Total error on all my sites, all of a sudden: SSL_ERROR_RX_RECORD_TOO_LONG


this afternoon I realized that there were some overlapping certificates,
looked up how to delete them, and did it,
but apache2 didn't restart because of bad references in the certificate links,
so I updated those few ones, and apache2 could be restarted, problem-free,
BUT none of the sites work anymore...

(NOTE: I did one thing which I don't understand perfectly right now:
I changed the 000.default v-host config, this is why I mention it)

and sure, I've read many-many pages...
and it is evening already :) in Europe, Budapest...

I've run "certbot certificates" , and got them listed... (I have 10 or 11)
let me only paste here the one I'm focusing on (it is not part of any other certificate):

```
Certificate Name:
Serial Number: 3886dd286b1c3dccfacecb1a925b58b86c0
Key Type: ECDSA
Expiry Date: 2023-09-06 18:09:20+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/
Private Key Path: /etc/letsencrypt/live/
```


I ran "certbot renew", had one minor problem (no root dir for a site yet)
but it worked, and for this domain, I deleted the certificate and installed a new one... and no errors,

and you can see the result:

(I commented out the redirect line in the virtual host file, so you can see the port 80 version works)

NOTE 2: I checked the options-ssl-apache.conf file, it was last modified ages ago...

I'd love to get over this, of course :)
any help I'll appreciate -- I hope I'll understand at least half of it :)

Server version: Apache/2.4.53 (Debian)
Debian: 11

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.6.0

Your Apache configuration is severely misconfigured: it's "speaking" HTTP on port 443 instead of the expected HTTPS protocol.
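
Why a browser turns "HTTP on port 443" into SSL_ERROR_RX_RECORD_TOO_LONG, as an added example that is not part of the original thread: the client reads the first five bytes of the reply as a TLS record header, and the text `HTTP/` decodes to an impossible record length. The sample byte strings are constructed for illustration.

```python
import struct

# Largest encrypted record a TLS 1.2 peer may send: 2^14 + 2048 bytes.
MAX_TLS_RECORD = 2**14 + 2048
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}


def parse_record_header(data: bytes) -> dict:
    """Decode 5 bytes the way a TLS client does: type, version, length."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes for a TLS record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return {"type": ctype, "version": (major, minor), "length": length}


def classify_reply(data: bytes) -> tuple:
    """Classify the first bytes a server sent back after a ClientHello.

    Returns (kind, length), where length is the value a TLS client
    would read from bytes 3-4 of the reply.
    """
    hdr = parse_record_header(data)
    if data.startswith(b"HTTP/"):
        # 'H' is taken as the content type, 'TT' as the version and
        # 'P/' as a big-endian length: 0x502F = 20527, above the limit.
        return ("plain-http", hdr["length"])
    if (hdr["type"] in TLS_CONTENT_TYPES and hdr["version"][0] == 3
            and hdr["length"] <= MAX_TLS_RECORD):
        return ("tls", hdr["length"])
    return ("unknown", hdr["length"])


# Constructed samples: a plaintext error page and the start of a ServerHello.
SAMPLES = {
    "http listener on 443": b"HTTP/1.1 400 Bad Request\r\n",
    "tls listener on 443": b"\x16\x03\x03\x00\x5a\x02\x00\x00\x56",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        kind, length = classify_reply(raw)
        verdict = "too long" if length > MAX_TLS_RECORD else "ok"
        print(f"{name}: {kind}, record length {length} ({verdict})")
```
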


an addition: /var/log/letsencrypt.log

```
2023-06-08 21:31:59,373:DEBUG:certbot.ocsp:OCSP response for certificate /etc/letsencrypt/live/ is signed by the certificate's issuer.
2023-06-08 21:31:59,374:DEBUG:certbot.ocsp:OCSP certificate status for /etc/letsencrypt/live/ is: OCSPCertStatus.GOOD
```

Can you post the VirtualHost for the port 443 ?

Please use 3 backticks before and after the content so info is not lost. Like:
```
VirtualHost config lines
```


thanks for trying to help :)

```
<IfModule mod_ssl.c>

        DocumentRoot /var/www/bodygabor-hu/web

        <Directory /var/www/bodygabor-hu/web>
                php_admin_value open_basedir /var/www/bodygabor-hu
                AllowOverride All
                Require all granted

        <Directory /var/www/bodygabor-hu/web/read>
           RewriteEngine on
           RewriteRule ^(konyv)?/?([0-9a-zA-Z_-]*)/?$ index.php?read_folder=$1&mappa=$2 [L,QSA]

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/
SSLCertificateKeyFile /etc/letsencrypt/live/
```

You might be missing an SSLEngine on statement. I don't see one. Was that in the default SSL config file you mentioned that got changed and maybe is now missing?


no, it is in the included file:

and it hasn't been changed for ages..

PS: I've changed the 000-default.conf v-host file only

Oh right. Well, let's see result of these then

```
sudo apache2ctl -M | grep -i ssl

sudo apache2ctl -t -D DUMP_VHOSTS
```

(omit sudo if not needed)

```
sudo apache2ctl -M | grep -i ssl
ssl_module (shared)
```

DUMP_VHOSTS: part of the list...

   port 443 namevhost (/etc/apache2/sites-enabled/

Please post the entire list.


I'm not sure, it seems sensitive to be published for ever...
why do you need the entire list?

I'm not the best with Apache rules without testing them but should this redirect?

curl -I

We know https isn't working but if I use port 443 with http it doesn't redirect. And, if it should redirect it means we are not reaching that VirtualHost.

You could add something else in that VirtualHost and try to reach it like this to see.

curl -I

maybe the default server might be of importance?

default server (/etc/apache2/sites-enabled/

```
curl -I
HTTP/1.1 200 OK
Date: Thu, 08 Jun 2023 20:46:04 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8
```

but I know you have seen this output yourself, as it doesn't matter who does it...

I'm rebooting ...
I have, but nothing has changed...
it was just an idea :)

But would that be the same response if a different VirtualHost processed it?

You have to set up something unique to that VHost. Best to use a redirect. I shouldn't have just shown a filename as that would be seen by any other VHost with the same DocumentRoot

Try adding this to that VHost

```
Redirect temp "/test246" "/Redirected246.html"
```

every v-host is down... the same way...
none of them works, in other words

my intuition says that apache is looking for the certificates in a wrong directory... somehow...
I mean, the browser sees no certificate...

but you're right, as far as I can tell :), the v-host file doesn't even get read...


```
Listen 80

<IfModule ssl_module>
        Listen 443

<IfModule mod_gnutls.c>
        Listen 443
```

it is "ssl_module" instead of "mod_ssl.c"... could this be it?
this file hasn't been changed since 2020...

Does this mean the temp redirect does not work?

Next I would change your VirtualHost statements to use * and not the IP


Change to:
```
<VirtualHost *:443>
```