SSL23_GET_SERVER_HELLO:unknown protocol when trying to access HTTPS URL

apache2 ssl openssl wordpress
30,095

Solution 1

My bad, I had ssl.conf in /etc/apache2 instead of /etc/apache2/sites-enabled

after moving the file and restarting apache2 service apache2 restart it all worked fine.

Solution 2

In my case I had not enabled the site 'default-ssl'. Only '000-default' was listed in the /etc/apache2/sites-enabled folder.

Enable SSL site on Ubuntu 14 LTS, Apache 2.4.7:

a2ensite default-ssl
service apache2 reload
Share:
30,095

Related videos on Youtube

zabumba
Author by

zabumba

Updated on September 18, 2022

Comments

  • zabumba
    zabumba over 1 year

    While trying to create a staging environment for my WORDPRESS website, I am not quite able to setup the HTTPS configuration.

    I copied the wordpress folder and backed up Mysql database and was able to have a copy of my website, but whenever I click on any link, it will take me to HTTPS url and shows me a SSL connection error.

    Environment

    • Vagrant VM Ubuntu server Precise64
    • Chef to configure my host
    • Apache2 w/ SSL mod
    • Wordpress

    UNAME

    uname -a
Linux test-www 3.5.0-23-generic #35~precise1-Ubuntu SMP Fri Jan 25 17:13:26 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

    SSL Configuration

    vagrant@test-www:/etc/apache2$ more ssl.conf 
<VirtualHost 192.168.33.10:443>
    DocumentRoot /var/www
    ServerName test-www.domain.com
    ErrorLog /var/log/apache2/error_secure.log
        LogLevel info

    SSLEngine on

    SSLCertificateFile /etc/ssl/wildcard.domain.com/certificate.crt
    SSLCertificateKeyFile /etc/ssl/wildcard.domain.com/server.key
    SSLCACertificateFile /etc/ssl/wildcard.domain.com/test-www.domain.com.ca.crt
</VirtualHost>

    OPENSSL

    vagrant@test-www:/etc/apache2$ openssl s_client -connect 192.168.33.10:443
CONNECTED(00000003)
139816269579936:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:757:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 213 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

    WGET HTTP:443

    vagrant@test-www:/etc/apache2$ wget http://192.168.33.10:443
--2015-02-02 17:24:31--  http://192.168.33.10:443/
Connecting to 192.168.33.10:443... connected.
HTTP request sent, awaiting response... 404 Not Found
2015-02-02 17:24:31 ERROR 404: Not Found.

    WGET HTTPS

    vagrant@test-www:/etc/apache2$ wget https://192.168.33.10
--2015-02-02 17:25:23--  https://192.168.33.10/
Connecting to 192.168.33.10:443... connected.
OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Unable to establish SSL connection.
vagrant@test-www:/etc/apache2$

    APACHE2.CONF

    #
# Generated by Chef
#
# Based on the Ubuntu apache2.conf

ServerRoot "/etc/apache2"

#
# The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
#
LockFile /var/lock/apache2/accept.lock

#
# PidFile: The file in which the server should record its process
# identification number when it starts.
#
PidFile /var/run/apache2.pid

#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 300

#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive On

#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests 100

#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
KeepAliveTimeout 5

##
## Server-Pool Size Regulation (MPM specific)
##

# prefork MPM
# StartServers: number of server processes to start
# MinSpareServers: minimum number of server processes which are kept spare
# MaxSpareServers: maximum number of server processes which are kept spare
# MaxClients: maximum number of server processes allowed to start
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule mpm_prefork_module>
    StartServers          1
    MinSpareServers       1
    MaxSpareServers       2
    ServerLimit           5
    MaxClients            3
    MaxRequestsPerChild   0
</IfModule>

# worker MPM
# StartServers: initial number of server processes to start
# MaxClients: maximum number of simultaneous client connections
# MinSpareThreads: minimum number of worker threads which are kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
# ThreadsPerChild: constant number of worker threads in each server process
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule mpm_worker_module>
    StartServers          1
    ServerLimit           3
    MaxClients            3
    MinSpareThreads       10
    MaxSpareThreads       20
    ThreadsPerChild       64
    MaxRequestsPerChild   0
</IfModule>

User www-data
Group www-data

#
# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives.  See also the AllowOverride
# directive.
#

AccessFileName .htaccess

#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>

#
# DefaultType is the default MIME type the server will use for a document
# if it cannot otherwise determine one, such as from filename extensions.
# If your server contains mostly text or HTML documents, "text/plain" is
# a good value.  If most of your content is binary, such as applications
# or images, you may want to use "application/octet-stream" instead to
# keep browsers from trying to display binary files as though they are
# text.
#
DefaultType text/plain


#
# HostnameLookups: Log the names of clients or just their IP addresses
# e.g., www.apache.org (on) or 204.62.129.132 (off).
# The default is off because it'd be overall better for the net if people
# had to knowingly turn this feature on, since enabling it means that
# each client request will result in AT LEAST one lookup request to the
# nameserver.
#
HostnameLookups Off

# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here.  If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog /var/log/apache2/error.log

#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel warn

# COOK-1021: Dummy LoadModule directive to aid module installations
#LoadModule dummy_module modules/mod_dummy.so

# Include module configuration:
Include /etc/apache2/mods-enabled/*.load
Include /etc/apache2/mods-enabled/*.conf


# Include ports listing
Include /etc/apache2/ports.conf

#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
#
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
#

# Customizable error responses come in three flavors:
# 1) plain text 2) local redirects 3) external redirects
#
# Some examples:
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.example.com/subscription_info.html
#

#
# Putting this all together, we can internationalize error responses.
#
# We use Alias to redirect any /error/HTTP_<error>.html.var response to
# our collection of by-error message multi-language collections.  We use
# includes to substitute the appropriate text.
#
# You can modify the messages' appearance without changing any of the
# default HTTP_<error>.html.var files by adding the line:
#
#   Alias /error/include/ "/your/include/path/"
#
# which allows you to create your own set of files by starting with the
# /usr/share/apache2/error/include/ files and copying them to /your/include/path/,
# even on a per-VirtualHost basis.  The default include files will display
# your Apache version number and your ServerAdmin email address regardless
# of the setting of ServerSignature.
#
# The internationalized error documents require mod_alias, mod_include
# and mod_negotiation.  To activate them, uncomment the following 30 lines.

