Need help getting SSL working

I just stood up a new Apache server on an Ubuntu 14.04 VM. My consultant requested this. I am trying to get SSL to work and I'm stuck. The site works if I access it over http://; however, every time I access the URL with https:// I get:

This site can’t provide a secure connection
authorize.mpbio.com sent an invalid response.
Try running Network Diagnostics.
ERR_SSL_PROTOCOL_ERROR

Here is the .conf file. I'm lost on figuring out why it's not working.

Any help is greatly appreciated. I'm sure the solution is something simple.

Thanks in advance.

<VirtualHost *:80>
        ServerName mysite.com
        ServerAlias server.mysite.com
        ServerAlias dev-app-2
        DocumentRoot /var/www/vhosts/xxxxx
        <Directory /var/www/vhosts/xxxxx>
                Options -Indexes +FollowSymLinks -MultiViews
                AllowOverride All
                #Order deny,allow
                #Allow from all
                Require all granted
        </Directory>
        CustomLog /var/log/apache2/xxxxx.log combined
        ErrorLog /var/log/apache2/xxxxx-error.log
        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn
</VirtualHost>
<VirtualHost *:443>
        ServerName mysite.com
        ServerAlias server.mysite.com
        ServerAlias dev-app-2
        DocumentRoot /var/www/vhosts/xxxxx
        SSLProtocol all -SSLv2 -SSLv3
        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/xxxxx.com.crt
        SSLCertificateKeyFile /etc/ssl/certs/xxxxx.com.key
        <Directory /var/www/vhosts/xxxxx>
                Options -Indexes +FollowSymLinks -MultiViews
                AllowOverride All
                #Order deny,allow
                #Allow from all
                Require all granted
        </Directory>
        CustomLog /var/log/apache2/xxxxx.log combined
        ErrorLog /var/log/apache2/xxxxx-error.log
        LogLevel warn
</VirtualHost>
Andrew Hamilton (Director of Global Infrastructure) asked:
Prabhin MP (Engineer-TechOPS) commented:
Hi,
Can you share the Apache error log?
Meanwhile you can go through this document also:
https://comodosslstore.com/blog/easily-fix-err-ssl-protocol-error-on-chrome.html
Kent W (Sr. Network / Systems Admin) commented:
If you are trying to secure authorize.mpbio.com, first you need to change the ServerName from mysite.com to authorize.mpbio.com.
Because of the way SSL works, I would also put the actual IP you are listening on in the VirtualHost directive entry with 443.
Apache on RPM-based systems is OK with the wildcard * if you only have one SSL site, but as a rule of thumb, it's best practice to use the IP. I've never tried it on Ubuntu. It may not like the wildcard *.
If you are serving on 192.168.1.50:
<VirtualHost 192.168.1.50:443>
        ServerName authorize.mpbio.com             (or the actual FQDN you purchased your cert for)
        ServerAlias <-- Unless you have a wildcard cert that can secure more than one *.domain.tld, ServerAlias is useless. Technically you can use it, but if the name doesn't match the cert, it's going to throw a name mismatch error.

Additionally, I'm not able to log into my Ubuntu with a cert to look, but there is usually a separate ssl.conf file to define your SSL-based sites.

The other questions... If you have not purchased a cert, you will need that. It wasn't mentioned, and some folks new to SSL don't realize this when trying to just encrypt a site. You'll need a cert that matches the site name at the very least. If you are doing a self-rolled cert, you'll also have to create a Signing Authority cert to import into your browser (your browser has well-known CAs' root and intermediate certs, but if you are gonna "fake it", you also have to either create your own browser SA cert or ignore the "no intermediate SA available" errors you will receive).
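The name-matching rule behind the "name mismatch error" described above, worked through as an added example (this is not code from the thread or from Apache). A hostname is covered by a certificate only if it matches one of the certificate's names under the RFC 6125 rules, which this example implements in full rather than for the single case above: matching is case-insensitive and label by label, a wildcard is honoured only as the entire leftmost label, and it stands in for exactly one label, so a wildcard certificate for one *.domain.tld covers direct children of that domain and nothing else. The virtual host names and certificate names in the block are constructed sample values; in a real check they come from ServerName/ServerAlias and the certificate's subjectAltName extension.

```python
"""Check whether the names in a certificate cover a virtual host's names.

Added example, not code from the thread. Implements RFC 6125-style matching:
case-insensitive, label by label, with a wildcard honoured only as the whole
leftmost label ("*.mpbio.com") and matching exactly one label.
"""
from typing import Iterable, List


def hostname_matches(hostname: str, cert_name: str) -> bool:
    """Return True if cert_name (a CN or dNSName SAN entry) covers hostname."""
    host_labels = hostname.rstrip(".").lower().split(".")
    cert_labels = cert_name.rstrip(".").lower().split(".")

    # A wildcard stands in for exactly one label, so the label counts must be
    # equal: "*.mpbio.com" covers "authorize.mpbio.com" but neither
    # "mpbio.com" nor "a.b.mpbio.com".
    if len(host_labels) != len(cert_labels):
        return False

    # Wildcards are only meaningful in the leftmost label; a name such as
    # "www.*.mpbio.com" is treated as matching nothing.
    if any("*" in label for label in cert_labels[1:]):
        return False

    # Refuse a wildcard that would cover a whole top-level domain ("*.com").
    if cert_labels[0] == "*" and len(cert_labels) < 3:
        return False

    # Strict reading: the wildcard must be the entire label. Partial
    # wildcards such as "auth*.mpbio.com" are not accepted here.
    for cert_label, host_label in zip(cert_labels, host_labels):
        if cert_label == "*":
            continue
        if cert_label != host_label:
            return False
    return True


def certificate_covers(hostname: str, cert_names: Iterable[str]) -> bool:
    """True if any name on the certificate covers hostname."""
    return any(hostname_matches(hostname, name) for name in cert_names)


def uncovered_vhost_names(vhost_names: Iterable[str], cert_names: Iterable[str]) -> List[str]:
    """Names from ServerName/ServerAlias that would trigger a name-mismatch error."""
    names = list(cert_names)
    return [n for n in vhost_names if not certificate_covers(n, names)]


if __name__ == "__main__":
    # Constructed sample values, modelled on the thread: the vhost answers for
    # three names but the certificate was issued for a different domain.
    VHOST_NAMES = ["authorize.mpbio.com", "server.mysite.com", "dev-app-2"]
    CERT_NAMES = ["mysite.com", "*.mysite.com"]
    for name in uncovered_vhost_names(VHOST_NAMES, CERT_NAMES):
        print("not covered by certificate:", name)
```

Run against the sample values, the check reports authorize.mpbio.com and dev-app-2 as uncovered: the first because the certificate was issued for a different domain, the second because a single-label internal name can never be covered by a wildcard for a public domain. Every ServerAlias left on an SSL virtual host is a name clients may present in SNI, so each one should pass this check or be removed.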
arnold commented:
The error log as Prabhin requested should clear up the issue.
You are missing the CA certs.

Try
apachectl stop
apachectl startssl
What do you get?

Commonly the config is separated; potentially there is an SSL.conf config that prevents port 443 attachment.

The certificate/key might be the issue if you have a password on the key and, when SSL attempts to start, it prompts for the password.

Kent's point is valid as well: the site you are accessing does not match the certificate.

You need to add the host authorize. to the list...

There are several explanations that have to be worked through, using the prior experts' requests for additional information, to track down the issue.
Andrew Hamilton (Director of Global Infrastructure, Author) commented:
Arnold, this is what I get:

root@authorize:/# apachectl stop
root@authorize:/# apachectl startssl
The startssl option is no longer supported.
Please edit httpd.conf to include the SSL configuration settings
and then use apachectl start.
Action 'startssl' failed.
The Apache error log may have more information.
root@authorize:/#
Andrew Hamilton (Director of Global Infrastructure, Author) commented:
Prabhin, here is a tail of the error log:

root@authorize:/var/log/apache2# tail error.log
PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib/php/20131226/php_mbstring.dll' - /usr/lib/php/20131226/php_mbstring.dll: cannot open shared object file: No such file or directory in Unknown on line 0
PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib/php/20131226/php_mysql.dll' - /usr/lib/php/20131226/php_mysql.dll: cannot open shared object file: No such file or directory in Unknown on line 0
PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib/php/20131226/php_pdo_mysql.dll' - /usr/lib/php/20131226/php_pdo_mysql.dll: cannot open shared object file: No such file or directory in Unknown on line 0
PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib/php/20131226/php_pdo_odbc.dll' - /usr/lib/php/20131226/php_pdo_odbc.dll: cannot open shared object file: No such file or directory in Unknown on line 0
PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib/php/20131226/php_xmlrpc.dll' - /usr/lib/php/20131226/php_xmlrpc.dll: cannot open shared object file: No such file or directory in Unknown on line 0
[Wed Feb 28 06:20:52.283021 2018] [ssl:warn] [pid 3052] AH01909: authorize.mpbio.com:443:0 server certificate does NOT include an ID which matches the server name
[Wed Feb 28 06:20:52.283371 2018] [ssl:warn] [pid 3052] AH01916: Init: (authorize.mpbio.com:443) You configured HTTP(80) on the standard HTTPS(443) port!
[Wed Feb 28 06:20:52.285433 2018] [mpm_prefork:notice] [pid 3052] AH00163: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.0g configured -- resuming normal operations
[Wed Feb 28 06:20:52.285451 2018] [core:notice] [pid 3052] AH00094: Command line: '/usr/sbin/apache2'
[Wed Feb 28 06:20:58.521961 2018] [mpm_prefork:notice] [pid 3052] AH00169: caught SIGTERM, shutting down
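The two ssl:warn lines in that tail are the most useful part of the log, so here is an added example (not code from the thread or from Apache) that parses the Apache 2.4 error_log format and pulls out every mod_ssl entry at warn level or above, skipping the bare PHP startup lines that share the file. For reference, Apache emits AH01909 when none of the names on the configured certificate match the virtual host's ServerName, and AH01916 when a virtual host bound to port 443 does not have SSLEngine on, so the server would answer plain HTTP on the HTTPS port. The sample lines embedded in the block are constructed, modelled on the tail posted above.

```python
"""Pull mod_ssl warnings out of an Apache 2.4 error log.

Added example, not code from the thread. Parses the bracketed Apache 2.4
error_log format ("[timestamp] [module:level] [pid N] AHnnnnn: message")
and reports the entries from mod_ssl, where certificate and port/SSLEngine
problems are logged at startup.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# One Apache 2.4 error_log line. The thread id, client field and AHnnnnn code
# are optional because not every MPM or module emits them.
_LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>\w+):(?P<level>\w+)\] "
    r"\[pid (?P<pid>\d+)(?::tid \d+)?\] (?:\[client (?P<client>[^\]]+)\] )?"
    r"(?:(?P<code>AH\d{5}): )?(?P<msg>.*)$"
)

# Levels at or above "warn", as listed for the LogLevel directive.
_ATTENTION_LEVELS = {"warn", "error", "crit", "alert", "emerg"}


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Fields of one error_log line, or None if the line is not in Apache
    format (for example the bare "PHP Warning:" lines PHP writes to the file)."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    fields: Dict[str, object] = m.groupdict()
    fields["pid"] = int(m.group("pid"))
    return fields


def ssl_findings(lines: Iterable[str]) -> List[Tuple[Optional[str], str]]:
    """(AH code, message) for every mod_ssl entry at warn level or above, in log order."""
    findings: List[Tuple[Optional[str], str]] = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["module"] == "ssl" and rec["level"] in _ATTENTION_LEVELS:
            findings.append((rec["code"], str(rec["msg"])))
    return findings


# Constructed sample input, modelled on the tail posted in the thread.
SAMPLE_LOG = """\
PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib/php/20131226/php_mbstring.dll' - cannot open shared object file: No such file or directory in Unknown on line 0
[Wed Feb 28 06:20:52.283021 2018] [ssl:warn] [pid 3052] AH01909: authorize.mpbio.com:443:0 server certificate does NOT include an ID which matches the server name
[Wed Feb 28 06:20:52.283371 2018] [ssl:warn] [pid 3052] AH01916: Init: (authorize.mpbio.com:443) You configured HTTP(80) on the standard HTTPS(443) port!
[Wed Feb 28 06:20:52.285433 2018] [mpm_prefork:notice] [pid 3052] AH00163: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.0g configured -- resuming normal operations
[Wed Feb 28 06:20:52.285451 2018] [core:notice] [pid 3052] AH00094: Command line: '/usr/sbin/apache2'
""".splitlines()


if __name__ == "__main__":
    for code, msg in ssl_findings(SAMPLE_LOG):
        print(code, msg)
```

Feeding the real file through the same function (`ssl_findings(open("/var/log/apache2/error.log"))`) gives the startup warnings in order; the AH codes can then be looked up in the Apache documentation without wading through the PHP noise.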
Dmitri Farafontov (Linux Systems Admin) commented:
Check the configuration with the following command:

grep -Ri SSLCertificateFile /etc/apache2/*
Andrew Hamilton (Director of Global Infrastructure, Author) commented:
root@authorize:~# grep -Ri SSLCertificateFile /etc/apache2/*
/etc/apache2/sites-available/authorize.conf:    SSLCertificateFile /etc/ssl/certs/20170708-mpbio.com.crt
/etc/apache2/sites-available/default-ssl.conf:          #   SSLCertificateFile directive is needed.
/etc/apache2/sites-available/default-ssl.conf:          SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
/etc/apache2/sites-available/default-ssl.conf:          #   the referenced file can be the same as SSLCertificateFile
/etc/apache2/sites-enabled/authorize.conf.bakup:        SSLCertificateFile /root/20170708-mpbio.com.crt
/etc/apache2/sites-enabled/authorize.conf:      SSLCertificateFile /etc/ssl/certs/20170708-mpbio.com.crt
/etc/apache2/sites-enabled/default-ssl.conf:            #   SSLCertificateFile directive is needed.
/etc/apache2/sites-enabled/default-ssl.conf:            SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
/etc/apache2/sites-enabled/default-ssl.conf:            #   the referenced file can be the same as SSLCertificateFile
Dmitri Farafontov (Linux Systems Admin) commented:
How about apachectl configtest?
Andrew Hamilton (Director of Global Infrastructure, Author) commented:
root@authorize:~# apachectl configtest
Syntax OK
root@authorize:~#
Dmitri Farafontov (Linux Systems Admin) commented:
Can you access https via a different browser than Chrome?
Andrew Hamilton (Director of Global Infrastructure, Author) commented:
Nope, I get a similar but different message on other browsers.
Dmitri Farafontov (Linux Systems Admin) commented:
Can you browse and see what the exact error is?
arnold commented:
The log error when Apache is restarted should note the issue; usually there is an SSLCACertificate directive for the certificate chain against which the certificate's provenance is determined.

Run netstat -an | grep -i 'listen'
Do you have an entry with :443?

Try first allowing SSLv3 in your config, just to be sure whether you restricted the webserver by disabling SSLv2 and SSLv3 while the access source cannot negotiate another option, i.e. TLS might not be working on the webserver. (ALL -SSLv2)
Restart Apache.
Try using ssllabs.com to see what it reports when attempting to access your URL.

Andrew Hamilton (Director of Global Infrastructure, Author) commented:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0    448 172.16.13.21:22         10.16.0.12:62784        ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 :::443                  :::*                    LISTEN
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  5      [ ]         DGRAM                    9218     /dev/log
unix  2      [ ACC ]     STREAM     LISTENING     11564    /var/run/vmware/guestServicePipe
unix  2      [ ACC ]     STREAM     LISTENING     11604    /var/run/mysqld/mysqld.sock
unix  2      [ ACC ]     STREAM     LISTENING     8551     @/com/ubuntu/upstart
unix  2      [ ACC ]     SEQPACKET  LISTENING     8902     /run/udev/control
unix  2      [ ACC ]     STREAM     LISTENING     9165     /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     10999    /var/run/acpid.socket
unix  2      [ ]         DGRAM                    10996
unix  3      [ ]         STREAM     CONNECTED     10488    @/com/ubuntu/upstart
unix  3      [ ]         STREAM     CONNECTED     9179
unix  3      [ ]         STREAM     CONNECTED     9257     /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     8891     @/com/ubuntu/upstart
unix  3      [ ]         STREAM     CONNECTED     9183     /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     10478
unix  2      [ ]         DGRAM                    71292
unix  3      [ ]         STREAM     CONNECTED     9181     @/com/ubuntu/upstart
unix  3      [ ]         STREAM     CONNECTED     8882
unix  3      [ ]         STREAM     CONNECTED     9182
unix  3      [ ]         STREAM     CONNECTED     9256
unix  3      [ ]         STREAM     CONNECTED     9178
unix  3      [ ]         STREAM     CONNECTED     9156
unix  3      [ ]         DGRAM                    8940
unix  3      [ ]         DGRAM                    8941
unix  2      [ ]         DGRAM                    9237
Andrew Hamilton (Director of Global Infrastructure, Author) commented:
SSLProtocol  -SSLv3
Dmitri Farafontov (Linux Systems Admin) commented:
You can assemble a certificate chain in a PEM format into one file. Include the private key on top, certificate, any intermediate ones, and finally the root one.
arnold commented:
SSLProtocol should exclude SSLv2 as it is the weakest, then SSLv3, provided TLS is the only available option.

Try the following locally on the server:

openssl s_client -connect localhost:443

And see what it reports; the possible issues could be incomplete certificate chains.
Dmitri Farafontov (Linux Systems Admin) commented:
Could be much easier seeing a mistake from the browser itself.
arnold commented:
Currently there is no DNS entry for authorize.mpbio.com. Check the DNS records.
Dmitri Farafontov (Linux Systems Admin) commented:
That should not matter. What if they don't want the FQDN to be externally resolvable?
arnold commented:
The error reported can mean several things: lack of protocol or cipher agreement, mismatch in certificate, untrusted CA, mismatch in name, invalid/expired cert, depending on where/which browser returns this info.

The output from the internal/local openssl command provided may shed light on what might be going on externally if the internal attempt generates an error.
Then work your way out.

From your output of netstat -an, double check that your webserver is actually bound to the IPv4 443 port; note it is only reflected as accessible via tcp6 (IPv6).
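The IPv4-versus-IPv6 question raised above is worth settling with a check rather than by eye, so here is an added example (not code from the thread) that parses the TCP listener lines of `netstat -an` and classifies how a port is bound. The caveat a practitioner wants here: on Linux a socket bound to `::` (shown by netstat as `:::443` under tcp6) also accepts IPv4 connections unless the sysctl `net.ipv6.bindv6only` is 1 or the application set `IPV6_V6ONLY`, so a tcp6-only entry for port 443 is normally not the reason an IPv4 client cannot connect. The sample input embedded in the block is the TCP portion of the netstat output posted above; the `bindv6only` parameter is this example's own and should be set from `sysctl net.ipv6.bindv6only` on the host being checked.

```python
"""Classify how a TCP port is bound from `netstat -an` output.

Added example, not code from the thread. On Linux a listener on "::" is
dual-stack by default (net.ipv6.bindv6only = 0), so a tcp6 ":::443" entry
usually serves IPv4 clients too; the bindv6only flag lets the caller say
otherwise.
"""
from typing import List, Tuple


def listening_sockets(netstat_output: str) -> List[Tuple[str, str, int]]:
    """(proto, address, port) for every tcp/tcp6 socket in LISTEN state."""
    listeners: List[Tuple[str, str, int]] = []
    for line in netstat_output.splitlines():
        parts = line.split()
        # Skip headers, UNIX-domain sockets and non-listening connections.
        if len(parts) < 6 or parts[0] not in ("tcp", "tcp6") or parts[-1] != "LISTEN":
            continue
        # Local address is "ip:port"; rpartition copes with IPv6 forms such as ":::443".
        address, _, port = parts[3].rpartition(":")
        listeners.append((parts[0], address, int(port)))
    return listeners


def port_binding_report(netstat_output: str, port: int, bindv6only: bool = False) -> str:
    """Address family on which `port` listens: 'ipv4-explicit' (a tcp socket),
    'ipv4-via-dual-stack' (only a tcp6 socket on ::, with bindv6only off),
    'ipv6-only', or 'not-listening'."""
    on_port = [s for s in listening_sockets(netstat_output) if s[2] == port]
    if any(proto == "tcp" for proto, _, _ in on_port):
        return "ipv4-explicit"
    if any(proto == "tcp6" and addr == "::" for proto, addr, _ in on_port) and not bindv6only:
        return "ipv4-via-dual-stack"
    if on_port:
        return "ipv6-only"
    return "not-listening"


# Sample input: the TCP portion of the netstat output posted in the thread.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0    448 172.16.13.21:22         10.16.0.12:62784        ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 :::443                  :::*                    LISTEN
"""

if __name__ == "__main__":
    for p in (80, 443, 3306):
        print(p, port_binding_report(SAMPLE_NETSTAT, p))
```

On the sample, ports 80 and 443 come back as `ipv4-via-dual-stack` and 3306 as `ipv4-explicit` (bound to loopback only, which the classification does not judge). Since the same netstat shows sshd on both `0.0.0.0:22` and `:::22`, it is also a reminder that some daemons do open separate per-family sockets, which is why the tcp6-only Apache entry looks suspicious but is not.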
Dmitri Farafontov (Linux Systems Admin) commented:
Auto Close.