logo
Apache Lounge
Webmasters

 


About

Forum Index Downloads Search Register Log in  RSS Apache Lounge
 


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Apache Lounge is not sponsored.

Your donations will help to keep this site alive and well, and continuing building binaries.




Apache responding with wrong protocol with Let's Encrypt

 
Post new topic   Reply to topic    Apache Forum Index -> Apache



View previous topic :: View next topic  
Author Message
SlashMe



Joined: 01 Feb 2018
Posts: 3
Location: Germany

PostPosted: Thu 01 Feb '18 12:02    Post subject: Apache responding with wrong protocol with Let's Encrypt Reply with quote

I'm trying to set up Apache 2.4.25 with a Let's Encrypt certificate on Raspian Stretch. However, I can't get SSL working. Apache keeps responding with a 400 using HTTP instead of doing the SSL handshake, which means the browser's aborting with SSL_ERROR_RX_RECORD_TOO_LONG. What's most confusing is that the log produces lines like:

Code:
hostname:80 148.72.168.62 - - [31/Jan/2018:18:23:13 +0100] "\x16\x03\x01" 400 0 "-" "-"


i.e. it says the request was coming in through port 80, even though it didn't. I changed my configuration to include 'Listen 443 https' and disabled the default listener on port 80. I made sure no process is listening on 80 and Apache is indeed bound to 443, but it still logs port 80 and responds with 400 with HTTP, no SSL. I tried other ports as well. I verified the requests were coming in through the right port using "sudo nc -l <port>" while Apache was stopped.

SSLEngine is on, mod_ssl is loaded, and the paths for the certificate have been set up by certbot.

Any help would be appreciated.
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6391
Location: Germany, Next to Hamburg

PostPosted: Thu 08 Feb '18 16:30    Post subject: Reply with quote

Do you have set up vhosts / virtual hosts? If not, you can run apache only on port 80 or 433. If you want both you have to create two vhsots. One for port 80 and one for 433. Note that the default hosts is disabled as soon you setup a vhost. That is why you need to create 2 vhosts.

if you still have a question please ask again.
Back to top
SlashMe



Joined: 01 Feb 2018
Posts: 3
Location: Germany

PostPosted: Thu 08 Feb '18 19:06    Post subject: Reply with quote

Yes, I've enabled both default vhosts for 80 and 443. When that didn't work, I explicitly disabled the vhost for 80 and removed the "Listen 80" line in order to isolate https. Didn't change anything, no SSL response, logs says :80.
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6391
Location: Germany, Next to Hamburg

PostPosted: Fri 09 Feb '18 10:18    Post subject: Reply with quote

Please paste only (small) relevant parts of your config at http://apaste.info/ or http://hastebin.com/
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2160
Location: Sun Diego, USA

PostPosted: Fri 09 Feb '18 20:35    Post subject: Reply with quote

Isn't that 443, not 433?
Back to top
pschmehl



Joined: 13 Oct 2017
Posts: 14
Location: United States, Richardson, TX

PostPosted: Sat 10 Feb '18 0:33    Post subject: Reply with quote

Read this: http://www.noah.org/wiki/Apache2_Invalid_method_in_request_%5Cx16%5Cx03%5Cx01

And this: https://www.sysarchitects.com/solved-apache-ssl-virtual-host-says-x16x03x01

If that doesn't fix it, post your httpd.conf file and your virtual host's conf file.
Back to top
SlashMe



Joined: 01 Feb 2018
Posts: 3
Location: Germany

PostPosted: Tue 13 Feb '18 11:05    Post subject: Reply with quote

@pschmehl:

The second link you posted says to enable SSLEngine, which I already made sure is enabled. The other link suggest entering the IP in the <VirtualHost> container, which I can't because I'm using dynamic DNS. However, I was able to solve my problem: My <VirtualHost> was using _default_:443. Using *:443 instead, it works flawlessly. I could've sworn I had tried that already.

However, I still consider it highly confusing that Apache logs requests as coming from port 80 when they clearly don't.
Back to top


Post new topic   Reply to topic    Apache Forum Index -> Apache
Page 1 of 1