Netgate Discussion Forum
ERR_SSL_PROTOCOL_ERROR on a hosted website behind pfsense

General pfSense Questions
8 Posts 3 Posters 4.6k Views

Daeta, last edited Jul 19, 2016, 10:34 PM

Hi All-
I am trying to do the following and I am being met with increasing difficulty.
1.  Purchased UCC SSL Certificate for 4 domain names.
     a.  redmine.domain.net
     b.  mine.domain.net
     c.  domain.net
     d.  devmine.domain.net
My Redmine server is hosted behind our pfSense w/ NGINX.
My mine server is a website hosted in Apache2.
My website is a WordPress site hosted on HostGator.
I've done all my work starting from my Redmine server. Last week I created the certificate from GoDaddy using a CSR generated with openssl and I applied it to my server and all was well.
I then went to my Apache2 web server and tried to import the certificate. Well, that failed…. :(
NOW, though... My Redmine server; I am getting an "ERR_SSL_PROTOCOL_ERROR"... when trying to access my website from a machine other than the server.
Upon further research I find that my pfSense is in the middle somehow. Not sure why. I didn't specifically ask it to interfere with SSL requests.

Here's what I get when running

    openssl s_client -connect redmine.domain.net:443

    CONNECTED(00000003)
    depth=0 C = US, ST = State, L = Locality, O = pfSense webConfigurator Self-Signed Certificate, emailAddress = admin@pfSense.localdomain, CN = pfSense-5734f1f09387a
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 C = US, ST = State, L = Locality, O = pfSense webConfigurator Self-Signed Certificate, emailAddress = admin@pfSense.localdomain, CN = pfSense-5734f1f09387a
    verify error:num=21:unable to verify the first certificate
    verify return:1

    Certificate chain
    0 s:/C=US/ST=State/L=Locality/O=pfSense webConfigurator Self-Signed Certificate/emailAddress=admin@pfSense.localdomain/CN=pfSense-5734f1f09387a
      i:/C=US/ST=State/L=Locality/O=pfSense webConfigurator Self-Signed Certificate/emailAddress=admin@pfSense.localdomain/CN=pfSense-5734f1f09387a

So, I then went and deleted the webConfigurator SSL CA and SSL certificate and I am now met with the same issue but with a slightly different response.

When running the same command on the server it just hangs……. :(
When I run the command from a different machine I get the following.

    CONNECTED(00000003)
    140484013135736:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:

    no peer certificate available

    No client certificate CA names sent

    SSL handshake has read 7 bytes and written 201 bytes

    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : 0000
        Session-ID:
        Session-ID-ctx:
        Master-Key:
        Key-Arg  : None
        Krb5 Principal: None
        PSK identity: None
        PSK identity hint: None
        Start Time: 1468967198
        Timeout  : 300 (sec)
        Verify return code: 0 (ok)

I'm at my wits' end… Am I missing something simple? Any assistance would be greatly appreciated.

Cheers!

Soyokaze, last edited Jul 19, 2016, 10:43 PM

    So, I then went and deleted the webConfigurator SSL CA and SSL certificate

Bad, bad idea…

Move the pfSense WebGUI to some other port > 1024, make sure you can still access it;
Disable the automatic web redirect rule in System -> Advanced;
Troubleshoot your port forward for your web server in the local network.

Daeta, last edited Jul 20, 2016, 12:09 AM

@pan_2:

    So, I then went and deleted the webConfigurator SSL CA and SSL certificate

    Bad, bad idea…

    Move the pfSense WebGUI to some other port > 1024, make sure you can still access it;
    Disable the automatic web redirect rule in System -> Advanced;
    Troubleshoot your port forward for your web server in the local network.

Totally deleted it just for testing purposes… And I also disabled the automatic web redirect long, long ago. I changed the port as well just now and I am still getting the same issues as before. The biggest question I have is why is the pfSense even trying to get involved with the SSL certificate for my server behind it???

cmb, last edited Jul 20, 2016, 12:18 AM

Probably because you're testing from LAN, not WAN, and don't have reflection enabled.

Daeta, last edited Jul 20, 2016, 12:46 AM

@cmb:

    Probably because you're testing from LAN, not WAN, and don't have reflection enabled.

Sadly, that's not the case. I am connected to the network via a Site-to-Site VPN. But a ping test shows I am routing outside of the VPN tunnel to get to the server in question.

cmb, last edited Jul 20, 2016, 12:47 AM

In that case, because you don't have a matching port forward.

Daeta, last edited Jul 20, 2016, 1:02 AM

@cmb:

    In that case, because you don't have a matching port forward.

Well, now I feel stupid…........... Upon checking, everything about the rule was correct but one thing: the internal IP address of said server was incorrect. It was close.... But close doesn't count in IP redirection, as I learned years ago...

Thanks to all for pointing me down the right track...

Cheers!

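The thread shows three different `openssl s_client` outcomes for the same name, and each one points at a different place in the path: the firewall's own webConfigurator certificate (the request never reached the inside host), "unknown protocol" after 7 bytes (something answered, but not with TLS), and a hang (nothing answered, which turned out to be a port forward aimed at the wrong internal address). The script below is an added example, not code from the thread or from pfSense: it builds the probe command with SNI and classifies a transcript into those states. The transcripts, host names and the "Example CA" issuer in it are constructed to match the shapes seen above, not captured output.

```python
"""Triage of `openssl s_client` transcripts for a site published through a firewall.

Added example, not code from the forum thread or from pfSense. It classifies the
outcomes the thread shows (firewall GUI certificate, non-TLS answer, no answer)
plus the healthy and wrong-vhost cases, from the text s_client prints.
All sample transcripts are constructed, trimmed to the shapes seen in the thread.
"""
import re

# What a practitioner should check next for each state.
HINTS = {
    "firewall-gui": ("The firewall's webConfigurator answered, so the packets never reached "
                     "the inside host: check the port forward (interface, destination port, "
                     "target IP) and, when testing from inside, NAT reflection."),
    "not-tls": ("Something answered but sent no TLS ServerHello: the forward probably lands "
                "on a host or port that is not serving TLS."),
    "no-answer": ("No TLS handshake at all (refused, filtered or hung): the forward target "
                  "address or port is wrong, or a rule drops the traffic."),
    "wrong-name": ("A TLS server answered but its certificate is not for the requested name; "
                   "the forward reaches a host, just not the intended vhost."),
    "ok": "The leaf certificate matches the name; any remaining error is trust, not routing.",
}

def s_client_cmd(host, port=443):
    """Command to probe one name. -servername sends SNI, which matters once one
    address serves several names that present different certificates."""
    return ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host]

def leaf_subject(transcript):
    """Subject of chain entry 0 (the leaf), or None when no certificate was printed."""
    m = re.search(r"^\s*0 s:(.*)$", transcript, re.MULTILINE)
    return m.group(1).strip() if m else None

def subject_cn(subject):
    """Pull the CN out of either the '/C=US/.../CN=x' or 'C = US, ..., CN = x' form."""
    m = re.search(r"CN\s*=\s*([^/,\n]+)", subject)
    return m.group(1).strip() if m else ""

def triage(expected_host, transcript):
    """Classify one transcript; returns (state, hint)."""
    if "CONNECTED(" not in transcript:
        return "no-answer", HINTS["no-answer"]
    # Older OpenSSL reports "unknown protocol", newer builds "wrong version number".
    if re.search(r"unknown protocol|wrong version number", transcript):
        return "not-tls", HINTS["not-tls"]
    subject = leaf_subject(transcript)
    if subject is None:
        return "no-answer", HINTS["no-answer"]
    if "pfSense webConfigurator" in subject:
        return "firewall-gui", HINTS["firewall-gui"]
    if subject_cn(subject).lower() != expected_host.lower():
        return "wrong-name", HINTS["wrong-name"]
    return "ok", HINTS["ok"]

# Constructed transcripts (not the thread's verbatim output), one per outcome.
SAMPLE_FIREWALL_GUI = """CONNECTED(00000003)
depth=0 C = US, ST = State, L = Locality, O = pfSense webConfigurator Self-Signed Certificate, emailAddress = admin@pfSense.localdomain, CN = pfSense-5734f1f09387a
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=State/L=Locality/O=pfSense webConfigurator Self-Signed Certificate/emailAddress=admin@pfSense.localdomain/CN=pfSense-5734f1f09387a
   i:/C=US/ST=State/L=Locality/O=pfSense webConfigurator Self-Signed Certificate/emailAddress=admin@pfSense.localdomain/CN=pfSense-5734f1f09387a
"""
SAMPLE_NOT_TLS = """CONNECTED(00000003)
140484013135736:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:
---
no peer certificate available
---
SSL handshake has read 7 bytes and written 201 bytes
"""
SAMPLE_OK = """CONNECTED(00000003)
depth=0 CN = redmine.domain.net
verify return:1
---
Certificate chain
 0 s:/CN=redmine.domain.net
   i:/O=Example CA/CN=Example Issuing CA
"""
SAMPLE_WRONG_NAME = SAMPLE_OK.replace("redmine.domain.net", "mine.domain.net")
SAMPLE_NO_ANSWER = ""  # a hung or refused connect prints nothing usable

if __name__ == "__main__":
    print(" ".join(s_client_cmd("redmine.domain.net")))
    for name, text in [("firewall-gui", SAMPLE_FIREWALL_GUI), ("not-tls", SAMPLE_NOT_TLS),
                       ("no-answer", SAMPLE_NO_ANSWER), ("wrong-name", SAMPLE_WRONG_NAME),
                       ("ok", SAMPLE_OK)]:
        state, hint = triage("redmine.domain.net", text)
        print(f"{name:>13}: {state:<13} {hint}")
```

Two caveats when using this against a real host. A UCC certificate carries its extra names as Subject Alternative Names, which the `s:` subject line does not show, so a "wrong-name" verdict on a multi-name certificate should be confirmed by feeding the PEM that `s_client` prints to `openssl x509 -noout -text` and reading the Subject Alternative Name extension. And seeing the pfSense webConfigurator certificate is only a fault when it appears on the port you forwarded; on the GUI's own port it is the expected answer, which is why moving the GUI off 443 (as suggested earlier in the thread) makes the two cases impossible to confuse.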
Soyokaze, last edited Jul 20, 2016, 11:26 PM

Well, have you seen the user manual for consumer devices, like TVs or microwaves, where you have "Device doesn't work - Plug power cord into wall outlet" in the Troubleshooting section?
:D

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.