Failed to establish SSL connection, how can I fix my SSL certificate?

I'm trying wget from my own box, and it cannot be the internal address in wget (another developer says so).

When I wget, I get the following:

    wget http://example.com
    --2013-03-01 15:03:30--  http://example.com/
    Resolving example.com... 172.20.0.224
    Connecting to example.com|172.20.0.224|:80... connected.
    HTTP request sent, awaiting response... 302 Found
    Location: https://www.example.com/ [following]
    --2013-03-01 15:03:30--  https://www.example.com/
    Resolving www.example.com... 172.20.0.224
    Connecting to www.example.com|172.20.0.224|:443... connected.
    OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
    Unable to establish SSL connection.

I believe this is because I do not have the certificate setup correctly. Using openssl:

    openssl s_client -connect example.com:443
    CONNECTED(00000003)
    15586:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:588:

When I run the same command against another site, it shows the entire certificate.

Perhaps the SSL certificate was never configured in a conf file on Apache for this domain?

If so, what should I specify in the virtual host? Is there an alternative to specifying --no-check-certificate, because I don't want to do that?

+53
ssl apache openssl wget
Mar 01 '13 at 21:11
8 answers

SSL23_GET_SERVER_HELLO: unknown protocol

This error occurs when OpenSSL receives something other than a ServerHello, in a protocol version it understands, from the server. This can happen if the server responds with plain (unencrypted) HTTP. It can also happen if the server only supports, for example, TLS 1.2 and the client does not understand that version of the protocol. Typically, servers are backward compatible with at least SSL 3.0 / TLS 1.0, but perhaps this particular server is not (whether by implementation or by configuration).

It is unclear whether you tried passing --no-check-certificate or not. I would be surprised if that worked.

A simple test is to use wget (or a browser) to request http://example.com:443 (note http://, not https://); if it works, SSL is not enabled on port 443. To continue debugging, use openssl s_client with the -debug option, which, before the error message, dumps the first few bytes of the server response that OpenSSL could not parse. This can help identify the problem, especially if the server does not respond with a ServerHello message. To find out exactly what OpenSSL expects, check the source: look for SSL_R_UNKNOWN_PROTOCOL in ssl/s23_clnt.c.

In any case, looking at the Apache error log may also give some idea.

+82
Mar 01 '13 at 22:50
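The check this answer suggests (is the thing on port 443 actually speaking TLS, or plain HTTP?) can also be done from a script that sends a ClientHello itself and looks at the first bytes that come back, which is what openssl s_client -debug shows you. The following is an added example, not code from the original post or from OpenSSL/wget; the host name, port, cipher suite list and the byte strings in SAMPLE_REPLIES are constructed for illustration, and only probe() needs network access.

```python
"""Tell a TLS listener apart from a plaintext one by sending a ClientHello
and classifying the first bytes of the reply.

Added example, not from the original post. The sample replies and the host
used in the usage below are constructed, not captured from a real server.
"""
import os
import socket
import struct


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a server sent back after our ClientHello."""
    if not data:
        # Peer closed or reset without sending anything: nothing answering on the port.
        return "empty"
    if len(data) >= 2 and data[0] == 0x16 and data[1] == 0x03:
        # TLS record, content type handshake (22), major version 3: a ServerHello follows.
        return "tls-handshake"
    if len(data) >= 2 and data[0] == 0x15 and data[1] == 0x03:
        # TLS alert record: TLS is there but it rejected our hello (e.g. no common cipher).
        return "tls-alert"
    if data.startswith(b"HTTP/"):
        # An HTTP status line where a ServerHello should be: the port speaks plain HTTP,
        # which is exactly what produces SSL23_GET_SERVER_HELLO:unknown protocol.
        return "plaintext-http"
    if data.startswith(b"SSH-"):
        return "ssh"
    return "unknown"


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record carrying an SNI extension."""
    name = server_name.encode("idna")
    # server_name extension (type 0): a list with one (host_name, length, name) entry.
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    name_list = struct.pack("!H", len(entry)) + entry
    sni_ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    # A few widely supported AES suites (assumed list); enough to get a ServerHello or an alert.
    suites = bytes.fromhex("c02fc030009c002f0035")
    body = (
        b"\x03\x03"                                    # client_version: TLS 1.2
        + os.urandom(32)                               # client random
        + b"\x00"                                      # session_id: empty
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                                  # compression methods: null only
        + extensions
    )
    # Handshake header: type client_hello (1) and a 3-byte body length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: handshake (0x16), legacy record version 3.1, 2-byte length.
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect, send a ClientHello and classify the first bytes of the reply (needs network)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        try:
            data = sock.recv(16)
        except (ConnectionResetError, socket.timeout):
            data = b""
    return classify_first_bytes(data)


# Constructed sample replies (not captured from any real server).
SAMPLE_REPLIES = {
    "tls-listener": bytes.fromhex("160303004a02000046"),      # start of a ServerHello record
    "plain-http-on-443": b"HTTP/1.1 400 Bad Request\r\n",    # Apache answering in cleartext
    "nothing-listening": b"",
}

if __name__ == "__main__":
    import sys
    for label, reply in SAMPLE_REPLIES.items():
        print(f"{label:20s} -> {classify_first_bytes(reply)}")
    if len(sys.argv) > 1:           # e.g. python probe.py www.example.com
        print(sys.argv[1], "->", probe(sys.argv[1]))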
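A result of "plaintext-http" matches the wget and s_client errors in the question (the port is open but not SSL-enabled); "tls-alert" means TLS is configured and the problem lies elsewhere (cipher or version mismatch, which the answer above also mentions).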

In my case, I had not enabled the "default-ssl" site. Only "000-default" was present in the /etc/apache2/sites-enabled folder.

Enable the SSL site on Ubuntu 14 LTS, Apache 2.4.7:

    a2ensite default-ssl
    service apache2 reload
+18
May 2 '15 at 1:03

A simple note (and a possible reason).

In the Apache .conf file, you can have the correct VirtualHost setting with _default_:443, etc.

But... if even one .conf file with the wrong settings, which also listens on port 443, is included, it will disable the entire SSL setup.

Therefore, if you are sure your .conf file is correct, try disabling the other site .conf files in sites-enabled.

+8
Dec 02 '15 at 9:04

There are several possibilities:

  • Your workstation does not have the root CA certificate used to sign your server certificate. How exactly you fix this depends on which OS and release you are using, etc. (I suspect this is not related.)
  • Your certificate is not installed correctly. If your SSL certificate requires an intermediate certificate and you did not install it, you may get these warnings.
  • Are you sure you have activated SSL on port 443?

First, to check (3): what happens if you connect to this port?

Assuming this is not (3), then depending on your needs you may be fine ignoring these errors and simply passing --no-check-certificate. You will probably want to try a regular browser (which usually bundles root certificates directly) and see if it is happy.

If you want to manually verify the certificate, post more details from the output of openssl s_client. Or use openssl x509 -text -in /path/to/cert to print it to your terminal.

+4
Mar 01 '13 at 21:22

I had this problem when creating a new instance of EC2. I did not add HTTPS to my security group, and so port 443 was not open.

+2
Nov 09 '15 at 20:35

For me, my server's DNS name had been added to /etc/hosts mapped to 127.0.0.1, resulting in

SSL23_GET_SERVER_HELLO: unknown protocol

Removing the mapping of my real DNS name to 127.0.0.1 resolved the problem.

+1
Mar 13 '18 at 10:26

I had the same issue. Port 443 was not open on CentOS.

Check port 443 with the following command:

    sudo lsof -i tcp:443

At the top of the /etc/httpd/conf.d/ssl.conf file, add these two lines:

    LoadModule ssl_module modules/mod_ssl.so
    Listen 443
0
Mar 31 '17 at 9:47
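The three Apache-side causes given in the answers above (no SSL site enabled at all, a second .conf bound to port 443 without SSL settings, and a missing Listen 443 / mod_ssl line) all show up in the config text before any TLS handshake is attempted, so they can be caught with a static check. The following is an added example, not code from the page or from Apache; it is a small hand-rolled parser for the few directives involved (Listen, VirtualHost, SSLEngine, SSLCertificateFile), not a full Apache config parser, and the two config samples at the bottom are constructed.

```python
"""Static check of Apache config for misconfigurations that make port 443
answer in plaintext (or not at all).

Added example, not from the page. Recognises only Listen, <VirtualHost>,
SSLEngine and SSLCertificateFile; Include directives are not followed, so
feed it the concatenated contents of the files you actually have enabled.
"""
import re
import sys

LISTEN_RE = re.compile(r"^Listen\s+(?:\S*:)?(\d+)", re.I)       # Listen 443 / 0.0.0.0:443 / [::]:443
VHOST_OPEN_RE = re.compile(r"^<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE_RE = re.compile(r"^</VirtualHost>", re.I)
SSLENGINE_RE = re.compile(r"^SSLEngine\s+(\S+)", re.I)
CERT_RE = re.compile(r"^SSLCertificateFile\s+(\S+)", re.I)


def _port_of(addr: str) -> str:
    """Port part of a VirtualHost address; Apache defaults to 80 when none is given."""
    return addr.rsplit(":", 1)[1] if ":" in addr else "80"


def parse_config(text: str):
    """Return (set of listened ports, list of vhost dicts) from Apache config text."""
    listen_ports, vhosts, current = set(), [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # Apache comments are whole lines only
            continue
        if (m := LISTEN_RE.match(line)):
            listen_ports.add(int(m.group(1)))
        elif (m := VHOST_OPEN_RE.match(line)):
            addrs = m.group(1).split()
            current = {"line": lineno, "addrs": addrs,
                       "ports": {_port_of(a) for a in addrs}, "ssl": False, "cert": None}
        elif VHOST_CLOSE_RE.match(line) and current is not None:
            vhosts.append(current)
            current = None
        elif current is not None:
            if (m := SSLENGINE_RE.match(line)):
                current["ssl"] = m.group(1).lower() == "on"
            elif (m := CERT_RE.match(line)):
                current["cert"] = m.group(1)
    return listen_ports, vhosts


def find_problems(text: str) -> list:
    """List human-readable findings; an empty list means none of the checked problems."""
    listen_ports, vhosts = parse_config(text)
    problems = []
    if 443 not in listen_ports:
        problems.append("no 'Listen 443' directive: nothing accepts connections on port 443")
    ssl_vhosts = [v for v in vhosts if "443" in v["ports"]]
    if not ssl_vhosts:
        problems.append("no <VirtualHost> bound to port 443 (e.g. default-ssl not enabled)")
    for v in ssl_vhosts:
        where = f"<VirtualHost {' '.join(v['addrs'])}> at line {v['line']}"
        if not v["ssl"]:
            # A 443 vhost without SSLEngine on is served as plain HTTP; if it is the default
            # vhost for that address:port, every client on 443 gets plaintext and wget reports
            # SSL23_GET_SERVER_HELLO:unknown protocol.
            problems.append(f"{where} is bound to 443 without 'SSLEngine on'")
        elif v["cert"] is None:
            problems.append(f"{where} has 'SSLEngine on' but no SSLCertificateFile")
    return problems


# Constructed samples: a working layout and the "stray 443 vhost" layout.
GOOD_CONF = """\
Listen 80
Listen 443
<VirtualHost *:80>
    ServerName example.com
    Redirect permanent / https://www.example.com/
</VirtualHost>
<VirtualHost _default_:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/www.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
</VirtualHost>
"""

BAD_CONF = """\
Listen 80
<VirtualHost *:80>
    ServerName example.com
</VirtualHost>
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/html
</VirtualHost>
"""

if __name__ == "__main__":
    # Usage: cat /etc/apache2/sites-enabled/*.conf /etc/apache2/ports.conf | python check_ssl_vhosts.py
    text = sys.stdin.read() if not sys.stdin.isatty() else BAD_CONF
    for problem in find_problems(text) or ["no problems found"]:
        print(problem)
```

On Debian/Ubuntu the Listen directives live in ports.conf and the vhosts in sites-enabled, so both need to be piped in; on CentOS the LoadModule/Listen lines sit in conf.d/ssl.conf as the answer above shows. The check is deliberately conservative: it flags every 443 vhost that lacks SSLEngine on, whether or not it happens to be the default vhost for that address.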

The problem I encountered was in a client-server environment. The client tried to connect via HTTP on port 80, but wanted the server proxy to redirect the request to another port, and the data had to be HTTPS. So, basically, secure information was being requested over HTTP. Thus, the server must have HTTP on port 80 and must also serve the port the client requests, say urla:1111\subB.

The problem was that the server was serving this on some other port, e.g. urla:2222\subB; therefore the client tried to access it through 1111 and got an error. Correcting the port number should fix this problem. In this case, the port number is 1111.

-2
Dec 23 '13 at 9:32
