skip to Main Content

I’m trying to get apache2 to work with a certificate (selc created) on Ubuntu 20.
When I try to open, with Chrome, the endpoint (https://local.pretzel.com/editor) I get:

This site can’t provide a secure connection
local.pretzel.com sent an invalid response.
ERR_SSL_PROTOCOL_ERROR

Spend the whole night on this, could use some help to understand what I did wrong and how to propely debug this.

// Apache conf

httpd.conf in /etc/apache2/

LoadModule mpm_prefork_module libexec/apache2/mod_mpm_prefork.so
LoadModule log_config_module libexec/apache2/mod_log_config.so
LoadModule mime_module libexec/apache2/mod_mime.so
LoadModule dir_module libexec/apache2/mod_dir.so
LoadModule authz_core_module libexec/apache2/mod_authz_core.so
LoadModule unixd_module libexec/apache2/mod_unixd.so
LoadModule rewrite_module libexec/apache2/mod_rewrite.so
LoadModule php7_module libexec/apache2/libphp7.so
LoadModule socache_shmcb_module libexec/apache2/mod_socache_shmcb.so
LoadModule ssl_module libexec/apache2/mod_ssl.so
User _www
Group _www
DirectoryIndex index.html
ErrorLog "/var/log/apache2/error_log"
LogFormat "%h %l %u %t "%r" %>s %b" common
CustomLog "/var/log/apache2/access_log" common
TypesConfig /etc/apache2/mime.types
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
DirectoryIndex index.html index.php
<Directory /home/prtz/workspace/frontend/build>
    Options Indexes FollowSymLinks
    Require all granted
    AllowOverride All 
</Directory>
ServerName local.pretzel.com
Listen 443
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLHonorCipherOrder on 
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3
SSLPassPhraseDialog  builtin
SSLSessionCache        "shmcb:/var/run/ssl_scache(512000)"
SSLSessionCacheTimeout  300
<FilesMatch ".(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<VirtualHost *:443>
    DocumentRoot "/home/prtz/workspace/frontend/build"
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile "/etc/apache2/local.pretzel.com.crt"
    SSLCertificateKeyFile "/etc/apache2/local.pretzel.com.nopass.key"
    
    ServerName local.pretzel.com
     
</VirtualHost>

/etc/apache2/sites-available/default-ssl.conf

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        ServerName local.pretzel.com
        DocumentRoot "/home/prtz/workspace/frontend/build"

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        SSLEngine on
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
        SSLCertificateFile "/etc/apache2/local.pretzel.com.crt"
        SSLCertificateKeyFile "/etc/apache2/local.pretzel.com.nopass.key"

        <FilesMatch ".(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>


    </VirtualHost>
</IfModule>

/etc/apache2/sites-available/000-default.conf

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>
<VirtualHost *:443>
    ServerName local.pretzel.com
</VirtualHost>

nmap –script ssl-enum-ciphers -p 443 local.pretzel.com:

nmap --script ssl-enum-ciphers -p 443 local.pretzel.com

Starting Nmap 7.80 ( https://nmap.org ) at 2021-04-28 21:27 PDT
Nmap scan report for local.pretzel.com (127.0.0.1)
Host is up (0.000064s latency).

PORT    STATE SERVICE
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 15.49 seconds

cat /etc/hosts:

cat /etc/hosts
127.0.0.1 local.pretzel.com
127.0.0.1   localhost
127.0.1.1   ubuntu

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

created certificate with

openssl openssl req -newkey rsa:2048 -x509 -nodes \
                -keyout local.pretzel.com.key \
                -new \
                -out local.pretzel.com.crt \
                -subj /CN=local.pretzel.com \
                -reqexts SAN \
                -extensions SAN \
                -config <(cat /usr/lib/ssl/openssl.cnf \
                    <(printf '[SAN]nsubjectAltName=DNS:local.pretzel.com')) \
                -sha256 \
                -days 3650

sudo openssl rsa -in local.pretzel.com.key -out local.pretzel.com.nopass.key

sudo mv *.key *.crt /etc/apache2

added cert to /usr/local/share/ca-certificates/

sudo update-ca-certificates         
Updating certificates in /etc/ssl/certs...
rehash: warning: skipping duplicate certificate in server.pem
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

// check certificate

openssl verify local.pretzel.com.crt 

local.pretzel.com.crt: OK

// check with openssl connect

openssl s_client -connect local.pretzel.com:443 -CApath /etc/ssl/certs
CONNECTED(00000003)
140129913148736:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 311 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

// check firewall

sudo ufw status  
[sudo] password for prtz: 
Status: active

To                         Action      From
--                         ------      ----
Apache                     ALLOW       Anywhere                  
443                        ALLOW       Anywhere                  
80                         ALLOW       Anywhere                  
443/tcp                    ALLOW       Anywhere                  
Apache (v6)                ALLOW       Anywhere (v6)             
443 (v6)                   ALLOW       Anywhere (v6)             
80 (v6)                    ALLOW       Anywhere (v6)             
443/tcp (v6)               ALLOW       Anywhere (v6) 

// using curl with https

curl https://local.pretzel.com
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

while without https it will return the "Apache2 Ubuntu Default Page: It works"

curl https://local.pretzel.com

2

Answers


  1. Chosen as BEST ANSWER

    for the certificate it was solved with Getting Chrome to accept self-signed localhost certificate for apache configuration moved the <VirtualHost *:443> part from httpd.conf to sites-available/ folder with a conf file same as the domain that I used.


  2. I removed the additional s from https and it solved my error.

    http://localhost:xxxx/nifi-registry

    Login or Signup to reply.
Please signup or login to give your own answer.
Back To Top
Search