I'm trying to get apache2 to work with a certificate (selc created) on Ubuntu 20. When I try to open, with Chrome, the endpoint (https://local.pretzel.com/editor) I get:
This site can’t provide a secure connection
local.pretzel.com sent an invalid response.
ERR_SSL_PROTOCOL_ERROR
Spend the whole night on this, could use some help to understand what I did wrong and how to propely debug this.
// Apache conf
httpd.conf in /etc/apache2/
LoadModule mpm_prefork_module libexec/apache2/mod_mpm_prefork.so
LoadModule log_config_module libexec/apache2/mod_log_config.so
LoadModule mime_module libexec/apache2/mod_mime.so
LoadModule dir_module libexec/apache2/mod_dir.so
LoadModule authz_core_module libexec/apache2/mod_authz_core.so
LoadModule unixd_module libexec/apache2/mod_unixd.so
LoadModule rewrite_module libexec/apache2/mod_rewrite.so
LoadModule php7_module libexec/apache2/libphp7.so
LoadModule socache_shmcb_module libexec/apache2/mod_socache_shmcb.so
LoadModule ssl_module libexec/apache2/mod_ssl.so
User _www
Group _www
DirectoryIndex index.html
ErrorLog "/var/log/apache2/error_log"
LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog "/var/log/apache2/access_log" common
TypesConfig /etc/apache2/mime.types
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
DirectoryIndex index.html index.php
<Directory /home/prtz/workspace/frontend/build>
Options Indexes FollowSymLinks
Require all granted
AllowOverride All
</Directory>
ServerName local.pretzel.com
Listen 443
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLHonorCipherOrder on
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:/var/run/ssl_scache(512000)"
SSLSessionCacheTimeout 300
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<VirtualHost *:443>
DocumentRoot "/home/prtz/workspace/frontend/build"
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile "/etc/apache2/local.pretzel.com.crt"
SSLCertificateKeyFile "/etc/apache2/local.pretzel.com.nopass.key"
ServerName local.pretzel.com
</VirtualHost>
/etc/apache2/sites-available/default-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin webmaster@localhost
ServerName local.pretzel.com
DocumentRoot "/home/prtz/workspace/frontend/build"
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile "/etc/apache2/local.pretzel.com.crt"
SSLCertificateKeyFile "/etc/apache2/local.pretzel.com.nopass.key"
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
</VirtualHost>
</IfModule>
/etc/apache2/sites-available/000-default.conf
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<VirtualHost *:443>
ServerName local.pretzel.com
</VirtualHost>
nmap --script ssl-enum-ciphers -p 443 local.pretzel.com:
nmap --script ssl-enum-ciphers -p 443 local.pretzel.com
Starting Nmap 7.80 ( https://nmap.org ) at 2021-04-28 21:27 PDT
Nmap scan report for local.pretzel.com (127.0.0.1)
Host is up (0.000064s latency).
PORT STATE SERVICE
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 15.49 seconds
cat /etc/hosts:
cat /etc/hosts
127.0.0.1 local.pretzel.com
127.0.0.1 localhost
127.0.1.1 ubuntu
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
created certificate with
openssl openssl req -newkey rsa:2048 -x509 -nodes \\
-keyout local.pretzel.com.key \\
-new \\
-out local.pretzel.com.crt \\
-subj /CN=local.pretzel.com \\
-reqexts SAN \\
-extensions SAN \\
-config <(cat /usr/lib/ssl/openssl.cnf \\
<(printf '[SAN]\nsubjectAltName=DNS:local.pretzel.com')) \\
-sha256 \\
-days 3650
sudo openssl rsa -in local.pretzel.com.key -out local.pretzel.com.nopass.key
sudo mv *.key *.crt /etc/apache2
added cert to /usr/local/share/ca-certificates/
sudo update-ca-certificates
Updating certificates in /etc/ssl/certs...
rehash: warning: skipping duplicate certificate in server.pem
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
// check certificate
openssl verify local.pretzel.com.crt
local.pretzel.com.crt: OK
// check with openssl connect
openssl s_client -connect local.pretzel.com:443 -CApath /etc/ssl/certs
CONNECTED(00000003)
140129913148736:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 311 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
// check firewall
sudo ufw status
[sudo] password for prtz:
Status: active
To Action From
-- ------ ----
Apache ALLOW Anywhere
443 ALLOW Anywhere
80 ALLOW Anywhere
443/tcp ALLOW Anywhere
Apache (v6) ALLOW Anywhere (v6)
443 (v6) ALLOW Anywhere (v6)
80 (v6) ALLOW Anywhere (v6)
443/tcp (v6) ALLOW Anywhere (v6)
// using curl with https
curl https://local.pretzel.com
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number
while without https it will return the "Apache2 Ubuntu Default Page: It works"
curl https://local.pretzel.com
