
I want to enable SSL on my Debian / Apache & Letsencrypt (by Certbot).

In ports.conf, both ports 80 & 443 are listening:

Listen 80

<IfModule ssl_module>
        Listen 443
</IfModule>

<IfModule mod_gnutls.c>
        Listen 443
</IfModule>

SSL is enabled:

> a2enmod ssl
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Module socache_shmcb already enabled
Module ssl already enabled

And my VirtualHosts are configured as follows: my-host.conf

    <VirtualHost XX.XX.XX.XX:80>
        ServerName www.myhost.com
        ServerAlias myhost.com
        Redirect / https://www.myhost.com
        DocumentRoot /home/myhost/www/public/
        CustomLog /var/log/apache2/myhost.com-access.log combined
        ErrorLog /var/log/apache2/lmyhost.com-error.log
        LogLevel warn
        <Directory "/home/myhost/www/public/">
                Require all granted
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order allow,deny
                allow from all
        </Directory>
    </VirtualHost>

myhost.com-le-ssl.conf:

<IfModule mod_ssl.c>
<VirtualHost XX.XX.XX.XX:443>
        ServerName www.myhost.com
        ServerAlias myhost.com
#       Redirect / https://www.myhost.com
        DocumentRoot /home/myhost/www/public/
        CustomLog /var/log/apache2/myhost.com-access.log combined
        ErrorLog /var/log/apache2/myhost.com-error.log
        LogLevel warn
        <Directory "/home/myhost/www/public/">
                Require all granted
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order allow,deny
                allow from all
        </Directory>
        SSLCertificateFile /etc/letsencrypt/live/www.myhost.com-0001/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/www.myhost.com-0001/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

When I try to go to http://www.myhost.com:443, it works. But with https://www.myhost.com I get an error in Chrome:

ERR_SSL_PROTOCOL_ERROR

On my server, when I check with:

openssl s_client -crlf -debug -connect www.myhost.com:443 -status -servername www.myhost.com

I get this:

...
124222757861008:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:782:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 323 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1494247901
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

And finally, in my Apache error log, I can see this:

[Sun May 07 20:06:53.419500 2017] [core:debug] [pid 18433] protocol.c(1275): [client xx.xx.xx.xx:52254] AH00566: request failed: malformed request line

In short, SSL is enabled, the port is correct and Apache responds when I call it by its host:port. But this port cannot call my certificate and open my host over https. It's like SSL is disabled...!

Can you give me some ways to resolve this? Thanks to all!

Cédric
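The two symptoms in the question, openssl s_client giving up with "unknown protocol" after reading only 7 bytes and Apache logging AH00566 "malformed request line", are what a listener that speaks plain HTTP on port 443 produces: Apache reads the TLS ClientHello as a request line and answers in cleartext. The following Python probe is an added example, not code from the question or the answers; it sends a minimal ClientHello and classifies the first bytes of the reply, and the listener it starts on 127.0.0.1 is a constructed stand-in for a vhost on 443 that has no TLS handling (host and port values are assumptions for the demonstration).

```python
import socket
import threading

# Constructed samples of the first bytes a listener can send back to a TLS ClientHello.
# A TLS server answers with a record header: type 0x16 (handshake) or 0x15 (alert),
# then record-layer version 0x03 0x0N.  A vhost listening on 443 without TLS treats
# the ClientHello as a request line, logs AH00566 and answers in cleartext, which is
# what s_client reports as "unknown protocol" after reading a few bytes.
SAMPLE_TLS_REPLY = bytes.fromhex("160303004a02000046")          # ServerHello header
SAMPLE_PLAIN_HTTP_REPLY = b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n\r\n"

# Minimal TLS 1.2 ClientHello (constructed): one cipher suite, no extensions, 50 bytes.
CLIENT_HELLO = bytes.fromhex(
    "160301002d" "01000029" "0303" + "00" * 32 + "00" "0002002f" "0100"
)


def classify_reply(first_bytes: bytes) -> str:
    """Classify what a listener sent back in reply to a TLS ClientHello."""
    if len(first_bytes) >= 3 and first_bytes[0] in (0x15, 0x16) and first_bytes[1] == 0x03:
        return "tls"            # handshake or alert record: TLS is being spoken
    if first_bytes.startswith(b"HTTP/") or first_bytes.lstrip().startswith(b"<"):
        return "plain-http"     # cleartext HTTP: the port is open, but no TLS on it
    if not first_bytes:
        return "closed"         # peer closed without sending anything
    return "unknown"


def probe_tls_port(host: str, port: int, timeout: float = 5.0) -> str:
    """Send a bare ClientHello and classify the first bytes of the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(CLIENT_HELLO)
        try:
            reply = sock.recv(64)
        except socket.timeout:
            return "silent"
    return classify_reply(reply)


def start_fake_plain_http_listener() -> int:
    """Local stand-in for Apache on 443 without TLS (constructed); returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(1024)                      # the ClientHello Apache would choke on
            conn.sendall(SAMPLE_PLAIN_HTTP_REPLY)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Running `probe_tls_port("www.myhost.com", 443)` against a correctly configured vhost returns "tls"; against the misconfiguration described in the question it returns "plain-http".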

2 Answers


I had the same problem as you did, and this was how I solved it, but the tl;dr is that:

  1. the vhost configuration file must end in .conf
  2. you have to put it in the sites-available directory, and then
  3. you have to run a2ensite to enable the site.
dirkgroten
PeterToTheThird
  • I tried this ... without success :/ I reinstalled my Debian and it works now. I don't know what happened ... Thanks for your reply! – Cédric May 28 '17 at 12:50

This issue, for me anyway, is typically a config mistake or happens during server migrations, e.g. the DNS is pointing to the wrong IP. Check your DNS A record closely.

This happens to me frequently on DNS migrations when the stale DNS record's TTL has not expired (it points to the old IP with the invalid cert); once it does expire, the DNS A record flicks over to the new IP address and the error no longer occurs.