ssl_error_handshake_failure_alert on https site - localhost
Initially I'd suggest increasing logging and looking at things in more detail. A good way is to use a tool like curl with the -v option to see what a client thinks about the certificate. Most common thing would be something like a host name mismatch or a broken ca chain.
As you suppose, ca.crt is broken or something. I tried to build it again from the how-to. Unfortunately the same error occurs and I have no idea what to do.
Here is what curl gives
Code:
debian:/etc/ssl/ssl.crt# curl -v https://localhost
* About to connect() to localhost port 443 (#0)
* Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Closing connection #0
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). The default
bundle is named curl-ca-bundle.crt; you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
Hmm, add a few more -v's. I'd guess that it could be something like your server not providing a suitable cipher suite to agree on. Personally my style would be to capture the exchange in Wireshark and step through it in real detail there. Can you print out the cert? "openssl x509 -noout -text -in server.crt" if I remember right.
Today when I started the PC the previous error didn't appear. In its place I get this when I run curl
Code:
debian:/etc/apache2/sites-enabled# curl -v https://localhost
* About to connect() to localhost port 443 (#0)
* Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
* Closing connection #0
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
@sampappachan_nyc
I didn't have ntp installed. I installed it and tried to run some of the commands you provided, but I get errors (I am not so skilled). I tried to change the date of the PC, since I barely remember doing that when I configured openvpn with ssl on another machine, and there that was the problem. I tried changing the date a few days ahead of and beyond the current date, but that didn't help.
I think the handshake is OK now (maybe after the restart). What is that with the unknown protocol thing?
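Added example, not part of the thread: one common cause of the "unknown protocol" error is a server whose first reply bytes are not a TLS record at all, for example plain HTTP on port 443. This Python sketch classifies the first bytes of a server reply taken from a capture, telling a TLS alert such as handshake_failure apart from a plaintext answer. The function name and the sample byte strings are constructed for illustration.

```python
import struct

# TLS record content types and a few alert descriptions (RFC 5246 values).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
ALERTS = {0: "close_notify", 10: "unexpected_message", 40: "handshake_failure",
          42: "bad_certificate", 45: "certificate_expired", 48: "unknown_ca",
          70: "protocol_version"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate", 14: "server_hello_done"}


def classify_reply(data: bytes) -> str:
    """Describe the first bytes a server sent back on a supposed TLS port."""
    if not data:
        return "empty: connection closed without a reply"
    # Plaintext HTTP answers start with an ASCII status line or HTML.
    if data.startswith(b"HTTP/") or data.lstrip()[:1] == b"<":
        return "plaintext HTTP: the port is not speaking TLS"
    if len(data) < 5:
        return "truncated: fewer than 5 bytes, no complete record header"
    # Record header: content type, version major/minor, 16-bit body length.
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype not in CONTENT_TYPES or major != 3:
        return "not a TLS record: unrecognised leading bytes"
    body = data[5:5 + length]
    if ctype == 21 and len(body) >= 2:
        level = {1: "warning", 2: "fatal"}.get(body[0], "level %d" % body[0])
        desc = ALERTS.get(body[1], "alert %d" % body[1])
        return "TLS alert: %s %s" % (level, desc)
    if ctype == 22 and body:
        return "TLS handshake: %s (record version 3.%d)" % (
            HANDSHAKE_TYPES.get(body[0], "type %d" % body[0]), minor)
    return "TLS record: %s" % CONTENT_TYPES[ctype]


# Constructed sample replies (not captured from the poster's server).
SAMPLES = {
    "alert": bytes([21, 3, 1, 0, 2, 2, 40]),
    "hello": bytes([22, 3, 1, 0, 4, 2, 0, 0, 0]),
    "http": b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", classify_reply(raw))
```

A "plaintext HTTP" result on port 443 points at the server configuration (TLS not enabled on that listener) rather than at the certificate or CA chain.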