How to fix SSL_ERROR_NO_CYPHER_OVERLAP for 2 domains on apache with certbot

We have two websites running on one apache: www-example1-com, www-example2-com

www-example1-com was the first site to exist, got a lets-encrypt certificate and works fine. www-example2-com is the second site, that also got a lets-encrypt certificate.

www-example1-com works fine. www-example2-com causes an error in Firefox and Chromium: SSL_ERROR_NO_CYPHER_OVERLAP in Firefox, ERR_SSL_VERSION_OR_CIPHER_MISMATCH in Chromium.

What I did so far:

  • I generated a certificate for www-example2
  • I expanded the certificate of www-example1 to count for www-example2 too.
  • I extended the example2.conf in /etc/apache2/sites-available with the code snippet from https://ssl-config.mozilla.org/
  • I deleted the key and the certificate for www.example2 and regathered it.
  • I checked example1-conf, example2-conf, 000-default-le-ssl.conf, apache2.conf
  • https://www.ssllabs.com/ssltest/analyze.html?d=example2.com --> Assessment failed: Failed to communicate with the secure server

The error.log of apache outputs this line: [ssl:info] [pid 19288] (70014)End of file found: [client 192.168.0.9:53597] AH01991: SSL input filter read failed.

Please note: there is an SNI that seems to be correctly configured, but which I have no direct access to.

In each case the error message did not change.

000-default-le-ssl.conf:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
    ServerAdmin webmaster@localhost
    Protocols h2 h2c http/1.1
    DocumentRoot /var/www/html/
    ServerName www.example1.com
    ServerAlias example1.com
    Protocols h2 h2c http/1.1

    <Directory /var/www/>
            Options -Indexes +FollowSymLinks
            AllowOverride all
            Order allow,deny
            allow from all
    </Directory>
    
    # added 01.04.2019 END
    
    <Directory /var/www/html/>
      Options -Indexes +FollowSymlinks
      AllowOverride All
      Require all granted
      allow from all
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    #SSLEngine off
    #Include /etc/letsencrypt/options-ssl-apache.conf
    #Header always set Content-Security-Policy upgrade-insecure-requests
    Include /etc/letsencrypt/options-ssl-apache.conf
    #SSLCertificateFile /etc/letsencrypt/live/www.example2.com/fullchain.pem
    #SSLCertificateKeyFile /etc/letsencrypt/live/www.example2.com/privkey.pem
    #Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/www.example1.com-0001/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.example1.com-0001/privkey.pem
</VirtualHost>
</IfModule>

example2.conf

<VirtualHost *:80>
 Protocols h2 http/1.1
 ServerAdmin [email protected]
 DocumentRoot /var/www/html1/example2/
 ServerName www.example2.com
 ServerAlias example2.com
 <Directory /var/www/html1/example2>
    Options -Indexes +FollowSymLinks +MultiViews
    AllowOverride All
    Order allow,deny
    allow from all
 </Directory>

 ErrorLog ${APACHE_LOG_DIR}/error.log
 CustomLog ${APACHE_LOG_DIR}/access.log combined
 RewriteEngine on
 RewriteCond %{SERVER_NAME} =www.example2.com [OR]
 RewriteCond %{SERVER_NAME} =example2.com
 RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
 </VirtualHost>

 <IfModule mod_ssl.c>
 <VirtualHost *:443>
    ServerAdmin [email protected]
    Protocols h2 h2c http/1.1
    DocumentRoot /var/www/html1/example2
    ServerName www.example2.com
    ServerAlias example2.com

    <Directory /var/www/html1>
            Options -Indexes +FollowSymLinks
            AllowOverride all
            Order allow,deny
            allow from all
    </Directory>
    <Directory /var/www/html1/example2>
      Options -Indexes +FollowSymlinks
      AllowOverride All
      Require all granted
     allow from all
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
 #       SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
 #       SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
 #       SSLHonorCipherOrder     off
 #       SSLSessionTickets       off

 #SSLUseStapling On
 #SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

 Include /etc/letsencrypt/options-ssl-apache.conf
 SSLCertificateFile /etc/letsencrypt/live/www.example1.com-0001/fullchain.pem
 SSLCertificateKeyFile /etc/letsencrypt/live/www.example1.com-0001/privkey.pem
 </VirtualHost>
 </IfModule>

The output of openssl:

CONNECTED(00000003)
140386018971712:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1407:SSL alert      number 40
---
 no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 198 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol  : TLSv1.2
Cipher    : 0000
Session-ID: 
Session-ID-ctx: 
Master-Key: 
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1623677307
Timeout   : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no

Could somebody please help to find the error? Please tell me if you need more information.

Thanks in advance.

ezra-s:
Supposedly it should work, but I don't see "SSLEngine on" in the virtualhost. On another note, Order, Allow, Deny are deprecated directives, please stop using them. Same with "AllowOverride all": if you are the admin of the site there is no need to use .htaccess. Oh and... you may like mod_md to handle letsencrypt certs, give it a try.
Zehke:
Is it possible that the error is also thrown when no SSL is enabled on the server? We took a fresh server, created everything from scratch with just the default apache website, and the error still occurs.
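The openssl output above (alert 40, "no peer certificate available", cipher 0000) is what a client sees when the *:443 vhost it reaches by SNI cannot complete the handshake at all, which is what the comment about a missing "SSLEngine on" is pointing at. Below is an added config check, not code from the question or the comments, that parses an Apache vhost file, keeps only the port-443 VirtualHosts and their uncommented directives, and reports the two things worth confirming here: whether SSLEngine on is set directly (or only possibly through an Include), and whether the certificate path belongs to this site's lineage. The sample config is constructed after example2.conf; the assumption that certbot's options-ssl-apache.conf may carry SSLEngine on is flagged as something to verify in that file, not asserted.

```python
import re

# Constructed sample modelled on the example2.conf in the question (not the poster's file):
# the *:443 vhost relies on an Include for its SSL settings and serves the example1 certificate.
SAMPLE_CONF = """
<VirtualHost *:443>
    ServerName www.example2.com
    ServerAlias example2.com
    #SSLEngine off
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/www.example1.com-0001/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.example1.com-0001/privkey.pem
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def tls_vhosts(conf_text):
    """One dict of (uncommented) directives per VirtualHost bound to port 443."""
    result = []
    for m in VHOST_RE.finditer(conf_text):
        if not m.group(1).strip().endswith(":443"):
            continue
        directives = {}
        for raw in m.group(2).splitlines():
            line = raw.strip()
            if line and not line.startswith("#"):        # commented-out lines have no effect
                key, _, value = line.partition(" ")
                directives.setdefault(key.lower(), []).append(value.strip())
        result.append(directives)
    return result

def findings(conf_text):
    """Config gaps that leave a reachable :443 vhost unable to negotiate TLS (alert 40)."""
    out = []
    for d in tls_vhosts(conf_text):
        name = d.get("servername", ["?"])[0]
        if "on" not in [v.lower() for v in d.get("sslengine", [])]:
            inc = d.get("include", [])
            hint = f" (maybe set by Include {inc[0]}, verify that file)" if inc else ""
            out.append(f"{name}: no explicit 'SSLEngine on'{hint}")
        cert = d.get("sslcertificatefile", [""])[0]
        if not cert:
            out.append(f"{name}: no SSLCertificateFile, nothing to present to clients")
        elif name.removeprefix("www.") not in cert:
            out.append(f"{name}: cert {cert} is another site's lineage, confirm its SAN list covers {name}")
    return out
```

Run findings() over the real sites-available files and the 000-default-le-ssl.conf together, since with SNI the vhost that answers for www.example2.com is whichever *:443 block carries that ServerName or ServerAlias, not necessarily the one in example2.conf.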