ERR_SSL_PROTOCOL_ERROR on a hosted website behind pfsense



  • Hi All-
    I am trying to do the following and I am being met with increasing difficulty.  
    1.  Purchased UCC SSL Certificate for 4 domain names. 
         a.  redmine.domain.net
         b.  mine.domain.net
         c.  domain.net
         d.  devmine.domain.net
    My Redmine server is hosted behind our pfSense w/ NGINX.
    My mine server is a website hosted in Apache2
    My website is a Wordpress site hosted on Hostgator.
    I've done all my work starting from my Redmine server.  Last week I created the certificate from GoDaddy using a CSR generated with openssl and I applied it to my server and all was well.
    I then went to my Apache2 web server and tried to import the certificate.  Well that failed….  :(
    NOW, though... on my Redmine server I am getting an "ERR_SSL_PROTOCOL_ERROR" when trying to access my website from a machine other than the server.
    Upon further research I find that my pfSense is somehow in the middle.  Not sure why.  I didn't specifically ask it to interfere with SSL requests.

    Here’s what I get when running

    openssl s_client -connect redmine.domain.net:443

    CONNECTED(00000003)
    depth=0 C = US, ST = State, L = Locality, O = pfSense webConfigurator Self-Signed Certificate, emailAddress = admin@pfSense.localdomain, CN = pfSense-5734f1f09387a
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 C = US, ST = State, L = Locality, O = pfSense webConfigurator Self-Signed Certificate, emailAddress = admin@pfSense.localdomain, CN = pfSense-5734f1f09387a
    verify error:num=21:unable to verify the first certificate
    verify return:1

    Certificate chain
    0 s:/C=US/ST=State/L=Locality/O=pfSense webConfigurator Self-Signed Certificate/emailAddress=admin@pfSense.localdomain/CN=pfSense-5734f1f09387a
      i:/C=US/ST=State/L=Locality/O=pfSense webConfigurator Self-Signed Certificate/emailAddress=admin@pfSense.localdomain/CN=pfSense-5734f1f09387a

    So, I then went and deleted the webConfigurator SSL CA and SSL certificate and I am now met with the same issue but with a slightly different response.

    When running the same command on the server it just hangs…….  :(
    When I run the command from a different machine I get the following.

    CONNECTED(00000003)
    140484013135736:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:

    no peer certificate available

    No client certificate CA names sent

    SSL handshake has read 7 bytes and written 201 bytes

    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : 0000
        Session-ID:
        Session-ID-ctx:
        Master-Key:
        Key-Arg  : None
        Krb5 Principal: None
        PSK identity: None
        PSK identity hint: None
        Start Time: 1468967198
        Timeout  : 300 (sec)
        Verify return code: 0 (ok)

    I’m at my wits end…  Am I missing something simple? Any assistance would be greatly appreciated.

    Cheers!
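
    Added example, not from the original post, from pfSense or from the thread's participants: a small POSIX shell helper that reads the output of `openssl s_client` and tells the situations captured above apart. The first capture (the firewall's own webConfigurator certificate answering) and the second (a TCP connection that opened but whose 7-byte reply was not a TLS ServerHello, the "unknown protocol" error) are embedded, abbreviated, as constructed samples; the "good" sample, its placeholder issuer name, and the function names `tls_diagnose` and `tls_probe` are invented for illustration.

```shell
#!/bin/sh
# Hypothetical helper, not from the thread or from pfSense: classify the text
# that `openssl s_client -connect host:port` prints so the states seen in the
# thread can be told apart by a script instead of by eye.
#
# tls_diagnose EXPECTED_CN   reads s_client output on stdin, prints one word:
#   no-tls-listener  the TCP connection opened but whatever answered did not
#                    speak TLS ("SSL23_GET_SERVER_HELLO:unknown protocol" on
#                    old OpenSSL, "wrong version number" on 1.1+), or nothing
#                    answered at all (connect error)
#   pfsense-webgui   the firewall's own webConfigurator certificate answered,
#                    i.e. the connection terminated on pfSense, not behind it
#   self-signed      some other certificate that issued itself
#   cert-mismatch    a CA-issued certificate, but its CN is not EXPECTED_CN
#   cert-ok          the certificate CN matches EXPECTED_CN
tls_diagnose() {
    expected="$1"
    out="$(cat)"

    if printf '%s\n' "$out" | grep -qE 'unknown protocol|wrong version number|connect:errno|Connection refused'; then
        echo no-tls-listener
        return 0
    fi

    # Leaf certificate subject/issuer from the "Certificate chain" block.
    # Handles both the old "/C=US/CN=x" and the newer "C = US, CN = x" layout.
    subject="$(printf '%s\n' "$out" | sed -n '/^[[:space:]]*0 s:/{s/^[[:space:]]*0 s://;p;q;}')"
    issuer="$(printf '%s\n' "$out" | sed -n '/^[[:space:]]*i:/{s/^[[:space:]]*i://;p;q;}')"
    if [ -z "$subject" ]; then
        echo no-tls-listener   # handshake ended before any certificate arrived
        return 0
    fi

    case "$subject" in
        *'pfSense webConfigurator'*) echo pfsense-webgui; return 0 ;;
    esac
    if [ "$subject" = "$issuer" ]; then
        echo self-signed
        return 0
    fi

    # Pull the CN out of the subject and compare case-insensitively.
    cn="$(printf '%s\n' "$subject" | sed -E 's|.*CN ?= ?||; s|[,/].*||' | tr 'A-Z' 'a-z')"
    if [ "$cn" = "$(printf '%s' "$expected" | tr 'A-Z' 'a-z')" ]; then
        echo cert-ok
    else
        echo cert-mismatch
    fi
}

# Live probe (needs a reachable host, so not exercised here). -servername sends
# SNI so a name-based vhost serves the right certificate; </dev/null closes
# stdin so s_client exits after the handshake instead of waiting for input.
tls_probe() {
    host="$1"; port="${2:-443}"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>&1 \
        | tls_diagnose "$host"
}

# Constructed samples: the first two are abbreviated from the captures quoted
# in the thread, the third is an invented healthy answer with a placeholder CA.
SAMPLE_PFSENSE='CONNECTED(00000003)
depth=0 C = US, ST = State, L = Locality, O = pfSense webConfigurator Self-Signed Certificate, emailAddress = admin@pfSense.localdomain, CN = pfSense-5734f1f09387a
verify error:num=21:unable to verify the first certificate
---
Certificate chain
 0 s:/C=US/ST=State/L=Locality/O=pfSense webConfigurator Self-Signed Certificate/emailAddress=admin@pfSense.localdomain/CN=pfSense-5734f1f09387a
   i:/C=US/ST=State/L=Locality/O=pfSense webConfigurator Self-Signed Certificate/emailAddress=admin@pfSense.localdomain/CN=pfSense-5734f1f09387a'
SAMPLE_NO_TLS='CONNECTED(00000003)
140484013135736:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:
---
no peer certificate available
---
SSL handshake has read 7 bytes and written 201 bytes'
SAMPLE_GOOD='CONNECTED(00000003)
depth=0 OU = Domain Control Validated, CN = redmine.domain.net
verify return:1
---
Certificate chain
 0 s:OU = Domain Control Validated, CN = redmine.domain.net
   i:C = US, O = Example CA, CN = Example Issuing CA'

# Classify the three samples: pfsense-webgui, no-tls-listener, cert-ok.
for s in "$SAMPLE_PFSENSE" "$SAMPLE_NO_TLS" "$SAMPLE_GOOD"; do
    printf '%s\n' "$s" | tls_diagnose redmine.domain.net
done
```

    Run `tls_probe redmine.domain.net` once from a host outside the firewall and once from the LAN: a `pfsense-webgui` or `no-tls-listener` answer from only one side points at the firewall (NAT reflection, or the port forward and its target address) rather than at the web server, which is where this thread ends up. A UCC certificate carries its extra names as subjectAltName entries that the chain summary does not show; to check those, add `-showcerts` and feed the first certificate to `openssl x509 -noout -text`, then look at the "Subject Alternative Name" line.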



  • So, I then went and deleted the Webconfigurator SSL CA and SSL certificate

    Bad, bad idea…

    Move pfsense WebGUI to some other port > 1024, make sure you can still access it;
    Disable automatic web redirect rule in System -> Advanced;
    Troubleshoot your Port forward for your web server in local network.



  • @pan_2:

    So, I then went and deleted the Webconfigurator SSL CA and SSL certificate

    Bad, bad idea…

    Move pfsense WebGUI to some other port > 1024, make sure you can still access it;
    Disable automatic web redirect rule in System -> Advanced;
    Troubleshoot your Port forward for your web server in local network.

    Totally deleted it just for testing purposes…  And I also disabled the automatic web redirect long, long ago.  I changed the port as well just now and I am still getting the same issues as before.  The biggest question I have is why is the pfSense even trying to get involved with the SSL certificate for my server behind it???



  • Probably because you're testing from LAN, not WAN, and don't have reflection enabled.



  • @cmb:

    Probably because you're testing from LAN, not WAN, and don't have reflection enabled.

    Sadly, that's not the case.  I am connected to the network via a Site-to-Site VPN.  But ping test shows I am routing outside of the VPN tunnel to get to the server in question.



  • In that case, because you don't have a matching port forward.



  • @cmb:

    In that case, because you don't have a matching port forward.

    Well, now I feel stupid…  Upon checking, everything about the rule was correct but one thing: the internal IP address of said server was incorrect.  It was close...  But close doesn't count in IP redirection, as I learned years ago...

    Thanks to all for pointing me down the right track...

    Cheers!



  • Well, have you seen the user manuals for consumer devices, like TVs or microwaves, where the Troubleshooting section says "Device doesn't work - plug power cord into wall outlet"?
    :D