Search code examples
apache2lets-encrypt

Apache2 answers with HTTP when it should answer with HTTPS

I hava a web app running locally on port 7530. I can access it via curl without any problems. When I try accessing it via the domain name I get an error indicating that the HTTPS response is in fact an HTTP response.

When I run curl -vvv https://myapp.mydomain.com I get the following output:

*   Trying 12.345.67.89:443...
* TCP_NODELAY set
* Connected to myapp.mydomain.com (12.345.67.89) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* error:1408F10B:SSL routines:ssl3_get_record:wrong version number
* Closing connection 0
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

Firefox gives the error message SSL_ERROR_RX_RECORD_TOO_LONG.

My config file in /etc/apache2/sites-enabled/010-myapp.mydomain.com-le-ssl.conf and /etc/apache2/sites-available/010-myapp.mydomain.com-le-ssl.conf is:

<IfModule mod_ssl.c>
    <VirtualHost *:443>
        DEFINE myapp_url 127.0.0.1
        DEFINE myapp_port 7530


        ServerName myapp.mydomain.com


        ProxyRequests       Off
        ProxyPreserveHost   On
        AllowEncodedSlashes NoDecode


        RequestHeader    set X-Forwarded-Proto "https"
        RequestHeader    set X-Forwarded-Port "443"

        ProxyPass / http://${myapp_url}:${myapp_port}/
        ProxyPassReverse / http://${myapp_url}:${myapp_port}/

        SSLCertificateFile /etc/letsencrypt/live/myapp.mydomain.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/myapp.mydomain.com/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
    </VirtualHost>
</IfModule>

The output of sudo apachectl -S is:

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost files.otherdomain.org (/etc/apache2/sites-enabled/001-files.otherdomain.org.redir.conf:1)
                 alias files.otherdomain.org
         port 80 namevhost media.otherdomain.org (/etc/apache2/sites-enabled/002-media.otherdomain.org.conf:1)
                 alias media.otherdomain.org
         port 80 namevhost app2.otherdomain.org (/etc/apache2/sites-enabled/004-app2.otherdomain.org.conf:1)
         port 80 namevhost app1.mydomain.com (/etc/apache2/sites-enabled/005-app1.mydomain.com.conf:1)
         port 80 namevhost admin.otherdomain.org (/etc/apache2/sites-enabled/006-admin.otherdomain.org.conf:1)
         port 80 namevhost app3.mydomain.com (/etc/apache2/sites-enabled/008-app3.mydomain.com.conf:1)
         port 80 namevhost myapp.mydomain.com (/etc/apache2/sites-enabled/010-myapp.mydomain.com.conf:1)
*:443                  is a NameVirtualHost
         default server files.otherdomain.org (/etc/apache2/sites-enabled/001-files.otherdomain.org.https.redir.conf:2)
         port 443 namevhost files.otherdomain.org (/etc/apache2/sites-enabled/001-files.otherdomain.org.https.redir.conf:2)
                 alias files.otherdomain.org
         port 443 namevhost media.otherdomain.org (/etc/apache2/sites-enabled/002-media.otherdomain.org-le-ssl.conf:10)
         port 443 namevhost app2.otherdomain.org (/etc/apache2/sites-enabled/004-app2.otherdomain.org-le-ssl.conf:2)
         port 443 namevhost app1.mydomain.com (/etc/apache2/sites-enabled/005-app1.mydomain.com-le-ssl.conf:2)
         port 443 namevhost admin.otherdomain.org (/etc/apache2/sites-enabled/006-admin.otherdomain.org-le-ssl.conf:2)
         port 443 namevhost app3.mydomain.com (/etc/apache2/sites-enabled/008-app3.mydomain.com-le-ssl.conf:2)
         port 443 namevhost myapp.mydomain.com (/etc/apache2/sites-enabled/010-myapp.mydomain.com-le-ssl.conf:2)
         port 443 namevhost 127.0.1.1 (/etc/apache2/sites-enabled/default-ssl.conf:2)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default 
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
Define: wiki_url=127.0.0.1
Define: wiki_port=5410
Define: serv_name=admin.otherdomain.org
Define: myapp_url=127.0.0.1
Define: myapp_port=7530
User: name="www-data" id=33

Where do I have a configuration error?

Solution

  • The problem was that somebody put the config files for files.otherdomain.org directly into the sites-enabled directory. The config files themselves look correct, but removing them solved the issue for all the other virtual hosts.