Https redirects to http port & SSL_ERROR_RX_RECORD_TOO_LONG

My domain is:
jayotis.works:433

I ran this command:
certbot certificates

It produced this output:
Found the following certs:
  Certificate Name: jayotis.works
    Domains: jayotis.works
    Expiry Date: 2020-03-07 10:21:27+00:00 (VALID: 47 days)
    Certificate Path: /etc/letsencrypt/live/jayotis.works/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/jayotis.works/privkey.pem

I ran this command:
openssl s_client -connect jayotis.works:433 -servername jayotis.works -showcerts | openssl x509 -text -noout

It produced this output:

depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = jayotis.works
verify return:1
Certificate:
Data:
Version: 3 (0x2)
Serial Number:

Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
Validity
Not Before: Dec 8 10:21:27 2019 GMT
Not After : Mar 7 10:21:27 2020 GMT
Subject: CN = jayotis.works
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:

Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:

X509v3 Authority Key Identifier:
keyid:

        Authority Information Access: 
            OCSP - URI:http://ocsp.int-x3.letsencrypt.org
            CA Issuers - URI:http://cert.int-x3.letsencrypt.org/

        X509v3 Subject Alternative Name: 
            DNS:jayotis.works
        X509v3 Certificate Policies: 
            Policy: 2.23.140.1.2.1
            Policy: 1.3.6.1.4.1.44947.1.1.1
              CPS: http://cps.letsencrypt.org

        CT Precertificate SCTs: 
            Signed Certificate Timestamp:
                Version   : v1 (0x0)
                Log ID    : <snip>
                Timestamp : Dec  8 11:21:27.193 2019 GMT
                Extensions: none
                Signature : ecdsa-with-SHA256
                         <snip>
            Signed Certificate Timestamp:
                Version   : v1 (0x0)
                Log ID    : <snip>
                Timestamp : Dec  8 11:21:27.240 2019 GMT
                Extensions: none
                Signature : ecdsa-with-SHA256
                          <snip>
Signature Algorithm: sha256WithRSAEncryption

I ran this command:
curl -X GET -I http://jayotis.works:8080

It produced this output:

HTTP/1.1 301 Moved Permanently
Date: Mon, 20 Jan 2020 08:21:55 GMT
Server: Apache/2.4.25 (Debian)
X-UA-Compatible: IE=edge
X-Pingback: https://jayotis.works:8080/xmlrpc.php
X-Redirect-By: WordPress
Location: https://jayotis.works:8080/
Content-Length: 0
Content-Type: text/html; charset=UTF-8

My web server is (include version):
WordPress 5.3.2
|Server architecture|Linux 4.4.103+ armv7l|
|Web server|Apache/2.4.25 (Debian)|
|cURL version|7.52.1 OpenSSL/1.0.2u|

My hosting provider, if applicable, is:
NA
I can login to a root shell on my machine:
Yes
I’m using a control panel to manage my site:
no
The version of my client is:
certbot 0.28.0

Sorry for the crazy configuration/setup, 80 and 443 are “filtered” so I use 8080 & 433. I redirected using
Redirect permanent / https://jayotis.works:433
in my 000-default.conf. I have commented that out and am just trying to connect via browser to 433, but it seems to redirect to https://jayotis.works:8080, and I do not have a redirect in default-ssl.conf.
SSLCertificateFile /etc/letsencrypt/live/jayotis.works/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/jayotis.works/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf

Do I need to provide more info?

Hi @krypto

You can’t use one port (8080) with both protocols, http and https. Your curl connects via http, and the result is a redirect to https, the same port.

Your http://jayotis.works:8080/ works, so https://jayotis.works:8080/ produces the expected result

SSL_ERROR_RX_RECORD_TOO_LONG

That isn’t used, the redirect has port 8080 as destination.

Check your config to find that wrong redirect and change it.

Your port 443 is invisible, checking your domain - only timeouts - https://check-your-website.server-daten.de/?q=jayotis.works

2 Likes
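An added example (not part of the thread, and not code from certbot or Apache) showing why `https://` against a plain-HTTP port produces SSL_ERROR_RX_RECORD_TOO_LONG: the client reads the server's plaintext `HTTP/` bytes as a TLS record header, and the resulting length field exceeds the TLS maximum. The function names and the two sample byte strings are constructed for illustration; the URLs are the ones in the curl output above.

```python
import struct
from urllib.parse import urlsplit

# Largest record body a TLS 1.2 peer may send (RFC 5246: 2^14 + 2048 bytes).
MAX_TLS_RECORD = 2**14 + 2048
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}

def parse_as_tls_record(first_bytes: bytes) -> dict:
    """Read the first 5 bytes as a TLS client does: type, version, length."""
    if len(first_bytes) < 5:
        raise ValueError("need at least 5 bytes for a TLS record header")
    ctype, major, minor, length = struct.unpack("!BBBH", first_bytes[:5])
    return {"type": ctype, "version": (major, minor), "length": length}

def classify_listener(first_bytes: bytes) -> str:
    """Classify the first bytes a port sent back after a TLS ClientHello."""
    hdr = parse_as_tls_record(first_bytes)
    if (hdr["type"] in TLS_CONTENT_TYPES and hdr["version"][0] == 3
            and hdr["length"] <= MAX_TLS_RECORD):
        return "tls"
    if first_bytes.startswith((b"HTTP/", b"<")):
        return "plain-http"
    return "unknown"

def redirect_keeps_plain_port(request_url: str, location: str) -> bool:
    """True if an http:// request is redirected to https:// on the same host:port."""
    src, dst = urlsplit(request_url), urlsplit(location)
    return (src.scheme == "http" and dst.scheme == "https"
            and src.hostname == dst.hostname
            and (src.port or 80) == (dst.port or 443))

# Constructed samples: what a plain-HTTP listener and a TLS listener send first.
PLAIN_REPLY = b"HTTP/1.1 400 Bad Request\r\n"
TLS_REPLY = bytes.fromhex("160303005d02")  # handshake record, TLS 1.2, 93 bytes

if __name__ == "__main__":
    hdr = parse_as_tls_record(PLAIN_REPLY)
    # "HTTP/" read as a record header claims a length above MAX_TLS_RECORD.
    print(classify_listener(PLAIN_REPLY), hdr, hdr["length"] > MAX_TLS_RECORD)
    print(classify_listener(TLS_REPLY))
    # Request URL and Location header as they appear in the curl output.
    print(redirect_keeps_plain_port("http://jayotis.works:8080",
                                    "https://jayotis.works:8080/"))
```

Feeding `classify_listener` the first bytes captured from a port after sending a ClientHello tells you whether that port is actually terminating TLS before you chase redirect rules.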

@JuergenAuer Thank you for the response. Correct, that is why I am attempting to run http on 8080 and https on 433.

Yes, it isn’t used because I commented that directive out. I mentioned it for some details on the steps I have tried to make this work.

You are correct, there is a configuration issue and I was hoping to get help with that.

Again you are correct, it is filtered by my ISP so it appears invisible.

Thank you for giving me a second look at my curl request. It seems WordPress (along with many other things) does not like https on port 433 and is causing the 301 redirect to 8080. I have checked the .htaccess file and it looks OK, but I will look further into WordPress for a solution.

Sorry for the poor formatting, I normally don’t post on forums and just now found the preview pane was being covered behind a popup forum message.
