Long Record, No SSL over 443


#1

So, after running this, the checks show that I get "Assessment failed: No secure protocols supported ". I have checked the vhost files created by lets encrypt and they look good. Firefox gives me a “SSL_ERROR_RX_RECORD_TOO_LONG” error when attempting to view the site. The regular HTTP version is still applicable. I host the websites off my own machine at home, using google domains with an A NAME set to get to my machine. I have several sites hosted, they all work dandy. Not sure what else I can do at this point. I’ve tried reinstalling to no avail. Friends have tried to help but when they run requests over HTTPS they get HTTP data back. I have other things installed that require some security (Webmin for example uses HTTPS and works fine). Not sure what’s up. Thanks all!

My domain is: https://www.zealotgaming.com

I ran this command: sudo certbot --apache -d zealotgaming.com -d www.zealotgaming.com

It produced this output:

Deploying Certificate for zealotgaming.com to VirtualHost /etc/apache2/sites-enabled/zealotgaming.com-le-ssl.conf
Deploying Certificate for www.zealotgaming.com to VirtualHost /etc/apache2/sites-enabled/zealotgaming.com-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1

-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://zealotgaming.com and
https://www.zealotgaming.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=zealotgaming.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.zealotgaming.com
-------------------------------------------------------------------------------

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/zealotgaming.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/zealotgaming.com/privkey.pem
   Your cert will expire on 2018-06-16. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

My web server is (include version): Apache version 2.4.18

The operating system my web server runs on is (include version): Ubuntu 16.04 LTS

My hosting provider, if applicable, is: Home Machine Dedicated to Hosting

I can login to a root shell on my machine (yes or no, or I don’t know): Yes (PuTTY)

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No


#2

Please show the 443 configuration file or virtualhost section.


#3

Your webserver software “speaks” plain http over port 443, this is the reason for the error message. Do you have a port forwarding from 443->80 on your home router (assuming you offer your services via your broadband internet access)?


#4

My router is set to forward both Port 80 and 443 to my Server machine for both UDP and TCP, but I don’t think I have 443 set to deliver traffic to 80, that seems beyond my wheelhouse. I am not at home so I cannot tell you more than that, but will post later.

Here is the vhost file /etc/apache2/sites-available/zealotgaming.com-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	
	ServerName zealotgaming.com
	ServerAlias www.zealotgaming.com
	ServerAdmin drmath@zealotgaming.com
	DocumentRoot /var/www/zealotgaming.com/public_html
    
    <Directory />
    	Options Indexes FollowSymLinks MultiViews
    	AllowOverride All
    </Directory>


	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf
Include /etc/letsencrypt/options-ssl-apache.conf
Include /etc/letsencrypt/options-ssl-apache.conf
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/zealotgaming.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/zealotgaming.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

#5

Check the contents of these files to see if connections are reaching this vhost:


#6

Here are the last entries in the access.log file:

XX.XX.XX.XX - - [19/Mar/2018:11:48:03 -0500] "\x16\x03\x01" 400 0 "-" "-"
XX.XX.XX.XX - - [19/Mar/2018:11:48:04 -0500] "\x16\x03\x01" 400 0 "-" "-"
XX.XX.XX.XX - - [19/Mar/2018:11:48:05 -0500] "\x16\x03\x01" 400 0 "-" "-"
XX.XX.XX.XX - - [19/Mar/2018:11:48:10 -0500] "\x16\x03\x01" 400 0 "-" "-"
XX.XX.XX.XX - - [19/Mar/2018:11:48:10 -0500] "\x16\x03\x01" 400 0 "-" "-"
XX.XX.XX.XX - - [19/Mar/2018:11:48:10 -0500] "\x16\x03\x01" 400 0 "-" "-"
XX.XX.XX.XX - - [19/Mar/2018:11:48:11 -0500] "\x16\x03\x01" 400 0 "-" "-"
YY.YY.YY.YY - - [19/Mar/2018:11:48:12 -0500] "\x16\x03\x03\x01\b\x01" 400 0 "-" "-"
XX.XX.XX.XX - - [19/Mar/2018:11:49:14 -0500] "\x16\x03\x01" 400 0 "-" "-"

Nothing in the error.log except PHP errors for some of my sites.


#7

Another thing, I noticed that I have a default site config: /etc/apache2/sites-available/000-default.conf however there is no default ssl site and there never has been. Do I need to create one via Let’s Encrypt for SSL to work?


#8

It doesn’t look as if any of the external connections are reaching your server.

No.


#9

Is there anything I’d need to do on my router besides forward the 443 port to my machine? I have an ASUS RT-N66U (I think, will confirm when home) so do I need to change how traffic is directed somehow?


#10

The \x16\x03\x01 is a TLS 1.0 ClientHello, so this is consistent with the original hypothesis that the server is speaking HTTP instead of HTTPS on port 443, whether as a result of the server configuration or a result of port forwarding. And it’s consistent with the idea that the incoming connections are reaching the server.
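The diagnosis in #10 can be turned into a check that runs over the access.log lines posted in #6: Apache logs the first bytes of a non-HTTP request as C-style escapes, so a request field that decodes to a TLS record header (0x16, then a 0x03xx version) is a TLS client that landed on a plaintext listener. This is an added example, not code from the thread; the sample lines are constructed to match the posted ones.

```python
import re

# Constructed sample lines modelled on the access.log excerpt in the thread
# (client addresses masked as in the original); the third line is a normal
# plaintext request for contrast.
SAMPLE_LOG = r"""
XX.XX.XX.XX - - [19/Mar/2018:11:48:03 -0500] "\x16\x03\x01" 400 0 "-" "-"
YY.YY.YY.YY - - [19/Mar/2018:11:48:12 -0500] "\x16\x03\x03\x01\b\x01" 400 0 "-" "-"
ZZ.ZZ.ZZ.ZZ - - [19/Mar/2018:11:50:00 -0500] "GET / HTTP/1.1" 200 512 "-" "curl/7.47.0"
"""

# "combined" log format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "((?:[^"\\]|\\.)*)" (\d{3}) ')

# Apache writes non-printable request bytes as C-style escapes (\xHH, \b, \n, ...).
_ESC = {"b": 8, "t": 9, "n": 10, "v": 11, "f": 12, "r": 13, "\\": 92, '"': 34}

def unescape_request(field: str) -> bytes:
    """Turn the escaped %r field back into the raw bytes the client sent."""
    out, i = bytearray(), 0
    while i < len(field):
        if field[i] == "\\" and i + 1 < len(field):
            nxt = field[i + 1]
            if nxt == "x" and i + 3 < len(field):
                out.append(int(field[i + 2:i + 4], 16)); i += 4; continue
            if nxt in _ESC:
                out.append(_ESC[nxt]); i += 2; continue
        out.append(ord(field[i])); i += 1
    return bytes(out)

# TLS record header: content type (0x16 = handshake), 2-byte version, 2-byte length.
# A ClientHello's record-layer version is often 0x0301 even from newer clients,
# so the version named here is the record header, not the best version offered.
RECORD_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def describe_tls_record(raw: bytes):
    """Describe raw if it begins like a TLS handshake record, else return None."""
    if len(raw) < 3 or raw[0] != 0x16 or (raw[1] << 8 | raw[2]) not in RECORD_VERSIONS:
        return None
    desc = "TLS handshake record, version " + RECORD_VERSIONS[raw[1] << 8 | raw[2]]
    if len(raw) >= 5:                       # length field survived the log truncation
        desc += f", length {raw[3] << 8 | raw[4]}"
    if len(raw) >= 6 and raw[5] == 0x01:    # first handshake byte: 1 = ClientHello
        desc += ", ClientHello"
    return desc

def find_tls_on_plaintext_port(log_text: str):
    """Return (client, timestamp, status, description) for every logged request that
    was really a TLS handshake: evidence that TLS clients reach an HTTP listener."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            client, ts, req, status = m.groups()
            desc = describe_tls_record(unescape_request(req))
            if desc:
                hits.append((client, ts, int(status), desc))
    return hits
```

Run it against a real access.log and a steady stream of these hits with status 400 and zero bytes is the signature of the 443-to-80 forwarding mistake, as opposed to a certificate or vhost problem.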


#11

Are there any settings I need to particularly look at? It sounds like if it’s getting a response it would more likely be an Apache error? But I literally haven’t touched Apache settings since installing it, just created my virtual hosts and enabled local .htaccess files, and enabled new php modules. That’s pretty much it.


#12

Can you first take a look at your router’s port forwarding to make sure that the public port 443 is forwarded to your server’s port 443?

On the server, you can also try

curl -k https://localhost/

to confirm whether the server itself is speaking HTTP or HTTPS on port 443.
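The curl -k check above asks one question: does the thing listening on this port answer a TLS ClientHello with TLS, or with plain HTTP? This added example (not from the thread) automates that question from the client side and pairs it with a constructed local stand-in for an HTTP listener on the wrong port; run it against your public address and against localhost:443 to tell a router problem from an Apache problem.

```python
import socket
import ssl
import threading

def probe_tls(host: str, port: int, timeout: float = 3.0) -> str:
    """Send a TLS ClientHello to host:port and classify the answer:
    'tls' (handshake completed), 'plaintext' (peer answered with non-TLS bytes,
    e.g. an HTTP response), or 'unreachable' (refused / timed out)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # only asking whether TLS is spoken at all,
    ctx.verify_mode = ssl.CERT_NONE  # not whether the certificate is valid (like curl -k)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "tls"
    except ssl.SSLError:
        # OpenSSL reports "wrong version number" / "record layer failure" when the
        # bytes that come back are not a TLS record. Firefox reports the same
        # situation as SSL_ERROR_RX_RECORD_TOO_LONG.
        return "plaintext"
    except OSError:
        return "unreachable"

def start_plaintext_http_server() -> int:
    """Constructed stand-in for Apache answering HTTP on the TLS port: accepts one
    connection, reads whatever arrives, replies 400 and closes. Returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.recv(65536)  # the ClientHello, which an HTTP parser cannot make sense of
        conn.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n"
                     b"Connection: close\r\n\r\n")
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    port = start_plaintext_http_server()
    print(f"127.0.0.1:{port} speaks: {probe_tls('127.0.0.1', port)}")
```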


#13

I will take a look when I return home. I ran:

curl -k https://localhost/

On the machine via putty and no errors were returned, just new line.

james@WebServ:~$ curl -k https://localhost/
james@WebServ:~$

Is there something special I need to look for to ensure a port is forwarding to the same port on the host machine?


#14

Would you expect your site content to be blank or empty if it were loaded successfully?

I’m not sure; maybe you can tell us what port forwarding settings you find are in place.


#15

I have multiple virtual hosts and nothing in the default folder at all, so yes the basic site I assume would be empty.


#16

I have no idea if this might help but try adding “-i” as a curl flag to view the response headers.


#17

james@WebServ:~$ curl -k -i https://localhost/
HTTP/1.1 301 Moved Permanently
Date: Mon, 19 Mar 2018 19:44:37 GMT
Server: Apache/2.4.18 (Ubuntu)
Set-Cookie: ips4_IPSSessionFront=f4poosp5areh2j1oq1ndcn8m7v; path=/; HttpOnly
Expires: 0
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Content-Length: 0
Location: https://www.coalitionleft.org/
Connection: close
Content-Type: ;charset=UTF-8

james@WebServ:~$

This is one of my other sites that is having similar TLS issues. If it is forwarding to that site, then yes there is a webpage there, an IPS forum setup.


#18

Nonetheless, your server has passed the basic test in this regard because it is, in fact, speaking HTTPS rather than HTTP on port 443. :slight_smile:


#19

We’re narrowing it down! I’m thinking maybe my router is the culprit. I will look at the router settings here in about an hour and a half and reply back with what those settings are to determine if it’s blocking traffic.


#20

After checking, I simply have normal port forwarding for port 443 to my webserver PC.

I’m not sure what else to do.

FIGURED IT OUT!

It was setting all that traffic to port 80 (on the rightmost side). I changed it to 443 and bingo, all working. THANK YOU EVERYONE!