Secure Connection Failed - SSL_ERROR_RX_RECORD_TOO_LONG


#1

I recently used a Digital Ocean one click installer to create an Ubuntu 18.04 installation which included Certbot.

After running certbot and creating the certificate and restarting Apache:

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/bin-depot.co.uk-0001/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/bin-depot.co.uk-0001/privkey.pem
Your cert will expire on 2019-02-09. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew all of your certificates, run
“certbot renew”

… I got no response from my site when trying to connect via HTTPS.

I then updated /etc/apache2/ports.conf to include 443:

Listen 80
Listen 443

Then in /etc/apache2/sites-available I updated ‘default-ssl.conf’ to:

<IfModule mod_ssl.c>
	<VirtualHost _default_:443>
		ServerAdmin webmaster@localhost

		DocumentRoot /var/www/html

		ErrorLog ${APACHE_LOG_DIR}/error.log
		CustomLog ${APACHE_LOG_DIR}/access.log combined

		#   SSL Engine Switch:
		#   Enable/Disable SSL for this virtual host.
		SSLEngine on
		SSLCertificateFile /etc/letsencrypt/live/bin-depot.co.uk-0001/fullchain.pem
		SSLCertificateKeyFile /etc/letsencrypt/live/bin-depot.co.uk-0001/privkey.pem
		Include /etc/letsencrypt/options-ssl-apache.conf
		ServerName bin-depot.co.uk


		SSLVerifyClient require
		SSLVerifyDepth  10

		#   SSL Engine Options:
		SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
		<FilesMatch "\.(cgi|shtml|phtml|php)$">
				SSLOptions +StdEnvVars
		</FilesMatch>
		<Directory /usr/lib/cgi-bin>
				SSLOptions +StdEnvVars
		</Directory>

		#   SSL Protocol Adjustments:
		BrowserMatch "MSIE [2-6]" \
				nokeepalive ssl-unclean-shutdown \
				downgrade-1.0 force-response-1.0

	</VirtualHost>
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

This is what my 000-default.conf looks like:

<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        <Directory /var/www/html/>
            Options FollowSymLinks
            AllowOverride All
            Require all granted
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Firefox is reporting the error “Secure Connection Failed - SSL_ERROR_RX_RECORD_TOO_LONG”

I’m fairly sure I’m making some mistakes with the above. Can anyone point me in the right direction? Domain is https://bin-depot.co.uk.


#2

Hi,

It seems that you did not specify the SSL protocol and cipher to use in the virtual host… Did you specify those elsewhere?

Thank you


#3

Hi Steve, how and where do I place this information? Other than the above I haven’t edited other files.


#4

Just to add to this, adding the following code:

<VirtualHost *:80>
        ServerAdmin dan@***.com
        DocumentRoot /var/www/html

        <Directory /var/www/html/>
            Options FollowSymLinks
            AllowOverride All
            Require all granted
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

#get encrypted requests:
<VirtualHost *:443>
    ServerName bin-depot.co.uk
    ServerAlias www.bin-depot.co.uk
    ServerAdmin dan@***.com

    # include tls key and certificates:
    SSLEngine On
    SSLCertificateFile /etc/letsencrypt/live/bin-depot.co.uk/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/bin-depot.co.uk/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf

    #directory config:
    DocumentRoot /var/www/html
    <Directory /var/www/html/>
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    #logging:
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

…to ‘000-default.conf’ breaks apache with the error:

Job for apache2.service failed because the control process exited with error code.

See "systemctl status apache2.service" and "journalctl -xe" for details.

#5

Hi @dan382,

Two things.

1.- Did you enable the ssl module?

sudo a2enmod ssl
sudo systemctl restart apache2

2.- In your conf you are using this path to define the certificate and privkey /etc/letsencrypt/live/bin-depot.co.uk/... but in the output of your certbot command the path for your cert is /etc/letsencrypt/live/bin-depot.co.uk-0001/... so which one is the right one?

You can check the certificates issued using this command:

sudo certbot certificates

Cheers,
sahsanu


#6

Please also show:
ls -l /etc/apche2/sites-enabled/
grep -Eri 'servername|serveralias|80|443' /etc/apache/sites-enabled/


#7

Ran: ls -l /etc/apache2/sites-enabled/ and got the output:

total 0

lrwxrwxrwx 1 www-data www-data 35 Oct 3 14:31 000-default.conf -> ../sites-available/000-default.conf

However, grep -Eri 'servername|serveralias|80|443' /etc/apache/sites-enabled/ created the following error:

grep -Eri 'servername|serveralias|80|443' /etc/apache/sites-enabled/

grep: /etc/apache/sites-enabled/: No such file or directory

#8

Think I’ve run certbot more than once. Both appear to be correct:

Found the following certs:
  Certificate Name: bin-depot.co.uk
    Domains: bin-depot.co.uk www.bin-depot.co.uk
    Expiry Date: 2019-02-08 09:34:39+00:00 (VALID: 87 days)
    Certificate Path: /etc/letsencrypt/live/bin-depot.co.uk/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/bin-depot.co.uk/privkey.pem
  Certificate Name: bin-depot.co.uk-0001
    Domains: bin-depot.co.uk
    Expiry Date: 2019-02-09 22:16:49+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/bin-depot.co.uk-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/bin-depot.co.uk-0001/privkey.pem

I’ve corrected both to be the latest ‘bin-depot.co.uk-0001’ versions.

Not sure which step has helped, but things looked to have clicked. I can now connect to the site over HTTPS. Thanks for the feedback. It might have simply been the command:

sudo a2enmod ssl


#9

Hi @dan382,

Yes, seems activating ssl module solved the problem

Just one thing, the certificate with 0001 suffix only covers your main domain, the other one covers the main domain and www subdomain so I would use that one.

Modify again your apache conf to point the SSL directives to path /etc/letsencrypt/live/bin-depot.co.uk/ instead of /etc/letsencrypt/live/bin-depot.co.uk-0001/, restart apache, check if you can access your site and then remove the certificate covered by cert name bin-depot.co.uk-0001.

sudo certbot delete

And select the number of the certificate with name bin-depot.co.uk-0001

or if your certbot version is a recent version you can use directly this command:

sudo certbot delete --cert-name bin-depot.co.uk-0001

Cheers,
sahsanu


#10

Thanks Sahsanu, I’ll make sure that gets done next.