Mobile letsencrypt problem > ERR_SSL_PROTOCOL_ERROR


#1

I have a very strange issue with several sites hosted on one of my servers. They are WordPress sites created with easyengine and using letsencrypt (--wpredis --php7 --le).

On desktop everything is working normally, but since the last letsencrypt renewal, I think, on mobile they (all of them) get a:

The site can't provide a secure connection. ERR_SSL_PROTOCOL_ERROR

Even more strange, on my phone they work on WiFi but not on 4G. I tested them on ssllabs and they get a B grade and a "Warning: Inconsistent server configuration".

But sslshopper tells me everything is ok.

Any ideas?


#2

What are the inconsistencies detected by SSLLabs?

It is very, very hard to guess something without a minimum of concrete information.


#3

There isn't much information on SSLLabs; here are the results for one of my sites: https://www.ssllabs.com/ssltest/analyze.html?d=france-bioimaging.org&latest


#4

Let's Encrypt certs are not accepted by old mobile browsers, and they're also not accepted by Windows XP.

Is that your issue?


#5

Thanks @portofacil, but I have the latest version of Chrome and Safari on my phone and it works on both when I'm on WiFi. I only get the error when I'm on a 3G or 4G network, on both browsers.

I didn't think it was possible to have a problem that depends on the connection of my phone :confused:

Any idea?


#6

Hard to guess.

Perhaps your operator is using some kind of proxy messing with the certificates.

Do you get the same misbehavior when you access my site (https://www.portofacil.net) using your 3G? It is not EE, but it is Let’s Encrypt.


#7

It's not the operator. I have some feedback from different countries, and it doesn't depend on the operator. Your site is working fine for me under the same conditions.


#8

Everything seems to be fine. Were you able to solve the issue? If not, can you try with these settings?

    # openssl dhparam -out dhparam.pem 2048
    ssl_dhparam /etc/nginx/dhparam.pem;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security max-age=15768000;

#9

I solved the issue by removing the AAAA record for all my sites. It seems that IPv6 + SSL wasn't well configured, and I suppose that mobile over 3G/4G uses IPv6 instead of IPv4, I don't know exactly.

Anyway, removing the AAAA record solved the problem, even if it is not an optimal solution.

I also improved my SSL grade from B to A by following this > https://easyengine.io/tutorials/nginx/diffie-hellman-logjam-attack-fix/ which is similar to what you propose, thanks!


#10

Are you guys using IPv6 + Letsencrypt successfully? If yes, is there something I need to know to correctly configure my server?


#11

I’m not using IPv6 at all.


#12

It's a little late, but I had the same problem. For me it was because 1&1 had randomly system-assigned IPv6 addresses to all my domains, even when the A record pointed outside their network. This meant anything attempting IPv6 would now try, because there was an IPv6 address. My NGINX config was not set up for this and failed. I had to remove the IPv6 addresses in my control panel for 1&1.
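The failure pattern described in #9 and #12 (an AAAA record published for a host whose TLS listener only answers over IPv4) is easy to confirm from a client that can reach both address families. The following script is an added example, not code from the thread or from EasyEngine: it resolves every A and AAAA answer for a hostname, attempts a TLS handshake with SNI against each concrete address, and reduces the outcomes to a per-family verdict, so "works on WiFi, fails on 4G" becomes "all AAAA addresses refuse the handshake". The hostname is taken from the command line; the `addresses` and `probe` parameters exist so the logic can be exercised without network access and are assumptions of this example.

```python
"""Per-address-family TLS probe (added example, not from the original thread).

Resolves both A and AAAA records for a host and attempts a TLS handshake with
SNI against every address, so a missing or misconfigured IPv6 listener shows up
as a per-family failure rather than an intermittent client-side error.
"""
import socket
import ssl
from typing import Callable, Dict, List, Optional, Tuple

# Map socket address families to the DNS record type that produced them.
FAMILY_LABEL = {socket.AF_INET: "A", socket.AF_INET6: "AAAA"}


def resolve(host: str, port: int = 443) -> List[Tuple[str, str]]:
    """Return (record_type, ip) pairs for every A and AAAA answer for host."""
    found: List[Tuple[str, str]] = []
    for family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(
        host, port, type=socket.SOCK_STREAM
    ):
        label = FAMILY_LABEL.get(family)
        if label and (label, sockaddr[0]) not in found:
            found.append((label, sockaddr[0]))
    return found


def tls_probe(host: str, ip: str, port: int = 443, timeout: float = 5.0) -> Tuple[bool, str]:
    """Connect to one concrete address and complete a TLS handshake with SNI=host.

    Returns (ok, detail): detail is the negotiated protocol and cipher on
    success, or the exception that ended the attempt (e.g. ConnectionRefusedError
    when nothing listens on [::]:443, or an SSLError when the wrong vhost answers).
    """
    family = socket.AF_INET6 if ":" in ip else socket.AF_INET
    ctx = ssl.create_default_context()  # verifies the chain against the system store
    try:
        with socket.socket(family, socket.SOCK_STREAM) as raw:
            raw.settimeout(timeout)
            raw.connect((ip, port))
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, f"{tls.version()} {tls.cipher()[0]}"
    except (OSError, ssl.SSLError) as exc:
        return False, f"{type(exc).__name__}: {exc}"


def classify(results: Dict[Tuple[str, str], bool]) -> str:
    """Collapse per-address outcomes into one verdict.

    'consistent'  - every resolved address completed the handshake (or none resolved)
    'ipv6-broken' - every AAAA address failed while the A addresses all worked
    'ipv4-broken' - the mirror image
    'all-broken'  - nothing answered
    'mixed'       - failures that do not line up with an address family
    """
    by_family: Dict[str, List[bool]] = {}
    for (label, _ip), ok in results.items():
        by_family.setdefault(label, []).append(ok)
    ok_families = {f for f, oks in by_family.items() if all(oks)}
    bad_families = {f for f, oks in by_family.items() if not any(oks)}
    if bad_families == set(by_family):
        return "all-broken" if by_family else "consistent"
    if ok_families == set(by_family):
        return "consistent"
    if bad_families == {"AAAA"} and "A" in ok_families:
        return "ipv6-broken"
    if bad_families == {"A"} and "AAAA" in ok_families:
        return "ipv4-broken"
    return "mixed"


def audit(
    host: str,
    port: int = 443,
    addresses: Optional[List[Tuple[str, str]]] = None,   # injectable for offline runs
    probe: Optional[Callable[[str, str, int], Tuple[bool, str]]] = None,
) -> Tuple[str, Dict[Tuple[str, str], str]]:
    """Resolve host (unless addresses is given), probe each address, and return
    (verdict, per-address detail)."""
    probe = probe or tls_probe
    targets = addresses if addresses is not None else resolve(host, port)
    outcomes: Dict[Tuple[str, str], bool] = {}
    details: Dict[Tuple[str, str], str] = {}
    for label, ip in targets:
        ok, detail = probe(host, ip, port)
        outcomes[(label, ip)] = ok
        details[(label, ip)] = detail
    return classify(outcomes), details


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:
        sys.exit("usage: tls_family_probe.py HOSTNAME")
    verdict, details = audit(sys.argv[1])
    for (label, ip), detail in details.items():
        print(f"{label:4} {ip:40} {detail}")
    print("verdict:", verdict)
```

Run it from a machine with working IPv6 connectivity (a client that has no IPv6 route will report ipv6-broken for every host, which says nothing about the server). A verdict of "ipv6-broken" with `ConnectionRefusedError` on the AAAA line matches the symptom in this thread: the record exists, but no listener answers on it, so dual-stack clients (including many mobile networks) fail while IPv4-only clients succeed.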


#13

To use IPv6, it only requires adding the directive listen [::]:80; in your http vhosts and listen [::]:443 ssl http2; in your https vhosts.
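Putting #8 and #13 together, a dual-stack vhost pair looks like the following. This is an added example, not a configuration from the thread or from EasyEngine; the hostnames and certificate paths are placeholders, and the TLS directives are the ones a current nginx would use (TLS 1.2 and 1.3 rather than the TLS 1.0/1.1 list in #8).

```nginx
# Added dual-stack example (not the thread's own config). The point is that
# every listen directive has an IPv6 twin: once an AAAA record is published,
# dual-stack clients will try this address first, and a vhost that only
# listens on IPv4 produces exactly the ERR_SSL_PROTOCOL_ERROR seen above.

server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;      # placeholder names
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com www.example.com;      # placeholder names

    # Placeholder paths; use the ones your ACME client wrote.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Same parameters on both families, so SSL Labs sees one consistent server.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparam.pem;           # openssl dhparam -out dhparam.pem 2048
    add_header Strict-Transport-Security max-age=15768000;

    root /var/www/example.com/htdocs;             # placeholder docroot
    index index.php index.html;
}
```

After reloading nginx, check each family separately from an outside host, for example `curl -4 -vI https://example.com/` and `curl -6 -vI https://example.com/`: both should complete the handshake and return the same certificate. If the `-6` run is refused or times out while `-4` succeeds, the listener or the firewall rule for port 443 over IPv6 is still missing, and the AAAA record is advertising a service that is not there.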


#14

I have the same issue with my 4G network: it is not providing a secure connection (ERR_SSL_PROTOCOL_ERROR). You can try to reboot your network equipment or try to disable Chrome QUIC.