After Domain and SSL change, no connection (letsencrypt)

Hi, I have the following problem.

After a domain change and a change to Letsencrypt, CalDav / CardDav no longer works, either in Thunderbird or in DavDroid.

The Davdroid log is this:

[details=Summary]
2017-05-12 07:51:47 750 [HttpClient$1] <?xml version='1.0' encoding='UTF-8' ?><CARD:addressbook-description /><CARD:addressbook-home-set />
2017-05-12 07:51:47 750 [HttpClient$1] --> END PROPFIND (290-byte body)
2017-05-12 07:51:48 750 [HttpClient$1] <-- HTTP FAILED: javax.net.ssl.SSLHandshakeException: Handshake failed
2017-05-12 07:51:48 750 [ui.setup.DavResourceFinder] PROPFIND/OPTIONS on user-given URL failed
EXCEPTION javax.net.ssl.SSLHandshakeException: Handshake failed
at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:429)
at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:268)
at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:238)
at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:149)
at okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:192)
at okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:121)
at okhttp3.internal.connection.StreamAllocation.newStream(StreamAllocation.java:100)
at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:42)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:93)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:120)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
at okhttp3.logging.HttpLoggingInterceptor.intercept(HttpLoggingInterceptor.java:211)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:185)
at okhttp3.RealCall.execute(RealCall.java:69)
at at.bitfire.dav4android.DavResource.propfind(DavResource.java:276)
at at.bitfire.davdroid.ui.setup.DavResourceFinder.checkUserGivenURL(DavResourceFinder.java:179)
at at.bitfire.davdroid.ui.setup.DavResourceFinder.findInitialConfiguration(DavResourceFinder.java:119)
at at.bitfire.davdroid.ui.setup.DavResourceFinder.findInitialConfiguration(DavResourceFinder.java:90)
at at.bitfire.davdroid.ui.setup.DetectConfigurationFragment$ServerConfigurationLoader.loadInBackground(DetectConfigurationFragment.java:142)
at at.bitfire.davdroid.ui.setup.DetectConfigurationFragment$ServerConfigurationLoader.loadInBackground(DetectConfigurationFragment.java:125)
at android.support.v4.content.AsyncTaskLoader.onLoadInBackground(AsyncTaskLoader.java:302)
at android.support.v4.content.AsyncTaskLoader$LoadTask.doInBackground(AsyncTaskLoader.java:57)
at android.support.v4.content.AsyncTaskLoader$LoadTask.doInBackground(AsyncTaskLoader.java:45)
at android.support.v4.content.ModernAsyncTask$2.call(ModernAsyncTask.java:138)
at java.util.concurrent.FutureTask.run(FutureTask.java:237)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1133)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:607)
at java.lang.Thread.run(Thread.java:776)
Caused by: javax.net.ssl.SSLProtocolException: SSL handshake terminated: ssl=0x73b7fe2a80: Failure in SSL library, usually a protocol error
error:10000410:SSL routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE (external/boringssl/src/ssl/s3_pkt.c:610 0x73cb596e20:0x00000001)
error:1000009a:SSL routines:OPENSSL_internal:HANDSHAKE_FAILURE_ON_CLIENT_HELLO (external/boringssl/src/ssl/s3_clnt.c:764 0x73cb802f76:0x00000000)
at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:357)
… 36 more

...
2017-05-12 07:51:48 750 [ui.setup.DavResourceFinder] No principal found at user-given URL, trying to discover
2017-05-12 07:51:48 750 [ui.setup.DavResourceFinder] Looking up SRV records for _carddavs._tcp.nextcloud.domain.de
2017-05-12 07:51:48 750 [ui.setup.DavResourceFinder] Didn't find carddav service, trying at https://nextcloud.domain.de:443
2017-05-12 07:51:48 750 [ui.setup.DavResourceFinder] Trying to determine principal from initial context path=https://nextcloud.domain.de/.well-known/carddav

...

2017-05-12 07:51:48 750 [HttpClient$1] <?xml version='1.0' encoding='UTF-8' ?><propfind xmlns="DAV:" xmlns:CAL="urn:ietf:params:xml:ns:caldav" xmlns:CARD="urn:ietf:params:xml:ns:carddav"><prop><current-user-principal /></prop></propfind>
2017-05-12 07:51:48 750 [HttpClient$1] --> END PROPFIND (198-byte body)
2017-05-12 07:51:48 750 [HttpClient$1] <-- HTTP FAILED: javax.net.ssl.SSLHandshakeException: Handshake failed
2017-05-12 07:51:48 750 [ui.setup.DavResourceFinder] carddav service discovery failed
EXCEPTION javax.net.ssl.SSLHandshakeException: Handshake failed
	at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:429)
	at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:268)
	at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:238)
	at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:149)
	at okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:192)
	at okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:121)
	at okhttp3.internal.connection.StreamAllocation.newStream(StreamAllocation.java:100)
	at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:42)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
	at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:93)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
	at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
	at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:120)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
	at okhttp3.logging.HttpLoggingInterceptor.intercept(HttpLoggingInterceptor.java:211)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
	at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:185)
	at okhttp3.RealCall.execute(RealCall.java:69)
	at at.bitfire.dav4android.DavResource.propfind(DavResource.java:276)
	at at.bitfire.davdroid.ui.setup.DavResourceFinder.getCurrentUserPrincipal(DavResourceFinder.java:352)
	at at.bitfire.davdroid.ui.setup.DavResourceFinder.discoverPrincipalUrl(DavResourceFinder.java:334)
	at at.bitfire.davdroid.ui.setup.DavResourceFinder.findInitialConfiguration(DavResourceFinder.java:140)
	at at.bitfire.davdroid.ui.setup.DavResourceFinder.findInitialConfiguration(DavResourceFinder.java:90)
	at at.bitfire.davdroid.ui.setup.DetectConfigurationFragment$ServerConfigurationLoader.loadInBackground(DetectConfigurationFragment.java:142)
	at at.bitfire.davdroid.ui.setup.DetectConfigurationFragment$ServerConfigurationLoader.loadInBackground(DetectConfigurationFragment.java:125)
	at android.support.v4.content.AsyncTaskLoader.onLoadInBackground(AsyncTaskLoader.java:302)
	at android.support.v4.content.AsyncTaskLoader$LoadTask.doInBackground(AsyncTaskLoader.java:57)
	at android.support.v4.content.AsyncTaskLoader$LoadTask.doInBackground(AsyncTaskLoader.java:45)
	at android.support.v4.content.ModernAsyncTask$2.call(ModernAsyncTask.java:138)
	at java.util.concurrent.FutureTask.run(FutureTask.java:237)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1133)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:607)
	at java.lang.Thread.run(Thread.java:776)
Caused by: javax.net.ssl.SSLProtocolException: SSL handshake terminated: ssl=0x73b7fe2a80: Failure in SSL library, usually a protocol error
error:10000410:SSL routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE (external/boringssl/src/ssl/s3_pkt.c:610 0x73b9c649c0:0x00000001)
error:1000009a:SSL routines:OPENSSL_internal:HANDSHAKE_FAILURE_ON_CLIENT_HELLO (external/boringssl/src/ssl/s3_clnt.c:764 0x73cb802f76:0x00000000)
	at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
	at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:357)
	... 37 more

...
2017-05-12 07:51:48 750 [ui.setup.DavResourceFinder] Finding initial caldav service configuration
2017-05-12 07:51:48 750 [ui.setup.DavResourceFinder] Checking user-given URL: https://nextcloud.domain.de/nextcloud/remote.php/dav
2017-05-12 07:51:48 750 [HttpClient$1] --> PROPFIND https://nextcloud.domain.de/nextcloud/remote.php/dav http/1.1

...

2017-05-12 07:51:48 750 [ui.setup.DavResourceFinder] No principal found at user-given URL, trying to discover
2017-05-12 07:51:48 750 [ui.setup.DavResourceFinder] Looking up SRV records for _caldavs._tcp.nextcloud.domain.de
2017-05-12 07:51:48 750 [ui.setup.DavResourceFinder] Didn't find caldav service, trying at https://nextcloud.domain.de:443
2017-05-12 07:51:48 750 [ui.setup.DavResourceFinder] Trying to determine principal from initial context path=https://nextcloud.domain.de/.well-known/caldav
2017-05-12 07:51:48 750 [HttpClient$1] --> PROPFIND https://nextcloud.domain.de/.well-known/caldav http/1.1

...

2017-05-12 07:51:48 750 [HttpClient$1] <?xml version='1.0' encoding='UTF-8' ?><propfind xmlns="DAV:" xmlns:CAL="urn:ietf:params:xml:ns:caldav" xmlns:CARD="urn:ietf:params:xml:ns:carddav"><prop><current-user-principal /></prop></propfind>
2017-05-12 07:51:48 750 [HttpClient$1] --> END PROPFIND (198-byte body)
2017-05-12 07:51:48 750 [HttpClient$1] <-- HTTP FAILED: javax.net.ssl.SSLHandshakeException: Handshake failed
2017-05-12 07:51:48 750 [ui.setup.DavResourceFinder] caldav service discovery failed
EXCEPTION javax.net.ssl.SSLHandshakeException: Handshake failed
	at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:429)
	at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:268)
	at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:238)
	at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:149)
	at okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:192)
	at okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:121)
	at okhttp3.internal.connection.StreamAllocation.newStream(StreamAllocation.java:100)
	at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:42)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
	at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:93)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
	at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
	at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:120)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
	at okhttp3.logging.HttpLoggingInterceptor.intercept(HttpLoggingInterceptor.java:211)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
	at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:185)
	at okhttp3.RealCall.execute(RealCall.java:69)
	at at.bitfire.dav4android.DavResource.propfind(DavResource.java:276)
	at at.bitfire.davdroid.ui.setup.DavResourceFinder.getCurrentUserPrincipal(DavResourceFinder.java:352)
	at at.bitfire.davdroid.ui.setup.DavResourceFinder.discoverPrincipalUrl(DavResourceFinder.java:334)
	at at.bitfire.davdroid.ui.setup.DavResourceFinder.findInitialConfiguration(DavResourceFinder.java:140)
	at at.bitfire.davdroid.ui.setup.DavResourceFinder.findInitialConfiguration(DavResourceFinder.java:91)
	at at.bitfire.davdroid.ui.setup.DetectConfigurationFragment$ServerConfigurationLoader.loadInBackground(DetectConfigurationFragment.java:142)
	at at.bitfire.davdroid.ui.setup.DetectConfigurationFragment$ServerConfigurationLoader.loadInBackground(DetectConfigurationFragment.java:125)
	at android.support.v4.content.AsyncTaskLoader.onLoadInBackground(AsyncTaskLoader.java:302)
	at android.support.v4.content.AsyncTaskLoader$LoadTask.doInBackground(AsyncTaskLoader.java:57)
	at android.support.v4.content.AsyncTaskLoader$LoadTask.doInBackground(AsyncTaskLoader.java:45)
	at android.support.v4.content.ModernAsyncTask$2.call(ModernAsyncTask.java:138)
	at java.util.concurrent.FutureTask.run(FutureTask.java:237)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1133)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:607)
	at java.lang.Thread.run(Thread.java:776)
Caused by: javax.net.ssl.SSLProtocolException: SSL handshake terminated: ssl=0x73b7fe2a80: Failure in SSL library, usually a protocol error
error:10000410:SSL routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE (external/boringssl/src/ssl/s3_pkt.c:610 0x73b9c64780:0x00000001)
error:1000009a:SSL routines:OPENSSL_internal:HANDSHAKE_FAILURE_ON_CLIENT_HELLO (external/boringssl/src/ssl/s3_clnt.c:764 0x73cb802f76:0x00000000)
	at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
	at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:357)
	... 37 more

[/details]

Can someone help me? What is it, and how do I fix it?

Nextcloud 11.0.3 (stable)
letsencrypt 0.14.0 - 2017-05-04

Nginx config:

```nginx
ssl on;
ssl_certificate /etc/letsencrypt/live/nextcloud.domain.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/nextcloud.domain.de/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/nextcloud.domain.de/fullchain.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128';
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_ecdh_curve secp384r1;
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8;
ssl_session_timeout 24h;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
```

Did you change your cipher settings? Some old clients don't support very new cipher settings; I'm not sure why exactly your handshake failed. If it's your own server, you can perhaps run the webserver in debug mode and get more detailed information on whether there is no matching cipher or some other problem.

Are your Android system and Thunderbird up to date? On https://www.ssllabs.com/ you can test your server and browser for compatibility (unfortunately not the *DAV clients).

How can I use the debug mode?

Edit: ciphers changed to:

```nginx
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:EECDH:EDH:!MD5:!RC4:!LOW:!MEDIUM:!CAMELLIA:!ECDSA:!DES:!DSS:!3DES:!NULL';
```

Can no one really help me?

The full DAVdroid debug file is here.

I have found the solution.

https://forums.bitfire.at/topic/1242/elliptic-curve-ciphers-not-available-on-android-7

This works best for me, better than auto:

```nginx
ssl_ecdh_curve secp384r1:prime256v1;
```


Yeah, so actually it's not a good solution, since prime256v1 is not as secure as secp521r1, secp384r1 or secp256k1. Basically this is due to a bug in Android 7.0, and 7.1 fixes it. Too bad a lot of phones won't get ROM updates to 7.1.x >< (which I hate).
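A small static check of the `ssl_ecdh_curve` directive from the posts above, as an added example that is not part of this thread. It parses the `ssl_*` directives of an nginx server block and reports which curve an ECDHE client could negotiate; the client curve lists are constructed for the example, and the assumption that an Android 7.0 client offers only prime256v1 comes from the linked bitfire topic, not from this thread.

```python
import re

# Constructed client profiles (not from this thread). The Android 7.0 entry
# assumes the client offers only P-256, per the linked bitfire topic.
CLIENT_CURVES = {
    "android-7.0": {"prime256v1"},
    "modern-desktop": {"x25519", "prime256v1", "secp384r1", "secp521r1"},
}

# nginx's "auto" uses OpenSSL's built-in group list; this expansion is an
# assumption for the example and may differ between OpenSSL builds.
AUTO_CURVES = ["x25519", "prime256v1", "secp384r1", "secp521r1"]

# Constructed fragments mirroring the before/after lines in the thread.
BEFORE = """
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ecdh_curve secp384r1;
    ssl_prefer_server_ciphers on;
"""
AFTER = BEFORE.replace("secp384r1;", "secp384r1:prime256v1;")


def parse_ssl_directives(config: str) -> dict:
    """Return {directive: value} for every ssl_* line, quotes stripped."""
    found = {}
    for m in re.finditer(r"^\s*(ssl_\w+)\s+(.+?)\s*;\s*$", config, re.M):
        found[m.group(1)] = m.group(2).strip("'\"")
    return found


def server_curves(directives: dict) -> list:
    """Server-side curve list in preference order (default is 'auto')."""
    value = directives.get("ssl_ecdh_curve", "auto")
    return list(AUTO_CURVES) if value == "auto" else value.split(":")


def negotiated_curve(server: list, client: set):
    """First server-preferred curve the client also offers, else None."""
    return next((c for c in server if c in client), None)


def check_config(config: str) -> dict:
    """Map each client profile to the curve it would get, or None (handshake fails)."""
    curves = server_curves(parse_ssl_directives(config))
    return {name: negotiated_curve(curves, offered)
            for name, offered in CLIENT_CURVES.items()}


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, check_config(cfg))
```

A `None` result for a profile means no shared curve, so ECDHE cannot be negotiated and the handshake is rejected at ClientHello, which matches the HANDSHAKE_FAILURE_ON_CLIENT_HELLO lines in the DAVdroid log.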