Ssl – Serving port 443 over http creates 400 Bad Request Error instead of redirect

apache-2.4httpssl

So for posterity sake, I am trying to configure my server so that even when someone tries to go to go to http:// domain.com:443, they would be correctly redirected to the https version of the site (https:// domain.com).

When testing something like http:// domain.com:443, it does not redirect correctly to https:// domain.com, I instead get hit with a 400 Bad Request page with the following content:

Bad Request

Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.

Apache/2.4.18 (Ubuntu) Server at sub.domain.com Port 443

I tried including the following lines in my 000-default.conf in the <VirtualHost *:80>:

RewriteEngine On 
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{SERVER_NAME}/$1 [R,L]

But it didn't work.

This issue occurs on all domains, subdomains and the server IP itself.

Possibly related, trying to do a dry run of letsencrypt returns the following:

   Domain: domain.com
   Type:   connection
   Detail: Failed to connect to 123.123.123.123:443 for TLS-SNI-01
   challenge

For each and every domain listed in the sites-enabled folder.

Best Answer

TL;TR: you cannot serve both HTTP and HTTPS on the same port (443).

While it would be in theory possible to figure out based on the first data from the client if the client is sending a HTTP request (i.e. GET .. or similar) or is starting a TLS handshake (\x16\x03...) most web servers don't do this. Instead they expect the client to behave properly, that is use plain HTTP on one port (usually 80) and HTTPS on another port (usually 443).

Your URL of http://example.com:443 is causing the browser to make a plain HTTP request to port 443. But the server is expecting TLS there which means that your plain HTTP request is unexpected. Apache is at least nice enough to check if the incoming data for a plain HTTP request in this case so that it can offer you a more useful description:

Reason: You're speaking plain HTTP to an SSL-enabled server port. Instead use the HTTPS scheme to access this URL, please.

If you try such requests with other servers then they would either close the connection without any error at all or just hang because they are still hoping to get a TLS handshake from the client.

Related Topic