derhuerst / db-rest

A clean REST API wrapping around the Deutsche Bahn API.
https://v6.db.transport.rest/
ISC License

2.db.transport.rest ERR_SSL_PROTOCOL_ERROR #8

Closed refda closed 5 years ago

refda commented 5 years ago

Hey, the domains transport.rest, 1.db.transport.rest and 2.db.transport.rest are not reachable since a few days/weeks. The following error occurred while opening the page: ERR_SSL_PROTOCOL_ERROR.

For testing purpose:

Thanks for fixing!

derhuerst commented 5 years ago

It may be related to subject alternative names. I've recently set up my server to use one Let's Encrypt certificate for multiple domains. I'm not an expert on this though.

error occurred on different devices and browsers, also on servers

Interesting! For me it works fine with Safari 12.0.3, Firefox 65.0.1 and Chromium 75.0.3738.0 (Developer Build) on macOS 10.13.6, as well as with curl 7.47.0 (x86_64-pc-linux-gnu) libcurl/7.47.0 GnuTLS/3.4.10 zlib/1.2.8 libidn/1.32 librtmp/2.3 from an Ubuntu 16.04.6 LTS.

derhuerst commented 5 years ago

I've changed the nginx config. Can you try again?

refda commented 5 years ago

Thanks for your reply! Both with the local computer and with the server, the error still persists. On the server (at a different location than the local computer) it gives the following error message:

error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

The same error is coming up with these options (only for testing):

curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);

refda commented 5 years ago

Now I tried it with the mobile phone. With WLAN it is not possible to access the site, with mobile data it is possible to access it. I think there is an error in the SSL communication, maybe in connection with the IPv4/IPv6 config.

derhuerst commented 5 years ago

I can't confirm this unfortunately:

curl -s -v -6 'https://2.db.transport.rest/' >/dev/null
*   Trying ::ffff:54.37.75.136...
* TCP_NODELAY set
* Connected to 2.db.transport.rest (::ffff:54.37.75.136) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [108 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [2565 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [333 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [70 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=2.db.transport.rest
*  start date: Mar 20 03:58:54 2019 GMT
*  expire date: Jun 18 03:58:54 2019 GMT
*  subjectAltName: host "2.db.transport.rest" matched cert's "2.db.transport.rest"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: 2.db.transport.rest
> User-Agent: curl/7.54.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Server: nginx/1.10.3 (Ubuntu)
< Date: Wed, 03 Apr 2019 10:33:26 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 148
< Connection: keep-alive
< X-Powered-By: db-rest 2.0.0 https://github.com/derhuerst/db-rest
< Access-Control-Allow-Origin: *
< Strict-Transport-Security: max-age=864000; includeSubDomains
< X-API-Version: 2.0.0
< ETag: W/"94-zAO8w1b0CBl/0PcHGzN097+4NLg"
< Vary: Accept-Encoding
< 
{ [148 bytes data]
* Connection #0 to host 2.db.transport.rest left intact

derhuerst commented 5 years ago

Now I tried it with the mobile phone. With WLAN it is not possible to access the site, with mobile data it is possible to access it.

Sounds like a DNS issue. Can you give me the IP address your browser(s) try to connect to? You can see that e.g. in the dev tools.

The same error is coming up with these options (only for testing):

curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);

Can you try with regular curl from the command line?

derhuerst commented 5 years ago

I found an error: From a server, I can't use IPv6 (curl -6 ... fails). Will investigate.

refda commented 5 years ago

curl -s -v -6 'https://2.db.transport.rest/' >/dev/null

*   Trying 2001:41d0:701:1100::26d...
* TCP_NODELAY set
* Connected to 2.db.transport.rest (2001:41d0:701:1100::26d) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
* Curl_http_done: called premature == 1
* stopped the pause stream!
* Closing connection 0

refda commented 5 years ago

When I am using curl -s -v --ipv4 'https://2.db.transport.rest/' >/dev/null there is no error...

derhuerst commented 5 years ago

Please try now with curl -6. After changing my server config, I don't have problems anymore.

refda commented 5 years ago

Now everything works fine, thanks! Maybe you could explain your changes in short.

derhuerst commented 5 years ago

I use nginx as a reverse proxy and for HTTPS. I have several config files, each for a separate domain, proxying to a different local port.

In each of these, I forgot the ssl flag in the listen directive. Fixed, it looks like this:

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    # other directives…
}
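The failure mode in this thread is worth being able to catch before a user reports it: a `listen` on port 443 without the `ssl` flag makes nginx answer with plain HTTP on the HTTPS port, and a TLS client then reports "unknown protocol" because the bytes it receives are not a ServerHello. When only the `[::]:443` listener is missing the flag, IPv4 clients work and IPv6 clients fail, which is exactly the split seen above. The following added example (not part of db-rest or the nginx project) is a small audit script that scans an nginx configuration for this misconfiguration. It reads a constructed sample config embedded inline; the server names in it are taken from the thread, but the blocks themselves are invented for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample nginx config (not the project's real config). The first
# server block reproduces the bug from the thread (ssl missing on the IPv6
# listener only), the second is correct, the third has no ssl on either.
SAMPLE_CONFIG = """
server {
    server_name 2.db.transport.rest;
    listen 443 ssl;
    listen [::]:443;          # BUG: no ssl flag -> plain HTTP over IPv6
    location / { proxy_pass http://127.0.0.1:3000; }
}

server {
    server_name 1.db.transport.rest;
    listen 443 ssl;
    listen [::]:443 ssl;
}

server {
    server_name transport.rest;
    listen 443;
    listen [::]:443;
}
"""

LISTEN_RE = re.compile(r'\blisten\s+([^;]+);')
SERVER_NAME_RE = re.compile(r'\bserver_name\s+([^;]+);')


def strip_comments(text: str) -> str:
    """Remove '#' comments so commented-out directives are not audited."""
    return re.sub(r'#[^\n]*', '', text)


def extract_server_blocks(text: str) -> List[str]:
    """Return the body of every top-level 'server { ... }' block, matching braces by depth."""
    text = strip_comments(text)
    blocks = []
    for m in re.finditer(r'\bserver\s*\{', text):
        depth = 0
        for i in range(m.end() - 1, len(text)):
            if text[i] == '{':
                depth += 1
            elif text[i] == '}':
                depth -= 1
                if depth == 0:
                    blocks.append(text[m.end():i])
                    break
    return blocks


def parse_listen(arg: str) -> Dict:
    """Parse the argument of a 'listen' directive into address family, port and ssl flag.

    Handles the common forms: '443', '*:443', '1.2.3.4:443', '[::]:443', 'unix:/path'.
    """
    parts = arg.split()
    addr, flags = parts[0], set(parts[1:])
    if addr.startswith('['):
        family = 'ipv6'
        port = addr.rsplit(':', 1)[1] if ']:' in addr else '80'
    elif addr.startswith('unix:'):
        family, port = 'unix', None
    elif ':' in addr:
        family, port = 'ipv4', addr.rsplit(':', 1)[1]
    elif addr.isdigit():
        family, port = 'ipv4', addr
    else:
        family, port = 'ipv4', '80'
    return {'family': family, 'port': port, 'ssl': 'ssl' in flags, 'raw': arg.strip()}


def audit(config_text: str) -> List[Tuple[str, str]]:
    """Return (server_name, message) findings for listeners that would serve plaintext on 443
    and for ports where the ssl flag differs between listeners of one server block."""
    findings = []
    for block in extract_server_blocks(config_text):
        name_m = SERVER_NAME_RE.search(block)
        name = name_m.group(1).strip() if name_m else '<unnamed>'
        listens = [parse_listen(m.group(1)) for m in LISTEN_RE.finditer(block)]
        for lst in listens:
            if lst['port'] == '443' and not lst['ssl']:
                findings.append((name, f"'listen {lst['raw']}' on port 443 without ssl: "
                                       f"plain HTTP would be served on the HTTPS port ({lst['family']})"))
        # Same port, different ssl setting across listeners: one address family
        # gets TLS, the other gets a protocol error (the symptom in this thread).
        by_port: Dict[str, set] = {}
        for lst in listens:
            by_port.setdefault(lst['port'], set()).add(lst['ssl'])
        for port, ssl_values in by_port.items():
            if len(ssl_values) > 1:
                findings.append((name, f"port {port}: ssl set on some listeners but not others"))
    return findings


if __name__ == '__main__':
    for server, message in audit(SAMPLE_CONFIG):
        print(f"{server}: {message}")
```

Run against a real deployment with `audit(open('/etc/nginx/nginx.conf').read())` plus each file under `sites-enabled/`; the script does not follow `include` directives, so feed it every file that can contain a `server` block. After fixing the config, `curl -4` and `curl -6` against the host should both show a completed TLS handshake, as in the two curl transcripts above.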