ERR_SSL_PROTOCOL_ERROR (SOLVED)
October 19, 2024
Contents
1. Why does the ERR_SSL_PROTOCOL_ERROR occur
2. How to fix the ERR_SSL_PROTOCOL_ERROR
3. How to fix “ERR_SSL_PROTOCOL_ERROR” on a local web server
4. How to configure HTTPS on Apache in Linux
4.1 How to install Apache and OpenSSL on Debian, Ubuntu, Linux Mint, Kali Linux
4.2 How to enable the SSL module for Apache
4.3 How to make a local server open by hostname (setting up hostname to IP address resolution)
4.4 How to create a Certification Authority (CA)
4.5 How to create a certificate for HTTPS (generating a self-signed website certificate)
4.6 Where to copy certificates for Apache in Debian, Ubuntu, Linux Mint
4.7 How to configure Apache to work with SSL certificates
4.8 How to add a local Certification Authority (CA) to trusted ones
Why does the ERR_SSL_PROTOCOL_ERROR occur
The “ERR_SSL_PROTOCOL_ERROR” error occurs if the SSL module for Apache was enabled (activated), but the hosts were not (correctly) configured to work via the HTTPS protocol. In this state, the Apache server is already listening on port 443, but is not able to correctly process HTTPS requests.
Full text of the error:
This site can’t provide a secure connection
hackware.local sent an invalid response.
ERR_SSL_PROTOCOL_ERROR
Most likely, the virtual host that should process HTTPS requests is not configured or not enabled. To verify this, run the following command, which will list Apache virtual hosts:
apachectl -t -D DUMP_VHOSTS
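The check above can be scripted. The following is an added example, not part of the original article: it reads DUMP_VHOSTS output and reports whether a host name has a virtual host on port 443. The two sample dumps are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: decide from "apachectl -t -D DUMP_VHOSTS" output whether
# a host name has a virtual host on port 443.

# has_ssl_vhost HOST  (dump on stdin) -> exit status 0 if HOST is served on :443
has_ssl_vhost() {
    awk -v host="$1" -v port=443 '
        # A new "address:port" block starts: forget the previous namevhost
        $1 ~ /:[0-9*]+$/ { cur = "" }
        # "*:443  name (file:line)": the only vhost on that address
        $1 ~ (":" port "$") && $2 == host { found = 1 }
        # "port 443 namevhost name (file:line)": one of several vhosts
        $1 == "port" && $3 == "namevhost" {
            cur = $2
            if (cur == port && $4 == host) found = 1
        }
        # "alias name": a ServerAlias of the namevhost printed just above
        $1 == "alias" && cur == port && $2 == host { found = 1 }
        END { exit !found }
    '
}

# Constructed sample: SSL module enabled, but only the default port 80 host.
dump_before() {
cat <<'EOF'
VirtualHost configuration:
*:80                   localhost (/etc/apache2/sites-enabled/000-default.conf:1)
EOF
}

# Constructed sample: after "a2ensite hackware-ssl.conf" and a reload.
dump_after() {
cat <<'EOF'
VirtualHost configuration:
*:80                   localhost (/etc/apache2/sites-enabled/000-default.conf:1)
*:443                  hackware.local (/etc/apache2/sites-enabled/hackware-ssl.conf:1)
EOF
}

# On a real server: apachectl -t -D DUMP_VHOSTS | has_ssl_vhost hackware.local
for sample in dump_before dump_after; do
    if "$sample" | has_ssl_vhost hackware.local; then
        echo "$sample: hackware.local has a vhost on port 443"
    else
        echo "$sample: no port 443 vhost for hackware.local"
    fi
done
```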
How to fix the ERR_SSL_PROTOCOL_ERROR
If you received the ERR_SSL_PROTOCOL_ERROR error when trying to open a site on the Internet, then try opening the same site using the HTTP protocol – your connection to the site will not be encrypted, but at least you will be able to view the web page you are interested in.
How to fix “ERR_SSL_PROTOCOL_ERROR” on a local web server
To fix this error, you need to correctly configure the web server to work with the HTTPS protocol. This is not an option for sites on the Internet (unless the site is yours), but you can fix the problem on your local computer.
Below is a step-by-step manual on how to configure Apache to work with HTTPS. These instructions are suitable for Debian and Debian-based distributions such as Ubuntu, Linux Mint and Kali Linux.
If you have already tried to configure HTTPS on Apache, the following detailed manual will help you find the mistake in your settings that causes ERR_SSL_PROTOCOL_ERROR, or you can just start over.
How to configure HTTPS on Apache in Linux
How to install Apache and OpenSSL on Debian, Ubuntu, Linux Mint, Kali Linux
Let's start by installing the Apache and OpenSSL packages. We'll need OpenSSL to generate self-signed certificates.
Your system may already have these packages. If necessary, install them with the following commands:
sudo apt update
sudo apt install apache2 openssl
To start the web server, run the following command:
sudo systemctl start apache2.service
Open http://localhost/ in your web browser – you should see the default Apache page in Debian.
To make the web server service start automatically after rebooting your computer, you can add it to startup with the following command:
sudo systemctl enable apache2.service
How to enable the SSL module for Apache
Let's start by enabling the SSL module for Apache. This is done with the command:
sudo a2enmod ssl
How to make a local server open by hostname (setting up hostname to IP address resolution)
Come up with a hostname. You can choose any name – one or more words separated by periods. And if you choose a name like this:
ANYTHING.localhost
For example:
hackware.localhost
Then you don't even have to set up hostname to IP resolution, since names containing “.localhost” are automatically resolved to localhost.
You can click the following link and, if you have Apache running, it will open your local web server: http://hackware.localhost/
If you want a name without “.localhost” (for example, hackware.local), then you need to set up name to IP address resolution. To do this, we will add an entry to the /etc/hosts file.
I will use hackware.local as a domain name (address of the local website). To make this name point to the web server, open the /etc/hosts file:
sudo gedit /etc/hosts
I add the following line (replace hackware.local with your chosen domain name):
127.0.0.1 hackware.local
Immediately after that, you can connect to the web server in your web browser using the domain name http://hackware.local (but only via HTTP for now).
How to create a Certification Authority (CA)
First, we will create the keys of the Certificate Authority (CA). This only needs to be done once. Despite the grandiose name “Certification Authority”, we will create a key and a certificate (a pair of private and public keys) with two commands – that's all. These keys can be created anywhere, for example, I created a folder called myCA where they will be stored:
mkdir myCA
cd myCA
Now create the private and public keys of the Certificate Authority with the following commands:
openssl genpkey -algorithm RSA -out rootCA.key
openssl req -x509 -new -noenc -key rootCA.key -sha256 -days 1024 -out rootCA.crt
During the second command, you will be asked for various information – it does not matter what you enter, it does not affect anything for our testing purposes. You can simply press Enter on all the requests.
The rootCA.crt file is a certificate containing the public key. This file is not secret and we will need it to add our Certificate Authority (CA) to the trusted ones, so that the operating system trusts the signed certificates.
The rootCA.key file should be kept secret – it can be used to create certificates that will be recognized by your operating system as signed by a trusted Certification Authority.
How to create a certificate for HTTPS (generating a self-signed website certificate)
With the following commands, I create a private key and a website certificate. You can change the file names in these commands (for example, replace hackware.local with your domain name). The file names themselves do not affect anything, so you can use any:
openssl genpkey -algorithm RSA -out hackware.local.key
openssl req -new -key hackware.local.key -out hackware.local.csr
After executing the second command, you will again be asked for various information – as before, almost all of them can be left blank, with the exception of one field:
Common Name (e.g. server FQDN or YOUR name) []:
In this field, specify your local domain, for example:
hackware.local
Also think up and remember a password to enter in the next field (you can skip it):
A challenge password []:
Create a file extraoptions.ext with the following content (instead of hackware.local specify your domain):
subjectAltName = DNS:*.hackware.local, DNS:hackware.local
Note that the domain is specified twice – with and without an asterisk. This is done so that the certificate works for both the main domain and all its subdomains.
In fact, you can also specify IP addresses (including IPv6) – if you do this, the certificate will also be valid for these IP addresses. Example of extraoptions.ext file with IP addresses:
subjectAltName = DNS:*.hackware.local, DNS:hackware.local, IP:192.168.1.37, IP:2001:fb1:139:3995:da89:dbdf:1e9a:eb84
To find out the IP addresses of your Linux computer, use the following command:
ip a
Note: if you have not configured a static IP address, your IP addresses will most likely change after you reboot your computer.
The last command is to sign the certificate:
openssl x509 -req -in hackware.local.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out hackware.local.crt -days 500 -sha256 -extfile extraoptions.ext
As a result, three new files were created:
hackware.local.crt
hackware.local.csr
hackware.local.key
The hackware.local.csr file is no longer needed and you can delete it.
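Before copying the certificate to Apache, you can confirm that it covers the name you will type in the browser. The following is an added example, not part of the original article: it applies the wildcard rule to the subjectAltName list, where the asterisk stands for exactly one label, which is why the bare domain needs its own entry. Function names are hypothetical, and only DNS entries are checked (IP entries are skipped).

```shell
#!/bin/sh
# Added example: check that a host name is covered by the DNS entries of a
# certificate's subjectAltName, using the single-label wildcard rule.

# Print the SAN list of a certificate file (needs OpenSSL 1.1.1 or newer).
cert_san_line() {
    openssl x509 -in "$1" -noout -ext subjectAltName | sed -n '2s/^ *//p'
}

# san_matches HOST "DNS:a, DNS:*.b" -> exit status 0 if HOST is covered.
# The body is a subshell, so IFS and "set -f" do not leak to the caller.
san_matches() (
    set -f                          # keep '*' entries from expanding to file names
    host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    IFS=','
    for entry in $2; do
        entry=$(printf '%s' "$entry" | tr -d ' ' | tr '[:upper:]' '[:lower:]')
        case "$entry" in
            dns:*) pattern=${entry#dns:} ;;
            *) continue ;;          # IP and other entry types are skipped
        esac
        [ "$pattern" = "$host" ] && exit 0
        case "$pattern" in
            \*.*)
                suffix=${pattern#\*.}   # pattern without the leading "*."
                rest=${host#*.}         # host without its left-most label
                # The wildcard replaces exactly one label, never zero or two.
                if [ "$rest" != "$host" ] && [ "$rest" = "$suffix" ]; then
                    exit 0
                fi
                ;;
        esac
    done
    exit 1
)

# check_cert HOST CERT CA: chain check plus name check for files on disk,
# for example: check_cert hackware.local hackware.local.crt rootCA.crt
check_cert() {
    openssl verify -CAfile "$3" "$2" >/dev/null || return 1
    san_matches "$1" "$(cert_san_line "$2")"
}

# Demo on the SAN value used in extraoptions.ext above
san='DNS:*.hackware.local, DNS:hackware.local'
for h in hackware.local www.hackware.local a.b.hackware.local; do
    if san_matches "$h" "$san"; then echo "$h: covered"; else echo "$h: NOT covered"; fi
done
```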
Where to copy certificates for Apache in Debian, Ubuntu, Linux Mint
Copy (or move) the created certificates:
sudo cp hackware.local.crt /etc/ssl/certs/
sudo cp hackware.local.key /etc/ssl/private/
How to configure Apache to work with SSL certificates
In the directory /etc/apache2/sites-available/ create a file with the .conf extension, for example:
sudo gedit /etc/apache2/sites-available/hackware-ssl.conf
And copy the following content into it:
<VirtualHost *:443>
    DocumentRoot "/var/www/html/"
    ServerName hackware.local
    ServerAdmin whatever@gmail.com

    LogLevel error
    # LogLevel info ssl:warn # You may like this instead of the previous one
    ErrorLog "/var/log/apache2/hackware.local-ssl-error_log"
    CustomLog "/var/log/apache2/hackware.local-ssl-access_log" combined

    SSLEngine on
    SSLCertificateFile "/etc/ssl/certs/hackware.local.crt"
    SSLCertificateKeyFile "/etc/ssl/private/hackware.local.key"

    <Directory />
        Options +Indexes +FollowSymLinks +ExecCGI
        AllowOverride All
    </Directory>

    <FilesMatch "\.(?:cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>

    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>
</VirtualHost>
In this configuration, pay special attention to the settings of the following directives:
- ServerName – the chosen domain name for the local site
- SSLCertificateFile and SSLCertificateKeyFile – paths to the certificate and private key. If you have chosen other names for your keys, then change them here.
Save and close the file.
Now enable the new virtual host (note that the name of the configuration file may be different – this is the same file that you created in the /etc/apache2/sites-available/ directory a little earlier):
sudo a2ensite hackware-ssl.conf
And reload the apache2 service settings:
sudo systemctl reload apache2
To check that the new virtual host was really added, you can run the following command:
apachectl -t -D DUMP_VHOSTS
Now you can use the HTTPS protocol to connect to the web server: https://hackware.local/
But something is wrong – the web browser does not trust the self-signed certificate. To fix this, you need to add the Certification Authority created above in this instruction to the list of trusted ones.
How to add a local Certification Authority (CA) to trusted ones
Neither browsers nor even console utilities trust a self-signed certificate. To make browsers trust all certificates created using a local Certification Authority, you need to do the following.
1) Create a file CAtoCert9.sh and save the following content to it:
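#!/bin/bash

# certutil is part of the libnss3-tools package on Debian and derivatives
# Path to the CA certificate and the name it gets in the browser databases
certfile="/home/mial/myCA/rootCA.crt"
certname="HackWare CA"

# Add the CA to every NSS database (cert9.db) found in the home directory;
# -print0 and read -d '' keep paths with spaces intact
find ~/ -name "cert9.db" -print0 | while IFS= read -r -d '' certDB
do
    certdir=$(dirname "${certDB}")
    certutil -A -n "${certname}" -t "TCu,Cu,Tu" -i "${certfile}" -d "sql:${certdir}"
done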
In this file, change the certfile value to the path to your certificate file and the certname value to the name of your certificate (you can choose any – you will need this name if you want to delete the certificate), save and close the file.
2) Then run it like this:
bash CAtoCert9.sh
If you want to remove your Certification Authority from the trusted ones, then create a file CAfromCert9.sh and copy the following into it:
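#!/bin/bash

# Name under which the CA was added to the browser databases
certname="HackWare CA"

# Delete the CA from every NSS database (cert9.db) found in the home directory
find ~/ -name "cert9.db" -print0 | while IFS= read -r -d '' certDB
do
    certdir=$(dirname "${certDB}")
    certutil -D -d "sql:${certdir}" -n "${certname}"
done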
In this file, change the certname value to the name of your certificate, save and close the file.
Then run it as follows:
bash CAfromCert9.sh
Let's check the local web server page via HTTPS in different web browsers. In the Firefox web browser, the connection is marked as secure.
In the Chromium web browser, the connection is also marked as secure.