Comcast Xfinity users get an SSL error when trying to visit my site

The error usually appears as "ERR_SSL_PROTOCOL_ERROR" or "SSL_ERROR_RX_RECORD_TOO_LONG". This is occurring regardless of what browser is used and appears to be exclusive to Comcast Xfinity users.

My site is *.is-best-girl.fyi with the wildcard being used for obvious purposes, i.e. https://samus.is-best-girl.fyi/ .

It's on a shared hosting package with Namecheap (the server in question runs Cloud Linux), and they do not support root access or Let's Encrypt as an official cert provider, so I had to manually install it with certbot running on Windows 10.

I contacted Namecheap customer support about the issue and they said that as far as they can tell the cert is installed correctly and the server is functioning properly.

2 Likes

Hi and welcome to the LE community forum.
I have to agree with NameCheap, I can't see anything wrong.
If you have a picture of the error, that might be helpful.

It might be something like them adding "www" to your site:
https://www.samus.is-best-girl.fyi

Which also resolves to your IP:

Name:    www.samus.is-best-girl.fyi
Address:  162.0.229.129

Are they connecting to a port other than 443?

2 Likes

Welcome to the Let's Encrypt Community 🙂

Usually when I see this type of error I think of an http port (80) trying to be an https port. It is often a port forwarding problem.

I've seen a lot of threads surrounding this issue (SSL_ERROR_RX_RECORD_TOO_LONG) related to Comcast Xfinity.

It could be that your SSL/TLS configuration is "too hard" for their systems. Take a look at which protocols you allow.

3 Likes

Hi @neosquid

if you have that error:

You can always create that error, if there is a working http - port:

https://samus.is-best-girl.fyi:80/
https://community.letsencrypt.org:80/
https://check-your-website.server-daten.de:80/ (own site)

Three different sites, same error, https works.

So it's not a problem of your https configuration, your cipher suites are completely irrelevant.

But checking your site via https://check-your-website.server-daten.de/?q=samus.is-best-girl.fyi#url-checks - the main things are ok. The wildcard doesn't work with the www subdomain, so Grade N, but that's not a problem.

Looks like Comcast Xfinity has a wrong cache.

Or you had a wrong port forwarding

port 443 extern -> port 80 intern

and that wrong port forwarding is cached.

Is there a cache you can cleanup?

If not, users with that problem may clean their browser cache.

4 Likes
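The diagnosis above (a browser talking TLS to a port that answers in plain HTTP) can be checked without a browser. The following script is an added example, not code from the thread or from any poster: it builds a genuine ClientHello with Python's `ssl` module, sends it to a host and port, and classifies the first bytes that come back. The sample responses are constructed; the host name used in the `__main__` block is the one from the thread, and `probe()` is the only part that touches the network.

```python
import socket
import ssl
import sys

# Constructed sample responses (not captured from the site in the thread).
HTTP_RESPONSE = b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n\r\n"
TLS_SERVER_HELLO = bytes([0x16, 0x03, 0x03, 0x00, 0x5A]) + b"\x02" + b"\x00" * 0x59
TLS_ALERT = bytes([0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x28])  # fatal handshake_failure

# Largest record a TLS 1.2 client accepts: 2^14 plaintext + 2048 bytes overhead.
MAX_TLS_RECORD = 2 ** 14 + 2048


def build_client_hello(server_name: str) -> bytes:
    """Produce the bytes of a real ClientHello (with SNI) for server_name.

    A MemoryBIO pair stands in for the socket, so this runs offline.
    """
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the hello is written and the client now waits for the server
    return outgoing.read()


def tls_record_length(data: bytes) -> int:
    """Length field a TLS client reads from bytes 3-4 of whatever arrived."""
    return int.from_bytes(data[3:5], "big")


def classify_response(data: bytes) -> str:
    """Classify the first bytes a server returns after a ClientHello.

    "tls"        - a TLS record (handshake or alert) came back; TLS is spoken here
    "plain-http" - an HTTP status line came back; the port speaks plain HTTP.
                   Read as a TLS record, "HTTP/1.1 " has length field b"P/" =
                   20527, above MAX_TLS_RECORD, which is exactly why Firefox
                   reports SSL_ERROR_RX_RECORD_TOO_LONG (Chrome: ERR_SSL_PROTOCOL_ERROR)
    "empty"      - connection closed without data
    "unknown"    - anything else
    """
    if not data:
        return "empty"
    # TLS record header: content type 0x14-0x17, major version 0x03, 2-byte length.
    if len(data) >= 5 and data[0] in (0x14, 0x15, 0x16, 0x17) and data[1] == 0x03:
        return "tls"
    if data.startswith(b"HTTP/"):
        return "plain-http"
    return "unknown"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send a ClientHello to host:port and report what kind of peer answered."""
    hello = build_client_hello(host)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(hello)
        try:
            data = sock.recv(4096)
        except socket.timeout:
            data = b""
    return classify_response(data)


if __name__ == "__main__":
    # Usage: python probe_tls.py [hostname]; checks 443 (should be "tls")
    # and 80 (expected "plain-http", the same thing a browser sees on https://host:80/).
    target = sys.argv[1] if len(sys.argv) > 1 else "samus.is-best-girl.fyi"
    for p in (443, 80):
        print(f"{target}:{p} -> {probe(target, p)}")
```

If port 443 reports `plain-http` from inside the affected network but `tls` from elsewhere, the traffic is being redirected to an HTTP listener somewhere on the path (a cached wrong port forwarding, as suggested above, or a transparent proxy), not a cipher suite or certificate problem on the server.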

Notably, I've had a user who has tried the website both on their home internet and on mobile hotspot. Their home internet is Comcast. In the same browser, on the same computer, they can connect fine on hotspot but not on landline.

I will recommend clearing browser caches if anyone gets the issue again, but I'm not sure how to tell Comcast itself to fix their cache or whatever issue they're having with resolving my site.

2 Likes

I would suggest looking into Comcast's internet engineering team... possibly at your local level (I have had some success at this approach); the Corporate site is full of BS.
The caches can be flushed and recreated on the fly, if they are willing to do it.
"Squeaky wheel gets the grease"

Rip

2 Likes