We have two websites running on one apache:
www-example1-com, www-example2-com
www-example1-com was the first site to exist, got a lets-encrypt certificate and works fine.
www-example2-com is the second site, that also got a lets-encrypt certificate.
www-example1-com works fine. www-example2-com causes an error in Firefox and Chromium
SSL_ERROR_NO_CYPHER_OVERLAP in Firefox
ERR_SSL_VERSION_OR_CIPHER_MISMATCH in Chromium
What I did so far:
- I generated a certificate for www-example2
- I expanded the certificate of www-example1 to count for www-example2 too.
- I expanded the example2.conf in /etc/apache2/sites-available by the code-snippet from
https://ssl-config.mozilla.org/
- I deleted the key and the certificate for www.example2 and regathered it.
- I checked example1-conf, example2-conf, 000-default-le-ssl.conf, apache2.conf
- https://www.ssllabs.com/ssltest/analyze.html?d=example2.com --> Assessment failed: Failed to communicate with the secure server
The error.log of apache outputs this line: [ssl:info] [pid 19288] (70014)End of file found: [client 192.168.0.9:53597] AH01991: SSL input filter read failed.
Please note: There is a SNI that seems to be correctly configured, but I have no direct access to.
In each case the error message did not change.
000-default-le-ssl.conf:
<IfModule mod_ssl.c>
<VirtualHost *:443>
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
ServerAdmin webmaster@localhost
Protocols h2 h2c http/1.1
DocumentRoot /var/www/html/
ServerName www.example1.com
ServerAlias example1.com
Protocols h2 h2c http/1.1
<Directory /var/www/>
Options -Indexes +FollowSymLinks
AllowOverride all
Order allow,deny
allow from all
</Directory>
# added 01.04.2019 END
<Directory /var/www/html/>
Options -Indexes +FollowSymlinks
AllowOverride All
Require all granted
allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
#SSLEngine off
#Include /etc/letsencrypt/options-ssl-apache.conf
#Header always set Content-Security-Policy upgrade-insecure-requests
Include /etc/letsencrypt/options-ssl-apache.conf
#SSLCertificateFile /etc/letsencrypt/live/www.example2.com/fullchain.pem
#SSLCertificateKeyFile /etc/letsencrypt/live/www.example2.com/privkey.pem
#Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/www.example1.com-0001/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.example1.com-0001/privkey.pem
</VirtualHost>
</IfModule>
example2.conf
<VirtualHost *:80>
Protocols h2 http/1.1
ServerAdmin [email protected]
DocumentRoot /var/www/html1/example2/
ServerName www.example2.com
ServerAlias example2.com
<Directory /var/www/html1/example2>
Options -Indexes +FollowSymLinks +MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.example2.com [OR]
RewriteCond %{SERVER_NAME} =example2.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin [email protected]
Protocols h2 h2c http/1.1
DocumentRoot /var/www/html1/example2
ServerName www.example2.com
ServerAlias example2.com
<Directory /var/www/html1>
Options -Indexes +FollowSymLinks
AllowOverride all
Order allow,deny
allow from all
</Directory>
<Directory /var/www/html1/example2>
Options -Indexes +FollowSymlinks
AllowOverride All
Require all granted
allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
# SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
# SSLHonorCipherOrder off
# SSLSessionTickets off
#SSLUseStapling On
#SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/www.example1.com-0001/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.example1.com-0001/privkey.pem
</VirtualHost>
</IfModule>
The output of openssl:
CONNECTED(00000003)
140386018971712:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1407:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 198 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1623677307
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Could somebody please help to find the error? Please tell me if you need more information.
Thanks in advance.