I was tinkering with Apache SSL – and got the following error:
[Sat Sep 15 05:05:33 2007] [error] [client 61.219.39.67] Invalid method in request \x16\x03\x01
Turned out to be a wrong IP address for that host – I had changed the IP for the host in some places, but not another – fixed and working now in SSL mode…
This particular error usually means that a web browser is trying to speak SSL to a non-SSL vhost.
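The bytes in that log entry are the start of a TLS record arriving on a listener that expects plain HTTP. The following is an added example, not part of the original post or comments: it scans error-log lines for this signature and decodes the record header. The function names are hypothetical, and every sample line except the first is constructed.

```python
import re

# Apache writes non-printable request bytes as \xNN escapes in the error log.
LINE_RE = re.compile(
    r"\[client (?P<client>[^\]]+)\] Invalid method in request (?P<raw>.*)$"
)
ESCAPE_RE = re.compile(r"\\x([0-9a-fA-F]{2})")

# First byte of a TLS record: content type. Next two bytes: record version.
TLS_CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                     0x16: "handshake", 0x17: "application_data"}
TLS_VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0",
                (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def unescape(raw):
    """Turn the log's \\xNN escapes back into the bytes the client sent."""
    text = ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), raw)
    return text.encode("latin-1")


def tls_on_plain_port(log_lines):
    """Return one finding per log line whose 'method' is a TLS record header."""
    findings = []
    for line in log_lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        data = unescape(m.group("raw"))
        if len(data) < 3 or data[0] not in TLS_CONTENT_TYPES or data[1] != 3:
            continue  # some other malformed request, not TLS
        findings.append({
            "client": m.group("client"),
            "record_type": TLS_CONTENT_TYPES[data[0]],
            "record_version": TLS_VERSIONS.get((data[1], data[2]), "unknown"),
        })
    return findings


SAMPLE_LOG = [
    # Line quoted in the post above.
    r"[Sat Sep 15 05:05:33 2007] [error] [client 61.219.39.67] Invalid method in request \x16\x03\x01",
    # Constructed lines: a malformed non-TLS request and an unrelated error.
    r"[Sat Sep 15 05:06:10 2007] [error] [client 192.0.2.10] Invalid method in request get /index.html",
    r"[Sat Sep 15 05:07:02 2007] [error] [client 192.0.2.11] File does not exist: /var/www/favicon.ico",
]

if __name__ == "__main__":
    for finding in tls_on_plain_port(SAMPLE_LOG):
        print(finding)
```
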
I had the same problem, but in addition I was getting error 12263 in Firefox, indicating that SSL was broken on the server.
It turned out that some of my virtual hosts were written as instead of . The SSL-enabled hosts were all written as . When I changed all the lines to specify exactly which port to listen to, the errors went away.
I hypothesize that the non-SSL virtual hosts were matching the incoming request before the SSL-enabled virtual hosts for the same content, but didn’t know enough about SSL to provide a good response to the browser. Hence the error 12263, and the error in the log.
Hello,
Matt, I have the same problem but your explanation is not really clear. Could you explain again how you solved this problem ?
Regards,
Tex
It looks like whenever you put things in angle brackets, the text disappears.
Some of my virtual host files had (in angle brackets) as the top line: “VirtualHost *” instead of “VirtualHost *:80”. The ones that I wanted SSH-enabled had “VirtualHost *:443”. This setup caused problems.
Once I changed all the “VirtualHost *” lines to “VirtualHost *:80”, and made sure that :443 was in the secure hosts, the problem went away. Now all my virtual host files have *:N, where N is the port I want it to answer to – none of them have * alone.
As I mentioned above, I think that the virtual host files with the * matcher were more general, and so grabbed the incoming sessions first. However, since they didn’t have any SSL commands (engine on, key files, etc.), they didn’t know what to do with the browser’s SSL-related requests, so they sent an error.
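A check for the two configuration mistakes discussed in this thread, a VirtualHost address with no port and a port-443 virtual host without SSLEngine on, can be automated. This is an added example, not code from the post or its commenters; the function names and the sample configuration are constructed for illustration.

```python
import re

VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.IGNORECASE)
SSL_ON = re.compile(r"^\s*SSLEngine\s+on\b", re.IGNORECASE)


def parse_vhosts(config_text):
    """Return [(address_list, ssl_enabled)] for each <VirtualHost> block."""
    vhosts, current = [], None
    for line in config_text.splitlines():
        opened = VHOST_OPEN.match(line)
        if opened:
            current = {"addrs": opened.group(1).split(), "ssl": False}
        elif current is not None and VHOST_CLOSE.match(line):
            vhosts.append((current["addrs"], current["ssl"]))
            current = None
        elif current is not None and SSL_ON.match(line):
            current["ssl"] = True
    return vhosts


def port_of(addr):
    """Port of a VirtualHost address such as '*:443', or None if absent."""
    _host, sep, port = addr.rpartition(":")
    return port if sep and port.isdigit() else None


def lint(config_text):
    """Report vhosts with no port and port-443 vhosts lacking SSLEngine on."""
    problems = []
    for addrs, ssl in parse_vhosts(config_text):
        ports = [port_of(a) for a in addrs]
        label = "<VirtualHost %s>" % " ".join(addrs)
        if None in ports:
            problems.append(label + ": no port given, not restricted to one port")
        if "443" in ports and not ssl:
            problems.append(label + ": answers on 443 but SSLEngine is not on")
    return problems


# Constructed sample: one vhost without a port, one correct SSL vhost,
# and one vhost on 443 that never enables SSL.
SAMPLE = """
<VirtualHost *>
    ServerName www.example.com
</VirtualHost>
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
</VirtualHost>
<VirtualHost *:443>
    ServerName other.example.com
</VirtualHost>
"""
```
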
I have only one virtual host file included with one virtual host in it and the port is specified as you explained. During the startup, I have the following warn message : “You configured HTTP(80) on the standard HTTPS(443) port” so it looks like there is a non ssl instance stealing my 433 port …
Tex
If you’re not getting the 12263 error, then it’s probably a different problem. My quick googling suggests that you might try playing with the Listen directive (add something like “Listen example.com:443”) and the NameVirtualHost directive.
Maybe you could try finding a set of normal non-SSL configuration files, then changing all references of port 80 to 443.
Could you post your config files – without the angle brackets – (need to fix this)
All angle brackets replaced by double parenthesis: ((. First, ports.conf:
Listen 80
((IfModule mod_ssl.c((
Listen 443
((/IfModule((
A non-SSL virtual host, in the sites-available directory:
((VirtualHost *:80((
ServerName http://www.mydomain.com
ServerAlias mydomain.com
ServerAdmin m@mydomain.ca
DocumentRoot /var/www/mydomain
((Directory /var/www/mydomain/((
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
((/Directory((
ErrorLog /var/log/apache2/mydomain/error.log
LogLevel warn
CustomLog /var/log/apache2/mydomain/access.log combined
ServerSignature On
((/VirtualHost((
and the SSL-enabled file for the same site, also in the sites-available directory:
NameVirtualHost *:443
((VirtualHost *:443((
ServerName http://www.mydomain.com
ServerAlias mydomain.com
ServerAdmin m@mydomain.ca
DocumentRoot /var/www/mydomain
((Directory /var/www/mydomain/((
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
((/Directory((
ErrorLog /var/log/apache2/mydomain/error.log
LogLevel warn
CustomLog /var/log/apache2/mydomain/access.log combined
ServerSignature On
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key
SSLProtocol all
SSLCipherSuite HIGH:MEDIUM
((/VirtualHost((
@Matt, I actually am getting the 12263 error in Firefox.
@gregg, I do not have the ports.conf file. I am on Solaris 9 and it looks like there is no such file.
Here is my httpd.conf file:
http://pastebin.com/f7ade1930
On the line 461, I include this vhost file:
http://pastebin.com/f5e50538e
And on line 480, I include this ssl file:
http://pastebin.com/f30bfba70
Thanks for your help,
Tex
When I try to connect via the command line with openssl, I got the following error:
~ $ openssl s_client -connect 192.168.0.48:443
CONNECTED(00000003)
4796:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:567:
Hi Tex,
Telnet to that host: telnet 192.168.0.48 443
If you get “Escape character is ‘^]’.” it’s running fine; if not, then port 443 is not active.
Just as a test try port 444 and you should get an error..
For the virtualhost directive, *443 – not sure about this, I have it set per IP:
( VirtualHost 2.2.2.3:443 )
and it’s working great
Not sure what’s up with pastebin – files are not loading…
Ta, worked for me after reading the comments. I wanted the same domain to work using either http or https. I’d left the http (port 80) virtual host using the https (port 443) IP address.. which obviously wouldn’t work!
I ran into this problem with ssl enabled on apache 2, I just hadn’t symlinked in my vhost config to the sites-available dir.
So, Apache was told to listen on 443, however had no config to tell it to do the SSL protocol, confusing IE.
IE’s error pages are never helpful, at least FF gives you an explanation of the problem!
Hello:
This site has a solution for Debian:
http://www.ianmiller.net/article.php?id=13
I solved it by using
NameVirtualHost *:443
and
in the SSL configuration.