9f-ab6c-57e5c951a86c", "domain": "barkestoneassociates.com (punycode:barkestoneassociates.com)"}
2021-03-08T15:15:48.812Z error cert_manager/manager.go:233 Can't get certificate from local state {"connection_id": "454194ea-c78f-4f9f-ab6c-57e5c951a86c", "domain": "barkestoneassociates.com (punycode:barkestoneassociates.com)", "retry_type": "rsa", "cert_name": "barkestoneassociates.com.rsa", "error": "x509: certificate is valid for ww$
github.com/rekby/lets-proxy2/internal/log.levelParam
/home/travis/gopath/src/github.com/rekby/lets-proxy2/internal/log/log.go:203
github.com/rekby/lets-proxy2/internal/log.LevelParam
/home/travis/gopath/src/github.com/rekby/lets-proxy2/internal/log/log.go:193
github.com/rekby/lets-proxy2/internal/cert_manager.(*Manager).getCertificate
/home/travis/gopath/src/github.com/rekby/lets-proxy2/internal/cert_manager/manager.go:233
github.com/rekby/lets-proxy2/internal/cert_manager.(*Manager).GetCertificate
/home/travis/gopath/src/github.com/rekby/lets-proxy2/internal/cert_manager/manager.go:173
crypto/tls.(*Config).getCertificate
/home/travis/.gimme/versions/go1.14.linux.amd64/src/crypto/tls/common.go:870
crypto/tls.(*serverHandshakeStateTLS13).pickCertificate
/home/travis/.gimme/versions/go1.14.linux.amd64/src/crypto/tls/handshake_server_tls13.go:364
crypto/tls.(*serverHandshakeStateTLS13).handshake
/home/travis/.gimme/versions/go1.14.linux.amd64/src/crypto/tls/handshake_server_tls13.go:52
crypto/tls.(*Conn).serverHandshake
/home/travis/.gimme/versions/go1.14.linux.amd64/src/crypto/tls/handshake_server.go:53
crypto/tls.(*Conn).Handshake
/home/travis/.gimme/versions/go1.14.linux.amd64/src/crypto/tls/conn.go:1342
github.com/rekby/lets-proxy2/internal/tlslistener.(*ListenersHandler).handleTCPTLSConnection
/home/travis/gopath/src/github.com/rekby/lets-proxy2/internal/tlslistener/tlslistenershandler.go:230
It's not clear to me as to why this may be.
Osiris, March 8, 2021, 4:57pm
To me, it looks like those are errors from the part of lets-proxy which is trying to access an already stored certificate, but failing. I don't see any error regarding a request for such a certificate to the Let's Encrypt ACME server.
Perhaps you can file an issue at the lets-proxy2 github page?
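The log excerpt above and the reply explaining it both point at the same mechanism: lets-proxy's Go runtime asks its cache for a certificate named after the SNI host (ECDSA first, then RSA), and Go's crypto/x509 hostname check rejects the cached certificate because its subjectAltName list does not include the apex name, so the TLS 1.3 handshake fails with an internal_error alert instead of a certificate. The following is an added example, not lets-proxy's own code: it re-implements that hostname matching rule (exact or single-label wildcard DNS SAN, case-insensitive) in Python, emulates the ecdsa-then-rsa lookup seen in the log, and runs it over a constructed certificate store in which the apex's cached entries only carry the www name. The store contents, the `CachedCert` type and the function names are assumptions made for the example.

```python
"""Emulate the certificate lookup and hostname check that produced the
"x509: certificate is valid for ..., not ..." errors in the lets-proxy log.

Assumption: the cache stores one entry per "<sni>.ecdsa" / "<sni>.rsa" key,
and a cached entry is only usable if one of its DNS SANs covers the SNI host.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class CachedCert:
    name: str              # cache key, e.g. "barkestoneassociates.com.ecdsa"
    dns_names: List[str]   # subjectAltName DNS entries of the stored cert


def _match_hostname(pattern: str, host: str) -> bool:
    """Go crypto/x509 style match: labels must agree one-to-one, except that a
    leftmost label that is exactly '*' matches exactly one host label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern or not host:
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels):
        return False   # "*.example.com" does not cover "example.com" or "a.b.example.com"
    for i, (p, h) in enumerate(zip(p_labels, h_labels)):
        if i == 0 and p == "*":
            continue
        if p != h:
            return False
    return True


def verify_hostname(cert: CachedCert, host: str) -> Optional[str]:
    """Return None when the cert covers host, otherwise the Go-style error text."""
    if any(_match_hostname(san, host) for san in cert.dns_names):
        return None
    return f"x509: certificate is valid for {', '.join(cert.dns_names)}, not {host}"


def pick_certificate(store: Dict[str, CachedCert], sni: str) -> Tuple[Optional[CachedCert], List[str]]:
    """Try "<sni>.ecdsa" then "<sni>.rsa", as the log shows lets-proxy doing.
    Returns (usable cert or None, list of per-attempt errors)."""
    errors: List[str] = []
    for key_type in ("ecdsa", "rsa"):
        cert_name = f"{sni}.{key_type}"
        cert = store.get(cert_name)
        if cert is None:
            errors.append(f"{cert_name}: not present in local state")
            continue
        err = verify_hostname(cert, sni)
        if err is None:
            return cert, errors
        errors.append(f"{cert_name}: {err}")
    return None, errors   # caller would fail the handshake: "have no certificate for domain"


APEX = "barkestoneassociates.com"
WWW = "www.barkestoneassociates.com"

# Constructed store (assumption): the www entries are fine, but the entries
# cached under the apex name were issued for the www name only.
SAMPLE_STORE: Dict[str, CachedCert] = {
    f"{WWW}.ecdsa": CachedCert(f"{WWW}.ecdsa", [WWW]),
    f"{WWW}.rsa": CachedCert(f"{WWW}.rsa", [WWW]),
    f"{APEX}.ecdsa": CachedCert(f"{APEX}.ecdsa", [WWW]),
    f"{APEX}.rsa": CachedCert(f"{APEX}.rsa", [WWW]),
}


def diagnose(store: Dict[str, CachedCert], hosts: List[str]) -> Dict[str, bool]:
    """Report, per host, whether a handshake for that SNI would get a certificate."""
    result: Dict[str, bool] = {}
    for host in hosts:
        cert, errors = pick_certificate(store, host)
        result[host] = cert is not None
        print(f"{host}: {'OK, serving ' + cert.name if cert else 'NO CERTIFICATE'}")
        for e in errors:
            print(f"  {e}")
    return result


if __name__ == "__main__":
    diagnose(SAMPLE_STORE, [WWW, APEX])
```

Running the block reproduces the asymmetry from the thread: the www host is served, while the apex host fails both the ecdsa and rsa attempts with the "valid for www..., not ..." message. The fix is on the issuance side (the apex name must appear in the SANs of the certificate lets-proxy caches for it), not on the Apache side, which never sees the connection.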
Thanks for your reply.
Yes, I will put in an issue at Lets Proxy and see where that gets me.
system, Closed, April 8, 2021, 8:57am
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.