SSL_ERROR_RX_RECORD_TOO_LONG on debian 9 apache 2

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
webologix.com

I ran this command:
certbot --apache

It produced this output:
Created an SSL vhost at /etc/apache2/sites-available/webologix.com.vhost-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/webologix.com.vhost-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/webologix.com.vhost-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/webologix.com.vhost-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.


1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you’re confident your site works on HTTPS. You can undo this
change by editing your web server’s configuration.


Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 1


Congratulations! You have successfully enabled https://webologix.com and
https://www.webologix.com

My web server is (include version):
Apache/2.4.38 (Debian)

The operating system my web server runs on is (include version):
Debian GNU/Linux 9 (stretch)

My hosting provider, if applicable, is:
OVH

I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.31.0

https://www.ssllabs.com/ssltest/analyze.html?d=www.webologix.com&latest test gives

SSL_ERROR_RX_RECORD_TOO_LONG


You are serving http on port 443, instead of httpS: http://webologix.com:443/


Hi @kmc

if you have that error, your port 443 is a http port.

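Why a TLS client reports a "record too long" error when port 443 answers in plain HTTP, as an added example that is not part of the thread: read as a TLS record header, the ASCII bytes `HTTP/` announce a record length of 20527, above the TLS 1.2 limit of 2^14 + 2048. The function names and sample bytes are constructed for illustration; `probe` is a hypothetical helper that sends a real ClientHello and classifies the first bytes of the reply.

```python
import socket
import ssl
import struct

# TLS record content types (RFC 5246, section 6.2.1).
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
# Largest ciphertext fragment a TLS 1.2 record may announce (RFC 5246, section 6.2.3).
MAX_RECORD_LEN = 2**14 + 2048


def parse_record_header(data: bytes) -> dict:
    """Decode 5 bytes as a TLS record header: type, version, length."""
    if len(data) < 5:
        raise ValueError("a TLS record header is 5 bytes")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return {"type": ctype, "version": (major, minor), "length": length}


def classify_first_bytes(data: bytes) -> str:
    """Return 'plaintext-http', 'tls' or 'unknown' for the first bytes a server sent."""
    if data.startswith(b"HTTP/"):
        return "plaintext-http"
    if len(data) < 5:
        return "unknown"
    hdr = parse_record_header(data)
    if (hdr["type"] in TLS_CONTENT_TYPES and hdr["version"][0] == 3
            and hdr["length"] <= MAX_RECORD_LEN):
        return "tls"
    return "unknown"


def client_hello(server_name: str) -> bytes:
    """Build a genuine ClientHello in memory, without touching the network."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ssl.create_default_context().wrap_bio(
        incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the handshake now waits for the server's reply
    return outgoing.read()


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send a ClientHello to host:port and classify the first bytes of the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(client_hello(host))
        return classify_first_bytes(sock.recv(16))


# Constructed sample: start of a plain-HTTP reply, as a TLS client would misread it.
HTTP_REPLY = b"HTTP/1.1 400 Bad Request\r\n"
# Constructed sample: a TLS 1.2 handshake record header plus the ServerHello type byte.
TLS_REPLY = bytes.fromhex("160303005d02")

if __name__ == "__main__":
    print(parse_record_header(HTTP_REPLY), "limit:", MAX_RECORD_LEN)
    print(classify_first_bytes(HTTP_REPLY), classify_first_bytes(TLS_REPLY))
```

Run `probe` against your own server: a result of `plaintext-http` on port 443 means the listener answering there is not doing TLS at all, whatever the certificate files say.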

The virtual hosts Certbot created are -- one hopes -- correct, but look through Apache's configuration for other port 443 virtual hosts that don't enable SSL.

"sudo apachectl -t -D DUMP_VHOSTS" should be able to show a summary of the virtual hosts Apache is aware of.

Sometimes there can be problems with <IfModule> and the order files are included in, if one file uses <IfModule mod_ssl.c> or whatever the syntax is, before another file actually loads mod_ssl.

Edit: Also, it's possible that Apache is configured correctly, but something else is forwarding port 443 to port 80.

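A static version of the check suggested above, as an added example that is not part of the thread: it lists every `<VirtualHost>` bound to port 443 and reports whether the block turns `SSLEngine on`, either directly or through a file it includes. The file names and contents in `SAMPLE` are constructed, and the one-line stand-in for `/etc/letsencrypt/options-ssl-apache.conf` assumes only that Certbot's options file sets `SSLEngine on`.

```python
import re

VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.I)
SSL_ON = re.compile(r"^\s*SSLEngine\s+on\b", re.I)
INCLUDE = re.compile(r"^\s*Include(?:Optional)?\s+(\S+)", re.I)


def enables_ssl(lines, files, seen=()):
    """True if the lines, or a known file they Include, contain 'SSLEngine on'."""
    for line in lines:
        if SSL_ON.match(line):
            return True
        inc = INCLUDE.match(line)
        if inc and inc.group(1) in files and inc.group(1) not in seen:
            path = inc.group(1)
            if enables_ssl(files[path].splitlines(), files, seen + (path,)):
                return True
    return False


def audit_443_vhosts(files):
    """Return (file, address, ssl_enabled) for every vhost bound to port 443."""
    findings = []
    for name, text in files.items():
        addr, body = None, []
        for line in text.splitlines():
            opened = VHOST_OPEN.match(line)
            if opened:
                addr, body = opened.group(1).strip(), []
            elif VHOST_CLOSE.match(line) and addr is not None:
                if any(a.endswith(":443") for a in addr.split()):
                    findings.append((name, addr, enables_ssl(body, files)))
                addr = None
            elif addr is not None:
                body.append(line)
    return findings


def plaintext_443(files):
    """Files holding a port 443 vhost that never enables SSL."""
    return [name for name, _, ok in audit_443_vhosts(files) if not ok]


# Constructed sample configuration (not taken from the poster's server).
SAMPLE = {
    "/etc/letsencrypt/options-ssl-apache.conf": "SSLEngine on\n",
    "sites-enabled/example-le-ssl.conf": (
        "<IfModule mod_ssl.c>\n<VirtualHost *:443>\n"
        "    ServerName example.test\n"
        "    Include /etc/letsencrypt/options-ssl-apache.conf\n"
        "</VirtualHost>\n</IfModule>\n"),
    "sites-enabled/legacy.conf": (
        "<VirtualHost *:443>\n    ServerName legacy.example.test\n"
        "    # SSLEngine on\n    DocumentRoot /var/www/html\n</VirtualHost>\n"),
}

if __name__ == "__main__":
    for finding in audit_443_vhosts(SAMPLE):
        print(finding)
```

The check only looks inside each `<VirtualHost>` block and the files it includes, so `apachectl -t -D DUMP_VHOSTS` remains the authority on which virtual hosts Apache actually loaded.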

I don’t understand how that can be. Here is the starting vhost:

ks307144 sites-available > cat ../sites-enabled/100-webologix.com.vhost 

<Directory /var/www/webologix.com>
            AllowOverride None
                            Require all denied
            </Directory>

<VirtualHost *:80>

                                    DocumentRoot /var/www/clients/client1/web16/web

            ServerName webologix.com
            ServerAlias www.webologix.com
            ServerAdmin webmaster@example.com


            ErrorLog /var/log/ispconfig/httpd/webologix.com/error.log
            CustomLog /var/log/ispconfig/httpd/webologix.com/access.log combined

            Alias /error/ "/var/www/webologix.com/web/error/"
            ErrorDocument 400 /error/400.html
            ErrorDocument 401 /error/401.html
            ErrorDocument 403 /error/403.html
            ErrorDocument 404 /error/404.html
            ErrorDocument 405 /error/405.html
            ErrorDocument 500 /error/500.html
            ErrorDocument 502 /error/502.html
            ErrorDocument 503 /error/503.html

            <IfModule mod_ssl.c>
            </IfModule>

            <Directory /var/www/webologix.com/web>
                            # Clear PHP settings of this website
                            <FilesMatch ".+\.ph(p[345]?|t|tml)$">
                                            SetHandler None
                            </FilesMatch>
                            Options +FollowSymLinks
                            AllowOverride All
                                                            Require all granted
                                            </Directory>
            <Directory /var/www/clients/client1/web16/web>
                            # Clear PHP settings of this website
                            <FilesMatch ".+\.ph(p[345]?|t|tml)$">
                                            SetHandler None
                            </FilesMatch>
                            Options +FollowSymLinks
                            AllowOverride All
                                                            Require all granted
                                            </Directory>




            # suexec enabled
            <IfModule mod_suexec.c>
                    SuexecUserGroup web16 client1
            </IfModule>
            <IfModule mod_fastcgi.c>
                            <Directory /var/www/clients/client1/web16/cgi-bin>
                                                                            Require all granted
                                                                </Directory>
                            <Directory /var/www/webologix.com/web>
                                    <FilesMatch "\.php[345]?$">
                                            SetHandler php-fcgi
                                    </FilesMatch>
                            </Directory>
                            <Directory /var/www/clients/client1/web16/web>
                                    <FilesMatch "\.php[345]?$">
                                            SetHandler php-fcgi
                                    </FilesMatch>
                            </Directory>
            Action php-fcgi /php-fcgi virtual
                            Alias /php-fcgi /var/www/clients/client1/web16/cgi-bin/php-fcgi-*-80-webologix.com
            FastCgiExternalServer /var/www/clients/client1/web16/cgi-bin/php-fcgi-*-80-webologix.com -idle-timeout 300 -socket /var/lib/php7.0-fpm/web16.sock -pass-header Authorization  -pass-header Content-Type
            </IfModule>
            <IfModule mod_proxy_fcgi.c>
                    #ProxyPassMatch ^/(.*\.php[345]?(/.*)?)$ unix:///var/lib/php7.0-fpm/web16.sock|fcgi://localhost//var/www/clients/client1/web16/web/$1
                    <Directory /var/www/clients/client1/web16/web>
                            <FilesMatch "\.php[345]?$">
                                            SetHandler "proxy:unix:/var/lib/php7.0-fpm/web16.sock|fcgi://localhost"
                            </FilesMatch>
                    </Directory>
                    </IfModule>



            # add support for apache mpm_itk
            <IfModule mpm_itk_module>
                    AssignUserId web16 client1
            </IfModule>

            <IfModule mod_dav_fs.c>
            # Do not execute PHP files in webdav directory
                    <Directory /var/www/clients/client1/web16/webdav>
                            <ifModule mod_security2.c>
                                    SecRuleRemoveById 960015
                                    SecRuleRemoveById 960032
                            </ifModule>
                            <FilesMatch "\.ph(p3?|tml)$">
                                    SetHandler None
                            </FilesMatch>
                    </Directory>
                    DavLockDB /var/www/clients/client1/web16/tmp/DavLock
                    # DO NOT REMOVE THE COMMENTS!
                    # IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
  # WEBDAV BEGIN
                    # WEBDAV END
            </IfModule>



</VirtualHost>

And here is the vhost generated by certbot:

ks307144 sites-available > cat ../sites-enabled/100-webologix.com.vhost 

<Directory /var/www/webologix.com>
            AllowOverride None
                            Require all denied
            </Directory>

<VirtualHost *:80>

                                    DocumentRoot /var/www/clients/client1/web16/web

            ServerName webologix.com
            ServerAlias www.webologix.com
            ServerAdmin webmaster@example.com


            ErrorLog /var/log/ispconfig/httpd/webologix.com/error.log
            CustomLog /var/log/ispconfig/httpd/webologix.com/access.log combined

            Alias /error/ "/var/www/webologix.com/web/error/"
            ErrorDocument 400 /error/400.html
            ErrorDocument 401 /error/401.html
            ErrorDocument 403 /error/403.html
            ErrorDocument 404 /error/404.html
            ErrorDocument 405 /error/405.html
            ErrorDocument 500 /error/500.html
            ErrorDocument 502 /error/502.html
            ErrorDocument 503 /error/503.html

            <IfModule mod_ssl.c>
            </IfModule>

            <Directory /var/www/webologix.com/web>
                            # Clear PHP settings of this website
                            <FilesMatch ".+\.ph(p[345]?|t|tml)$">
                                            SetHandler None
                            </FilesMatch>
                            Options +FollowSymLinks
                            AllowOverride All
                                                            Require all granted
                                            </Directory>
            <Directory /var/www/clients/client1/web16/web>
                            # Clear PHP settings of this website
                            <FilesMatch ".+\.ph(p[345]?|t|tml)$">
                                            SetHandler None
                            </FilesMatch>
                            Options +FollowSymLinks
                            AllowOverride All
                                                            Require all granted
                                            </Directory>



            # suexec enabled
            <IfModule mod_suexec.c>
                    SuexecUserGroup web16 client1
            </IfModule>
            <IfModule mod_fastcgi.c>
                            <Directory /var/www/clients/client1/web16/cgi-bin>
                                                                            Require all granted
                                                                </Directory>
                            <Directory /var/www/webologix.com/web>
                                    <FilesMatch "\.php[345]?$">
                                            SetHandler php-fcgi
                                    </FilesMatch>
                            </Directory>
                            <Directory /var/www/clients/client1/web16/web>
                                    <FilesMatch "\.php[345]?$">
                                            SetHandler php-fcgi
                                    </FilesMatch>
                            </Directory>
            Action php-fcgi /php-fcgi virtual
                            Alias /php-fcgi /var/www/clients/client1/web16/cgi-bin/php-fcgi-*-80-webologix.com
            FastCgiExternalServer /var/www/clients/client1/web16/cgi-bin/php-fcgi-*-80-webologix.com -idle-timeout 300 -socket /var/lib/php7.0-fpm/web16.sock -pass-header Authorization  -pass-header Content-Type
            </IfModule>
            <IfModule mod_proxy_fcgi.c>
                    #ProxyPassMatch ^/(.*\.php[345]?(/.*)?)$ unix:///var/lib/php7.0-fpm/web16.sock|fcgi://localhost//var/www/clients/client1/web16/web/$1
                    <Directory /var/www/clients/client1/web16/web>
                            <FilesMatch "\.php[345]?$">
                                            SetHandler "proxy:unix:/var/lib/php7.0-fpm/web16.sock|fcgi://localhost"
                            </FilesMatch>
                    </Directory>
                    </IfModule>



            # add support for apache mpm_itk
            <IfModule mpm_itk_module>
                    AssignUserId web16 client1
            </IfModule>

            <IfModule mod_dav_fs.c>
            # Do not execute PHP files in webdav directory
                    <Directory /var/www/clients/client1/web16/webdav>
                            <ifModule mod_security2.c>
                                    SecRuleRemoveById 960015
                                    SecRuleRemoveById 960032
                            </ifModule>
                            <FilesMatch "\.ph(p3?|tml)$">
                                    SetHandler None
                            </FilesMatch>
                    </Directory>
                    DavLockDB /var/www/clients/client1/web16/tmp/DavLock
                    # DO NOT REMOVE THE COMMENTS!
                    # IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
  # WEBDAV BEGIN
                    # WEBDAV END
            </IfModule>



</VirtualHost>

That's not a Certbot-created vHost, that's a port 80 vHost. So you have at least two port 80 vHosts with the same domain name; that's part of the problem.

What does the following say:

apachectl -S

I manually removed the second vhost on 80.

Now I get "No secure protocols supported".

I’ve seen that could be caused by talking http on 443, as you said. Did the following related tests:

ks307144 ~ > apache2ctl -t -D DUMP_MODULES|grep ssl
 ssl_module (shared)
ks307144 ~ > apachectl -M|grep ssl
 ssl_module (shared)
...
ks307144 ~ > rgrep -i 443 /etc/apache2/sites-available/*webologix*
/etc/apache2/sites-available/webologix.com.vhost-le-ssl.conf:<VirtualHost *:443>
ks307144 ~ > cat /etc/apache2/sites-available/webologix.com.vhost-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>

                                        DocumentRoot /var/www/clients/client1/web16/web

                ServerName webologix.com
                ServerAlias www.webologix.com
                ServerAdmin webmaster@example.com


                ErrorLog /var/log/ispconfig/httpd/webologix.com/error.log
                CustomLog /var/log/ispconfig/httpd/webologix.com/access.log combined

                Alias /error/ "/var/www/webologix.com/web/error/"
                ErrorDocument 400 /error/400.html
                ErrorDocument 401 /error/401.html
                ErrorDocument 403 /error/403.html
                ErrorDocument 404 /error/404.html
                ErrorDocument 405 /error/405.html
                ErrorDocument 500 /error/500.html
                ErrorDocument 502 /error/502.html
                ErrorDocument 503 /error/503.html

                <IfModule mod_ssl.c>
                </IfModule>

                <Directory /var/www/webologix.com/web>
                                # Clear PHP settings of this website
                                <FilesMatch ".+\.ph(p[345]?|t|tml)$">
                                                SetHandler None
                                </FilesMatch>
                                Options +FollowSymLinks
                                AllowOverride All
                                                                Require all granted
                                                </Directory>
                <Directory /var/www/clients/client1/web16/web>
                                # Clear PHP settings of this website
                                <FilesMatch ".+\.ph(p[345]?|t|tml)$">
                                                SetHandler None
                                </FilesMatch>
                                Options +FollowSymLinks
                                AllowOverride All
                                                                Require all granted
                                                </Directory>




                # suexec enabled
                <IfModule mod_suexec.c>
                        SuexecUserGroup web16 client1
                </IfModule>
                <IfModule mod_fastcgi.c>
                                <Directory /var/www/clients/client1/web16/cgi-bin>
                                                                                Require all granted
                                                                    </Directory>
                                <Directory /var/www/webologix.com/web>
                                        <FilesMatch "\.php[345]?$">
                                                SetHandler php-fcgi
                                        </FilesMatch>
                                </Directory>
                                <Directory /var/www/clients/client1/web16/web>
                                        <FilesMatch "\.php[345]?$">
                                                SetHandler php-fcgi
                                        </FilesMatch>
                                </Directory>
                Action php-fcgi /php-fcgi virtual
                                Alias /php-fcgi /var/www/clients/client1/web16/cgi-bin/php-fcgi-*-80-webologix.com
                FastCgiExternalServer /var/www/clients/client1/web16/cgi-bin/php-fcgi-*-80-webologix.com -idle-timeout 300 -socket /var/lib/php7.0-fpm/web16.sock -pass-header Authorization  -pass-header Content-Type
                </IfModule>
                <IfModule mod_proxy_fcgi.c>
                        #ProxyPassMatch ^/(.*\.php[345]?(/.*)?)$ unix:///var/lib/php7.0-fpm/web16.sock|fcgi://localhost//var/www/clients/client1/web16/web/$1
                        <Directory /var/www/clients/client1/web16/web>
                                <FilesMatch "\.php[345]?$">
                                                SetHandler "proxy:unix:/var/lib/php7.0-fpm/web16.sock|fcgi://localhost"
                                </FilesMatch>
                        </Directory>
                        </IfModule>



                # add support for apache mpm_itk
                <IfModule mpm_itk_module>
                        AssignUserId web16 client1
                </IfModule>

                <IfModule mod_dav_fs.c>
                # Do not execute PHP files in webdav directory
                        <Directory /var/www/clients/client1/web16/webdav>
                                <ifModule mod_security2.c>
                                        SecRuleRemoveById 960015
                                        SecRuleRemoveById 960032
                                </ifModule>
                                <FilesMatch "\.ph(p3?|tml)$">
                                        SetHandler None
                                </FilesMatch>
                        </Directory>
                        DavLockDB /var/www/clients/client1/web16/tmp/DavLock
                        # DO NOT REMOVE THE COMMENTS!
                        # IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
      # WEBDAV BEGIN
                        # WEBDAV END
                </IfModule>

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/webologix.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/webologix.com/privkey.pem
</VirtualHost>
</IfModule>
<IfModule mod_ssl.c>

Another approach:


ks307144 ~ > rgrep -i 443 /etc/apache2/
/etc/apache2/sites-available/default-ssl.conf:  <VirtualHost *:443>
/etc/apache2/sites-available/joomla-development.eu.vhost-le-ssl.conf:<VirtualHost *:443>
/etc/apache2/sites-available/webologix.com.vhost-le-ssl.conf:<VirtualHost *:443>
/etc/apache2/sites-available/ispconfig.conf:NameVirtualHost *:443
/etc/apache2/sites-available/ispconfig.conf:NameVirtualHost 94.23.227.123:443
/etc/apache2/sites-available/ispconfig.conf:NameVirtualHost [2001:41d0:2:667b::]:443
/etc/apache2/ports.conf:Listen 443
/etc/apache2/ports.conf:Listen 443
/etc/apache2/ports.conf:# NameVirtualHost *:443

ks307144 ~ > cat /etc/apache2/sites-available/default-ssl.conf
<IfModule mod_ssl.c>
        <VirtualHost *:443>
                ServerAdmin webmaster@webologix.com
                ServerName ks307144.kimsufi.com

                DocumentRoot /var/www/html
                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined

                Include /etc/letsencrypt/options-ssl-apache.conf
                SSLCertificateFile /etc/letsencrypt/live/ks307144.kimsufi.com/fullchain.pem
                SSLCertificateKeyFile /etc/letsencrypt/live/ks307144.kimsufi.com/privkey.pem

                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                                SSLOptions +StdEnvVars
                </FilesMatch>
                <Directory /usr/lib/cgi-bin>
                                SSLOptions +StdEnvVars
                </Directory>
        </VirtualHost>
</IfModule>

All ispconfig stuff has been disabled, as problems started with certs renewal.

ks307144 ~ > ll /etc/apache2/sites-enabled/
total 8
lrwxrwxrwx 1 root root 45 avril 15 19:27 000-default.conf -> /etc/apache2/sites-available/000-default.conf
lrwxrwxrwx 1 root root 56 avril 15 18:42 100-joomla-development.eu.vhost -> /etc/apache2/sites-available/joomla-development.eu.vhost
lrwxrwxrwx 1 root root 56 avril 15 18:42 100-mon-voyage-a-cuba.com.vhost -> /etc/apache2/sites-available/mon-voyage-a-cuba.com.vhost
lrwxrwxrwx 1 root root 48 avril 15 18:39 100-webologix.com.vhost -> /etc/apache2/sites-available/webologix.com.vhost
lrwxrwxrwx 1 root root 35 avril 15 18:22 default-ssl.conf -> ../sites-available/default-ssl.conf
lrwxrwxrwx 1 root root 68 mai   20 20:26 joomla-development.eu.vhost-le-ssl.conf -> /etc/apache2/sites-available/joomla-development.eu.vhost-le-ssl.conf
lrwxrwxrwx 1 root root 60 mai   20 18:54 webologix.com.vhost-le-ssl.conf -> /etc/apache2/sites-available/webologix.com.vhost-le-ssl.conf