Strange SSL problem on apache after upgrade of Ubuntu

  • Ok so, after the upgrade from Ubuntu 16.04 to Ubuntu 18.04, I reinstalled i-MSCP and now the panel (or anything else) doesn't work on apache 443, before the upgrade I had the PanelRedirect plugin installed which would enable customers to access the panel on a normal URL without :8443 at the end, now the panel works properly if I add :8443 at the end, but on the normal URL Chrome gives the following error :

    Code
    1. This site can’t provide a secure connection website sent an invalid response.
    2. Try running Windows Network Diagnostics.
    3. ERR_SSL_PROTOCOL_ERROR

    If I try to curl https://localhost I get this : (If I try to curl any https site which is NOT on this server, it works fine)

    Code
    1. # curl -I https://localhost
    2. curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

    I checked all Apache modules, I check OpenSSL version, everything *seems* fine, I also compared settings between this server and another recently updated server which works fine and couldn't find any difference in configs.

    The only thing I can think of is that i-MSCP was recently upgraded from a very old version (1.1.21) to the latest 1.5.3-2018 and maybe some old config file was left behind which is interfering with Apache. I tried to run the installer again with --reconfigure and nothing changed.

    The only logs I get in Apache are :

    Quote

    127.0.0.1 - - [09/Feb/2019:14:15:12 +0200] "\x16\x03\x01\x02" 400 226 "-" "-"

    127.0.0.1 - - [09/Feb/2019:14:15:19 +0200] "\x16\x03\x01\x02" 400 226 "-" "-"

    127.0.0.1 - - [09/Feb/2019:14:15:25 +0200] "\x16\x03\x01\x02" 400 226 "-" "-"

    It's like Apache doesn't know anymore how to handle a SSL connection.


    ANY IDEAS ?! :idea:


    Ubuntu 18.04 - i-MSCP 1.5.3 Build: 2018120800

    P.S. When I finished the reconfigure of the panel after it said I can login into the panel the following error appeared below for 3 different sites :

    [ERROR] Servers::named::bind::_compileZone: Couldn't compile the site.com zone: Unknown error

  • First of all, I have no clue :-)


    But I can help you, how I would act in such a situation.

    and now the panel (or anything else) doesn't work on apache 443


    netstat -luntep|grep 443


    Is there anything running? I guess so, because there are reaction on 443, but crosschecking what is running can't hurt.

    (BTW, if you not already dropped sudo from the box, you should be running that command as root).


    apache2ctl -2, look fopr enabled hostet at 443.



    SSL routines:ssl3_get_record:wrong version number

    OK, give this a try: https://www.ssllabs.com/ssltest/


    Which TLS Version?


    Maybe your old config housed the setup, so they use outdated protocols/cyphers.

  • Hey tracer thanks for your reply!


    Quote

    # netstat -luntep|grep 443

    tcp 0 0 *:8443 0.0.0.0:* LISTEN 0 4031892 18077/nginx: master

    tcp6 0 0 :::443 :::* LISTEN 0 4091968 4142/apache2

    tcp6 0 0 :::8443 :::* LISTEN 0 4031893 18077/nginx: master

    And SSL Labs says :

    Quote


    Assessment failed: No secure protocols supported

    It is very weird, I have another server with the exact same configuration, i checked each file in /etc/apache2 , i checked enable modules of apache, they are identical, on one server everything works fine, and this one it doesn't. I even checked apache2 related installed packages, same version and same packages installed on both servers, I'm really lost, no idea where to look next :/


    A more verbose curl.

  • Did you try that apache2ctl thing?

    Which sites are enabled on port 443?


    However …

    I'm really lost, no idea where to look next

    … no SSL enabled is really weird.


    That would be my next try: root@web10:/usr/local/src/imscp-1.5.3# perl imscp-autoinstall -dar ssl

  • That would be my next try: root@web10:/usr/local/src/imscp-1.5.3# perl imscp-autoinstall -dar ssl

    Code
    1. Congratulations i-MSCP has been successfully installed/updated.
    Code
    1. ~/imscp-1.5.3-2018120800# curl https://localhost
    2. curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

    What's next ? :D:D

  • Hmm, waiting for someone who is experienced in those crypto things? :)


    Edit: By the way, one of my setups, works like a charme, but same warning:



  • Apparently, after the upgrade the plugin PanelRedirect was no longer installed for some reason, after the (re)install of the plugin, the panel now works on :443

  • Apparently, after the upgrade the plugin PanelRedirect was no longer installed for some reason, after the (re)install of the plugin, the panel now works on :443

    Well, I asked twice for apache2ctl -S. (not -2, my fault …)


    With PanelRedict it shows:

    Code
    1. x.x.x.x:443 is a NameVirtualHost
    2. default server web10.x.net (/etc/apache2/imscp/before/PanelRedirect_ssl.conf:1)
    3. port 443 namevhost web10.x.net (/etc/apache2/imscp/before/PanelRedirect_ssl.conf:1)
    4. port 443 namevhost x.net (/etc/apache2/sites-enabled/x.net_ssl.conf:1)
    5. alias www.x.net
    6. alias dmn48.web10.x.net

    BTW, before an upgrade you should disable all plugins and enable them afterwards.

  • Good evening,


    The fact is that with latest i-MSCP version, you should not use the PanelRedirect plugin which was deprecated in favour of the Redirect (proxy) feature that is integrated in core. You can find more information there:


    The PanelRedirect plugin will be soon abandoned and therefore, no longer maintained.

    badge.php?id=1239063037&bid=2518&key=1747635596&format=png&z=547451206