I am trying to add SSL certs to my server but when I connect via a browser it throws an error (ERR_SSL_PROTOCOL_ERROR in Chrome).
This is confirmed using testssl.sh (https://testssl.sh/):
```
Testing protocols via sockets except NPN+ALPN

SSLv2      not offered (OK)
SSLv3      not offered (OK)
TLS 1      not offered
TLS 1.1    not offered
TLS 1.2    not offered
TLS 1.3    not offered
```
On the server I can see that mod_ssl and openssl are installed:
```
sudo yum list installed *ssl*
Loaded plugins: priorities, update-motd, upgrade-helper
Installed Packages
mod24_ssl.x86_64
openssl.x86_64
openssl-devel.x86_64
```
This is in my .conf file for the virtual host (*:80 excluded):
```
<VirtualHost *:443>
    ServerName freedomtospeakup.com
    ServerAlias www.freedomtospeakup.com
    DocumentRoot "/var/www/f2su"
    DirectoryIndex index.php
    ErrorLog /var/log/httpd/f2su-error_log
    CustomLog /var/log/httpd/f2su-access_log combined

    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRS A+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
    SSLCertificateFile /etc/letsencrypt/live/freedomtospeakup.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/freedomtospeakup.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/freedomtospeakup.com/chain.pem

    <Directory "/var/www/f2su">
        AllowOverride All
        Allow from All
    </Directory>
</VirtualHost>
```
The cert seems to be OK; this is what I get when doing sudo ./certbot-auto certificates:
```
Certificate Name: freedomtospeakup.com
  Domains: freedomtospeakup.com www.freedomtospeakup.com
  Expiry Date: 2019-10-27 12:53:18+00:00 (VALID: 87 days)
  Certificate Path: /etc/letsencrypt/live/freedomtospeakup.com/fullchain.pem
  Private Key Path: /etc/letsencrypt/live/freedomtospeakup.com/privkey.pem
```
This is what I have tried to date:
- yum update (no packages to update)
- date (correct)
- rebooted server (no change)
- checked firewall to ensure 443 is open (it is)
- checked ssl.conf with another server where it is working (no differences)
Anything else that I can check?
Well, the only obvious problem I see with your SSL configuration is that your SSLCipherSuite is not properly specified. Each cipher should be separated by a colon, but yours have spaces separating them. Replace the spaces with colons and try again. You can also find a continuously updated secure configuration at https://cipherli.st/, which you may want to bookmark for later use.
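An added example, not part of the original question or answer: a small Python lint that pulls the SSLCipherSuite value out of a vhost file, rewrites it with colon separators as the answer suggests, and reports any keyword it does not recognise, which on this string singles out the split `EECDH+aRS A+SHA256`. The sample config is constructed from the question's vhost; the `KNOWN` keyword set and the function names are assumptions of this example.

```python
import re

# Constructed sample: the SSLCipherSuite line as it appears in the question's
# vhost, including the space inside "EECDH+aRS A+SHA256".
SAMPLE_VHOST = '''\
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRS A+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
</VirtualHost>
'''

# Assumption: only the OpenSSL keywords this string is built from.
# Extend the set when linting other configurations.
KNOWN = {"EECDH", "EDH", "ECDSA", "aRSA", "AESGCM", "SHA384", "SHA256", "RC4",
         "aNULL", "eNULL", "LOW", "3DES", "MD5", "EXP", "PSK", "SRP", "DSS"}

DIRECTIVE = re.compile(r'^\s*SSLCipherSuite\s+(?:"([^"]*)"|(\S+))\s*$', re.M)


def cipher_tokens(conf_text):
    """Return the cipher strings of the first SSLCipherSuite directive."""
    m = DIRECTIVE.search(conf_text)
    if m is None:
        raise ValueError("no SSLCipherSuite directive found")
    value = m.group(1) if m.group(1) is not None else m.group(2)
    # Split on colons, commas or whitespace so either spelling is accepted.
    return [t for t in re.split(r"[:,\s]+", value) if t]


def colon_form(tokens):
    """Join cipher strings with colons, the separator the answer asks for."""
    return ":".join(tokens)


def unknown_parts(tokens):
    """Return (token, part) pairs whose keyword is not in KNOWN."""
    bad = []
    for tok in tokens:
        # Drop the leading !, - or + operator, then check each +-joined keyword.
        for part in tok.lstrip("!-+").split("+"):
            if part not in KNOWN:
                bad.append((tok, part))
    return bad


if __name__ == "__main__":
    toks = cipher_tokens(SAMPLE_VHOST)
    print('SSLCipherSuite "%s"' % colon_form(toks))
    for tok, part in unknown_parts(toks):
        print("check %r: unrecognised keyword %r" % (tok, part))
```

After editing the directive, `apachectl configtest` and a fresh testssl.sh run confirm whether the server now completes a handshake.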