Apache2 SSL isn't using certificate

I’m changing hosts and in the process I’m moving all of my server config and remaking SSL certificates. I just created one with let’s encrypt and it is in my /etc/letsencrypt directory. I have that all set up in my Apache config:

<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin trent@riverside.rocks
ServerName riverside.rocks
ServerAlias https://riverside.rocks
DocumentRoot /var/www/new
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

RemoteIPHeader CF-Connecting-IP

SSLCertificateFile /etc/letsencrypt/live/riverside.rocks/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/riverside.rocks/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

However, when I visit https://riverside.rocks:

ERR_SSL_PROTOCOL_ERROR

I don’t get whats going wrong, I’ve check all on the SSL certificate files (they all exist) and the include file exists. OpenSSL’s checker shows that Apache isn’t serving the cert:

# openssl s_client -connect localhost:443
CONNECTED(00000003)
140380571874688:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 283 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

(if you are trying to visit riverisde.rocks now it may be on my other vps and that is why it is working)

Your configuration is missing SSLEngine on so it’s still serving using HTTP rather than HTTPS.

For info, just serving on port 443 isn’t enough, you need to tell Apache you want SSL enabled. That 443 is running SSL is a convention, not a hard rule.

Thanks for the advice, I added that to my sites-available config and checked that mod_ssl is enabled, (it is) and still no luck.

When changing domains I prefer to:

  1. delete the /etc/apache2/sites-available/domain-name-SSL.conf file
  2. remove all references to SSL in the http conf file
  3. systemctl reload apache2
  4. call certbot —apache2 to renew the SSL certificate.

I suppose I could still do that, but if there a way to recreate the cert instead?

Try installing certbot from the following tutorial and calling “certbot —apache ” lists all available server domains. Certbot can then be passed parameters to reload or reinstall certificates.