
ERR_SSL_PROTOCOL_ERROR (SOLVED)

Contents

1. Why does the ERR_SSL_PROTOCOL_ERROR occur

2. How to fix the ERR_SSL_PROTOCOL_ERROR

3. How to fix “ERR_SSL_PROTOCOL_ERROR” on a local web server

4. How to configure HTTPS on Apache in Linux

4.1 How to install Apache and OpenSSL on Debian, Ubuntu, Linux Mint, Kali Linux

4.2 How to enable the SSL module for Apache

4.3 How to make a local server open by hostname (setting up hostname to IP address resolution)

4.4 How to create a Certification Authority (CA)

4.5 How to create a certificate for HTTPS (generating a self-signed website certificate)

4.6 Where to copy certificates for Apache in Debian, Ubuntu, Linux Mint

4.7 How to configure Apache to work with SSL certificates

4.8 How to add a local Certification Authority (CA) to trusted ones


Why does the ERR_SSL_PROTOCOL_ERROR occur

The “ERR_SSL_PROTOCOL_ERROR” error occurs if the SSL module for Apache was enabled (activated), but the hosts were not (correctly) configured to work via the HTTPS protocol. In this state, the Apache server is already listening on port 443, but is not able to correctly process HTTPS requests.

Full text of the error:

This site can’t provide a secure connection
hackware.local sent an invalid response.
ERR_SSL_PROTOCOL_ERROR

That is, most likely, the virtual host intended for processing HTTPS requests is not configured and enabled. To verify this, run the following command, which will list Apache virtual hosts:

apachectl -t -D DUMP_VHOSTS
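
The check described above can be scripted. The following is an added example, not part of the original article: it reads the output of apachectl -t -D DUMP_VHOSTS and reports whether any virtual host is bound to port 443 and whether its configuration file has an active "SSLEngine on" line. The function names and the sample output are constructed for illustration.

```sh
# Added example, not from the original article.
# Constructed sample of `apachectl -t -D DUMP_VHOSTS` output for the broken
# state: the only enabled virtual host is on port 80.
SAMPLE_HTTP_ONLY='VirtualHost configuration:
*:80                   hackware.local (/etc/apache2/sites-enabled/000-default.conf:1)'

# Print the config file of every virtual host bound to port $1 (default 443).
# Reads DUMP_VHOSTS output on stdin.
vhost_files_for_port() {
    awk -v port="${1:-443}" '
        function emit(f) { sub(/^\(/, "", f); sub(/:[0-9]+\)$/, "", f); print f }
        # one vhost on the address:    "*:443  name (file:line)"
        $1 ~ (":" port "$") && $NF ~ /^\(.*:[0-9]+\)$/ { emit($NF) }
        # several vhosts on the port:  "port 443 namevhost name (file:line)"
        $1 == "port" && $2 == port && $3 == "namevhost" { emit($NF) }
    ' | sort -u
}

# Classify the HTTPS setup. Prints "no-vhost", "no-sslengine: FILES" or "ok".
# Reads DUMP_VHOSTS output on stdin; returns 0 only for "ok".
diagnose_https() {
    dh_files=$(vhost_files_for_port 443)
    if [ -z "$dh_files" ]; then
        echo "no-vhost"     # Apache may listen on 443, but no vhost handles it
        return 1
    fi
    # A 443 vhost without an active "SSLEngine on" also answers in plain HTTP.
    dh_bad=$(printf '%s\n' "$dh_files" | while IFS= read -r f; do
        grep -Eiq '^[[:space:]]*SSLEngine[[:space:]]+on([[:space:]]|$)' "$f" \
            2>/dev/null || printf '%s\n' "$f"
    done)
    if [ -n "$dh_bad" ]; then
        echo "no-sslengine: $dh_bad"
        return 1
    fi
    echo "ok"
}

# On a live server: apachectl -t -D DUMP_VHOSTS 2>/dev/null | diagnose_https
printf '%s\n' "$SAMPLE_HTTP_ONLY" | diagnose_https || true   # prints: no-vhost
```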

How to fix the ERR_SSL_PROTOCOL_ERROR

If you received the ERR_SSL_PROTOCOL_ERROR error when trying to open a site on the Internet, then try opening the same site using the HTTP protocol – your connection to the site will not be encrypted, but at least you will be able to view the web page you are interested in.

How to fix “ERR_SSL_PROTOCOL_ERROR” on a local web server

To fix this error, you need to correctly configure the web server to work with the HTTPS protocol. This option is not available for sites on the Internet (unless, of course, the site is yours), but you can fix the problem on your own local web server.

Below is a step-by-step manual on how to configure Apache to work with HTTPS. These instructions are suitable for Debian and Debian-based distributions such as Ubuntu, Linux Mint and Kali Linux.

If you have already tried to configure HTTPS on Apache, then the following detailed manual will help you find the error in your settings that causes ERR_SSL_PROTOCOL_ERROR, or you can just start over.

How to configure HTTPS on Apache in Linux

How to install Apache and OpenSSL on Debian, Ubuntu, Linux Mint, Kali Linux

Let's start by installing the Apache and OpenSSL packages. We'll need OpenSSL to generate self-signed certificates.

Your system may already have these packages. If necessary, install them with the following commands:

sudo apt update
sudo apt install apache2 openssl

To start the web server, run the following command:

sudo systemctl start apache2.service

Open http://localhost/ in your web browser – you should see the default Apache page in Debian.

To make the web server service start automatically after rebooting your computer, you can add it to startup with the following command:

sudo systemctl enable apache2.service

How to enable the SSL module for Apache

Let's start by enabling the SSL module for Apache. This is done with the command:

sudo a2enmod ssl

How to make a local server open by hostname (setting up hostname to IP address resolution)

Come up with a hostname. You can choose any name – one or more words separated by periods. And if you choose a name like this:

ANYTHING.localhost

For example:

hackware.localhost

Then you don't even have to set up hostname to IP resolution, since names ending in “.localhost” are automatically resolved to localhost.

You can click the following link and, if you have Apache running, it will open your local web server: http://hackware.localhost/

If you want a name without “.localhost” (for example, hackware.local), then you need to set up name to IP address resolution. To do this, we will add an entry to the /etc/hosts file.

I will use hackware.local as the domain name (the address of the local website). To make this name point to the web server, I open the /etc/hosts file:

sudo gedit /etc/hosts

I add the following line (replace hackware.local with your chosen domain name):

127.0.0.1 	hackware.local

Immediately after that, you can connect to the web server in your web browser using the domain name http://hackware.local (but only via HTTP for now).

How to create a Certification Authority (CA)

First, we will create the keys of the Certification Authority (CA). This only needs to be done once. Despite the grandiose name “Certification Authority”, all it takes is two commands that create a private key and a certificate containing the matching public key. These files can be created anywhere; for example, I created a folder called myCA where they will be stored:

mkdir myCA
cd myCA

Now create the private and public keys of the Certificate Authority with the following commands:

openssl genpkey -algorithm RSA -out rootCA.key
openssl req -x509 -new -noenc -key rootCA.key -sha256 -days 1024 -out rootCA.crt

During the second command, you will be asked for various information – it does not matter what you enter, it does not affect anything for our testing purposes. You can simply press Enter on all the requests.

The rootCA.crt file is a certificate containing the public key. This file is not secret and we will need it to add our Certificate Authority (CA) to the trusted ones, so that the operating system trusts the signed certificates.

The rootCA.key file should be kept secret – it can be used to create certificates that will be recognized by your operating system as signed by a trusted Certification Authority.

How to create a certificate for HTTPS (generating a self-signed website certificate)

With the following commands, I create a private key and a certificate signing request for the website. In these commands you can change the file names (for example, replace hackware.local with your domain name); the file names do not affect anything, so you can use any:

openssl genpkey -algorithm RSA -out hackware.local.key
openssl req -new -key hackware.local.key -out hackware.local.csr

After executing the second command, you will again be asked for various information – as before, almost all of it can be left blank, with the exception of one field:

Common Name (e.g. server FQDN or YOUR name) []:

In this field, specify your local domain, for example:

hackware.local

Also think up and remember a password to enter in the next field (you can skip it):

A challenge password []:

Create a file extraoptions.ext with the following content (instead of hackware.local specify your domain):

subjectAltName = DNS:*.hackware.local, DNS:hackware.local

Note that the domain is specified twice – with and without an asterisk. This is done so that the certificate works for both the main domain and all its subdomains.

In fact, you can also specify IP addresses (including IPv6) – if you do this, the certificate will also be valid for these IP addresses. Example of extraoptions.ext file with IP addresses:

subjectAltName = DNS:*.hackware.local, DNS:hackware.local, IP:192.168.1.37, IP:2001:fb1:139:3995:da89:dbdf:1e9a:eb84

To find out the IP addresses of your Linux computer, use the following command:

ip a

Note: if you have not configured a static IP address, your IP addresses will most likely change after you reboot your computer.

The last command is to sign the certificate:

openssl x509 -req -in hackware.local.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out hackware.local.crt -days 500 -sha256 -extfile extraoptions.ext

As a result, three new files were created:

hackware.local.crt
hackware.local.csr
hackware.local.key

The hackware.local.csr file is no longer needed and you can delete it.
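
Before copying the files to the web server, it is worth confirming that they fit together. The following is an added example, not part of the original article; the function names are illustrative and OpenSSL 1.1.0 or newer is assumed. It checks that the site certificate verifies against rootCA.crt, that subjectAltName covers the host name, and that the private key belongs to the certificate.

```sh
# Added example, not from the original article.

# Print the DNS entries of a certificate's subjectAltName, lower-cased, one per line.
san_dns_names() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk '/X509v3 Subject Alternative Name/ { getline; print }' |
        tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p' | tr 'A-Z' 'a-z'
}

# Succeed if HOST is covered by subjectAltName (Common Name is not consulted,
# as in current browsers). A wildcard stands for exactly one left-most label,
# so "*.hackware.local" covers www.hackware.local but not hackware.local.
san_covers_host() {   # usage: san_covers_host CERT HOST
    sc_host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case $sc_host in
        *.*) sc_wild="*.${sc_host#*.}" ;;   # the one wildcard form that fits
        *)   sc_wild=$sc_host ;;
    esac
    san_dns_names "$1" | grep -Fxq -e "$sc_host" -e "$sc_wild"
}

# Succeed if the private key belongs to the certificate (same public key).
key_matches_cert() {  # usage: key_matches_cert CERT KEY
    km_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    km_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$km_cert" ] && [ "$km_cert" = "$km_key" ]
}

# Run all checks; prints one line per failure and returns non-zero on any.
check_site_cert() {   # usage: check_site_cert CA_CERT SITE_CERT SITE_KEY HOST
    cs_rc=0
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 ||
        { echo "FAIL: $2 does not verify against $1"; cs_rc=1; }
    san_covers_host "$2" "$4" ||
        { echo "FAIL: subjectAltName of $2 does not cover $4"; cs_rc=1; }
    key_matches_cert "$2" "$3" ||
        { echo "FAIL: $3 is not the private key of $2"; cs_rc=1; }
    return "$cs_rc"
}

# e.g.: sh check.sh rootCA.crt hackware.local.crt hackware.local.key hackware.local
if [ "$#" -eq 4 ]; then check_site_cert "$@"; fi
```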

Where to copy certificates for Apache in Debian, Ubuntu, Linux Mint

Copy (or move) the created certificates:

sudo cp hackware.local.crt /etc/ssl/certs/
sudo cp hackware.local.key /etc/ssl/private/

How to configure Apache to work with SSL certificates

In the directory /etc/apache2/sites-available/ create a file with the .conf extension, for example:

sudo gedit /etc/apache2/sites-available/hackware-ssl.conf

And copy the following content into it:

<VirtualHost *:443>
	DocumentRoot "/var/www/html/"
	ServerName hackware.local
	ServerAdmin whatever@gmail.com
	LogLevel error
	# LogLevel info ssl:warn # You may like this instead of the previous one
	ErrorLog "/var/log/apache2/hackware.local-ssl-error_log"
	CustomLog "/var/log/apache2/hackware.local-ssl-access_log" combined
	SSLEngine on
	SSLCertificateFile "/etc/ssl/certs/hackware.local.crt"
	SSLCertificateKeyFile "/etc/ssl/private/hackware.local.key"

	# These options apply from the filesystem root down and are meant for a local test server
	<Directory />
		Options +Indexes +FollowSymLinks +ExecCGI
		AllowOverride All
	</Directory>
	
	<FilesMatch "\.(?:cgi|shtml|phtml|php)$">
		SSLOptions +StdEnvVars
	</FilesMatch>

	<Directory /usr/lib/cgi-bin>
		SSLOptions +StdEnvVars
	</Directory>
</VirtualHost>

In this configuration, pay special attention to the settings of the following directives:

  • ServerName – the chosen domain name for the local site
  • SSLCertificateFile and SSLCertificateKeyFile – paths to the certificate and private key. If you have chosen other names for your keys, then change them here.

Save and close the file.

Now enable the new virtual host (note that the name of the configuration file may be different – this is the same file that you created in the /etc/apache2/sites-available/ directory a little earlier):

sudo a2ensite hackware-ssl.conf

And reload the apache2 service settings:

sudo systemctl reload apache2

To check that the new virtual host was really added, you can run the following command:

apachectl -t -D DUMP_VHOSTS

Now you can use the HTTPS protocol to connect to the web server: https://hackware.local/

But something is wrong – the web browser does not trust the self-signed certificate. To fix this, you need to add the Certification Authority created above in this instruction to the list of trusted ones.

How to add a local Certification Authority (CA) to trusted ones

Neither browsers nor even console utilities trust a self-signed certificate. To make browsers trust all certificates created using a local Certification Authority, you need to do the following.

1) Create a file CAtoCert9.sh and save the following content to it:

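#!/bin/bash

# certutil comes from the libnss3-tools package on Debian-based systems
certfile="/home/mial/myCA/rootCA.crt"
certname="HackWare CA"

# Add the CA to every NSS database (cert9.db) found under the home directory.
# The -t argument sets trust for TLS, e-mail and code signing, in that order.
find ~/ -name "cert9.db" -print0 | while IFS= read -r -d '' certDB
do
    certdir=$(dirname "${certDB}")
    certutil -A -n "${certname}" -t "TCu,Cu,Tu" -i "${certfile}" -d "sql:${certdir}"
done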

In this file, change the certfile value to the path to your certificate file and the certname value to the name of your certificate (you can choose any – you will need this name if you want to delete the certificate), save and close the file.

2) Then run it like this:

bash CAtoCert9.sh

If you want to remove your Certification Authority from the trusted ones, then create a file CAfromCert9.sh and copy the following into it:

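#!/bin/bash

certname="HackWare CA"

# Delete the CA from every NSS database (cert9.db) found under the home directory
find ~/ -name "cert9.db" -print0 | while IFS= read -r -d '' certDB
do
	certdir=$(dirname "${certDB}")
	certutil -D -d "sql:${certdir}" -n "${certname}"
done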

In this file, change the certname value to the name of your certificate, save and close the file.

Then run it as follows:

bash CAfromCert9.sh

Let's check the local web server page via HTTPS in different web browsers. In the Firefox web browser, the connection is marked as secure. In the Chromium web browser, the connection is also marked as secure.

