Secure Connection Failed - SSL_ERROR_RX_RECORD_TOO_LONG

I recently used a Digital Ocean one click installer to create an Ubuntu 18.04 installation which included Certbot.

After running certbot and creating the certificate and restarting Apache:

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/bin-depot.co.uk-0001/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/bin-depot.co.uk-0001/privkey.pem
Your cert will expire on 2019-02-09. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew all of your certificates, run
“certbot renew”

… I got no response from my site when trying to connect via HTTPS.

I then updated /etc/apache2/ports.conf to include 443:

Listen 80
Listen 443

Then in /etc/apache2/sites-available I updated ‘default-ssl.conf’ to:

<IfModule mod_ssl.c>
	<VirtualHost _default_:443>
		ServerAdmin webmaster@localhost

		DocumentRoot /var/www/html

		ErrorLog ${APACHE_LOG_DIR}/error.log
		CustomLog ${APACHE_LOG_DIR}/access.log combined

		#   SSL Engine Switch:
		#   Enable/Disable SSL for this virtual host.
		SSLEngine on
		SSLCertificateFile /etc/letsencrypt/live/bin-depot.co.uk-0001/fullchain.pem
		SSLCertificateKeyFile /etc/letsencrypt/live/bin-depot.co.uk-0001/privkey.pem
		Include /etc/letsencrypt/options-ssl-apache.conf
		ServerName bin-depot.co.uk


		SSLVerifyClient require
		SSLVerifyDepth  10

		#   SSL Engine Options:
		SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
		<FilesMatch "\.(cgi|shtml|phtml|php)$">
				SSLOptions +StdEnvVars
		</FilesMatch>
		<Directory /usr/lib/cgi-bin>
				SSLOptions +StdEnvVars
		</Directory>

		#   SSL Protocol Adjustments:
		 BrowserMatch "MSIE [2-6]" \
				nokeepalive ssl-unclean-shutdown \
				downgrade-1.0 force-response-1.0

	</VirtualHost>
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

This is what my 000-default.conf looks like:

<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        <Directory /var/www/html/>
            Options FollowSymLinks
            AllowOverride All
            Require all granted
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Firefox is reporting the error “Secure Connection Failed - SSL_ERROR_RX_RECORD_TOO_LONG”

I’m fairly sure I’m making some mistakes with the above. Can anyone point me in the right direction? Domain is https://bin-depot.co.uk.

Hi,

It seems that you did not specify the SSL protocol and cipher to use in the virtual host… Did you specify those elsewhere?

Thank you

Hi Steve, how and where do I place this information? Other than the above I haven’t edited other files.

Just to add to this, adding the following code:

<VirtualHost *:80>
        ServerAdmin dan@***.com
        DocumentRoot /var/www/html

        <Directory /var/www/html/>
            Options FollowSymLinks
            AllowOverride All
            Require all granted
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

#get encrypted requests:
<VirtualHost *:443>
    ServerName bin-depot.co.uk
    ServerAlias www.bin-depot.co.uk
    ServerAdmin dan@***.com

    # include tls key and certificates:
    SSLEngine On
    SSLCertificateFile /etc/letsencrypt/live/bin-depot.co.uk/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/bin-depot.co.uk/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf

    #directory config:
    DocumentRoot /var/www/html
    <Directory /var/www/html/>
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    #logging:
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

…to ‘000-default.conf’ breaks apache with the error:

Job for apache2.service failed because the control process exited with error code.

See "systemctl status apache2.service" and "journalctl -xe" for details.

Hi @dan382,

Two things.

1.- Did you enable the ssl module?

sudo a2enmod ssl
sudo systemctl restart apache2

2.- In your conf you are using this path to define the certificate and privkey /etc/letsencrypt/live/bin-depot.co.uk/... but in the output of your certbot command the path for your cert is /etc/letsencrypt/live/bin-depot.co.uk-0001/... so which one is the right one?

You can check the certificates issued using this command:

sudo certbot certificates

Cheers,
sahsanu
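
The configuration described in this thread (a bare `Listen 443`, `default-ssl.conf` present only in sites-available, mod_ssl not loaded) leaves Apache answering port 443 in plain HTTP, which is what browsers report as SSL_ERROR_RX_RECORD_TOO_LONG. The shell check below is an added example, not part of any post; `check_apache_tls` and `make_sample_tree` are hypothetical names and the directory tree is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the thread): static check for "port 443 is open
# but nothing on it speaks TLS" in a Debian/Ubuntu Apache layout.
# Simplification: <IfModule> nesting and Include chains are not evaluated.

check_apache_tls() {    # usage: check_apache_tls [ROOT]; returns number of findings
    root=${1:-/etc/apache2}; findings=0
    grep -Eqs '^[[:space:]]*Listen[[:space:]]+([^[:space:]]+:)?443([[:space:]]|$)' \
        "$root/ports.conf" || { echo "ok: no Listen 443"; return 0; }
    # a2enmod ssl creates mods-enabled/ssl.load; without it SSLEngine is unknown.
    if [ ! -e "$root/mods-enabled/ssl.load" ]; then
        echo "FINDING: Listen 443 set but mod_ssl is not enabled (a2enmod ssl)"
        findings=$((findings + 1))
    fi
    # Only files linked into sites-enabled are loaded; sites-available is inert.
    tls_vhost=0
    for f in "$root"/sites-enabled/*.conf; do
        [ -e "$f" ] || continue
        if grep -Eqi '^[[:space:]]*<VirtualHost[[:space:]][^>]*:443' "$f" &&
           grep -Eqi '^[[:space:]]*SSLEngine[[:space:]]+on' "$f"; then
            tls_vhost=1
        fi
    done
    if [ "$tls_vhost" -eq 0 ]; then
        echo "FINDING: no enabled vhost on :443 has SSLEngine on; 443 would answer in plain HTTP"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ] && echo "ok: TLS vhost enabled on 443"
    return "$findings"
}

make_sample_tree() {    # constructed sample mirroring the thread's starting state
    d=$1; mkdir -p "$d/sites-available" "$d/sites-enabled" "$d/mods-enabled"
    printf 'Listen 80\nListen 443\n' > "$d/ports.conf"
    printf '<VirtualHost *:80>\n\tDocumentRoot /var/www/html\n</VirtualHost>\n' \
        > "$d/sites-available/000-default.conf"
    printf '<IfModule mod_ssl.c>\n\t<VirtualHost _default_:443>\n\t\tSSLEngine on\n\t</VirtualHost>\n</IfModule>\n' \
        > "$d/sites-available/default-ssl.conf"
    ln -s ../sites-available/000-default.conf "$d/sites-enabled/000-default.conf"
}

demo=$(mktemp -d)
make_sample_tree "$demo"
check_apache_tls "$demo" || true    # reports both findings for the sample tree
rm -rf "$demo"
```

On a real server, run `check_apache_tls /etc/apache2`; a return status of 0 means an enabled virtual host on port 443 has `SSLEngine on` and mod_ssl is loaded.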


Please also show:
ls -l /etc/apache2/sites-enabled/
grep -Eri 'servername|serveralias|80|443' /etc/apache/sites-enabled/

Ran: ls -l /etc/apache2/sites-enabled/ and got the output:

total 0

lrwxrwxrwx 1 www-data www-data 35 Oct 3 14:31 000-default.conf -> ../sites-available/000-default.conf

However, grep -Eri 'servername|serveralias|80|443' /etc/apache/sites-enabled/ created the following error:

grep -Eri 'servername|serveralias|80|443' /etc/apache/sites-enabled/

grep: /etc/apache/sites-enabled/: No such file or directory

Think I’ve run certbot more than once. Both appear to be correct:

Found the following certs:
  Certificate Name: bin-depot.co.uk
    Domains: bin-depot.co.uk www.bin-depot.co.uk
    Expiry Date: 2019-02-08 09:34:39+00:00 (VALID: 87 days)
    Certificate Path: /etc/letsencrypt/live/bin-depot.co.uk/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/bin-depot.co.uk/privkey.pem
  Certificate Name: bin-depot.co.uk-0001
    Domains: bin-depot.co.uk
    Expiry Date: 2019-02-09 22:16:49+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/bin-depot.co.uk-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/bin-depot.co.uk-0001/privkey.pem

I’ve corrected both to be the latest ‘bin-depot.co.uk-0001’ versions.

Not sure which step has helped, but things looked to have clicked. I can now connect to the site over HTTPS. Thanks for the feedback. It might have simply been the command:

sudo a2enmod ssl


Hi @dan382,

Yes, seems activating ssl module solved the problem ;)

Just one thing, the certificate with 0001 suffix only covers your main domain, the other one covers the main domain and www subdomain so I would use this.

Modify again your apache conf to point the SSL directives to path /etc/letsencrypt/live/bin-depot.co.uk/ instead of /etc/letsencrypt/live/bin-depot.co.uk-0001/, restart apache, check if you can access your site and then remove the certificate covered by cert name bin-depot.co.uk-0001.

sudo certbot delete

And select the number of the certificate with name bin-depot.co.uk-0001

or if your certbot version is a recent version you can use directly this command:

sudo certbot delete --cert-name bin-depot.co.uk-0001

Cheers,
sahsanu

Thanks Sahsanu, I’ll make sure that gets done next.

