Apache2 SSL isn't using certificate

I’m changing hosts and in the process I’m moving all of my server config and remaking SSL certificates. I just created one with Let’s Encrypt and it is in my /etc/letsencrypt directory. I have that all set up in my Apache config:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin trent@riverside.rocks
    ServerName riverside.rocks
    ServerAlias https://riverside.rocks
    DocumentRoot /var/www/new
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    RemoteIPHeader CF-Connecting-IP

    SSLCertificateFile /etc/letsencrypt/live/riverside.rocks/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/riverside.rocks/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

However, when I visit https://riverside.rocks:

ERR_SSL_PROTOCOL_ERROR

I don’t get what’s going wrong. I’ve checked all of the SSL certificate files (they all exist) and the include file exists. OpenSSL’s checker shows that Apache isn’t serving the cert:

# openssl s_client -connect localhost:443
CONNECTED(00000003)
140380571874688:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 283 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

(If you are trying to visit riverside.rocks now, it may be on my other VPS, and that is why it is working.)

Your configuration is missing SSLEngine on so it’s still serving using HTTP rather than HTTPS.

For info, just serving on port 443 isn’t enough, you need to tell Apache you want SSL enabled. That 443 is running SSL is a convention, not a hard rule.
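The "wrong version number" error after "read 5 bytes" in the question is what a TLS client reports when the first five bytes of the reply do not parse as a TLS record header, for instance the "HTTP/" that starts a plaintext reply. The Python probe below is an added example, not code from this thread; it reports whether a port completes a TLS handshake or answers in plain HTTP, and its function names are illustrative.

```python
import socket
import ssl
import struct

TLS_CONTENT_TYPES = {20, 21, 22, 23}  # change_cipher_spec, alert, handshake, application_data

def parse_record_header(first5: bytes):
    """Read 5 bytes the way a TLS client does: type(1), version(2), length(2)."""
    ctype, version, length = struct.unpack("!BHH", first5)
    return ctype, version, length

def classify(first5: bytes) -> str:
    """Decide what kind of server produced the first bytes of a reply."""
    if first5.startswith(b"HTTP/"):
        return "plaintext-http"
    if len(first5) == 5:
        ctype, version, _ = parse_record_header(first5)
        if ctype in TLS_CONTENT_TYPES and version >> 8 == 3:
            return "tls"
    return "unknown"

def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Return 'tls', 'plaintext-http', 'closed' or 'unknown' for host:port."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # protocol check only: trust is not evaluated here
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "tls"         # handshake completed, so TLS is answering
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        pass                         # handshake failed or timed out: try plain HTTP
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            raw.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            first5 = b""
            while len(first5) < 5:
                chunk = raw.recv(5 - len(first5))
                if not chunk:
                    break
                first5 += chunk
    except OSError:
        return "unknown"
    return classify(first5)

if __name__ == "__main__":
    print(probe("localhost", 443))
```

Run on the server itself, a "plaintext-http" result for port 443 means whatever answers there is not doing TLS, so the certificate directives are never reached for that connection.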

Thanks for the advice. I added that to my sites-available config and checked that mod_ssl is enabled (it is), and still no luck.

When changing domains I prefer to:

  1. delete the /etc/apache2/sites-available/domain-name-SSL.conf file
  2. remove all references to SSL in the http conf file
  3. systemctl reload apache2
  4. call certbot --apache to renew the SSL certificate.

I suppose I could still do that, but is there a way to recreate the cert instead?

Try installing certbot from the following tutorial. Calling “certbot --apache” lists all available server domains. Certbot can then be passed parameters to reload or reinstall certificates.
