openssl apache2.4

Site throws ERR_SSL_PROTOCOL_ERROR


I found a lot of similar questions, but no solution works here.

https://pmadmin.qno.de/index.html:443 shows in the browser:

Diese Website kann keine sichere Verbindung bereitstellen
pmadmin.qno.de hat eine ungültige Antwort gesendet.
Versuche, die Windows-Netzwerkdiagnose auszuführen.
ERR_SSL_PROTOCOL_ERROR
root@bywater ~ # cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=22.04
DISTRIB_CODENAME=jammy
DISTRIB_DESCRIPTION="Ubuntu 22.04.4 LTS"
root@bywater ~ # dpkg -l apache2
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version           Architecture Description
+++-==============-=================-============-=================================
ii  apache2        2.4.52-1ubuntu4.8 amd64        Apache HTTP Server
root@bywater ~ # dpkg -l openssl
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version           Architecture Description
+++-==============-=================-============-====================================================
ii  openssl        3.0.2-0ubuntu1.15 amd64        Secure Sockets Layer toolkit - cryptographic utility

In the access.log, I find:

2003:e9:4f12:6d00:4539:bdd0:36ce:1851 - - [18/Mar/2024:20:21:02 +0100] "\x16\x03\x01\x02\x11\x01" 400 488 "-" "-"
2003:e9:4f12:6d00:4539:bdd0:36ce:1851 - - [18/Mar/2024:20:21:02 +0100] "\x16\x03\x01\x02\x11\x01" 400 488 "-" "-"

There is no entry in error.log.

In ssl_engine.log, I find:

[Mon Mar 18 20:21:02.357687 2024] [core:debug] [pid 595065] protocol.c(1449): [client 2003:e9:4f12:6d00:4539:bdd0:36ce:1851:49640] AH00566: request failed: malformed request line
[Mon Mar 18 20:21:02.434954 2024] [core:debug] [pid 595066] protocol.c(1449): [client 2003:e9:4f12:6d00:4539:bdd0:36ce:1851:49642] AH00566: request failed: malformed request line

/etc/apache2/sites-enabled/a02-phpmyadmin-le-ssl.conf:

<IfModule mod_ssl.c>
<VirtualHost 65.21.136.15:443 [2a01:04f9:003b:25b0:0009:0006:0001:0a02]:443>
    HttpProtocolOptions Unsafe

    ServerAdmin webmaster@qno.de
    DocumentRoot  /srv/phpmyadmin_html
    ServerName pmadmin.qno.de

    ErrorLog /var/log/apache2/a02_phpmyadmin/error.log
    CustomLog /var/log/apache2/a02_phpmyadmin/access.log combined

    AddDefaultCharset UTF-8
    AddOutputFilterByType DEFLATE text/html text/plain text/xml
    DirectoryIndex index.php index.html

    SSLProtocol TLSv1.3 TLSv1.2
    SSLHonorCipherOrder On
    SSLCompression off

    SSLCipherSuite 'RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5:!SHA1'

    ErrorLog /var/log/apache2/a02_phpmyadmin/ssl_engine.log
    LogLevel debug
    
    SSLCertificateFile /etc/letsencrypt/live/pmadmin.qno.de/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/pmadmin.qno.de/privkey.pem
    
    <Directory /srv/phpmyadmin_html>
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
</IfModule>
root@bywater ~ # apache2ctl -t
Syntax OK
root@bywater ~ # apache2ctl -S
VirtualHost configuration:
[2a01:4f9:3b:25b0:9:6:1:a02]:443 pmadmin.qno.de (/etc/apache2/sites-enabled/a02-phpmyadmin-le-ssl.conf:2)
[2a01:4f9:3b:25b0:9:6:1:a02]:80 pmadmin.qno.de (/etc/apache2/sites-enabled/a02-phpmyadmin.conf:1)
[2a01:4f9:3b:25b0:9:6:1:b01]:80 www.sk-koenig-tegel.de (/etc/apache2/sites-enabled/b01-tegel.conf:2)
[2a01:4f9:3b:25b0:9:6:1:b01]:443 www.sk-koenig-tegel.de (/etc/apache2/sites-enabled/b01-tegel.conf:28)
65.21.136.15:80        is a NameVirtualHost
         default server pmadmin.qno.de (/etc/apache2/sites-enabled/a02-phpmyadmin.conf:1)
         port 80 namevhost pmadmin.qno.de (/etc/apache2/sites-enabled/a02-phpmyadmin.conf:1)
         port 80 namevhost www.sk-koenig-tegel.de (/etc/apache2/sites-enabled/b01-tegel.conf:2)
                 alias sk-koenig-tegel.de
65.21.136.15:443       is a NameVirtualHost
         default server pmadmin.qno.de (/etc/apache2/sites-enabled/a02-phpmyadmin-le-ssl.conf:2)
         port 443 namevhost pmadmin.qno.de (/etc/apache2/sites-enabled/a02-phpmyadmin-le-ssl.conf:2)
         port 443 namevhost www.sk-koenig-tegel.de (/etc/apache2/sites-enabled/b01-tegel.conf:28)
                 alias sk-koenig-tegel.de
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

root@bywater ~ # netstat -tlpn|grep 443
tcp6       0      0 :::443                  :::*                    LISTEN      268958/apache2

root@bywater ~ # openssl s_client -tls1_3 -connect pmadmin.qno.de:443 -6
CONNECTED(00000003)
4087D64E7E7F0000:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:354:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 248 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

From outside:

root@raspberry ~ # nmap -6 -sT -sV -p 443 pmadmin.qno.de
Starting Nmap 7.70 ( https://nmap.org ) at 2024-03-18 20:35 CET
Nmap scan report for pmadmin.qno.de (2a01:4f9:3b:25b0:9:6:1:a02)
Host is up (0.041s latency).
Other addresses for pmadmin.qno.de (not scanned): 65.21.136.15

PORT    STATE SERVICE   VERSION
443/tcp open  ssl/https Apache/2.4.52 (Ubuntu)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.28 seconds
root@raspberry ~ # nmap -4 -sT -sV -p 443 pmadmin.qno.de
Starting Nmap 7.70 ( https://nmap.org ) at 2024-03-18 20:36 CET
Nmap scan report for pmadmin.qno.de (65.21.136.15)
Host is up (0.038s latency).
Other addresses for pmadmin.qno.de (not scanned): 2a01:4f9:3b:25b0:9:6:1:a02
rDNS record for 65.21.136.15: bywater.qno.de

PORT    STATE SERVICE   VERSION
443/tcp open  ssl/https Apache/2.4.52 (Ubuntu)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.17 seconds

I hope I included all the information that led to a solution in other cases. No idea what I could try ...

TIA QNo
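The two access.log lines and the s_client error are the whole diagnosis, and it helps to be able to read them mechanically. The following is an added example (not code from the question or from the answerer) that unescapes Apache's `\xHH` request-field encoding, decodes the bytes as a TLS record header, and classifies what a TLS client would see in a plaintext reply. The log lines are constructed after the ones in the question plus one ordinary request; the `198.51.100.7` client, the `curl` request and the `HTTP/1.1 400` reply bytes are assumptions for the sample.

```python
import re
import struct

# Constructed sample access.log lines, modelled on the two entries in the
# question (combined log format).  Apache writes non-printable request bytes
# as \xHH, so the request field of the first two lines is the start of a TLS
# ClientHello that the server tried to read as an HTTP request line.  The
# third line is a normal plaintext request, added for contrast.
SAMPLE_ACCESS_LOG = r'''2003:e9:4f12:6d00:4539:bdd0:36ce:1851 - - [18/Mar/2024:20:21:02 +0100] "\x16\x03\x01\x02\x11\x01" 400 488 "-" "-"
2003:e9:4f12:6d00:4539:bdd0:36ce:1851 - - [18/Mar/2024:20:21:02 +0100] "\x16\x03\x01\x02\x11\x01" 400 488 "-" "-"
198.51.100.7 - - [18/Mar/2024:20:22:10 +0100] "GET /index.html HTTP/1.1" 200 1234 "-" "curl/8.5.0"
'''

# client ident user [timestamp] "request" status ... (the rest is not needed)
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) '
)

TLS_CONTENT_TYPES = {0x14: 'change_cipher_spec', 0x15: 'alert',
                     0x16: 'handshake', 0x17: 'application_data'}
# Record-layer versions.  A TLS 1.2/1.3 ClientHello still carries 0x0301 here;
# the real protocol version is negotiated inside the handshake message.
RECORD_VERSIONS = {0x0300: 'SSL 3.0', 0x0301: 'TLS 1.0',
                   0x0302: 'TLS 1.1', 0x0303: 'TLS 1.2'}
HANDSHAKE_TYPES = {1: 'ClientHello', 2: 'ServerHello'}


def unescape_request(field: str) -> bytes:
    """Turn Apache's \\xHH escapes in a logged request field back into raw bytes."""
    return re.sub(rb'\\x([0-9a-fA-F]{2})',
                  lambda m: bytes([int(m.group(1), 16)]),
                  field.encode('latin-1'))


def decode_tls_record_prefix(raw: bytes):
    """Describe a TLS record header if raw starts with one; otherwise return None.

    Layout: content type (1 byte), record version (2 bytes), length (2 bytes),
    then, for handshake records, the handshake message type (1 byte).
    """
    if len(raw) < 5 or raw[0] not in TLS_CONTENT_TYPES:
        return None
    version, length = struct.unpack('!HH', raw[1:5])
    if version not in RECORD_VERSIONS:
        return None
    info = {'content_type': TLS_CONTENT_TYPES[raw[0]],
            'record_version': RECORD_VERSIONS[version],
            'record_length': length}
    if raw[0] == 0x16 and len(raw) >= 6:
        info['handshake_type'] = HANDSHAKE_TYPES.get(raw[5], 'unknown(%d)' % raw[5])
    return info


def scan_access_log(text: str) -> list:
    """Return one finding per log line whose "request" is really a TLS record.

    Such lines mean clients sent TLS to a socket that Apache serves as plain
    HTTP, which is exactly what a :443 vhost without 'SSLEngine on' produces.
    """
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        info = decode_tls_record_prefix(unescape_request(m.group('request')))
        if info is not None:
            findings.append({'client': m.group('client'),
                             'timestamp': m.group('ts'),
                             'status': int(m.group('status')),
                             **info})
    return findings


def classify_server_reply(raw: bytes) -> str:
    """Classify the first bytes a TLS client reads back from the server.

    When Apache answers a ClientHello with a plaintext 'HTTP/1.1 400 ...', the
    client parses 'HTTP/' as a 5-byte record header and gives up; OpenSSL
    reports that as 'wrong version number' after reading exactly 5 bytes,
    which matches the s_client output in the question.
    """
    if decode_tls_record_prefix(raw) is not None:
        return 'tls-record'
    if raw.startswith(b'HTTP/'):
        return 'plaintext-http'
    return 'unknown'


if __name__ == '__main__':
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print('%s sent a %s %s record (%s, %d bytes) and got HTTP %d' % (
            f['client'], f['record_version'], f['content_type'],
            f.get('handshake_type', '-'), f['record_length'], f['status']))
    # constructed reply bytes, assumed for the sample
    print(classify_server_reply(b'HTTP/1.1 400 Bad Request\r\n'))
```

Run against the real log, every `\x16\x03\x01` request line that comes back as 400 is a ClientHello answered in plaintext; if such lines appear on a port that is supposed to be TLS, check the vhost for `SSLEngine on` before touching ciphers or protocols.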


Solution

  • Thanks to @dave_thompson_085, I recognized my fault: in the heat of a lot of tests, I somehow deleted SSLEngine on. And surprise, surprise: after inserting it, SSL works. Thank you a lot, I'm a bit ashamed.
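A missing `SSLEngine on` passes `apache2ctl -t` (the syntax is fine) and still shows up in `apache2ctl -S` as a :443 vhost, so neither check catches it. The following is an added example, not code from the question or the answer, of a small lint that parses `<VirtualHost>` blocks and flags a :443 or certificate-bearing vhost that never enables the SSL engine. The two config fragments are constructed: `BROKEN_CONF` is modelled on the posted vhost (with `*:443` in place of the real addresses) and `FIXED_CONF` adds the line the answer identifies; the check on `HttpProtocolOptions Unsafe`, which the posted vhost also sets, is an extra hardening note beyond what the thread discusses.

```python
import re

# Two constructed vhost fragments.  BROKEN_CONF is modelled on the vhost posted
# in the question (no SSLEngine directive at all); FIXED_CONF is the same vhost
# with the line the answer says had been deleted.
BROKEN_CONF = '''
<IfModule mod_ssl.c>
<VirtualHost *:443>
    HttpProtocolOptions Unsafe
    ServerName pmadmin.qno.de
    DocumentRoot /srv/phpmyadmin_html
    SSLProtocol TLSv1.3 TLSv1.2
    SSLCertificateFile /etc/letsencrypt/live/pmadmin.qno.de/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/pmadmin.qno.de/privkey.pem
    <Directory /srv/phpmyadmin_html>
        Require all granted
    </Directory>
</VirtualHost>
</IfModule>
'''

FIXED_CONF = '''
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName pmadmin.qno.de
    DocumentRoot /srv/phpmyadmin_html
    SSLEngine on
    SSLProtocol TLSv1.3 TLSv1.2
    SSLCertificateFile /etc/letsencrypt/live/pmadmin.qno.de/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/pmadmin.qno.de/privkey.pem
</VirtualHost>
</IfModule>
'''

VHOST_OPEN = re.compile(r'^\s*<VirtualHost\s+([^>]+)>', re.IGNORECASE)
VHOST_CLOSE = re.compile(r'^\s*</VirtualHost>', re.IGNORECASE)
DIRECTIVE = re.compile(r'^\s*([A-Za-z]\w*)\s+(.*?)\s*$')


def parse_vhosts(config_text: str) -> list:
    """Collect each <VirtualHost> block as {'addresses', 'line', 'directives'}.

    Directive names are lower-cased and the last occurrence wins.  Directives
    inside nested sections such as <Directory> are kept with the vhost; that
    simplification is harmless here because the SSL directives being checked
    are vhost-level anyway.
    """
    vhosts, current = [], None
    for lineno, line in enumerate(config_text.splitlines(), 1):
        if line.lstrip().startswith('#'):      # Apache comments are whole lines
            continue
        opened = VHOST_OPEN.match(line)
        if opened:
            current = {'addresses': opened.group(1).split(),
                       'line': lineno, 'directives': {}}
            continue
        if VHOST_CLOSE.match(line):
            if current is not None:
                vhosts.append(current)
            current = None
            continue
        if current is not None:
            d = DIRECTIVE.match(line)
            if d:
                current['directives'][d.group(1).lower()] = d.group(2)
    return vhosts


def lint_vhost(vhost: dict) -> list:
    """Return human-readable problems for one vhost; an empty list means it passed."""
    d = vhost['directives']
    problems = []
    on_443 = any(addr.rsplit(':', 1)[-1] == '443' for addr in vhost['addresses'])
    has_cert = 'sslcertificatefile' in d
    engine_on = d.get('sslengine', 'off').strip().lower() == 'on'

    if (on_443 or has_cert) and not engine_on:
        problems.append('SSLEngine on is missing: Apache serves plain HTTP on this socket, '
                        'logs TLS ClientHellos as malformed request lines (AH00566) '
                        'and answers them with 400')
    if engine_on and not has_cert:
        problems.append('SSLEngine on without SSLCertificateFile')
    if has_cert and 'sslcertificatekeyfile' not in d:
        problems.append('SSLCertificateFile without SSLCertificateKeyFile')
    if 'unsafe' in d.get('httpprotocoloptions', '').lower():
        problems.append('HttpProtocolOptions Unsafe relaxes request-line validation; '
                        'keep the default Strict unless a specific client needs it')
    return problems


def lint_config(config_text: str) -> dict:
    """Map each vhost's ServerName (or its address list) to the problems found."""
    report = {}
    for vhost in parse_vhosts(config_text):
        name = vhost['directives'].get('servername', ' '.join(vhost['addresses']))
        report[name] = lint_vhost(vhost)
    return report


if __name__ == '__main__':
    for label, conf in (('broken', BROKEN_CONF), ('fixed', FIXED_CONF)):
        for name, problems in lint_config(conf).items():
            print(label, name, problems or 'OK')
```

Feed it the contents of `sites-enabled/*.conf` and it reports per vhost; a clean report for the :443 vhost is the condition under which `openssl s_client` should stop failing with `wrong version number`.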