Enabled HTTP/2 Support in apache2 v2.4.25 on Debian 9.13 but Tests Show No Support for HTTP/2

I am trying to configure HTTP/2 support but something is going wrong.

My server is a Google Compute Engine VM running Debian 9.13 (stretch), server version Apache/2.4.25, with SSL certs configured using OpenSSL. When I run openssl version it reports version 1.1.1g. When running phpinfo(); it reports OpenSSL/1.0.2u. PHP version 7.4.11 and phpinfo(); also reports…

SSL_VERSION_INTERFACE -> mod_ssl/2.4.25
SSL_VERSION_LIBRARY -> OpenSSL/1.0.2u
SSL_PROTOCOL -> TLSv1.2

I followed the instructions here to “Enable HTTP/2 module in Apache” and “Enable HTTP/2 in your Apache virtual host” and also here. After doing so, when I run the command apache2ctl -M | grep http2 it returns http2_module (shared), which signals HTTP/2 support is enabled. But it isn’t in production.

Here is the line used in my apache2 virtual hosts configuration file /etc/apache2/sites-available/default-ssl.conf:

<VirtualHost _default_:443>
    Protocols h2 h2c http/1.1
    ...

Here is the verbose connection information when using the curl -vso http2_debug.log --http2 https://pharealty.com/ command, which does successfully download the page.

*   Trying 35.236.101.224...
* TCP_NODELAY set
* Connected to pharealty.com (35.236.101.224) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} (5 bytes data)
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} (512 bytes data)
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ (109 bytes data)
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ (4036 bytes data)
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ (333 bytes data)
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ (4 bytes data)
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} (70 bytes data)
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} (1 bytes data)
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} (16 bytes data)
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
{ (1 bytes data)
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ (16 bytes data)
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=pharealty.com
*  start date: Jul 10 01:53:04 2021 GMT
*  expire date: Oct  8 01:53:03 2021 GMT
*  subjectAltName: host "pharealty.com" matched cert's "pharealty.com"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
} (5 bytes data)
> GET / HTTP/1.1
> Host: pharealty.com
> User-Agent: curl/7.52.1
> Accept: */*
>
{ (5 bytes data)
< HTTP/1.1 200 OK
< Date: Wed, 08 Sep 2021 17:20:21 GMT
< Server: Apache
< Upgrade: h2,h2c
< Connection: Upgrade
< Set-Cookie: PHPSESSID=1mv9jqka4n7c7fb6qmtavfsgue; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< X-Pingback: https://pharealty.com/xmlrpc.php
< Link: <https://pharealty.com/wp-json/>; rel="https://api.w.org/"
< Link: <https://pharealty.com/wp-json/wp/v2/pages/48>; rel="alternate"; type="application/json"
< Link: <https://pharealty.com/>; rel=shortlink
< Set-Cookie: phaLandingPage=%2F; expires=Tue, 08-Mar-2022 17:20:21 GMT; Max-Age=15638400; path=/
< Vary: Accept-Encoding
< Transfer-Encoding: chunked
< Content-Type: text/html; charset=UTF-8
<
{ (7 bytes data)
* Curl_http_done: called premature == 0
* Connection #0 to host pharealty.com left intact

It looks like it is working perfectly at first, then later reverts to HTTP/1.1.

As far as I can tell I’ve got a new enough version of OpenSSL. And although this page that I mentioned previously highly recommends a version of Apache higher than 2.4.25, I have been unable to update Apache to anything other than 2.4.25.

Do I need to set up a new SSL certificate after making the switch? Is the version of Apache what’s causing the issues?

I’ve tested the site on several HTTP/2 test websites and it fails every time.
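
To read a log like the one above mechanically, the following added example (not part of the original post) parses `curl -v` output and reports which protocol ALPN selected during the TLS handshake, alongside what the server advertises in its `Upgrade` header. The function name `summarize_alpn`, the host `example.test` and the embedded sample log are constructed for illustration.

```python
import re

# Constructed sample, abridged in the style of the `curl -v --http2` log above
# (example.test is a placeholder host).
SAMPLE_LOG = """\
* ALPN, offering h2
* ALPN, offering http/1.1
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
> GET / HTTP/1.1
> Host: example.test
< HTTP/1.1 200 OK
< Upgrade: h2,h2c
< Connection: Upgrade
"""

def summarize_alpn(log: str) -> dict:
    """Extract ALPN offer/result, response version and Upgrade tokens."""
    out = {"offered": [], "accepted": None, "response_version": None, "upgrade": []}
    for raw in log.splitlines():
        line = raw.strip()
        if m := re.match(r"\* ALPN, offering (\S+)", line):
            out["offered"].append(m.group(1))
        elif m := re.match(r"\* ALPN, server accepted to use (\S+)", line):
            out["accepted"] = m.group(1)
        elif m := re.match(r"< HTTP/(\d(?:\.\d)?) \d{3}", line):
            out["response_version"] = m.group(1)
        elif m := re.match(r"< Upgrade:\s*(.+)", line, re.IGNORECASE):
            out["upgrade"] = [t.strip().lower() for t in m.group(1).split(",")]

    if out["accepted"] == "h2":
        out["verdict"] = "h2 negotiated via ALPN"
    elif out["accepted"] is None:
        out["verdict"] = "no ALPN result in log"
    elif "h2" in out["offered"]:
        # The client asked for h2, but the TLS layer picked something else,
        # so the request on this connection is sent as HTTP/1.1 from the start.
        out["verdict"] = f"client offered h2, server selected {out['accepted']} in TLS handshake"
        if "h2" in out["upgrade"]:
            out["verdict"] += "; Upgrade header still advertises h2"
    else:
        out["verdict"] = f"h2 not offered; server selected {out['accepted']}"
    return out

if __name__ == "__main__":
    for key, value in summarize_alpn(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Running it against the saved http2_debug.log (read the file and pass its text to `summarize_alpn`) gives the same fields for the real capture.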