"SSL_ERROR_BAD_CERT_DOMAIN" OR "SSL_ERROR_RX_RECORD_TOO_LONG" error After add a domain with ACME

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.searchintegral.com

I ran this command: https://www.searchintegral.com

It produced this output:
SSL_ERROR_BAD_CERT_DOMAIN
SSL_ERROR_RX_RECORD_TOO_LONG

My web server is (include version):
nginx 1.10.3

The operating system my web server runs on is (include version):
ubuntu server 16.04

My hosting provider, if applicable, is:
inhouse

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

Detail staus is as below:

1. Before
   https://www.searchintegral.com ok without any problem

2. After

   • using https://www.ollegustafsson.com/en/letsencrypt-routeros/
     to get router.searchintegral.com certificate from lets encrypt with the acme.sh
   • display
     [Thu Mar 1 16:56:47 CST 2018] Le_LinkCert=‘https://acme-v01.api.letsencrypt.org/acme/cert/0448486ee4e5a29ba5f51c56966013071cc9’
     [Thu Mar 1 16:56:47 CST 2018] Cert success.

• but the key file lenght is zero
  -rw-rw-r-- 1 remote remote 1648 Mar 1 17:50 router.searchintegral.com.cer
  -rw-rw-r-- 1 remote remote 846 Mar 1 17:50 router.searchintegral.com.conf
  -rw-rw-r-- 1 remote remote 1005 Mar 1 16:56 router.searchintegral.com.csr
  -rw-rw-r-- 1 remote remote 220 Mar 1 16:56 router.searchintegral.com.csr.conf
  -rw-rw-r-- 1 remote remote 0 Mar 1 17:50 router.searchintegral.com.key

3. Error status

   • https://www.searchintegral.com using chrome or firefox gets the following errors:
     • SSL_ERROR_BAD_CERT_DOMAIN
     • SSL_ERROR_RX_RECORD_TOO_LONG
   • using curl -v https://www.searchintegral.cm gets
     • remote@elasticSearch:~/.acme.sh$ curl -v https://www.searchintegral.com
       Rebuilt URL to: https://www.searchintegral.com/
       Trying 59.124.243.190…
       Connected to www.searchintegral.com (59.124.243.190) port 443 (#0)
       found 148 certificates in /etc/ssl/certs/ca-certificates.crt
       found 592 certificates in /etc/ssl/certs
       ALPN, offering http/1.1
       gnutls_handshake() failed: An unexpected TLS packet was received.
       Closing connection 0
       curl: (35) gnutls_handshake() failed: An unexpected TLS packet was received.

4. Action

   • remove certificate with acme.sh
     remote@elasticSearch:~/.acme.sh$ ./acme.sh --remove -d router.searchintegral.com
     [Mon Mar 5 11:09:31 CST 2018] router.searchintegral.com is removed, the key and cert files are in
     /home/remote/.acme.sh/router.searchintegral.com
     [Mon Mar 5 11:09:31 CST 2018] You can remove them by yourself.

   • delete the TXT record from DNS

   • check the certificate status from
     https://crt.sh/?q=router.searchintegral.com Certificates
     crt.sh ID Logged At ⇧ Not Before Issuer Name
     344591435 2018-03-01 2018-03-01 C=US, O=Let’s Encrypt, CN=Let’s Encrypt Authority X3

     https://crt.sh/?q=router.searchintegral.com
     crt.sh ID Logged At ⇧ Not Before Issuer Name
     337059996 2018-02-21 2018-02-21 C=US, O=Let’s Encrypt, CN=Let’s Encrypt Authority X3
     285614082 2017-12-23 2017-12-23 C=US, O=Let’s Encrypt, CN=Let’s Encrypt Authority X3
     238974599 2017-10-24 2017-10-24 C=US, O=Let’s Encrypt, CN=Let’s Encrypt Authority X3
     190032535 2017-08-14 2017-08-14 C=US, O=Let’s Encrypt, CN=Let’s Encrypt Authority X3
     154477173 2017-06-15 2017-06-15 C=US, O=Let’s Encrypt, CN=Let’s Encrypt Authority X3

5. Current staus

   • https://www.searchintegral.com/ - still get the same error

Are there anything that I forget ?
Thanks for your help …

I’m not sure what your router.~ experiments have anything to do with your www.~ hostname, but I do know your webserver for www.searchintegral.com is speaking HTTP on port 443 and not HTTPS. Looks like a webserver misconfiguration with not enabeling TLS on port 443.

Indeed.

You need to have this in your nginx:

listen 443 ssl http2;

whereas you currently probably just have:

listen 443;

Hi, nginx 's ssl server block is as follow:

server {
# SSL configuration
#
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
…
…
}

and it used to work before.

Although I modified my nginx config from above to
server {
# SSL configuration
#
listen 443 ssl http2;
listen [::]:443 ssl http2;
…
…
}

and reload nginx service, but still with no luck …

Hi Osiris,

1. I used Mirkrotik router as firewall.
2. regarding “but I do know your webserver for www.searchintegral.com is speaking HTTP on port 443 and
   not HTTPS”, how can I know ? via browser, it tell me that certificate is valid for www.searchintegral.com
   and throws me “SSL_ERROR_BAD_CERT_DOMAIN” error. As you can see from above post, this LE
   has been running from 2017/06/15 without any problems, and I am sure the nginx’s config is there not
   modified from that time.

anything I need to check ? Thanks,

problem solved, as Osiris said, I checked again the 80 port from the firewall and found:

1. firewall’s NAT rules change, just forward the 80, 443 port to internet web server’s 80

so I changed inteernal web server to accept all the port from the NAT and now it is OK.

Thank you ~

You forwarded external port 443 to internal port 80?

Or am I misinterpreting something?

typing error when combine firewall rule.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.