Closed refda closed 5 years ago
It may be related to subject alternative names. I've recently set up my server to use one Let's Encrypt certificate for multiple domains. I'm not an expert on this though.
error occurred on different devices and browsers, also on servers
Interesting! For me it works fine with Safari 12.0.3, Firefox 65.0.1 and Chromium 75.0.3738.0 (Developer Build) on macOS 10.13.6, as well as with curl 7.47.0 (x86_64-pc-linux-gnu) libcurl/7.47.0 GnuTLS/3.4.10 zlib/1.2.8 libidn/1.32 librtmp/2.3 from an Ubuntu 16.04.6 LTS.
I've changed the nginx config. Can you try again?
Thanks for your reply! Both with the local computer and with the server, the error still persists. The server (at a different location than the local computer) gives the following error message:
error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
The same error is coming up with these options (only for testing):
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
Now I tried it with the mobile phone. With WLAN it is not possible to access the site, with mobile data it is possible to access it. I think there is an error in the SSL communication, maybe in connection with the IPv4/IPv6 config.
I can't confirm this unfortunately:
curl -s -v -6 'https://2.db.transport.rest/' >/dev/null
* Trying ::ffff:54.37.75.136...
* TCP_NODELAY set
* Connected to 2.db.transport.rest (::ffff:54.37.75.136) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [108 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [2565 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [333 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [70 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: CN=2.db.transport.rest
* start date: Mar 20 03:58:54 2019 GMT
* expire date: Jun 18 03:58:54 2019 GMT
* subjectAltName: host "2.db.transport.rest" matched cert's "2.db.transport.rest"
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: 2.db.transport.rest
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx/1.10.3 (Ubuntu)
< Date: Wed, 03 Apr 2019 10:33:26 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 148
< Connection: keep-alive
< X-Powered-By: db-rest 2.0.0 https://github.com/derhuerst/db-rest
< Access-Control-Allow-Origin: *
< Strict-Transport-Security: max-age=864000; includeSubDomains
< X-API-Version: 2.0.0
< ETag: W/"94-zAO8w1b0CBl/0PcHGzN097+4NLg"
< Vary: Accept-Encoding
<
{ [148 bytes data]
* Connection #0 to host 2.db.transport.rest left intact
> Now I tried it with the mobile phone. With WLAN it is not possible to access the site, with mobile data it is possible to access it.
Sounds like a DNS issue. Can you give me the IP address your browser(s) try to connect to? You can see that e.g. in the dev tools.
> The same error is coming up with these options (only for testing):
> curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
Can you try with regular curl from the command line?
I found an error: From a server, I can't use IPv6 (curl -6 ... fails). Will investigate.
curl -s -v -6 'https://2.db.transport.rest/' >/dev/null
* Trying 2001:41d0:701:1100::26d...
* TCP_NODELAY set
* Connected to 2.db.transport.rest (2001:41d0:701:1100::26d) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
* Curl_http_done: called premature == 1
* stopped the pause stream!
* Closing connection 0
When I am using curl -s -v --ipv4 'https://2.db.transport.rest/' >/dev/null there is no error...
Please try now with curl -6. After changing my server config, I don't have problems anymore.
Now everything works fine, thanks! Maybe you could explain your changes in short.
I use nginx as a reverse proxy and for HTTPS. I have several config files, each for a separate domain, proxying to a different local port.
In each of these, I forgot the ssl flag in the listen directive. Fixed, it looks like this:
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    # other directives…
}
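A small probe, added here as an example (not code from this thread or from the db-rest project), that checks a host over IPv4 and IPv6 separately, the way curl -4 / curl -6 did above, and reports whether port 443 answers a TLS handshake or speaks cleartext HTTP, which is what an nginx listen directive without the ssl flag produces and what surfaces as curl's "unknown protocol" error. The function names and the embedded HTTP server are constructed for the example; the server stands in for the misconfigured listener so the check can run offline.

```python
import socket
import ssl
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def probe_tls_port(host, port=443, family=socket.AF_UNSPEC, timeout=3.0):
    """Return 'tls', 'plaintext-http', 'closed' or 'unknown' for host:port.
    family=socket.AF_INET / AF_INET6 mirrors curl -4 / -6, so a listen block
    that lacks 'ssl' on only one address family shows up as 'plaintext-http'."""
    try:
        af, _, _, _, addr = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)[0]
    except socket.gaierror:
        return 'unknown'
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # we only ask whether TLS is spoken at all,
    ctx.verify_mode = ssl.CERT_NONE  # not whether the certificate is valid
    try:
        with socket.socket(af, socket.SOCK_STREAM) as raw:
            raw.settimeout(timeout)
            raw.connect(addr)
            with ctx.wrap_socket(raw, server_hostname=host):
                return 'tls'
    except (ssl.SSLError, socket.timeout):
        pass                         # handshake failed: see what answered instead
    except OSError:
        return 'closed'
    # Second connection, plain HTTP: a reply starting with "HTTP/" means the port
    # serves cleartext, e.g. nginx 'listen [::]:443;' without the 'ssl' flag,
    # which is what makes curl report SSL23_GET_SERVER_HELLO:unknown protocol.
    try:
        with socket.socket(af, socket.SOCK_STREAM) as raw:
            raw.settimeout(timeout)
            raw.connect(addr)
            raw.sendall(b'GET / HTTP/1.0\r\nHost: %s\r\n\r\n' % host.encode())
            reply = raw.recv(64)
    except OSError:
        return 'unknown'
    return 'plaintext-http' if reply.startswith(b'HTTP/') else 'unknown'

class _PlainHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the misconfigured listener: cleartext HTTP."""
    def do_GET(self):
        self.send_response(200); self.end_headers(); self.wfile.write(b'ok')
    def log_message(self, *args):
        pass                         # keep the demo quiet

def start_plain_http_server(host='127.0.0.1'):
    """Start the stand-in on an ephemeral port; returns (server, port)."""
    srv = HTTPServer((host, 0), _PlainHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]
```

Against a real host, call probe_tls_port(hostname, 443, socket.AF_INET) and again with socket.AF_INET6; a result of 'tls' for one family and 'plaintext-http' for the other is exactly the one-listen-directive-without-ssl case from this thread.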
Hey, the domains transport.rest, 1.db.transport.rest and 2.db.transport.rest have not been reachable for a few days/weeks. The following error occurred while opening the page: ERR_SSL_PROTOCOL_ERROR.
For testing purposes:
error occurred on different devices and browsers, also on servers
with a special VPN the error is not coming up > page is accessible
1.flixbus.transport.rest is working fine all the time
Thanks for fixing!