Shifting HTTPS Port from 7443 to 8443

CP_DP3 · February 9, 2021, 1:46pm

Hi guys,

Via acme.sh / DNS challenge i have got LE certs and my linux server is running fine in my home network guarded by a pfsense firewall.

Renewals have all gone fine. However recently i have tried to change the apache vhost port to 8443 ( opened the port up via NAT in pfsense too ) from 7443

and ....

Firefox gives error 'Error code: SSL_ERROR_RX_RECORD_TOO_LONG'
Chrome gives error 'ERR_SSL_PROTOCOL_ERROR'

When i change back to 7443, all is good and https is functional.

What is the issue ?
Do i need to get new certs bcos i am changing the ports or bcos i enabled
HSTS in my vhost ?

Pls advise.

JuergenAuer · February 9, 2021, 2:49pm

Hi @CP_DP3

that error says: Your port is a http port, you can't connect a http port via https.

See

https://community.letsencrypt.org:80/

Same error message - client uses https, but server sends a correct http answer. So it's not a small handshake, it's a complete page -> too long.

-> Your port 8443 is a http port, not a https.

What says

apachectl -S

narcoczen · February 9, 2021, 6:03pm

I am running on a non standard https port ( non 443 ) as well ...

JuergenAuer · February 9, 2021, 6:05pm

Hi @narcoczen

if you use dns validation (like @CP_DP3 ), the port isn't relevant.

If you use http validation, you must use port 80.

narcoczen · February 9, 2021, 6:07pm

Yep DNS validation ... via acme.sh

Osiris · February 9, 2021, 6:21pm

It's probably due to a lacking SSLEngine directive. SSLEngine is probably set somewhere in one of the port 7443 VirtualHosts and I guess it's inherited to other similar VirtualHosts, but not to your new VirtualHost with a new port, where Apache doesn't have a previous related VirtualHost to fall back to.

CP_DP3 · February 9, 2021, 6:25pm

Yes, i am using a non standard https port - 7443

Output of

#apachectl -S

VirtualHost configuration:

*:7443 is a NameVirtualHost

port 7443 namevhost devkop.mycustomdomain.com (/etc/apache2/vhosts.d/kop_dev.conf:19)
alias devkop
port 7443 namevhost devtest.mycustomdomain.com (/etc/apache2/vhosts.d/test_dev.conf:20)
alias devtest
port 7443 namevhost devcmv.mycustomdomain.com (/etc/apache2/vhosts.d/cmv_dev.conf:19)
alias devcmv
port 7443 namevhost lnxadm6.mycustomdomain.com (/etc/apache2/vhosts.d/lnxadm6.conf:22)
alias lnxadm6

ServerRoot: "/srv/www"
Main DocumentRoot: "/srv/www/htdocs"
Main ErrorLog: "/var/log/apache2/error_log"
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex rewrite-map: using_defaults
PidFile: "/var/run/httpd.pid"
Define: SYSCONFIG
Define: SSL
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
Define: MODSEC_2.5
Define: MODSEC_2.9
User: name="wwwrun" id=30
Group: name="www" id=8

Pls note that i have no issue running on 7443. Also i have used an online ssl checker
( Check SSL Certificate ) to check my setup and everything was green. I just want to shift it to 8443 from 7443

CP_DP3 · February 9, 2021, 6:38pm

Hi ...

#   Enable/Disable SSL for this virtual host
    SSLEngine on

But you have raised an interesting point ... To make the change to 8443, i only changed one of the vhost
to 8443, i left all the rest at 7443.

Do i have to change all to 8443 and then restart apache ?

Osiris · February 9, 2021, 6:35pm

I have no idea what you mean with "change all to 7443". That's the current situation, right?

All I'm saying you should add SSLEngine on to the newly changed port 8443 virtualhost.

CP_DP3 · February 9, 2021, 6:41pm

Noted. Yes ...

The new vhost is just a copy of the old vhost with the port changed.

#   Enable/Disable SSL for this virtual host
    SSLEngine on

#   Force only HTTPS for the next 30 days                                        
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains;"

#   Per vhost certificates  
    SSLCertificateFile      /etc/apache2/ssl_certs/mycustomdomain.com.cer
    SSLCertificateKeyFile   /etc/apache2/ssl_certs/mycustomdomain.com.key
    SSLCertificateChainFile /etc/apache2/ssl_certs/mycustomdomain.com.cer

CP_DP3 · February 10, 2021, 8:14pm

Thank you Osiris ....
Your hint paid off... I removed all the other vhosts except the new one with new port and it worked immediately ..so one of the vhosts was problematic .... I will hunt that down ...

Thanks once again ! BIG BIG THANK YOU !
And to the rest who took time off to reply as well. Thanks !

system · March 12, 2021, 1:38pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.