Apache – Unable to establish SSL connection, how to fix the SSL cert

apacheopensslsslwget

I'm trying to wget to my own box, and it can't be an internal address in the wget (so says another developer).

When I wget, I get this:

wget http://example.com
--2013-03-01 15:03:30--  http://example.com/
Resolving example.com... 172.20.0.224
Connecting to example.com|172.20.0.224|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://www.example.com/ [following]
--2013-03-01 15:03:30--  https://www.example.com/
Resolving www.example.com... 172.20.0.224
Connecting to www.example.com|172.20.0.224|:443... connected.
OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Unable to establish SSL connection.

I believe it is because I do not have the certificate setup properly. Using openssl:

openssl s_client -connect example.com:443
CONNECTED(00000003)
15586:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:588:

While if I do the same command on another site, it shows the entire cert.

Perhaps the ssl cert was never setup in the conf file on Apache for that domain?

If so, what should I be specifying in the virtualhost? Is there any alternative other than specifying --no-check-certificate because I don't want to do that?

Best Answer

SSL23_GET_SERVER_HELLO:unknown protocol

This error happens when OpenSSL receives something other than a ServerHello in a protocol version it understands from the server. It can happen if the server answers with a plain (unencrypted) HTTP. It can also happen if the server only supports e.g. TLS 1.2 and the client does not understand that protocol version. Normally, servers are backwards compatible to at least SSL 3.0 / TLS 1.0, but maybe this specific server isn't (by implementation or configuration).

It is unclear whether you attempted to pass --no-check-certificate or not. I would be rather surprised if that would work.

A simple test is to use wget (or a browser) to request http://example.com:443 (note the http://, not https://); if it works, SSL is not enabled on port 443. To further debug this, use openssl s_client with the -debug option, which right before the error message dumps the first few bytes of the server response which OpenSSL was unable to parse. This may help to identify the problem, especially if the server does not answer with a ServerHello message. To see what exactly OpenSSL is expecting, check the source: look for SSL_R_UNKNOWN_PROTOCOL in ssl/s23_clnt.c.

In any case, looking at the apache error log may provide some insight too.

Related Solutions

How to generate a self-signed SSL certificate using OpenSSL

You can do that in one command:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365

You can also add -nodes (short for no DES) if you don't want to protect your private key with a passphrase. Otherwise it will prompt you for "at least a 4 character" password.

The days parameter (365) you can replace with any number to affect the expiration date. It will then prompt you for things like "Country Name", but you can just hit Enter and accept the defaults.

Add -subj '/CN=localhost' to suppress questions about the contents of the certificate (replace localhost with your desired domain).

Self-signed certificates are not validated with any third party unless you import them to the browsers previously. If you need more security, you should use a certificate signed by a certificate authority (CA).

Node.js – howto create nodejs ssl server

Try adding the CA like so:

var credentials = {
  key: fs.readFileSync(options.base_project_folder + 'privatekey.pem'),
  cert: fs.readFileSync(options.base_project_folder + 'certificate.pem'),
  ca: fs.readFileSync(/path/to/CA/cert)
};

The docs say that the options argument is similar to tls.createServer

Best Answer

Related Solutions

How to generate a self-signed SSL certificate using OpenSSL

Node.js – howto create nodejs ssl server

Related Topic