This site can’t provide a secure connection ERR_SSL_PROTOCOL_ERROR

I'm using Let's Encrypt via a tool called Lets Proxy which automatically sets up certificates.

This works as expected on www.barkestoneassociates.com but not on barkestoneassociates.com (non-www) - just giving the ERR_SSL_PROTOCOL_ERROR error?

Can anyone offer any insight as to what may be wrong here please?

Thanks for your help.

My domain is:
barkestoneassociates.com

It produced this output:
This site can’t provide a secure connection
barkestoneassociates.com sent an invalid response.
ERR_SSL_PROTOCOL_ERROR

My web server is (include version):
Apache/2.4.29

The operating system my web server runs on is (include version):
Ubuntu 18.04.5


The server barkestoneassociates.com does not send a certificate:

$ openssl s_client -connect barkestoneassociates.com:443
CONNECTED(00000003)
3069296656:error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:../ssl/record/rec_layer_s3.c:1544:SSL alert number 80
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 316 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

You may want to check the configuration of the apache web server. It is worthwhile to have a look at the error log as well.


Thanks for your input.

Do you think it could be a case of having to try and re-issue the certificate?

Although, I'm pretty sure that is what Lets Proxy tries to do anyway.

It's odd because I have other domains on the same server working on both www and non-www with the same config.

At first I wondered if there could be an issue with AAAA records but don't think the domain has any of these.

It's a strange one.

This is not a certificate issue, but a server configuration issue. Re-issuing the certificate will most likely not fix the configuration issue at hand.

That said, after looking a little bit closer:

Your Lets Proxy instance isn't able to get a certificate for your apex domain at all recently. So there lies your problem: without a valid certificate, Lets Proxy is refusing any connection.

Please check the Lets Proxy logs for any reason why it might fail to get a certificate for barkestoneassociates.com.

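A small checker in the spirit of the openssl s_client test earlier in the thread, added here as an example (it is not part of the thread and not Lets Proxy code): it connects with SNI to each hostname, reports whether the server sent a certificate at all (the apex domain above aborts the handshake with an alert), and if a chain was served, whether any dNSName SAN actually covers that name. The hostnames are the ones from the thread; the network part only runs under `__main__`, the SAN matching is offline.

```python
import socket
import ssl


def hostname_covered(hostname: str, sans: list[str]) -> bool:
    """Return True if one dNSName SAN covers hostname.

    Labels match case-insensitively; a wildcard is honoured only as the whole
    leftmost label and matches exactly one label, so "*.example.com" covers
    "www.example.com" but not "example.com" or "a.b.example.com".
    """
    host = hostname.lower().rstrip(".").split(".")
    for san in sans:
        pat = san.lower().rstrip(".").split(".")
        if len(pat) != len(host):
            continue
        if pat == host:
            return True
        if pat[0] == "*" and len(pat) >= 3 and pat[1:] == host[1:]:
            return True
    return False


def classify(hostname: str, port: int = 443, timeout: float = 5.0) -> tuple[str, list[str]]:
    """Connect with SNI=hostname and classify the outcome.

    Returns (status, sans): "no_cert: ..." when the server aborts the handshake
    before presenting a certificate (the apex behaviour in this thread),
    "untrusted_chain: ..." when a chain is served but does not verify,
    "mismatch" when it verifies but no SAN covers hostname, "ok" otherwise.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # name check is done by hostname_covered() below
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return f"untrusted_chain: {exc.verify_message}", []
    except ssl.SSLError as exc:
        return f"no_cert: {exc.reason}", []  # e.g. TLSV1_ALERT_INTERNAL_ERROR
    except OSError as exc:
        return f"connect_failed: {exc}", []
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return ("ok" if hostname_covered(hostname, sans) else "mismatch"), sans


if __name__ == "__main__":
    for name in ("barkestoneassociates.com", "www.barkestoneassociates.com"):
        status, sans = classify(name)
        print(f"{name}: {status} SANs={sans}")
```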

Thanks for your reply and info.

I've checked the logs and there are a lot of entries referring to this domain.

It mentions "Can't get certificate from local state" for example:

2021-03-08T15:15:48.737Z        info    tlslistener/tlslistenershandler.go:231  TLS Handshake   {"connection_id": "a3ebd36c-3b97-480b-b52c-a57fd412f171", "error": "have no certificate for domain"}
2021-03-08T15:15:48.811Z        info    cert_manager/manager.go:156     Get certificate {"connection_id": "454194ea-c78f-4f9f-ab6c-57e5c951a86c", "domain": "barkestoneassociates.com (punycode:barkestoneassociates.com)", "original_domain": "barkestoneassociates.com"}
2021-03-08T15:15:48.812Z        error   cert_manager/manager.go:233     Can't get certificate from local state  {"connection_id": "454194ea-c78f-4f9f-ab6c-57e5c951a86c", "domain": "barkestoneassociates.com (punycode:barkestoneassociates.com)", "cert_name": "barkestoneassociates.com.ecdsa", "error": "x509: certificate is valid for www.barkestoneassocia$
github.com/rekby/lets-proxy2/internal/log.levelParam
        /home/travis/gopath/src/github.com/rekby/lets-proxy2/internal/log/log.go:203
github.com/rekby/lets-proxy2/internal/log.LevelParam
        /home/travis/gopath/src/github.com/rekby/lets-proxy2/internal/log/log.go:193
github.com/rekby/lets-proxy2/internal/cert_manager.(*Manager).getCertificate
        /home/travis/gopath/src/github.com/rekby/lets-proxy2/internal/cert_manager/manager.go:233
github.com/rekby/lets-proxy2/internal/cert_manager.(*Manager).GetCertificate
        /home/travis/gopath/src/github.com/rekby/lets-proxy2/internal/cert_manager/manager.go:165
crypto/tls.(*Config).getCertificate
        /home/travis/.gimme/versions/go1.14.linux.amd64/src/crypto/tls/common.go:870
crypto/tls.(*serverHandshakeStateTLS13).pickCertificate
        /home/travis/.gimme/versions/go1.14.linux.amd64/src/crypto/tls/handshake_server_tls13.go:364
crypto/tls.(*serverHandshakeStateTLS13).handshake
        /home/travis/.gimme/versions/go1.14.linux.amd64/src/crypto/tls/handshake_server_tls13.go:52
crypto/tls.(*Conn).serverHandshake
        /home/travis/.gimme/versions/go1.14.linux.amd64/src/crypto/tls/handshake_server.go:53
crypto/tls.(*Conn).Handshake
        /home/travis/.gimme/versions/go1.14.linux.amd64/src/crypto/tls/conn.go:1342
github.com/rekby/lets-proxy2/internal/tlslistener.(*ListenersHandler).handleTCPTLSConnection
        /home/travis/gopath/src/github.com/rekby/lets-proxy2/internal/tlslistener/tlslistenershandler.go:230
2021-03-08T15:15:48.812Z        info    cert_manager/manager.go:166     Got certificate {"connection_id": "454194ea-c78f-4f9f-ab6c-57e5c951a86c", "domain": "barkestoneassociates.com (punycode:barkestoneassociates.com)", "certificate": "tls nil", "error": "have no certificate for domain"}
2021-03-08T15:15:48.812Z        info    cert_manager/manager.go:171     ECDSA certificate was failed, try to get RSA certificate        {"connection_id": "454194ea-c78f-4f9f-ab6c-57e5c951a86c", "domain": "barkestoneassociates.com (punycode:barkestoneassociates.com)"}
2021-03-08T15:15:48.812Z        error   cert_manager/manager.go:233     Can't get certificate from local state  {"connection_id": "454194ea-c78f-4f9f-ab6c-57e5c951a86c", "domain": "barkestoneassociates.com (punycode:barkestoneassociates.com)", "retry_type": "rsa", "cert_name": "barkestoneassociates.com.rsa", "error": "x509: certificate is valid for ww$
github.com/rekby/lets-proxy2/internal/log.levelParam
        /home/travis/gopath/src/github.com/rekby/lets-proxy2/internal/log/log.go:203
github.com/rekby/lets-proxy2/internal/log.LevelParam
        /home/travis/gopath/src/github.com/rekby/lets-proxy2/internal/log/log.go:193
github.com/rekby/lets-proxy2/internal/cert_manager.(*Manager).getCertificate
        /home/travis/gopath/src/github.com/rekby/lets-proxy2/internal/cert_manager/manager.go:233
github.com/rekby/lets-proxy2/internal/cert_manager.(*Manager).GetCertificate
        /home/travis/gopath/src/github.com/rekby/lets-proxy2/internal/cert_manager/manager.go:173
crypto/tls.(*Config).getCertificate
        /home/travis/.gimme/versions/go1.14.linux.amd64/src/crypto/tls/common.go:870
crypto/tls.(*serverHandshakeStateTLS13).pickCertificate
        /home/travis/.gimme/versions/go1.14.linux.amd64/src/crypto/tls/handshake_server_tls13.go:364
crypto/tls.(*serverHandshakeStateTLS13).handshake
        /home/travis/.gimme/versions/go1.14.linux.amd64/src/crypto/tls/handshake_server_tls13.go:52
crypto/tls.(*Conn).serverHandshake
        /home/travis/.gimme/versions/go1.14.linux.amd64/src/crypto/tls/handshake_server.go:53
crypto/tls.(*Conn).Handshake
        /home/travis/.gimme/versions/go1.14.linux.amd64/src/crypto/tls/conn.go:1342
github.com/rekby/lets-proxy2/internal/tlslistener.(*ListenersHandler).handleTCPTLSConnection
        /home/travis/gopath/src/github.com/rekby/lets-proxy2/internal/tlslistener/tlslistenershandler.go:230

It's not clear to me as to why this may be.


To me, it looks like those are errors of the part of lets-proxy which is trying to access an already stored certificate, but failing. I don't see any error regarding a request for such a certificate to the Let's Encrypt ACME server.

Perhaps you can file an issue at the lets-proxy2 GitHub page?


Thanks for your reply.

Yes, I will put in an issue at lets proxy and see where that gets me.
