chkMK with HTTPS = ERR_SSL_PROTOCOL_ERROR

CMK version:
2.1.0p6_0

OS version:
Debian Bullseye (11)

Error message:
ERR_SSL_PROTOCOL_ERROR

Output of “cmk --debug -vvn hostname”: (If it is a problem with checks or plugins)
Doesn’t work for me… Bash tells me: “command not found” :roll_eyes:

Hello Community,

I want to secure my chkmk login. I went straight to: chkmk https manual

*Yes, I imported my .CER file… without errors

And after the HTTPS setup from the ChkMK manual, my web GUI is gone…

I do this:

And get the Answer:

    user@chkmk:~$ curl -v -I https://IP_CHKMK/MYSIDE/check_mk/login.py
    *   Trying IP_CHKMK:443…
    * Connected to IP_CHKMK (IP_CHKMK) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    *  CAfile: /etc/ssl/certs/ca-certificates.crt
    *  CApath: /etc/ssl/certs
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    * error:1408F10B:SSL routines:ssl3_get_record:wrong version number
    * Closing connection 0
    curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

In my opinion, the file is still missing: *.key ??
Or what am I missing? What am I doing wrong?

Did you do a “su - SITENAME” ??
I get a “command not found” when I am not switched to a site…

Apache itself is completely happy with the config and cert + key files?
If you restart apache with “systemctl restart apache” and check “systemctl status apache” do you see anything out of the normal?

what do you mean with:
“In my opinion, the file is still missing: *.key ??”
why do you think that?

Try to open the main web server homepage in a browser with https.
If that is working, you can switch CMK to https.
And yes, you will need cert and key for the Apache.

Thanks for the fast reply.
What do you mean with: su - SITENAME ? (I have done all commands with SUDO :slight_smile: )
Hint: chkMK is the “one and only” Service of this Apache2 Setup

By the way, I’m new to chkMK

The SSL Labs docs say:

  1. SSLCertificateFile pointed to the location of the Certificate issued for your domain name
  2. SSLCertificateKeyFile pointed to the location of your Private Key on the server.

Hence my question: could it be that it is different here?

For the " cmk --debug -vvn hostname" command, you have to be the site-user.
That is done with su - YOURSITENAME

Yup! I need a *.key file…
Thanks, I will generate it, “do it again”, and report back here

Securing the web interface with HTTPS
Point 1 -3 * The server is reachable under HTTPS. :wink:

or, a “new” error msg :frowning:

After doing points 1-3, I use the curl command… with HTTPS =>

curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

Then I read an article about my error msg on stackoverflow (1). My vhost file looks like:
<VirtualHost *:80 *:443>

I do the same curl command for chkmk without HTTPS (HTTP only), and I see:

    HTTP/1.1 302 Found
    Date: Wed, 07 Sep 2022 12:29:47 GMT
    Server: Apache/2.4.54 (Debian)
    Strict-Transport-Security: max-age=3153600
    Location: https://MY_CHKMKIP/MYSITE/check_mk/login.py
    Content-Type: text/html; charset=iso-8859-1

Sadly, no browser will show me the chkmk login page
Firefox: SSL_ERROR_RX_RECORD_TOO_LONG
Brave (Chrome clone): ERR_SSL_PROTOCOL_ERROR

(1)
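Added example (not part of any post in this thread, and not from the Checkmk manual): a TLS client that receives a plain-HTTP answer on port 443 reads the first five bytes as a TLS record header, which yields the bogus version and oversized length behind "wrong version number" and SSL_ERROR_RX_RECORD_TOO_LONG. The function name and both sample replies are constructed for illustration.

```python
import struct

# TLS record content types (RFC 8446, section 5.1)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
# Largest record length a TLS 1.2 peer may send: 2^14 + 2048 (RFC 5246)
MAX_RECORD_LEN = 2**14 + 2048


def read_as_tls_record(reply: bytes) -> dict:
    """Parse the first 5 bytes of a server reply the way a TLS client does."""
    if len(reply) < 5:
        raise ValueError("need at least the 5-byte record header")
    # Header layout: content type (1), version major/minor (2), length (2)
    ctype, major, minor, length = struct.unpack("!BBBH", reply[:5])
    problems = []
    if ctype not in CONTENT_TYPES:
        problems.append("unknown content type")
    if major != 3:  # every SSL 3.0 / TLS 1.x record carries major version 3
        problems.append("wrong version number")
    if length > MAX_RECORD_LEN:
        problems.append("record too long")
    return {
        "content_type": CONTENT_TYPES.get(ctype, hex(ctype)),
        "version": (major, minor),
        "length": length,
        "plain_http": reply.startswith(b"HTTP/"),
        "problems": problems,
    }


# Constructed sample replies, not captured from the poster's server.
# What a web server listening on 443 without TLS sends back to a ClientHello:
PLAIN_HTTP_REPLY = b"HTTP/1.1 400 Bad Request\r\nServer: Apache\r\n\r\n"
# Header of a genuine handshake record (TLS 1.2 record version, 122-byte body):
TLS_HANDSHAKE_REPLY = bytes.fromhex("160303007a") + b"\x02" * 122

if __name__ == "__main__":
    for name, reply in (("plain HTTP on 443", PLAIN_HTTP_REPLY),
                        ("TLS handshake record", TLS_HANDSHAKE_REPLY)):
        print(name, read_as_tls_record(reply))
```

The bytes `HTTP/` decode as content type 0x48, version 0x54.0x54 and length 0x502f, so the parser flags every header field of the plain-HTTP reply.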

Hmmm…
I had a look at my two sites (Apache not CMK !!! :wink: )
000-default.conf → <VirtualHost *:80>
default-ssl.conf -> <VirtualHost _default_:443>

In mods-enabled/ssl.conf is this:

        #   The protocols to enable.
        #   Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
        #   SSL v2  is no longer supported
        SSLProtocol all -SSLv3

SSLv3 is excluded…

Did you enable port 443 in Apache ports.conf?!

If you are speaking German you might rather look at this article. We are still discussing some aspects of this article until it gets translated and moved to the 2.1.0 manual.

Moinsen :wink:

German is not a problem for me…

I have started to build according to these instructions, we have an “internal CA”.

We have “in-house”: *.cer and *.crt, so I can skip some of it and “pick” the rest together

The first thing I notice is that when I run: “openssl req” I get an error message. “req” (really? REQ)

Invalid command ‘reg’; type “help” for a list.

What package am I missing, so I can have “req” in Debian Bullseye?

req as in request, not reg (as in register or something)

How can I “tag” this thread as “Solved”?!