Gawel

Reputation: 63

APACHE & NGINX - vhost - ERR_SSL_PROTOCOL_ERROR only with Google Chrome

The vhosts/servers seem to have some conflict over the SSL certificate and produce an "ERR_SSL_PROTOCOL_ERROR" error only in the Chrome browser. I tried many configurations on Apache2 and Nginx.

I have 1 server (IPv4) and 2 subdomains (vhosts) that point to this server (domain1.dns.fr and domain2.dns.fr).

A few weeks ago, Google Chrome started returning an SSL error "ERR_SSL_PROTOCOL_ERROR" only on one subdomain (domain2.dns.fr).

This error occurs only in Google Chrome (Firefox and Edge were tested successfully).

I tried to change the vhost configuration with Apache AND Nginx, but I get the same error.

The very strange thing is: if I reverse the order of the vhost declarations, domain2.dns.fr works but domain1.dns.fr stops working (same error: ERR_SSL_PROTOCOL_ERROR). See the configuration for this use case below.

So I'm not sure the problem comes from the front-end app (this is not a browser cache problem ;-) ), but I haven't found the problem.


<VirtualHost domain1.dns.fr:443>
        
        ServerName domain1.dns.fr
        
        ProxyPass / http://localhost:8080/
        
        SSLEngine on
        SSLProtocol -all +TLSv1.2
        SSLCertificateFile /root/.acme.sh/domain1.dns.fr/domain1.dns.fr.cer
        SSLCertificateChainFile /root/.acme.sh/domain1.dns.fr/ca.cer
        SSLCertificateKeyFile /root/.acme.sh/domain1.dns.fr/domain1.dns.fr.key
        
</VirtualHost>

<VirtualHost domain2.dns.fr:443>
        
        ServerName domain2.dns.fr
        
        DocumentRoot /var/www/domain2.dns.fr/public
        <Directory /var/www/domain2.dns.fr/public>
            Require all granted
            Options -Indexes +FollowSymLinks
            AllowOverride all
        </Directory>    
            
        SSLEngine on
        SSLCertificateFile /root/.acme.sh/domain2.dns.fr/domain2.dns.fr.cer
        SSLCertificateChainFile /root/.acme.sh/domain2.dns.fr/ca.cer
        SSLCertificateKeyFile /root/.acme.sh/domain2.dns.fr/domain2.dns.fr.key
        
</VirtualHost>
    
    
server {
    listen *:443 ssl;
    server_name domain1.dns.fr;
    charset utf-8;

    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header    Host            $host;
        proxy_set_header    X-Real-IP       $remote_addr;
        proxy_set_header    X-Forwarded-for $remote_addr;
        port_in_redirect off;
        proxy_redirect   off;
    }

    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 60m;
    ssl_prefer_server_ciphers on;
    ssl_certificate /root/.acme.sh/domain1.dns.fr/domain1.dns.fr.cer;
    ssl_certificate_key /root/.acme.sh/domain1.dns.fr/domain1.dns.fr.key;
}

server {
    listen *:443 ssl http2;
    server_name domain2.dns.fr;
    charset utf-8;
     
    location / {
        # redirect on apache instance reconfigured on port 7000 for test without php-fpm installation
        proxy_pass http://localhost:7000;
        proxy_set_header    Host            $host;
        proxy_set_header    X-Real-IP       $remote_addr;
        proxy_set_header    X-Forwarded-for $remote_addr;
        port_in_redirect off;
        proxy_redirect   off;
    }
    
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 60m;
    ssl_prefer_server_ciphers on;
    ssl_certificate /root/.acme.sh/domain2.dns.fr/domain2.dns.fr.cer;
    ssl_certificate_key /root/.acme.sh/domain2.dns.fr/domain2.dns.fr.key;
}

127.0.0.1       localhost
151.80.129.173  vpsXXXXX.ovh.net       vpsXXXXX
domain1.dns.fr -> TLS 0 -> A -> XXX.XXX.XX.XX
domain2.dns.fr -> TLS 0 -> A -> XXX.XXX.XX.XX

Note: If I try to be less restrictive on the ServerName binding, the SSL certificate of domain1.dns.fr was returned in the browser when a client visits domain2.dns.fr (...). The vhosts seem confused.


Do you have any idea / solution to help?

Upvotes: 0

Views: 927

Answers (1)

Alex Brel

Reputation: 26

Not sure if this is your case... But a few days ago I got stuck with a similar problem. I have a few websites in an environment with Nginx/Apache/OpenSSL on CentOS. Nginx was 1.4.4 and OpenSSL was 1.0.1e. Yeah, quite old ones. So apparently all websites except for the one located first in the Nginx conf file stopped displaying in Android's Chrome due to some SSL certificate issue. The error was just like yours, "ERR_SSL_PROTOCOL_ERROR". iOS/Windows Chrome was OK. All the other browsers on iOS/Android/Windows were OK too. Through investigation I found that any one of my websites, when located first in Nginx's conf file, started to work in Android's Chrome, but only the first one. Since the trouble was strange and appeared only in one browser on exactly one OS, I finally had no better idea than trying to upgrade something. First I upgraded Nginx to the latest stable, 1.24 I believe. It made no sense, the trouble was still there. After that I upgraded OpenSSL to the latest revision of the 1.0.1 branch, 1.0.1u IIRC. And that finally made me happy, everything started working well again. Thanks for the long read.

Upvotes: 1
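
A diagnostic for the symptom described in the question's note and in the answer (one IP, several names, only the first-declared vhost behaving), added here as an example and not code from either poster: it handshakes with each name as SNI and reports the TLS version, the ALPN result and whose certificate came back. `fake_probe` and the address 192.0.2.10 are constructed for the demonstration; `probe` assumes the certificates chain to a CA the local trust store knows.

```python
import socket
import ssl

def name_matches(hostname, pattern):
    """Exact match, or '*' standing for the whole left-most label only."""
    host, pat = hostname.lower().rstrip("."), pattern.lower().rstrip(".")
    if not pat.startswith("*."):
        return host == pat
    head, _, tail = host.partition(".")
    return bool(head) and tail == pat[2:]

def classify(sni, cert, vhosts):
    """'ok' if the cert covers `sni`, else name the vhost it belongs to."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if any(name_matches(sni, n) for n in names):
        return "ok"
    owners = [v for v in vhosts if any(name_matches(v, n) for n in names)]
    return "served cert of " + ",".join(owners) if owners else "unknown cert"

def probe(ip, sni, port=443, timeout=5):
    """Handshake with `ip` sending `sni`; needs network and trusted certs."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False                  # names are compared in classify()
    ctx.set_alpn_protocols(["h2", "http/1.1"])  # what a browser offers
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.version(), tls.selected_alpn_protocol(), tls.getpeercert()

def audit(ip, vhosts, probe_fn=probe):
    """Probe every vhost name against one IP and classify each answer."""
    report = {}
    for sni in vhosts:
        try:
            version, alpn, cert = probe_fn(ip, sni)
            report[sni] = (version, alpn, classify(sni, cert, vhosts))
        except (ssl.SSLError, OSError) as exc:
            report[sni] = (None, None, "handshake failed: " + type(exc).__name__)
    return report

def fake_probe(ip, sni):
    """Constructed stand-in: always answers with the first vhost's cert."""
    cert = {"subjectAltName": (("DNS", "domain1.dns.fr"),)}
    return "TLSv1.2", "http/1.1", cert

if __name__ == "__main__":
    vhosts = ["domain1.dns.fr", "domain2.dns.fr"]
    for row in audit("192.0.2.10", vhosts, fake_probe).items():
        print(row)  # pass probe and the server's real IP for a live check
```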
