Why is Apache listening on port 443 with http but not on https?

I have an Apache 2.4 on Debian and configured two VirtualHosts:

  1. The first is listening to port 80 to forward all "unsecure" requests to my secure VirtualHost.
  2. The second is the "secure" VirtualHost and listening to port 443.

Note: I use the "example.com" in my text, but I have a non-fake domain with SSL :-)

When I test the connection to I get an error.
"error:1408F10B:SSL routines:ssl3_get_record:wrong version number" on client side with curl / "ERR_SSL_PROTOCOL_ERROR" with Chrome
"AH00566: request failed: malformed request line" at Apache server side

When I test the connection with port 443 it also results in the same error.

When I test the connection to (protocol http and port 443) the default index page of Apache is successfully shown. Although this is not my own index.html which I actually expected. But this is another issue for later.

Since the last test succeeded, I guess that there is no issue with the SSL certificate, right?

Apache seems to listen on both ports:

> sudo apache2ctl -S
VirtualHost configuration:
*:80 example.com (/etc/apache2/sites-enabled/example.com.conf:10)
*:433 example.com (/etc/apache2/sites-enabled/example.com.conf:21)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33
> netstat -tupln
(Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
udp 0 0 0.0.0.0:68 0.0.0.0:* -
udp6 0 0 fe80::250:56ff:fe20:546 :::* 

My "ports.conf":

# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf
Listen 0.0.0.0:80
<IfModule ssl_module>
    Listen 0.0.0.0:443
</IfModule>
<IfModule mod_gnutls.c>
    Listen 0.0.0.0:443
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

My "example.com.conf" in sites-enabled:

########
# main config file for my webpage
########
# NameVirtualHost is deprecated
#NameVirtualHost *:443
<VirtualHost *:80>
    ServerName example.de
    # this line is masked for superuser.com due to privacy
    ServerAlias XXXXXXX.online-server.cloud xxx.xxx.xx.xx
    Redirect permanent /
    LogLevel debug
    CustomLog ${APACHE_LOG_DIR}/example-nossl-access.log combined
    ErrorLog ${APACHE_LOG_DIR}/example-nossl-error.log
</VirtualHost>
# Default-Host
<VirtualHost *:433>
    # admin mail given to user when any issues occur
    ServerAdmin
    # the domain that routes to DocumentRoot
    ServerName example.com
    # alias which also routes to DocumentRoot
    # this line is masked for superuser.com due to privacy
    ServerAlias XXXXXX.online-server.cloud xxx.xxx.xx.xx
    DocumentRoot /var/www/example-homepage
    LogLevel debug
    CustomLog ${APACHE_LOG_DIR}/example-access.log combined
    ErrorLog ${APACHE_LOG_DIR}/example-error.log
    #<IfModule mod_ssl.c>
    SSLEngine on
    SSLCertificateKeyFile /etc/apache2/ssl/_.example.com_private_key.key
    SSLCertificateFile /etc/apache2/ssl/example.com_ssl_certificate.cer
    #</IfModule>
</VirtualHost>
<Directory /var/www/example-homepage>
    # allow .htaccess files in root directory
    AllowOverride All
</Directory>

Edit SSL Logs:

[Fri Feb 07 07:17:37.546729 2020] [ssl:info] [pid 83145:tid 139622694843520] AH01914: Configuring server example.com:443 for SSL protocol
[Fri Feb 07 07:17:37.546735 2020] [ssl:debug] [pid 83145:tid 139622694843520] ssl_engine_init.c(1750): AH10083: Init: (example.com:443) mod_md support is unavailable.
[Fri Feb 07 07:17:37.546943 2020] [ssl:debug] [pid 83145:tid 139622694843520] ssl_engine_init.c(479): AH01893: Configuring TLS extension handling
[Fri Feb 07 07:17:37.547220 2020] [ssl:debug] [pid 83145:tid 139622694843520] ssl_util_ssl.c(476): AH02412: [example.com:443] Cert matches for name 'example.com' [subject: CN=*.example.com / issuer: CN=Encryption Everywhere DV TLS CA - G1,OU= Inc,C=US / serial: 0C9227F96F2A0EFA7B7E6F7391B9EBA0 / notbefore: Dec 26 00:00:00 2019 GMT / notafter: Dec 25 12:00:00 2020 GMT]
[Fri Feb 07 07:17:37.547229 2020] [ssl:info] [pid 83145:tid 139622694843520] AH02568: Certificate and private key example.com:443:0 configured from /etc/apache2/ssl/example.com_ssl_certificate.cer and /etc/apache2/ssl/_.example.com_private_key.key

Edit 2 Verbose log from curl:

* Expire in 0 ms for 6 (transfer 0x55ac2933ef50)
* Expire in 1 ms for 1 (transfer 0x55ac2933ef50)
...
* Trying xxx.xxx.xx.xx...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x55ac2933ef50)
* Connected to example.com (xxx.xxx.xx.xx) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: none CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* error:1408F10B:SSL routines:ssl3_get_record:wrong version number
* Closing connection 0
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

Please help me to understand why https is not mapped to port 443 and to fix that issue so I can access my webpage with .

2 Answers

It was a stupid typo in my example.com.conf. I had to change port 433 to 443:

...
# Default-Host
<VirtualHost *:433>
...

to

...
# Default-Host
<VirtualHost *:443>
...

Now it works.

In my case it turned out it was a wrong configuration; in one virtual host configuration file there were both sections

<VirtualHost *:80>
...
</VirtualHost>
<VirtualHost *:443>
...
</VirtualHost>

In another file I had just the <VirtualHost *:443> and this one was not working due to the wrong configuration in the other file. The server on port 443 was not talking TLS at all, and it did correctly respond to HTTP requests.
Nonetheless, the server was running and reporting no errors; I had a really hard time finding out the root cause.
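
Both answers come down to a port where Apache listens but no TLS-enabled VirtualHost is bound. The following check is an added example, not part of the original posts: it cross-references `Listen` ports with `<VirtualHost>` ports. The function names, the finding labels and the trimmed sample config are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Reads Apache config text on stdin, prints one finding per line.
# Assumptions: <IfModule> blocks are treated as active, and only vhost
# addresses that name an explicit numeric port are checked.
check_vhost_ports() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }            # skip blank lines and comments
    tolower($1) == "listen" {                # Listen [addr:]port [protocol]
        p = $2; sub(/^.*:/, "", p); listen[p] = 1; next
    }
    tolower($1) == "<virtualhost" {          # <VirtualHost addr:port ...>
        n = 0
        for (i = 2; i <= NF; i++) {
            a = $i; sub(/>.*$/, "", a)
            if (a !~ /:[0-9]+$/) continue    # no explicit port: not checked
            sub(/^.*:/, "", a); vhost[a] = 1; cur[++n] = a
        }
        next
    }
    tolower($1) ~ /^<\/virtualhost/ { n = 0; next }
    tolower($1) == "sslengine" && tolower($2) == "on" {
        for (i = 1; i <= n; i++) ssl[cur[i]] = 1
    }
    END {
        # vhost bound to a port nothing listens on: it never gets a connection
        for (p in vhost) if (!(p in listen))
            printf "UNLISTENED_VHOST %s ssl=%s\n", p, ((p in ssl) ? "on" : "off")
        # listening port without a vhost: requests fall through to the main server
        for (p in listen) if (!(p in vhost))
            printf "LISTEN_WITHOUT_VHOST %s\n", p
    }' | sort
}

# Constructed sample: the question's Listen and VirtualHost layout, trimmed.
sample_config() {
    cat <<'EOF'
Listen 0.0.0.0:80
<IfModule ssl_module>
    Listen 0.0.0.0:443
</IfModule>
<VirtualHost *:80>
    ServerName example.com
</VirtualHost>
<VirtualHost *:433>
    ServerName example.com
    SSLEngine on
</VirtualHost>
EOF
}

sample_config | check_vhost_ports
```

On a Debian layout like the one in the question, the same function can be fed the concatenated `ports.conf` and `sites-enabled` files; an empty result means every listening port has a matching VirtualHost.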