#    Alias /error/ "/usr/share/apache2/error/"
#
#    <Directory "/usr/share/apache2/error">
#        AllowOverride None
#        Options IncludesNoExec
#        AddOutputFilter Includes html
#        AddHandler type-map var
#        Order allow,deny
#        Allow from all
#        LanguagePriority en cs de es fr it nl sv pt-br ro
#        ForceLanguagePriority Prefer Fallback
#    </Directory>
#
#    ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var
#    ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var
#    ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var
#    ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var
#    ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var
#    ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var
#    ErrorDocument 410 /error/HTTP_GONE.html.var
#    ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var
#    ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var
#    ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var
#    ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var
#    ErrorDocument 415 /error/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var
#    ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var
#    ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var
#    ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var
#    ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var
#    ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var



# Include generic snippets of statements
Include /etc/apache2/conf.d/*.conf

# Include the virtual host configurations:
Include /etc/apache2/sites-enabled/

    PORTS.CONF

    $ more ports.conf 
# This file was generated by Chef for my-vm-precise64.
# Do NOT modify this file by hand!

Listen *:80
NameVirtualHost *:80

    then I also tried adding these into the ports.conf

    <IfModule mod_ssl.c>
    # If you add NameVirtualHost *:443 here, you will also have to change
    # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
    # to <VirtualHost *:443>
    # Server Name Indication for SSL named virtual hosts is currently not
    # supported by MSIE on Windows XP.
    Listen 443
</IfModule>

<IfModule mod_gnutls.c>
    Listen 443
</IfModule>

    mods ssl.conf

    vagrant@test-www:/etc/apache2$ grep "SSLv" -r *

mods-available/ssl.conf:#SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
mods-available/ssl.conf:# enable only secure protocols: SSLv3 and TLSv1, but not SSLv2
mods-available/ssl.conf:SSLProtocol all -SSLv2   <=== ?
mods-enabled/ssl.conf:#SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
mods-enabled/ssl.conf:# enable only secure protocols: SSLv3 and TLSv1, but not SSLv2
mods-enabled/ssl.conf:SSLProtocol all -SSLv2    <=== ?
    • Thomas Ward
      Thomas Ward over 9 years
      Somewhere along the line, you're trying to negotiate in SSLv2/SSLv3, based on those errors. In most cases, SSLv3 is now dead and you should be instead using TLSv1/TLSv1.1/TLSv1.2. This is because SSLv2 is now LONG dead, and SSLv3 is dead recently due to the POODLE vulnerability. Provide us a copy of the Apache2 site configurations.
    • philippe lhardy
      philippe lhardy over 9 years
      ERROR 404: Not Found. => looks like you are not doing ssl at all. did you try a wireshark to see what is actualy flowing ?
    • philippe lhardy
      philippe lhardy over 9 years
      and is there something within /var/log/apache2/error_secure.log ? or /var/log/apache2/access.log /var/log/apache2/error.log ?
    • zabumba
      zabumba over 9 years
      @ThomasW. I added the apache2.conf produced by my Chef config. I will also add port.conf
    • zabumba
      zabumba over 9 years
      @ThomasW. how do I configure Apache2 to use TLSv1/TLSv1.1/TLSv1.2 instead?
    • zabumba
      zabumba over 9 years
      @philippelhardy if I try to access https://192.168.33.10/wp-admin/update-core.php, I am getting [Tue Feb 03 14:16:47 2015] [error] [client 192.168.33.1] Invalid method in request \x16\x03\x01 and access.log doesn't show anything (??). I will update my question with these details.
    • zabumba
      zabumba over 9 years
      @ThomasW. I have run a grep "SSLv" -r * from /var/apache2 and found out that SSLProtocol all -SSLv2, could that be the problem?
    • zabumba
      zabumba over 9 years
      issue resolved, my ssl.conf was in the wrong location. It should have been in sites-enabled folder. Thanks for the help
  • Kingsley
    Kingsley almost 7 years
    Had exactly this problem after upgrading Ubuntu versions.
  • Kingsley
    Kingsley almost 7 years
    SSL enabled and working before upgrade, failure after upgrade. Firefox said: SSL_ERROR_RX_RECORD_TOO_LONG; wget said SSL23_GET_SERVER_HELLO.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

How force that all connections to my Apache use TLSv1.1 or TLSv1.2?
How to make & install self signed certificate in apache ubuntu 16.04?
How to debug curl? gnutls_handshake failed -unexpected TLS packet (OpenSSL)
Enabling SSL breaks apache
Apache/2.4.29 (Ubuntu) Server at Port 443 for wordpress
Apache2 SSL Certificate/Key mismatch
How to convert .pem into .key?
Cannot connect to wss with Flutter
LetsEncrypt SSL Error - SSL routines:ssl3_get_record:wrong version number
Laravel Guzzle : curl error 77 error setting certificate verify locations