Total error on all my sites, all of a sudden: SSL_ERROR_RX_RECORD_TOO_LONG

Hi,

this afternoon I realized that there were some overlapping certificates,
looked up how to delete them, and did it,
but apache2 didn't restart because of bad references in the certificate links,
so I updated those few ones, and apache2 could be restarted, problem-free,
BUT none of the sites work anymore...

(NOTE: I did one thing which I don't understand perfectly right now:
I changed the 000.default v-host config, this is why I mention it)

and sure, I've read many-many pages...
and it is evening already :slight_smile: in Europe, Budapest...

I've run "certbot certificates", and got them listed... (I have 10 or 11)
let me only paste here the one I'm focusing on (it is not part of any other certificate):

```
Certificate Name: bodygabor.hu
Serial Number: 3886dd286b1c3dccfacecb1a925b58b86c0
Key Type: ECDSA
Domains: bodygabor.hu www.bodygabor.hu
Expiry Date: 2023-09-06 18:09:20+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/bodygabor.hu/fullchain.pem
Private Key Path: /etc/letsencrypt/live/bodygabor.hu/privkey.pem
```

ALSO:

I ran "certbot renew", had one minor problem (no root dir for a site yet)
but it worked, and for this domain, bodygabor.hu, I did delete the certificate and installed a new one... and no errors,

and you can see the result: https://bodygabor.hu

(I did comment out the redirect line in the virtual host file, so you can see the port 80 version works)

NOTE 2: I checked the options-ssl-apache.conf file, it was last modified ages ago...

I'd love to get over this, of course :slight_smile:
I'll appreciate any help -- I hope I'll understand at least half of it :slight_smile:

Server version: Apache/2.4.53 (Debian)
Debian: 11

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.6.0

Your Apache configuration is severely misconfigured: it's "speaking" HTTP on port 443 instead of the expected HTTPS protocol.

4 Likes

an addition: /var/log/letsencrypt.log

```
2023-06-08 21:31:59,373:DEBUG:certbot.ocsp:OCSP response for certificate /etc/letsencrypt/live/bodygabor.hu/cert.pem is signed by the certificate's issuer.
2023-06-08 21:31:59,374:DEBUG:certbot.ocsp:OCSP certificate status for /etc/letsencrypt/live/bodygabor.hu/cert.pem is: OCSPCertStatus.GOOD
```

Can you post the VirtualHost for the port 443 bodygabor.hu ?

Please use 3 backticks before and after the content so info is not lost. Like:
```
VirtualHost config lines
```

4 Likes

hi,
thanks for trying to help :slight_smile:

```
<IfModule mod_ssl.c>
<VirtualHost 109.235.67.4:443>

        ServerAdmin adm.artreboot@gmail.com
        ServerName bodygabor.hu
        ServerAlias www.bodygabor.hu
        DocumentRoot /var/www/bodygabor-hu/web

        <Directory /var/www/bodygabor-hu/web>
                php_admin_value open_basedir /var/www/bodygabor-hu
                AllowOverride All
                Require all granted
        </Directory>

        <Directory /var/www/bodygabor-hu/web/read>
           RewriteEngine on
           RewriteRule ^(konyv)?/?([0-9a-zA-Z_-]*)/?$ index.php?read_folder=$1&mappa=$2 [L,QSA]
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/bodygabor.hu/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/bodygabor.hu/privkey.pem
</VirtualHost>
</IfModule>
```
2 Likes

You might be missing an SSLEngine on statement. I don't see one. Was that in the default SSL config file you mentioned that got changed and maybe is now missing?

5 Likes
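Since the `SSLEngine on` in question lives in an included file, here is an added example (my own, not certbot's or Apache's code) that walks a site file, inlines its `Include` lines and reports each `:443` VirtualHost that never reaches an `SSLEngine on` or whose include target is missing. The config tree it writes to a temp directory is constructed for the demo, and relative includes are resolved against the `root` argument the way Apache resolves them against ServerRoot.

```python
import os
import re
import tempfile

VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.I)
INCLUDE = re.compile(r'^\s*Include(?:Optional)?\s+"?([^"\s]+)"?', re.I)
SSLENGINE = re.compile(r"^\s*SSLEngine\s+on\b", re.I)

def expand(path: str, root: str) -> list[str]:
    """Lines of `path` with Include targets inlined (relative targets resolve
    against ServerRoot `root`); a missing target becomes a 'MISSING <target>' line."""
    out = []
    with open(path) as fh:
        for line in fh:
            m = INCLUDE.match(line)
            if not m:
                out.append(line)
                continue
            target = m.group(1) if m.group(1).startswith("/") else os.path.join(root, m.group(1))
            out += expand(target, root) if os.path.isfile(target) else [f"MISSING {target}\n"]
    return out

def check_ssl_vhosts(path: str, root: str = "/etc/apache2") -> dict[str, str]:
    """Map each :443 VirtualHost address to 'ok', 'no SSLEngine on' or 'missing include ...'."""
    results, current, engine, missing = {}, None, False, None
    for line in expand(path, root):
        if m := VHOST_OPEN.match(line):
            current, engine, missing = m.group(1).strip(), False, None
        elif current and SSLENGINE.match(line):
            engine = True
        elif current and line.startswith("MISSING "):
            missing = line[8:].strip()
        elif current and VHOST_CLOSE.match(line):
            if current.endswith(":443"):   # plain :80 vhosts do not need SSLEngine
                results[current] = "ok" if engine else f"missing include {missing}" if missing else "no SSLEngine on"
            current = None
    return results

def demo() -> dict[str, str]:
    """Constructed config tree: a good include, a missing include, and no SSLEngine at all."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "options-ssl-apache.conf"), "w") as fh:
        fh.write("SSLEngine on\nSSLProtocol all -SSLv2 -SSLv3\n")
    site = os.path.join(root, "site-le-ssl.conf")
    with open(site, "w") as fh:
        fh.write("<VirtualHost 192.0.2.10:443>\nInclude options-ssl-apache.conf\n</VirtualHost>\n"
                 "<VirtualHost 192.0.2.11:443>\nInclude /nonexistent/options-ssl-apache.conf\n</VirtualHost>\n"
                 "<VirtualHost *:443>\nSSLCertificateFile /x/fullchain.pem\n</VirtualHost>\n")
    return check_ssl_vhosts(site, root)
```

Apache itself refuses to start on a missing non-optional `Include`, so on a server that restarted cleanly the useful output is the "no SSLEngine on" case; `check_ssl_vhosts("/etc/apache2/sites-enabled/<site>-le-ssl.conf")` runs it on a real file.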

no, it is in the included file:
options-ssl-apache.conf

and it hasn't been changed for ages...

PS: I've changed the 000-default.conf v-host file only

Oh right. Well, let's see the result of these, then

sudo apache2ctl -M | grep -i ssl

sudo apache2ctl -t -D DUMP_VHOSTS

(omit sudo if not needed)

4 Likes
```
sudo apache2ctl -M | grep -i ssl
ssl_module (shared)
```

DUMP_VHOSTS: part of the list...

```
   port 443 namevhost bodygabor.hu (/etc/apache2/sites-enabled/bodygabor.hu-le-ssl.conf:2)
                 alias www.bodygabor.hu
```

Please post the entire list.

2 Likes

I'm not sure, it seems sensitive to be published forever...
why do you need the entire list?

I'm not the best with Apache rules without testing them but should this redirect?

curl -I https://bodygabor.hu/read/konyv/Test123

We know https isn't working but if I use port 443 with http it doesn't redirect. And, if it should redirect it means we are not reaching that VirtualHost.

You could add something else in that VirtualHost and try to reach it like this to see.

curl -I http://bodygabor.hu:443/SomeSampleFile.html
4 Likes
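An added example (not from the thread, Apache or certbot) that ties the diagnosis above to Osiris' point about HTTP being spoken on port 443: it decodes the first bytes a browser receives as a TLS record header, showing why a plaintext HTTP reply surfaces as SSL_ERROR_RX_RECORD_TOO_LONG, and interprets the reply to the same plaintext request that `curl -I http://host:443/` sends. The `FakeSocket` helper, the `example.invalid` host and the sample reply are constructed; the "speaking plain HTTP to an SSL-enabled server port" text is the body mod_ssl itself returns with its 400 when plain HTTP hits a working TLS vhost.

```python
import socket
import struct

MAX_TLS_RECORD = 16384  # a TLS record's length field must not exceed 2^14
MODSSL_HINT = b"speaking plain HTTP to an SSL-enabled server port"  # mod_ssl's own 400 page

def tls_record_header(first_bytes: bytes) -> tuple:
    """The 5-byte TLS record header (type, version, length) a client applies to
    the first bytes it receives; for b'HTTP/' that is (0x48, 0x5454, 0x502F)."""
    return struct.unpack("!BHH", first_bytes[:5])

def explain_browser_error(first_bytes: bytes) -> str:
    """Why Firefox reports SSL_ERROR_RX_RECORD_TOO_LONG for a plaintext HTTP reply."""
    if len(first_bytes) < 5:
        return "fewer than 5 bytes: no record header to parse"
    ctype, version, length = tls_record_header(first_bytes)
    if version >> 8 == 3 and ctype in (0x15, 0x16):  # TLS 1.x alert or handshake record
        return f"valid TLS record (type 0x{ctype:02x}, {length} bytes)"
    if length > MAX_TLS_RECORD:
        return (f"record length field {length} > {MAX_TLS_RECORD}: "
                "SSL_ERROR_RX_RECORD_TOO_LONG, the server is not speaking TLS")
    return f"not TLS: type 0x{ctype:02x}, version 0x{version:04x}"

def interpret_plain_probe(reply: bytes) -> str:
    """Read the reply to plaintext HTTP on port 443 the way the thread does."""
    if reply.startswith(b"HTTP/"):
        status = reply.split(b"\r\n", 1)[0].decode("ascii", "replace")
        if MODSSL_HINT in reply:
            return f"{status}: mod_ssl is active and refused plain HTTP on the TLS port"
        return f"{status}: plaintext HTTP served on 443, the answering vhost has no effective SSLEngine on"
    if reply[:1] == b"\x15":
        return "TLS alert: the port speaks TLS and refused the plaintext probe"
    return "no HTTP reply (connection closed or unknown protocol)"

def probe(host: str, port: int = 443, connect=socket.create_connection) -> bytes:
    """Equivalent of `curl -I http://host:443/`; `connect` is injectable for offline use."""
    with connect((host, port), timeout=5) as sock:
        sock.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
        return sock.recv(4096)

class FakeSocket:
    """Constructed stand-in for a socket, so the logic runs with no network."""
    def __init__(self, reply: bytes): self.reply = reply
    def __enter__(self): return self
    def __exit__(self, *exc): return False
    def sendall(self, data: bytes) -> None: pass
    def recv(self, n: int) -> bytes: return self.reply[:n]

# Constructed sample: the 200 OK the thread got from http://bodygabor.hu:443/index.html
BROKEN_REPLY = b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"
```

Against a live server, `interpret_plain_probe(probe("your.host"))` runs the real check; a 2xx reply means whichever vhost answered is serving plaintext on 443.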

maybe the default server might be of importance?

```
default server 00.artreboot.eu (/etc/apache2/sites-enabled/00.artreboot.eu-le-ssl.conf:2)
```

```
curl -I http://bodygabor.hu:443/index.html
HTTP/1.1 200 OK
Date: Thu, 08 Jun 2023 20:46:04 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8
```

but I know you have seen this output yourself, as it doesn't matter who does it...

I'm rebooting ...
I have, but nothing has changed...
it was just an idea :slight_smile:

But would that be the same response if a different VirtualHost processed it?

You have to set up something unique to that VHost. Best to use a redirect. I shouldn't have just shown a filename, as that would be seen by any other VHost with the same DocumentRoot.

Try adding this to that VHost

Redirect temp "/test246" "/Redirected246.html"
3 Likes

every v-host is down... the same way...
none of them works, in other words

my intuition says that apache is looking for the certificates in a wrong directory... somehow...
I mean, the browser sees no certificate...

but you're right, as far as I can tell :), the v-host file doesn't even get read...

/etc/apache2/ports.conf:

```
Listen 80

<IfModule ssl_module>
        Listen 443
</IfModule>

<IfModule mod_gnutls.c>
        Listen 443
</IfModule>
```

hm...
it is "ssl_module" instead of "mod_ssl.c"... could this be it?
this file hasn't been changed since 2020...

Does this mean the temp redirect does not work?

Next I would change your VirtualHost statements to use * and not the IP

<VirtualHost 109.235.67.4:443>

Change to:
<VirtualHost *:443>

3 Likes