Hi all,
I’m kinda at a loss with this problem, and found a similar problem on the forum, however that turned out to be a typo, and I’ve checked it with my setup and things seem to be all right;
Situation:
I have a webshop running on Vultr with the Origin Certificates (Authenticated Origin Pulls: ON) from CF installed. Running Apache2 with PHP 7.2(-fpm), MariaDB and for the shop PrestaShop. I started with Let’s Encrypt but because I want to use CF I decided to use the CF certificates instead.
I’ve got an advanced cert on the edge with settings:
Always Use HTTPS: ON
HTTP Strict Transport Security (HSTS): DISABLED
Minimum TLS Version: TLS1.2
Opportunistic Encryption: ON
TLS 1.3: ON
Automatic HTTPS Rewrites: ON
Certificate Transparency Monitoring: ON
Disable Universal SSL: DISABLED
So the problem:
When I have the mode set to Flexible everything works. However once I go to Full or Full (strict) the site does not work on my iPhone anymore. I’ve checked in Chrome and it gives an “ERR_FAILED” message.
Once I go back to Flexible the site starts working straight away again.
I’ve tried:
- Turning H2 off on Apache, no luck.
- CURL-ing:
sudo curl -v --http2 https://blackcoffeeandsupplies.shop
*   Trying 172.67.207.170...
* TCP_NODELAY set
* Connected to blackcoffeeandsupplies.shop (172.67.207.170) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=CA; L=San Francisco; O=Cloudflare, Inc.; CN=blackcoffeeandsupplies.shop
*  start date: Jun 19 00:00:00 2020 GMT
*  expire date: Jul 19 12:00:00 2020 GMT
*  subjectAltName: host "blackcoffeeandsupplies.shop" matched cert's "blackcoffeeandsupplies.shop"
*  issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0xa0b010)
> GET / HTTP/2
> Host: blackcoffeeandsupplies.shop
> User-Agent: curl/7.63.0
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
* HTTP/2 stream 0 was not closed cleanly: PROTOCOL_ERROR (err 1)
* stopped the pause stream!
* Connection #0 to host blackcoffeeandsupplies.shop left intact
curl: (92) HTTP/2 stream 0 was not closed cleanly: PROTOCOL_ERROR (err 1)
and one on Flexible:
sudo curl -v --http2 https://blackcoffeeandsupplies.shop
*   Trying 172.67.207.170...
* TCP_NODELAY set
* Connected to blackcoffeeandsupplies.shop (172.67.207.170) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=CA; L=San Francisco; O=Cloudflare, Inc.; CN=blackcoffeeandsupplies.shop
*  start date: Jun 19 00:00:00 2020 GMT
*  expire date: Jul 19 12:00:00 2020 GMT
*  subjectAltName: host "blackcoffeeandsupplies.shop" matched cert's "blackcoffeeandsupplies.shop"
*  issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x1538010)
> GET / HTTP/2
> Host: blackcoffeeandsupplies.shop
> User-Agent: curl/7.63.0
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
< HTTP/2 200
< date: Fri, 19 Jun 2020 11:03:45 GMT
< content-type: text/html; charset=utf-8
< set-cookie: __cfduid=d38d86dbcab270b6b1f8b8bc1d6b7edf21592564625; expires=Sun, 19-Jul-20 11:03:45 GMT; path=/; domain=.blackcoffeeandsupplies.shop; HttpOnly; SameSite=Lax; Secure
< expires: Thu, 19 Nov 1981 08:52:00 GMT
< cache-control: no-store, no-cache, must-revalidate
< pragma: no-cache
< set-cookie: PHPSESSID=6h8c9tas88k62uvghv4jpk0ppc; path=/
< set-cookie: PrestaShop-63a90b2ec8a45103117197e609fd836f=def50200d8089ec1773acf95668af5e80ad96a945d07897a7f1602240a591112b6443808b8830932a832f603a57f927632e4d7246b58d45f4faae577c22722f8274ad6b10a0776818d16e5075b41f3228c18f59af97745e16e9232309fc04dcc9a55c0c6d9b9d17a4915bc5ee245cc754d21e76f1f501c2da85eaf73bb8cdafc6bbf38df65c98ce196403734eeb110216f35d4a985ae546abc3bff2d9a70ef; expires=Thu, 09-Jul-2020 11:03:45 GMT; Max-Age=1728000; path=/; domain=blackcoffeeandsupplies.shop; secure; HttpOnly
< set-cookie: PrestaShop-63a90b2ec8a45103117197e609fd836f=def50200c90afd5060474ce98271a5d6c44cda1e2f612d3087a49a2f5d5165783014eab8ea1a1af643e55a21cc1f4ea152bc6ff03d9317b4bc18010977541a5228b2a2a4703e59ccfb1167927ae3a9ae72d81bca342543551405f2a2ed5572ce4352e1f56da8b38d70f4eb9071f858dd1dc1a4c6ceb2e4dc4a359502a0785b0da6c20be0a3aee341e3ba10d9816bff592773d18c0d8f97c607b159e2c4c30df20115c8b06ad53cef3a9f76ffff49d35830be125b94007401c098409df210c049ec015e2d99; expires=Thu, 09-Jul-2020 11:03:45 GMT; Max-Age=1728000; path=/; domain=blackcoffeeandsupplies.shop; secure; HttpOnly
< strict-transport-security: max-age=63072000; includeSubDomains; preload
< x-frame-options: SAMEORIGIN
< x-content-type-options: nosniff
< vary: Accept-Encoding
< cf-cache-status: DYNAMIC
< cf-request-id: 036dd8c7da0000d9056628f200000001
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< server: cloudflare
< cf-ray: 5a5cc3ec9c20d905-AMS
So I’m kinda certain it has something to do with:
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
* HTTP/2 stream 0 was not closed cleanly: PROTOCOL_ERROR (err 1)
* stopped the pause stream!
* Connection #0 to host blackcoffeeandsupplies.shop left intact
curl: (92) HTTP/2 stream 0 was not closed cleanly: PROTOCOL_ERROR (err 1)
However I can’t find the answer anywhere.
Hope some can help me/point me in the right direction.
Let me know if you need anything else!
Thanks and Best Regards,
Henk-Jan
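In Full and Full (strict) mode the Cloudflare edge opens its own TLS connection to the origin for every request, so an error like the one above has two possible sources: the client-to-edge hop (which the transcript shows completing cleanly, with a Cloudflare-issued certificate and h2 negotiated) or the edge-to-origin hop, which curl cannot see. The script below is an added example, not part of the original post: it summarises a `curl -v` transcript into the fields that matter for this distinction, and wraps two probes, one through the edge and one pinned straight to the origin IP with `--resolve` so the SNI and Host header stay correct. The hostname is the one from the post; `ORIGIN_IP` is a placeholder you must replace. The two embedded sample transcripts are trimmed from the post's own curl output so the summariser can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original post). Summarise a `curl -v` transcript
# and probe the edge and the origin separately.
# Assumptions: HOST is the site from the post; ORIGIN_IP is a placeholder for
# the Vultr address and must be set in the environment.

HOST="blackcoffeeandsupplies.shop"
ORIGIN_IP="${ORIGIN_IP:-203.0.113.10}"   # assumption: documentation-range placeholder

# summarize: read a curl -v transcript on stdin and print a single line:
#   tls=<ok|fail> alpn=<h2|http/1.1|none> issuer=<CN|none> status=<code|none> h2err=<yes|no>
# "tls=ok" means the handshake finished; "alpn" is what the server picked;
# "issuer" tells you which CA signed the cert you actually spoke to (edge vs origin);
# "h2err" flags curl's (92) PROTOCOL_ERROR seen in the post.
summarize() {
    awk '
        /SSL connection using/                        { tls = "ok" }
        /ALPN, server accepted to use/                { alpn = $NF }
        /issuer:/                                     { sub(/.*CN=/, ""); issuer = $0 }
        /^< HTTP\/2 [0-9]+/ || /^< HTTP\/1\.1 [0-9]+/ { status = $3 }
        /PROTOCOL_ERROR/                              { h2err = "yes" }
        END {
            printf "tls=%s alpn=%s issuer=%s status=%s h2err=%s\n",
                (tls ? tls : "fail"), (alpn ? alpn : "none"),
                (issuer ? issuer : "none"), (status ? status : "none"),
                (h2err ? h2err : "no")
        }'
}

# probe_edge: the normal path through Cloudflare, i.e. what the post ran.
probe_edge() {
    curl -sS -o /dev/null -v --http2 "https://$HOST/" 2>&1 | summarize
}

# probe_origin: the same request pinned to the origin address. --resolve only
# overrides DNS, so SNI and Host still say $HOST and Apache picks the right vhost.
# -k is used because a Cloudflare Origin CA certificate is not in the public CA
# store; it is for diagnosis only. With Authenticated Origin Pulls enforced in
# Apache, this probe is expected to be refused, since curl presents no client
# certificate: that refusal is the origin doing its job, not the bug.
probe_origin() {
    curl -sS -o /dev/null -v --http2 -k \
        --resolve "$HOST:443:$ORIGIN_IP" "https://$HOST/" 2>&1 | summarize
}

# Sample transcripts, trimmed from the two curl runs in the post (Full mode,
# then Flexible), so summarize can be exercised without network access.
SAMPLE_FULL='* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
*  issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
* HTTP/2 stream 0 was not closed cleanly: PROTOCOL_ERROR (err 1)'

SAMPLE_FLEX='* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
*  issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
< HTTP/2 200
< server: cloudflare'

summarize_full() { printf '%s\n' "$SAMPLE_FULL" | summarize; }
summarize_flex() { printf '%s\n' "$SAMPLE_FLEX" | summarize; }

# Usage: ./probe.sh edge | ./probe.sh origin | ./probe.sh samples
case "${1:-}" in
    edge)    probe_edge ;;
    origin)  probe_origin ;;
    samples) summarize_full; summarize_flex ;;
esac
```

Reading the two sample summaries side by side makes the point of the post concrete: both show `tls=ok alpn=h2 issuer=Cloudflare Inc ECC CA-3`, so the client-to-edge hop is identical in both modes, and the only difference is `status=none h2err=yes` versus `status=200 h2err=no`. When a direct origin probe shows a different issuer (the Origin CA) and a clean `status=200`, while the edge probe still fails, the problem is in what the edge does with the origin's answer rather than in Apache's TLS setup.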
A quick update via this way because I’m at the post limit for today:
It’s a strange situation but I’ve solved it for now I guess? On my iPhone I’m able to load and curl also works.
As @michael suggested it was in the VHOST config:
The vhost in apache had:
Protocols: h2 HTTP/1.1 (as in the documentation of Apache2). However after removing HTTP/1.1 it worked. It seems that something was conflicting with it?
Love to discuss more about it tomorrow, but for now I can’t post anymore due to the limit.
update 2:
It’s getting weirder and weirder. So the problem wasn’t with the VHost settings, just after I tried @michael’s suggestion, the site stayed online however images wouldn’t load.
So I went back to:
Protocols h2
And went into the settings on CF, just to try and mess with the always https etc. Just to try something out. I thought I’d purge cache and noticed that Always Online was on. So I turned it off and instantly the images got visible again.
Next step was to try and go to vhost settings with the http/1.1 and guess what everything works now!
I don’t know if this is something that would never work, and I was stupid for turning always online on and thinking it would work with strict? But it looks like everything works now!
Thanks everyone!
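For reference, the directives the thread touches on in one place: an Apache 2.4 vhost for a Cloudflare origin running in Full (strict) mode with Authenticated Origin Pulls. This is an added example, not the poster's actual configuration; the ServerName is the one from the thread, and every file path and the PHP-FPM socket are assumptions to be replaced with your own. The `Protocols` values are lowercase as in the mod_http2 documentation.

```apache
# Added example (not the poster's config). Cloudflare origin vhost:
# Full (strict) + Authenticated Origin Pulls. Paths are assumptions.
<VirtualHost *:443>
    ServerName blackcoffeeandsupplies.shop
    DocumentRoot /var/www/prestashop          # assumption

    # Offer HTTP/2 and keep HTTP/1.1 as the fallback for any client,
    # including the Cloudflare edge, that does not negotiate h2.
    Protocols h2 http/1.1

    SSLEngine on
    SSLProtocol -all +TLSv1.2 +TLSv1.3

    # Cloudflare Origin CA certificate and key (assumed paths). It is trusted
    # by Cloudflare only, which is all Full (strict) requires of the origin.
    SSLCertificateFile    /etc/ssl/cloudflare/origin.pem
    SSLCertificateKeyFile /etc/ssl/cloudflare/origin.key

    # Authenticated Origin Pulls: the edge must present Cloudflare's
    # origin-pull client certificate, so requests that bypass Cloudflare are
    # refused during the TLS handshake. The CA file is Cloudflare's published
    # origin-pull CA (assumed path).
    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLCACertificateFile /etc/ssl/cloudflare/origin-pull-ca.pem

    # PHP 7.2 via php-fpm over a Unix socket (assumed socket path).
    <FilesMatch "\.php$">
        SetHandler "proxy:unix:/run/php/php7.2-fpm.sock|fcgi://localhost"
    </FilesMatch>
</VirtualHost>
```

Keep `SSLVerifyClient require` in mind when debugging: once it is on, any direct probe of the origin that does not carry Cloudflare's client certificate (a plain curl, a scanner, a browser pointed at the Vultr IP) will be rejected at the TLS layer, which is the intended behaviour and not a symptom of the HTTP/2 problem discussed above.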