Why is Apache listening on port 443 with http but not on https?

It was a stupid typo in my example.com.conf. I had to change port 433 to 443:

...
# Default-Host
<VirtualHost *:433>
...

to

...
# Default-Host
<VirtualHost *:443>
...

Now it works.
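
A check for the mismatch behind this answer, as an added example that is not part of the original post: with `Listen` on 443 but the TLS virtual host bound to `*:433`, no virtual host claims port 443, so requests there are answered by the main server configuration, which has no `SSLEngine on` and therefore speaks plain HTTP. The `audit` and `vhost_ports` helpers and the `SAMPLE` string are hypothetical, constructed from the directives shown in the question; a global `SSLEngine` outside any virtual host is not considered.

```python
import re

# Constructed sample: the directives from the question's ports.conf and
# example.com.conf that matter here, merged into one string.
SAMPLE = """\
Listen 0.0.0.0:80
Listen 0.0.0.0:443
<VirtualHost *:80>
    Redirect permanent / https://example.com
</VirtualHost>
<VirtualHost *:433>
    SSLEngine on
</VirtualHost>
"""

LISTEN = re.compile(r"^\s*Listen\s+(?:\S+:)?(\d+)(?:\s+\S+)?\s*$", re.I)
VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.I)
SSL_ON = re.compile(r"^\s*SSLEngine\s+on\b", re.I)

def vhost_ports(addrs):
    """Ports in a <VirtualHost> address list; None stands for 'any port'."""
    tails = [(a, a.rpartition(":")[2]) for a in addrs.split()]
    return {int(t) if ":" in a and t.isdigit() else None for a, t in tails}

def audit(conf):
    """Compare Listen ports with <VirtualHost> ports (hypothetical helper)."""
    listen, vhosts, current = set(), [], None
    for line in conf.splitlines():
        if m := LISTEN.match(line):
            listen.add(int(m.group(1)))
        elif m := VHOST_OPEN.match(line):
            current = {"ports": vhost_ports(m.group(1)), "ssl": False}
            vhosts.append(current)
        elif VHOST_CLOSE.match(line):
            current = None
        elif current is not None and SSL_ON.match(line):
            current["ssl"] = True
    bound = set().union(*(v["ports"] for v in vhosts))
    return {
        # (port, has SSLEngine on): vhosts no Listen directive can reach
        "unreachable_vhosts": sorted({(p, v["ssl"]) for v in vhosts
            for p in v["ports"] if p is not None and p not in listen}),
        # listening ports that fall through to the main server config
        "listen_without_vhost": sorted(p for p in listen
            if None not in bound and p not in bound),
    }
```

On the sample, `audit(SAMPLE)` reports the TLS virtual host on 433 as unreachable and port 443 as unclaimed; with `*:433` corrected to `*:443` both lists come back empty.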

Author by

Dodo

Updated on September 18, 2022

Comments

  • Dodo
    Dodo over 1 year

    I have an Apache 2.4 on Debian and configured two VirtualHosts:

    1. The first is listening to port 80 to forward all "unsecure" requests to my secure VirtualHost.
    2. The second is the "secure" VirtualHost and listening to port 443.

    Note: I use the "example.com" in my text, but I have a non-fake domain with SSL :-)

    When I test the connection to https://example.com I get an error.
    "error:1408F10B:SSL routines:ssl3_get_record:wrong version number" on client side with curl / "ERR_SSL_PROTOCOL_ERROR" with Chrome
    "AH00566: request failed: malformed request line" at Apache server side

    When I test the connection with port 443 https://example.com:443 it also results in same error.

    When I test the connection to http://example.com:443 (protocol http and port 443) the default index page of Apache is successfully shown ... although this is not my own index.html, which I actually expected. But this is another issue for later.

    Since the last test succeeded, I guess that there is no issue with the SSL certificate, right?

    Apache seems to listen on both ports:

    > sudo apache2ctl -S
    VirtualHost configuration:
    *:80                   example.com (/etc/apache2/sites-enabled/example.com.conf:10)
    *:433                  example.com (/etc/apache2/sites-enabled/example.com.conf:21)
    ServerRoot: "/etc/apache2"
    Main DocumentRoot: "/var/www/html"
    Main ErrorLog: "/var/log/apache2/error.log"
    Mutex ssl-stapling: using_defaults
    Mutex ssl-cache: using_defaults
    Mutex default: dir="/var/run/apache2/" mechanism=default
    Mutex watchdog-callback: using_defaults
    Mutex rewrite-map: using_defaults
    Mutex ssl-stapling-refresh: using_defaults
    PidFile: "/var/run/apache2/apache2.pid"
    Define: DUMP_VHOSTS
    Define: DUMP_RUN_CFG
    User: name="www-data" id=33
    Group: name="www-data" id=33
    
    > netstat -tupln
    (Not all processes could be identified, non-owned process info
     will not be shown, you would have to be root to see it all.)
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      -
    tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
    tcp6       0      0 :::22                   :::*                    LISTEN      -
    udp        0      0 0.0.0.0:68              0.0.0.0:*                           -
    udp6       0      0 fe80::250:56ff:fe20:546 :::*      
    

    My "ports.conf":

    # If you just change the port or add more ports here, you will likely also
    # have to change the VirtualHost statement in
    # /etc/apache2/sites-enabled/000-default.conf
    
    Listen 0.0.0.0:80
    
    <IfModule ssl_module>
            Listen 0.0.0.0:443
    </IfModule>
    
    <IfModule mod_gnutls.c>
            Listen 0.0.0.0:443
    </IfModule>
    
    # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
    

    My "example.com.conf" in sites-enabled:

    ########
    # main config file for my webpage
    ########
    
    # NameVirtualHost is deprecated
    #NameVirtualHost *:443
    
    <VirtualHost *:80>
       ServerName example.de
       # this line is masked for superuser.com due to privacy
       ServerAlias XXXXXXX.online-server.cloud www.example.com xxx.xxx.xx.xx
       Redirect permanent / https://example.com
       LogLevel debug
       CustomLog ${APACHE_LOG_DIR}/example-nossl-access.log combined
       ErrorLog ${APACHE_LOG_DIR}/example-nossl-error.log
    
    </VirtualHost>
    
    # Default-Host
    <VirtualHost *:433>
        # admin mail given to user when any issues occur
        ServerAdmin [email protected]
        # the domain that routes to DocumentRoot
        ServerName example.com
        # alias which also routes to DocumentRoot
        # this line is masked for superuser.com due to privacy
        ServerAlias www.example.com XXXXXX.online-server.cloud xxx.xxx.xx.xx
    
        DocumentRoot /var/www/example-homepage
        LogLevel debug
        CustomLog ${APACHE_LOG_DIR}/example-access.log combined
        ErrorLog ${APACHE_LOG_DIR}/example-error.log
        #<IfModule mod_ssl.c>
            SSLEngine on
            SSLCertificateKeyFile /etc/apache2/ssl/_.example.com_private_key.key
            SSLCertificateFile /etc/apache2/ssl/example.com_ssl_certificate.cer
        #</IfModule>
    </VirtualHost>
    
    <Directory /var/www/example-homepage>
        # allow .htaccess files in root directory
        AllowOverride All
    </Directory>
    

    Edit SSL Logs:

    [Fri Feb 07 07:17:37.546729 2020] [ssl:info] [pid 83145:tid 139622694843520] AH01914: Configuring server example.com:443 for SSL protocol
    [Fri Feb 07 07:17:37.546735 2020] [ssl:debug] [pid 83145:tid 139622694843520] ssl_engine_init.c(1750): AH10083: Init: (example.com:443) mod_md support is unavailable.
    [Fri Feb 07 07:17:37.546943 2020] [ssl:debug] [pid 83145:tid 139622694843520] ssl_engine_init.c(479): AH01893: Configuring TLS extension handling
    [Fri Feb 07 07:17:37.547220 2020] [ssl:debug] [pid 83145:tid 139622694843520] ssl_util_ssl.c(476): AH02412: [example.com:443] Cert matches for name 'example.com' [subject: CN=*.example.com / issuer: CN=Encryption Everywhere DV TLS CA - G1,OU=www.digicert.com,O=DigiCert Inc,C=US / serial: 0C9227F96F2A0EFA7B7E6F7391B9EBA0 / notbefore: Dec 26 00:00:00 2019 GMT / notafter: Dec 25 12:00:00 2020 GMT]
    [Fri Feb 07 07:17:37.547229 2020] [ssl:info] [pid 83145:tid 139622694843520] AH02568: Certificate and private key example.com:443:0 configured from /etc/apache2/ssl/example.com_ssl_certificate.cer and /etc/apache2/ssl/_.example.com_private_key.key
    

    Edit 2 Verbose log from curl:

    * Expire in 0 ms for 6 (transfer 0x55ac2933ef50)
    * Expire in 1 ms for 1 (transfer 0x55ac2933ef50)
    ...
    *   Trying xxx.xxx.xx.xx...
    * TCP_NODELAY set
    * Expire in 200 ms for 4 (transfer 0x55ac2933ef50)
    * Connected to example.com (xxx.xxx.xx.xx) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    *   CAfile: none
      CApath: /etc/ssl/certs
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    * error:1408F10B:SSL routines:ssl3_get_record:wrong version number
    * Closing connection 0
    curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number
    

    Please help me to understand why https is not mapped to port 443 and to fix that issue so I can access my webpage with https://example.com.

    • Ramhound
      Ramhound about 4 years
      This within an Intranet or Internet configuration? This indicates it's a port forwarding issue.
    • Dodo
      Dodo about 4 years
      It's both, from internal (curl with https://localhost) and from internet with browser or curl curl https://example.com.
    • Ramhound
      Ramhound about 4 years
      Your system is allowing the connection but are you forwarding the traffic to that device on those ports? I linked to what seemed to be a relevant case from Stack Overflow.
    • Ramhound
      Ramhound about 4 years
      Is there a reason you don't define which SSL Ciphers and Protocols you want to support?
    • Ramhound
      Ramhound about 4 years
      I am going to avoid submitting an answer to this question because your configuration file has some major issues that should be resolved before that happens. Apache is configured to listen to 433 instead of 443, which is the reason you are getting the wrong index page when you force the port. Your Apache configuration seems to be missing several fields that should be defined.
    • Ramhound
      Ramhound about 4 years
      Since your certificate files are connected to the virtual host on port 433 instead of 443 that is the reason you get an error on https://example.com. I did research on 1408F10B and it's linked to an invalid secured HTTP connection. Please fix these errors and update your question.
    • Dodo
      Dodo about 4 years
      Oh noooo! You are right!!!! What a stupid mistake. Changing the port definition in the VirtualHost directive from 433 to 443 was the solution. Now it works. You are great! Thanks a lot.