Acme.sh using alpn to avoid port 80 -> SSL_ERROR_RX_RECORD_TOO_LONG

My domain is:
lottertal.ddns.net
I ran this command:
acme.sh --issue --alpn --force --keylength ec256 --pre-hook 'systemctl stop apache2' --post-hook 'systemctl start apache2' -d lottertal.ddns.net
It produced this output:
[Mo 7. Dez 15:29:32 CET 2020] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Mo 7. Dez 15:29:32 CET 2020] Run pre hook:'systemctl stop apache2'
[Mo 7. Dez 15:29:32 CET 2020] Standalone alpn mode.
[Mo 7. Dez 15:29:32 CET 2020] Creating domain key
[Mo 7. Dez 15:29:32 CET 2020] The domain key is here: /root/.acme.sh/lottertal.ddns.net_ecc/lottertal.ddns.net.key
[Mo 7. Dez 15:29:32 CET 2020] Single domain='lottertal.ddns.net'
[Mo 7. Dez 15:29:32 CET 2020] Getting domain auth token for each domain
[Mo 7. Dez 15:29:36 CET 2020] Getting webroot for domain='lottertal.ddns.net'
[Mo 7. Dez 15:29:36 CET 2020] lottertal.ddns.net is already verified, skip tls-alpn-01.
[Mo 7. Dez 15:29:36 CET 2020] Verify finished, start to sign.
[Mo 7. Dez 15:29:36 CET 2020] Lets finalize the order.
[Mo 7. Dez 15:29:36 CET 2020] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/#######'
[Mo 7. Dez 15:29:37 CET 2020] Downloading cert.
[Mo 7. Dez 15:29:37 CET 2020] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/#########'
[Mo 7. Dez 15:29:39 CET 2020] Cert success.
-----BEGIN CERTIFICATE-----
---#####
-----END CERTIFICATE-----
[Mo 7. Dez 15:29:39 CET 2020] Your cert is in /root/.acme.sh/lottertal.ddns.net_ecc/lottertal.ddns.net.cer
[Mo 7. Dez 15:29:39 CET 2020] Your cert key is in /root/.acme.sh/lottertal.ddns.net_ecc/lottertal.ddns.net.key
[Mo 7. Dez 15:29:39 CET 2020] The intermediate CA cert is in /root/.acme.sh/lottertal.ddns.net_ecc/ca.cer
[Mo 7. Dez 15:29:39 CET 2020] And the full chain certs is there: /root/.acme.sh/lottertal.ddns.net_ecc/fullchain.cer
[Mo 7. Dez 15:29:39 CET 2020] Run post hook:'systemctl start apache2'

My web server is (include version):
Apache/2.4.38 (Debian)
The operating system my web server runs on is (include version):
debian 10.7
My hosting provider, if applicable, is:
local installation
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): acme.sh v2.8.8

followed by: acme.sh --install-cert -d lottertal.ddns.net --key-file /etc/ssl/localcerts/apache.key --cert-file /etc/ssl/localcerts/apache.pem --ca-file /etc/ssl/localcerts/apache-chain.pem

Result:
answer on apache: Error code: SSL_ERROR_RX_RECORD_TOO_LONG

answer on chromium: lottertal.ddns.net sent an invalid response.

Hi @dickkopf

that's funny.

Acme.sh using alpn to avoid port 80

But your error message says:

Your port 443 is a http port.

http://lottertal.ddns.net:443/

answers correctly.

Maybe a wrong port forwarding: port 443 external -> port 80 internal.

Or your port 443 isn't a https port.

ID  Service Port  Internal Port  IP Address     Protocol  Status   Modify
1   443           443            192.168.0.101  ALL       Enabled  Modify Delete

does NOT work when forwarding is restricted to TCP.
Is there a relevant difference with UDP?

and lottertal.ddns.net:443 is NOT protected by SSL.
So obviously there IS a certificate problem.

the only port open to the outside is 443, all others are closed.

I start HATING the 1und1 ISP.

That's what I've told you already.

It's only your buggy configuration. Please fix that. It's not a 1&1 problem.


PS: If you use the standard https port 443 to create an http port, that port is blocked.

So no program is able to create a standard https port using port 443 based on your http port 80.

So the complete problem is self-created.

Create a working http port 80.


1und1 uses port 80 for management services; they say if you want more you have to pay extra for their cloud services.

thanks for your help.

That's irrelevant.

There is no need for the external port 80 to work.

Internally you are free. But if you block port 443, no client can create a vHost based on your port 80 as a template.

But that's your choice - and your error.

I think the missing part here is that if your (default? manually created?) Apache configuration is listening to HTTP (not HTTPS) on port 443, then you have to update your Apache configuration to change this. That involves editing the configuration files in /etc/apache2 (or /etc/httpd) so that there is no VirtualHost listening on port 443 without HTTPS.

It's not that the certificate or port forwarding configuration is wrong, it's that the Apache configuration is wrong—probably because it has an existing VirtualHost conflicting with the new HTTPS VirtualHost.


You managed to get a cert - that is usually the hardest part, so congratulations on that!
But the installation of the cert:

seems to have failed you.

Perhaps it is missing:

Or acme.sh was just unable to properly understand and thus incorrectly modified the config files.
If so, and just for good measure, we should review the basic Apache configuration with:
apachectl -S
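As an added example (not code from this thread, from acme.sh, or from Apache), here is a small POSIX shell check for the situation described in the two posts above: it walks an Apache config file and reports every `<VirtualHost>` bound to port 443 whose block never turns on `SSLEngine`. That is exactly the layout that makes Firefox show SSL_ERROR_RX_RECORD_TOO_LONG: the browser sends a TLS ClientHello and gets a plaintext HTTP response back, which cannot be parsed as a TLS record. The two config snippets embedded in the script are constructed stand-ins for the broken and the corrected layout; the certificate paths are the ones from the `--install-cert` command in the first post, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the thread or of acme.sh.
# Detects the misconfiguration discussed above: a <VirtualHost> bound to
# port 443 without "SSLEngine on", so Apache answers TLS ClientHellos with
# plain HTTP and browsers report SSL_ERROR_RX_RECORD_TOO_LONG.

# find_plain_vhosts FILE [PORT]
# Prints "ServerName:port" for each VirtualHost on PORT (default 443)
# whose block never enables SSLEngine. Only the first address token of a
# <VirtualHost ...> line is examined.
find_plain_vhosts() {
    awk -v port="${2:-443}" '
        tolower($0) ~ /^[ \t]*<virtualhost/ {
            inblock = 1; ssl = 0; name = "_default_"
            # $2 is the "addr:port>" token; strip ">" and keep the port
            spec = $2; sub(/>.*/, "", spec)
            n = split(spec, part, ":"); p = part[n]
            next
        }
        inblock && tolower($1) == "servername" { name = $2 }
        inblock && tolower($1) == "sslengine" && tolower($2) == "on" { ssl = 1 }
        tolower($0) ~ /^[ \t]*<\/virtualhost>/ {
            if (inblock && p == port && !ssl) print name ":" p
            inblock = 0
        }
    ' "$1"
}

# Constructed stand-in for the broken layout: a plain-HTTP vHost on 443
# and no TLS vHost at all. Prints the path of a temp file holding it.
write_broken_conf() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
Listen 443
<VirtualHost *:443>
    ServerName lottertal.ddns.net
    DocumentRoot /var/www/html
</VirtualHost>
EOF
    echo "$f"
}

# Constructed corrected layout using the files written by the
# "acme.sh --install-cert ... --key-file/--cert-file/--ca-file" command
# from the first post. SSLCertificateChainFile is still accepted by
# Apache 2.4.38 but deprecated since 2.4.8; installing a full chain with
# acme.sh --fullchain-file into SSLCertificateFile is the modern form.
write_fixed_conf() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
Listen 443
<VirtualHost *:443>
    ServerName lottertal.ddns.net
    DocumentRoot /var/www/html
    SSLEngine on
    SSLCertificateFile      /etc/ssl/localcerts/apache.pem
    SSLCertificateKeyFile   /etc/ssl/localcerts/apache.key
    SSLCertificateChainFile /etc/ssl/localcerts/apache-chain.pem
</VirtualHost>
EOF
    echo "$f"
}

# Demo on the constructed files. On the real host, run "apachectl -S" to
# see which vHosts Apache actually loads, then check each loaded file:
#   for c in /etc/apache2/sites-enabled/*.conf; do find_plain_vhosts "$c"; done
broken=$(write_broken_conf); fixed=$(write_fixed_conf)
echo "broken config -> $(find_plain_vhosts "$broken")"   # lottertal.ddns.net:443
echo "fixed config  -> $(find_plain_vhosts "$fixed")"    # (nothing)
rm -f "$broken" "$fixed"
```

Any name the check prints is a vHost that will answer TLS handshakes with plaintext HTTP; the fix is to add `SSLEngine on` plus the certificate directives to that block (or delete it and let the TLS vHost take port 443), then `apachectl configtest` and restart Apache.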

@rg305: There is no port 80 vHost. But there is an http port 443 vHost, so it's impossible to create an https port 443 vHost using a port 80 vHost as a template.

And the domain is removed:

lottertal.ddns.net. Non-existent domain.

Agreed. Then, if there is no HTTP config, this result is expected.
He should remove that step and do the install via a manual file edit.
