
I have the following Apache configuration set up for my WordPress installation and it does not serve the website over HTTPS at all; I only get the ERR_SSL_PROTOCOL_ERROR error.

I did some research and came across this solution on Reddit, which did not work and made my website unusable. The site does work over HTTPS if I turn on Cloudflare proxying but some things don't work such as saving posts. Any help is appreciated.

<VirtualHost CENSOREDIP:80> 
  ProxyPreserveHost On 
  ProxyRequests Off
  ServerName crossfade.zone
  ServerAdmin CENSOREDEMAIL
  DocumentRoot /var/www/crossfade
  LogLevel debug
</VirtualHost> 
<VirtualHost CENSOREDIP:443>
  ProxyPreserveHost on
  ProxyRequests Off
  ServerName crossfade.zone
  ServerAdmin CENSOREDEMAIL
  DocumentRoot /var/www/crossfade
  LogLevel debug
  SSLEngine on
  SSLCertificateFile /etc/letsencrypt/live/crossfade.zone/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/crossfade.zone/privkey.pem
  Include /etc/letsencrypt/options-ssl-apache.conf
  RequestHeader set X-Forwarded-Port "443" 
  RequestHeader set X-Forwarded-Proto "https"
  <Proxy *>
      Order deny,allow
      Allow from all
  </Proxy>
</VirtualHost>
<Directory /var/www/crossfade>
  AllowOverride All
  Options FollowSymLinks
</Directory>
<Directory /var/www/crossfade>
  AllowOverride All
  Options -Indexes +MultiViews +FollowSymLinks +ExecCGI
  Require all granted
</Directory>
  • What do your logs say? Commented Apr 28 at 10:28
  • @symcbean I'm confused on what you're asking for. The site isn't being served over HTTPS so I don't know what logs would even exist of it Commented Apr 30 at 15:21
  • Is it worth running the Qualys test at ssllabs.com/ssltest on the site to see if it identified issues with your HTTPS setup for the site? Commented May 2 at 2:11

1 Answer

There are several possible reasons for your error. Here are the most likely:

1. Misconfigured or Missing SSL Certificates. Ensure that your PEM files exist, are accessible to Apache, and contain valid certificates and keys.

2. SSL Protocol Configuration. Should be the default from Let's Encrypt, but you can set them up explicitly:

SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5
SSLHonorCipherOrder on

3. SSL Engine Not Starting. Check if the SSL module is enabled by running:

sudo a2enmod ssl
sudo systemctl restart apache2

Other optimizations to your configuration:

  1. I would not define 80 and 443 settings. Best to redirect HTTP to HTTPS
  2. Your directory block is duplicated for the same path. It can be consolidated into a single one
  3. If you're not using Apache as a reverse proxy, you can try removing or disabling the ProxyPreserveHost and related proxy settings

Updated from reviewing the Logs

Based on the logs, your Apache server is trying to proxy requests to a backend service on localhost:6969, but nothing is running or listening on that port, which leads to a connection refusal. This is not an SSL configuration issue per se, but it results in your browser receiving no response (or a malformed one), hence triggering the ERR_SSL_PROTOCOL_ERROR.

If you intend to serve static content from /var/www/crossfade and not proxy to a backend, do the following:

Remove these from your config:

ProxyPreserveHost On
ProxyRequests Off
<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>
RequestHeader set X-Forwarded-Port "443"
RequestHeader set X-Forwarded-Proto "https"

And restart Apache.

  • 1. The PEM files are correct and working. I have tried both downloading them from Cloudflare, as well as using Let's Encrypt. 2. Adding those did not make any changes. 3. SSL was already enabled. Thank you for those optimizations, but right now if I direct HTTP to HTTPS my site is not reachable at all. Commented Apr 30 at 15:26
  • Check your Apache logs, maybe they can give you a hint on where the exact error is - For Ubuntu, it usually is at /var/log/apache2/error.log Commented May 1 at 16:32
  • Here is my entire error log file https://files.ashie.lol/error.log -- everything in relation to the crossfade.zone domain looks to be in order. Commented May 1 at 19:46
  • openssl s_client -connect crossfade.zone:443 gives a CONNECTED(00000003) 406780A7B17F0000:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:354: error -- I've tried looking at a few solutions online and none of them worked (from this and this thread). Commented May 1 at 19:51
  • I've seen several fixes saying that there are domains on :443 without SSLEngine on that are causing the issue, but all those sites are working except for this specific site so I don't see how that would work, plus that's just not a realistic solution for me. Commented May 1 at 19:55
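
The `wrong version number` error from `openssl s_client` quoted in the comments is OpenSSL reporting that the first bytes it received from port 443 did not parse as a TLS record. As an added example (not part of the original thread), this Python script sends a real ClientHello to a port and classifies the raw reply as TLS or plaintext; the function names and the sample byte strings are constructed for illustration.

```python
import socket
import ssl
import struct
import sys

# TLS record content types (RFC 8446, section 5.1)
RECORD_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}

# Constructed sample replies (not captured from the site in the question).
SAMPLES = {
    "tls_server_hello": bytes.fromhex("160303004a0200"),
    "tls_alert": bytes.fromhex("15030300020228"),
    "apache_plain": b"HTTP/1.1 400 Bad Request\r\n",
}


def classify_first_bytes(data: bytes) -> str:
    """Say what kind of reply a server gave to a TLS ClientHello."""
    if not data:
        return "empty"  # peer closed the connection without answering
    if len(data) >= 5:
        ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
        # A TLS record starts with a known type, version 3.x and a bounded length.
        if ctype in RECORD_TYPES and major == 3 and minor <= 4 and 0 < length <= 18432:
            return "tls:" + RECORD_TYPES[ctype]
    if data.startswith(b"HTTP/"):
        # Plain HTTP on the TLS port: OpenSSL reports this as "wrong version number".
        return "plaintext-http"
    return "not-tls"


def client_hello(server_name: str) -> bytes:
    """Build a real ClientHello in memory, without touching the network."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ssl.create_default_context().wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the handshake is now waiting for the server's reply
    return outgoing.read()


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send a ClientHello to host:port and classify the raw reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(client_hello(host))
        return classify_first_bytes(sock.recv(4096))


if __name__ == "__main__" and len(sys.argv) > 1:
    print(probe(sys.argv[1]))
```

Run it with the hostname as the only argument. A `plaintext-http` result means the listener that answered on that address and port is not speaking TLS, so the virtual host that actually received the connection is the one to inspect.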
