Why is Apache listening on port 443 with http but not on https?
It was a stupid typo in my example.com.conf. I had to change port 433 to 443:
...
# Default-Host
<VirtualHost *:433>
...
to
...
# Default-Host
<VirtualHost *:443>
...
Now it works.
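The mismatch fixed above (a TLS virtual host bound to *:433 while ports.conf listens on 443) can be caught with a static check before Apache is reloaded. This is an added example, not part of the original thread: `audit` and `port_of` are hypothetical helpers, the sample config is constructed from the question's files, and it assumes one merged config text in which Include is not followed and IfModule blocks are treated as active.

```python
import re

# Constructed sample: the question's ports.conf and example.com.conf, abbreviated.
SAMPLE_CONF = """\
Listen 0.0.0.0:80
<IfModule ssl_module>
    Listen 0.0.0.0:443
</IfModule>
<VirtualHost *:80>
    Redirect permanent / https://example.com
</VirtualHost>
<VirtualHost *:433>
    ServerName example.com
    SSLEngine on
</VirtualHost>
"""

def port_of(addr):
    """Port of a Listen/VirtualHost address; None when no port is given ('*')."""
    tail = addr.rsplit(":", 1)[-1]
    return int(tail) if tail.isdigit() else None

def audit(conf):
    """Return findings for one merged config text (Include is not followed)."""
    listen, vhosts, current = set(), [], None
    for line in (raw.strip() for raw in conf.splitlines()):
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            current = {"ports": {port_of(a) for a in opened.group(1).split()}, "tls": False}
            vhosts.append(current)
        elif re.match(r"</VirtualHost>", line, re.I):
            current = None
        elif re.match(r"Listen\s", line, re.I):
            listen.add(port_of(line.split()[1]))
        elif current is not None and re.match(r"SSLEngine\s+on\b", line, re.I):
            current["tls"] = True
    findings = []
    for vh in vhosts:  # a vhost bound to a port nothing listens on is unreachable
        for p in sorted(vh["ports"] - {None} - listen):
            tls = "on" if vh["tls"] else "off"
            findings.append(f"VirtualHost *:{p} (SSLEngine {tls}) has no matching Listen")
    for p in sorted(listen - {None}):  # a listened port no vhost claims falls to the main server
        if not any(p in vh["ports"] or None in vh["ports"] for vh in vhosts):
            findings.append(f"Listen {p} has no VirtualHost; main server config answers it")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF)))
```

The second finding corresponds to the symptom in the question: port 443 accepted connections but answered in plain HTTP with the default index page.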
Updated on September 18, 2022
Comments
-
Dodo over 1 year
I have an Apache 2.4 on Debian and configured two VirtualHosts:
- The first is listening to port 80 to forward all "unsecure" requests to my secure VirtualHost.
- The second is the "secure" VirtualHost and listening to port 443.
Note: I use the "example.com" in my text, but I have a non-fake domain with SSL :-)
When I test the connection to
https://example.com
I get an error.
"error:1408F10B:SSL routines:ssl3_get_record:wrong version number" on client side with curl / "ERR_SSL_PROTOCOL_ERROR" with Chrome
"AH00566: request failed: malformed request line" at Apache server side
When I test the connection with port 443
https://example.com:443
it also results in the same error.
When I test the connection to
http://example.com:443
(protocol http and port 443) the default index page of Apache is successfully shown ... although this is not my own index.html which I actually expected. But this is another issue for later.
Since the last test succeeded, I guess that there is no issue with the SSL certificate, right?
Apache seems to listen on both ports:
> sudo apache2ctl -S
VirtualHost configuration:
*:80 example.com (/etc/apache2/sites-enabled/example.com.conf:10)
*:433 example.com (/etc/apache2/sites-enabled/example.com.conf:21)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

> netstat -tupln
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address            Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:443              0.0.0.0:*        LISTEN  -
tcp        0      0 0.0.0.0:80               0.0.0.0:*        LISTEN  -
tcp        0      0 0.0.0.0:22               0.0.0.0:*        LISTEN  -
tcp6       0      0 :::22                    :::*             LISTEN  -
udp        0      0 0.0.0.0:68               0.0.0.0:*                -
udp6       0      0 fe80::250:56ff:fe20:546  :::*
My "ports.conf":
# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf

Listen 0.0.0.0:80

<IfModule ssl_module>
    Listen 0.0.0.0:443
</IfModule>

<IfModule mod_gnutls.c>
    Listen 0.0.0.0:443
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
My "example.com.conf" in sites-enabled:
########
# main config file for my webpage
########

# NameVirtualHost is deprecated
#NameVirtualHost *:443

<VirtualHost *:80>
    ServerName example.de
    # this line is masked for superuser.com due to privacy
    ServerAlias XXXXXXX.online-server.cloud www.example.com xxx.xxx.xx.xx
    Redirect permanent / https://example.com
    LogLevel debug
    CustomLog ${APACHE_LOG_DIR}/example-nossl-access.log combined
    ErrorLog ${APACHE_LOG_DIR}/example-nossl-error.log
</VirtualHost>

# Default-Host
<VirtualHost *:433>
    # admin mail given to user when any issues occur
    ServerAdmin [email protected]
    # the domain that routes to DocumentRoot
    ServerName example.com
    # alias which also routes to DocumentRoot
    # this line is masked for superuser.com due to privacy
    ServerAlias www.example.com XXXXXX.online-server.cloud xxx.xxx.xx.xx
    DocumentRoot /var/www/example-homepage
    LogLevel debug
    CustomLog ${APACHE_LOG_DIR}/example-access.log combined
    ErrorLog ${APACHE_LOG_DIR}/example-error.log
    #<IfModule mod_ssl.c>
    SSLEngine on
    SSLCertificateKeyFile /etc/apache2/ssl/_.example.com_private_key.key
    SSLCertificateFile /etc/apache2/ssl/example.com_ssl_certificate.cer
    #</IfModule>
</VirtualHost>

<Directory /var/www/example-homepage>
    # allow .htaccess files in root directory
    AllowOverride All
</Directory>
Edit SSL Logs:
[Fri Feb 07 07:17:37.546729 2020] [ssl:info] [pid 83145:tid 139622694843520] AH01914: Configuring server example.com:443 for SSL protocol
[Fri Feb 07 07:17:37.546735 2020] [ssl:debug] [pid 83145:tid 139622694843520] ssl_engine_init.c(1750): AH10083: Init: (example.com:443) mod_md support is unavailable.
[Fri Feb 07 07:17:37.546943 2020] [ssl:debug] [pid 83145:tid 139622694843520] ssl_engine_init.c(479): AH01893: Configuring TLS extension handling
[Fri Feb 07 07:17:37.547220 2020] [ssl:debug] [pid 83145:tid 139622694843520] ssl_util_ssl.c(476): AH02412: [example.com:443] Cert matches for name 'example.com' [subject: CN=*.example.com / issuer: CN=Encryption Everywhere DV TLS CA - G1,OU=www.digicert.com,O=DigiCert Inc,C=US / serial: 0C9227F96F2A0EFA7B7E6F7391B9EBA0 / notbefore: Dec 26 00:00:00 2019 GMT / notafter: Dec 25 12:00:00 2020 GMT]
[Fri Feb 07 07:17:37.547229 2020] [ssl:info] [pid 83145:tid 139622694843520] AH02568: Certificate and private key example.com:443:0 configured from /etc/apache2/ssl/example.com_ssl_certificate.cer and /etc/apache2/ssl/_.example.com_private_key.key
Edit 2 Verbose log from curl:
* Expire in 0 ms for 6 (transfer 0x55ac2933ef50)
* Expire in 1 ms for 1 (transfer 0x55ac2933ef50)
...
* Trying xxx.xxx.xx.xx...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x55ac2933ef50)
* Connected to example.com (xxx.xxx.xx.xx) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* error:1408F10B:SSL routines:ssl3_get_record:wrong version number
* Closing connection 0
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number
Please help me to understand why https is not mapped to port 443 and to fix that issue so I can access my webpage with
https://example.com.
-
Ramhound about 4 years
This within an Intranet or Internet configuration? This indicates it's a port forwarding issue.
-
Dodo about 4 years
It's both, from internal (curl with https://localhost) and from internet with browser or curl (curl https://example.com).
-
Ramhound about 4 years
Your system is allowing the connection but are you forwarding the traffic to that device on those ports? I linked to what seemed to be a relevant case from Stack Overflow.
-
Ramhound about 4 years
Is there a reason you don't define which SSL Ciphers and Protocols you want to support?
-
Ramhound about 4 years
Your configuration file seems incomplete. You also have 443 and 433 in your configuration file. This error usually occurs if you attempt to connect to something that isn't using SSL/TLS. A wireshark trace might help you identify what is going on.
-
Ramhound about 4 years
I am going to avoid submitting an answer to this question because your configuration file has some major issues that should be resolved before that happens. Apache is configured to listen to 433 instead of 443, which is the reason you are getting the wrong index page when you force the port. Your Apache configuration seems to be missing several fields that should be defined.
-
Ramhound about 4 years
Since your certificate files are connected to the virtual host on port 433 instead of 443 that is the reason you get an error on https:\\example.com. I did research on 1408F10B and it's linked to an invalid secured HTTP connection. Please fix these errors and update your question.
-
Dodo about 4 years
Oh noooo! You are right!!!! What a stupid mistake. Changing port definition in VirtualHost Directive from 433 to 443 was the solution. Now it works. You are great! Thanks a lot.