12

I'm currently trying out HTTPS on one of my sites, and I got a trial certificate from a trusted CA. I've gone through the following checklist:

  • Copied all the cert files according to the CA's instructions
  • Enabled mod_ssl on apache with a2enmod ssl
  • Checked PHP has OpenSSL enabled
  • Made a new virtual host in Apache listening to 443
  • Inputted the SSL directives:

    SSLEngine on
    SSLCertificateKeyFile /etc/ssl/ssl.key/server.key
    SSLCertificateFile /etc/ssl/ssl.crt/api_my_site_com.crt
    SSLCertificateChainFile /etc/ssl/ssl.crt/apimysite.com-bundle

  • Checked only apache was listening to port 443 with lsof

  • Checked locally and from my own PC with telnet whether I could connect to 443 (to the IP of the server, not the domain; trying to connect to my-site.com:443 gave me "connect failed")

However, when I try to browse to https://my-site.com (obviously not the real domain), I get a 'Connection Refused' error. This is what Apache logs:

[Sat Jul 20 22:50:34 2013] [info] Loading certificate & private key of SSL-aware server
[Sat Jul 20 22:50:34 2013] [info] Configuring server for SSL protocol
[Sat Jul 20 22:50:34 2013] [info] RSA server certificate enables Server Gated Cryptography (SGC)
[Sat Jul 20 22:50:34 2013] [info] [client ::1] Connection to child 0 established (server my-site.com:443)
[Sat Jul 20 22:50:34 2013] [info] Seeding PRNG with 656 bytes of entropy
[Sat Jul 20 22:50:34 2013] [info] [client ::1] SSL library error 1 in handshake (server my-site:443)
[Sat Jul 20 22:50:34 2013] [info] SSL Library Error: 336027900 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol speaking not SSL to HTTPS port!?
[Sat Jul 20 22:50:34 2013] [info] [client ::1] Connection closed to child 0 with abortive shutdown (server my-site:443)

Any ideas why this is happening?

Configuration files:

ports.conf

Listen 443
NameVirtualHost *:80
Listen 80

virtualhost config

<VirtualHost *:443>
DocumentRoot /var/www/mysite/sandbox/api
ServerName api.my-site.com
RewriteEngine on
RewriteRule ^/v1/* /v1/api.php [L]
RewriteRule ^/* /index.php [L]
<Directory "/var/www/mysite/sandbox/api">
allow from all
</Directory>
Options -MultiViews
ErrorDocument 404 /404.html
AddDefaultCharset utf-8
<IfModule mod_mime> 
AddCharset utf-8 .atom .css .js .json .rss .vtt .webapp .xml
</IfModule> 
<IfModule mod_rewrite> 
Options +FollowSymlinks
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule ^ http://%1%{REQUEST_URI} [R=301,L]
</IfModule> 
<IfModule mod_autoindex> 
Options -Indexes
</IfModule> 
<IfModule mod_rewrite> 
RewriteCond %{SCRIPT_FILENAME} -d [OR]
RewriteCond %{SCRIPT_FILENAME} -f
RewriteRule "(^|/)\." - [F]
</IfModule> 
<FilesMatch "(^#.*#|\.(bak|config|dist|fla|inc|ini|log|psd|sh|sql|sw[op])|~)$">
Order allow,deny
Deny from all
Satisfy All
</FilesMatch>
FileETag None
SSLEngine on
SSLCertificateKeyFile /etc/ssl/ssl.key/server.key
SSLCertificateFile /etc/ssl/ssl.crt/api_my_site_com.crt
SSLCertificateChainFile /etc/ssl/ssl.crt/apimysite.com-bundle
ErrorLog /var/www/mysite/api.log
LogLevel info
</VirtualHost>
Deniz Zoeteman
  • Did you enable the new virtual host with a2ensite? – ALex_hha Jul 20 '13 at 21:18
  • Yes - and when I change the port of the virtualhost to 80, it works fine (but of course not secure) – Deniz Zoeteman Jul 20 '13 at 21:21
  • Please list your configuration files as-is (obscuring bits you consider necessary, of course). Also provide firewall listing (e.g. iptables -L -n -v). – Alexandru-Florin Vintiloiu Jul 20 '13 at 21:46
  • I've added the ports conf and the virtualhost one - firewall is fine, 443 and 80 are listed (and I could connect from my PC anyway to IP:443, not the domain.com:443 though) – Deniz Zoeteman Jul 20 '13 at 21:55
  • If you have another Linux OS that can connect to the server try `openssl s_client -connect servername:443` and post back the output. Something is either not right with the certificate chain or the connection is not ok for some reason. – Alexandru-Florin Vintiloiu Jul 20 '13 at 22:22
  • I don't, but I do have a Windows install with the openssl win32 binary. I tried it out using the hostname:443 of the server (not the api.mysite.com one; that gave me a `No such file or directory` error). It gives a bunch of certificate data back and ends with: `Verify return code: 19 (self signed certificate in certificate chain)`. Is this wrong? – Deniz Zoeteman Jul 20 '13 at 22:48

7 Answers

4

I finally fixed this by noticing I hadn't installed mod_ssl.

sudo yum install mod_ssl
Jack
3

I added this in httpd.conf and restarted Apache:

Listen 443

And it's working now.

datasn.io
  • This will cause an error if someone tries to fetch with an HTTP request. Even if you try to redirect HTTP to HTTPS it will not work. – NomanJaved Aug 18 '20 at 09:29
1

Using a Debian install, I can only assume it has to be the same reason as with this Ubuntu bug.

Reordering the listen directives in /etc/apache2/sites-available/default-ssl.conf solves this. Patch

1

As you have created a virtual host, the SSL for the new host should be different than port 80, because you have enabled SSL for port 80 via 443. So for the new virtual host, try with 636 and see.

user3592502
0

FYI, just found the same thing can happen for another reason, when I upgraded a server from Debian 9 to 11. I copied over the apache2 configs and found that connections on 80 worked but those on 443 were refused. When I did a status check I found this:

Dec 04 09:55:54 Server2 systemd[1]: Starting The Apache HTTP Server...
Dec 04 09:55:55 Server2 apachectl[877]: AH00526: Syntax error on line 240 of /etc/apache2/apache2.conf:
Dec 04 09:55:55 Server2 apachectl[877]: Cannot define multiple Listeners on the same IP:port
Dec 04 09:55:55 Server2 apachectl[851]: Action 'start' failed.
Dec 04 09:55:55 Server2 apachectl[851]: The Apache error log may have more information.

This is a bit confusing because apache was running, but checking line 240 I found a

Listen 443

directive. This was in addition to one earlier in the chain. Apache2 from Stretch worked perfectly well with it but Bullseye didn't.

Hope this helps someone.

Mick
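Added example (not from any post on this page): a POSIX shell audit that checks a concatenated Apache configuration for the three conditions raised in the question and in Mick's answer above: ssl_module not loaded, no Listen on port 443, and a Listen directive repeated for the same port. The sample config is constructed for the demonstration; on a real server, feed it the concatenation of apache2.conf, ports.conf and the enabled module and site files.

```shell
#!/bin/sh
# Constructed sample of a merged Apache config (not the question's files):
# ssl_module is only a commented-out LoadModule, and "Listen 443" appears twice.
SAMPLE_CONF='Listen 80
NameVirtualHost *:80
Listen 443
# LoadModule ssl_module modules/mod_ssl.so
<VirtualHost *:443>
    SSLEngine on
</VirtualHost>
Listen 443'

# Strip comments so a disabled directive is not mistaken for an active one.
strip_comments() { printf '%s\n' "$1" | sed 's/#.*//'; }

# Succeeds when an active LoadModule for ssl_module exists (without it httpd
# rejects "SSLEngine" as an invalid command, or port 443 speaks plain HTTP).
ssl_module_loaded() {
    strip_comments "$1" | grep -Eq '^[[:space:]]*LoadModule[[:space:]]+ssl_module[[:space:]]'
}

# Succeeds when an active Listen covers port 443 ("443", "1.2.3.4:443" or "[::]:443").
listens_on_443() {
    strip_comments "$1" | awk '$1=="Listen" && $2 ~ /(^|:)443$/ {f=1} END {exit !f}'
}

# Prints each Listen argument that occurs more than once (Apache 2.4 refuses to
# start with AH00526 "Cannot define multiple Listeners on the same IP:port").
duplicate_listens() {
    strip_comments "$1" | awk '$1=="Listen" {print $2}' | sort | uniq -d
}

# Prints one line per problem found; always returns 0 so it is safe under set -e.
audit_ssl_config() {
    ssl_module_loaded "$1" || echo "PROBLEM: ssl_module is not loaded"
    listens_on_443 "$1"    || echo "PROBLEM: no Listen directive for port 443 (connection refused)"
    dups=$(duplicate_listens "$1")
    [ -z "$dups" ] || echo "PROBLEM: Listen repeated for: $(printf '%s' "$dups" | tr '\n' ' ')"
    return 0
}

audit_ssl_config "$SAMPLE_CONF"
```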
0

I've found the issue - I'm using the Cloudflare Free plan for my domain, and this is actively blocking any connections on port 443.

Deniz Zoeteman
-1

My issue was my router didn't have port 443 forwarded yet.

Yes, I'm a nut; I hope this helped someone.

Walter