Ssl_error_rx_record_too_long error

Hello,
I need some help; SSL is not working.
After installing certbot on an AWS Lightsail machine (OS: Ubuntu 20.04 LTS - Focal, NGINX web server), I am getting this error for https connections: SSL_ERROR_RX_RECORD_TOO_LONG.
It is not redirecting from http to https.

My domain is: contabilidad.tbeotours.com

I tested the installation of the SSL on https://www.ssllabs.com and got A grade.

I am using this odoo conf.

#odoo server
upstream odoo {
  server 127.0.0.1:8069;
}
upstream odoochat {
  server 127.0.0.1:8072;
}

# http -> https
server {
  listen 80;
  server_name contabilidad.tbeotours www.contabilidad.tbeotours;
  rewrite ^(.*) https://$host$1 permanent;
}

server {
  listen 443 ssl;
  server_name contabilidad.tbeotours ww.contabilidad.tbeotours;
  proxy_read_timeout 720s;
  proxy_connect_timeout 720s;
  proxy_send_timeout 720s;

  # Add Headers for odoo proxy mode
  proxy_set_header X-Forwarded-Host $host;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Forwarded-Proto $scheme;
  proxy_set_header X-Real-IP $remote_addr;

  # SSL parameters
  HERE (I put them here)
  
  #ssl_prefer_server_ciphers off;

  # log
  access_log /var/log/nginx/odoo.access.log;
  error_log /var/log/nginx/odoo.error.log;

  # Redirect longpoll requests to odoo longpolling port
  location /longpolling {
    proxy_pass http://odoochat;
  }

  # Redirect requests to odoo backend server
  location / {
    proxy_redirect off;
    proxy_pass http://odoo;
  }

  # common gzip
  gzip_types text/css text/scss text/plain text/xml application/xml application/json application/javascript;
  gzip on;
}

I am a basic user. I would like to receive specific instructions or examples.

Best regards

That's not what I'm seeing; I'm getting a redirect to https://odoo, which will never work. Your hostname correctly redirects to https:

 dan@Dan-MBP-2013  ~  curl -v http://contabilidad.tbeotours.com
*   Trying 23.22.103.250...
* TCP_NODELAY set
* Connected to contabilidad.tbeotours.com (23.22.103.250) port 80 (#0)
> GET / HTTP/1.1
> Host: contabilidad.tbeotours.com
> User-Agent: curl/7.64.1
> Accept: */*
> 
< HTTP/1.1 301 Moved Permanently
< Server: nginx/1.18.0 (Ubuntu)
< Date: Tue, 20 Sep 2022 03:58:17 GMT
< Content-Type: text/html
< Content-Length: 178
< Connection: keep-alive
< Location: https://contabilidad.tbeotours.com/
< 
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.18.0 (Ubuntu)</center>
</body>
</html>
* Connection #0 to host contabilidad.tbeotours.com left intact
* Closing connection 0

But the https page then redirects to https://odoo:

dan@Dan-MBP-2013  ~  curl -v https://contabilidad.tbeotours.com/
*   Trying 23.22.103.250...
* TCP_NODELAY set
* Connected to contabilidad.tbeotours.com (23.22.103.250) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=contabilidad.tbeotours.com
*  start date: Sep 16 22:24:38 2022 GMT
*  expire date: Dec 15 22:24:37 2022 GMT
*  subjectAltName: host "contabilidad.tbeotours.com" matched cert's "contabilidad.tbeotours.com"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: contabilidad.tbeotours.com
> User-Agent: curl/7.64.1
> Accept: */*
> 
< HTTP/1.1 303 SEE OTHER
< Server: nginx/1.18.0 (Ubuntu)
< Date: Tue, 20 Sep 2022 03:58:37 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 215
< Connection: keep-alive
< Location: http://odoo/web
< Set-Cookie: session_id=6983daacc9f4b937d1b9c61ebed26fcbf72c491d; Expires=Mon, 19-Dec-2022 03:58:37 GMT; Max-Age=7776000; HttpOnly; Path=/
< 
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>Redirecting...</title>
<h1>Redirecting...</h1>
* Connection #0 to host contabilidad.tbeotours.com left intact
<p>You should be redirected automatically to target URL: <a href="/web">/web</a>.  If not click the link.* Closing connection 0

You should check with whatever support mechanisms exist for Ubuntu or Odoo; your problem has nothing to do with Let's Encrypt.

4 Likes
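The check below is an added example, not code from the thread, that flags a Location header like the http://odoo/web one in Dan's trace: a bare upstream name, a host other than the public one, and an https-to-http downgrade. PUBLIC_HOST is the thread's domain; the request/response pairs in the usage section are reconstructed from the quoted curl output.

```python
from urllib.parse import urlsplit

# Public name of the site, as given in the thread.
PUBLIC_HOST = "contabilidad.tbeotours.com"


def check_redirect(request_url: str, location: str,
                   public_host: str = PUBLIC_HOST) -> list:
    """Return a list of problems with a Location header; empty means it is fine."""
    req = urlsplit(request_url)
    loc = urlsplit(location)
    problems = []
    if not loc.scheme and not loc.netloc:
        return problems          # relative target: stays on the same origin
    host = loc.hostname or ""
    if "." not in host:
        # "odoo" is the nginx upstream name, not a name any browser can resolve
        problems.append("target host %r is a bare name, not reachable from the Internet" % host)
    if host != public_host:
        problems.append("target host %r is not the public host %r" % (host, public_host))
    if req.scheme == "https" and loc.scheme == "http":
        problems.append("downgrade from https to http")
    return problems


# Constructed from the two curl exchanges quoted above.
if __name__ == "__main__":
    print(check_redirect("http://contabilidad.tbeotours.com/",
                         "https://contabilidad.tbeotours.com/"))   # []
    print(check_redirect("https://contabilidad.tbeotours.com/",
                         "http://odoo/web"))                        # three findings
```

With proxy_pass http://odoo, nginx forwards Host: odoo upstream by default unless proxy_set_header Host $host is set, so a backend that builds absolute URLs from Host (and does not trust the X-Forwarded-* headers until its proxy mode is enabled) redirects to exactly the target this check flags.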

I see a couple of typos:

Both lines are missing ".com"
One line is missing one "w" (from "www")

3 Likes

Hello

Odoo uses port 8069.
When you type http://contabilidad.tbeotours.com:8069/ it takes you to the login session.

When you type https://contabilidad.tbeotours.com:8069/ you get the error SSL_ERROR_RX_RECORD_TOO_LONG.


SERVER CONFIG

#odoo server
upstream odoo {
  server 127.0.0.1:8069;
}
upstream odoochat {
  server 127.0.0.1:8072;
}


# http -> https
server {
  listen 80;
  server_name contabilidad.tbeotours.com www.contabilidad.tbeotours.com;
  return 301 https://contabilidad.tbeotours.com$request_uri;
}

server {
  listen 443 ssl;
  server_name contabilidad.tbeotours.com www.contabilidad.tbeotours.com;
  proxy_read_timeout 720s;
  proxy_connect_timeout 720s;
  proxy_send_timeout 720s;

  # Add Headers for odoo proxy mode
  proxy_set_header X-Forwarded-Host $host;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Forwarded-Proto $scheme;
  proxy_set_header X-Real-IP $remote_addr;


  # SSL parameters
  ssl_certificate /etc/letsencrypt/live/contabilidad.tbeotours.com/fullchain.pem; 
  ssl_certificate_key /etc/letsencrypt/live/contabilidad.tbeotours.com/privkey.pem; 
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; 
  include /etc/letsencrypt/options-ssl-nginx.conf; 


  #ssl_prefer_server_ciphers off;

  # log
  access_log /var/log/nginx/odoo.access.log;
  error_log /var/log/nginx/odoo.error.log;

  # Redirect longpoll requests to odoo longpolling port
  location /longpolling {
    proxy_pass http://odoochat;
  }

  # Redirect requests to odoo backend server
  location / {
    proxy_redirect off;
    proxy_pass http://odoo;
  }

  # common gzip
  gzip_types text/css text/scss text/plain text/xml application/xml application/json application/javascript;
  gzip on;
}

Is there a NAT or port forwarding setting?

2 Likes

That's to be expected. If port 8069 isn't configured for TLS (as it works with http://), it will error when you try to use TLS by using https://.

3 Likes
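Why a TLS client reports "record too long" when it hits a plaintext port, as an added example that is not from the thread: the client reads the first 5 bytes of the reply as a TLS record header, and the ASCII status line "HTTP/" parses as a length of 0x502F = 20527 bytes, above the largest record TLS allows. The sample replies are constructed, not captured from the server in the thread.

```python
import struct

# Largest record a TLS 1.2 client accepts: a 2^14-byte fragment plus up to
# 2048 bytes of expansion (RFC 5246, section 6.2.3). Anything larger is
# rejected before any further parsing, which is the "record too long" case.
MAX_TLS_RECORD = 16384 + 2048

TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}


def parse_record_header(data: bytes) -> dict:
    """Read the first 5 bytes of a reply as a TLS record header
    (1 byte content type, 2 bytes version, 2 bytes length)."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes to parse a TLS record header")
    content_type, version, length = struct.unpack("!BHH", data[:5])
    return {
        "content_type": content_type,
        "type_name": TLS_CONTENT_TYPES.get(content_type, "invalid"),
        "version": version,
        "length": length,
        "too_long": length > MAX_TLS_RECORD,
    }


def diagnose(first_bytes: bytes) -> str:
    """Classify what a port answered a ClientHello with."""
    hdr = parse_record_header(first_bytes)
    if hdr["type_name"] != "invalid" and not hdr["too_long"]:
        return "tls"
    # A plaintext HTTP server typically answers a ClientHello with a 400;
    # its ASCII status line is what the client misreads as a record header.
    if first_bytes.startswith(b"HTTP/"):
        return "plaintext-http"
    return "not-tls"


# Constructed samples (not captured from the thread's server):
# 1) what a plain HTTP listener such as Odoo on 8069 would send back
PLAINTEXT_REPLY = b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
# 2) the start of a genuine TLS 1.2 ServerHello record (handshake, 90 bytes)
TLS_REPLY = b"\x16\x03\x03\x00\x5a\x02\x00\x00\x56\x03\x03"

if __name__ == "__main__":
    for sample in (PLAINTEXT_REPLY, TLS_REPLY):
        h = parse_record_header(sample)
        print(diagnose(sample), hex(h["content_type"]), h["length"], h["too_long"])
```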

What was the point of putting the odoo server behind a proxy, if you are allowing it to be hit directly?:

I suspect it was to encrypt a connection that was otherwise unencryptable.

3 Likes

You can't speak both protocols on the same port, so as @Osiris said, this is exactly as expected. But I'll echo Rudy's question: what's the point of the reverse proxy if you're exposing port 8069 to the Internet?

And in this case, it seems your Nginx configuration is utterly irrelevant, as Nginx isn't listening on port 8069. The more you say, the less it has to do with Let's Encrypt. You need support for Nginx, Odoo, and/or Ubuntu; we provide none of those here.

4 Likes

I agree with the other posters: I think you need general help with nginx, Odoo, and AWS configuration. The way you have it configured in nginx is with a proxy to http://odoo, which means this:

https://contabilidad.tbeotours.com

should have nginx satisfying the TLS connection and then proxy to odoo (http://127.0.0.1:8069).

But, this fails (right now) because port 443 is closed. You might not have it open in your EC2 Security Group.

And, you don't need port 8069 open to the internet if you proxy like this.

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.