ssl_error_rx_record_too_long and Apache SSL [closed] - apache

Closed. This question is off-topic. It is not currently accepting answers.
Closed 10 years ago.
I've got a customer trying to access one of my sites, and they keep getting this error: ssl_error_rx_record_too_long
They're getting this error on all browsers, all platforms. I can't reproduce the problem at all.
My server and myself are located in the USA, the customer is located in India.
I googled on the problem, and the main source seems to be that the SSL port is speaking in HTTP. I checked my server, and this is not happening. I tried the solution mentioned here, but the customer has stated it did not fix the issue.
Can anyone tell me how I can fix this, or how I can reproduce this???
THE SOLUTION
Turns out the customer had a misconfigured local proxy!

The link mentioned by Subimage was right on the money for me. It suggested changing the virtual host tag, i.e., from <VirtualHost myserver.example.com:443> to <VirtualHost _default_:443>
Error code: ssl_error_rx_record_too_long
This usually means the implementation of SSL on your server is not correct. The error is usually caused by a server side problem which the server administrator will need to investigate.
Below are some things we recommend trying.
Ensure that port 443 is open and enabled on your server. This is the standard port for https communications.
If SSL is using a non-standard port then Firefox 3 can sometimes give this error. Ensure SSL is running on port 443.
If using Apache2 check that you are using port 443 for SSL. This can be done by setting the ports.conf file as follows
Listen 80
Listen 443 https
Make sure you do not have more than one SSL certificate sharing the same IP. Please ensure that all SSL certificates utilise their own dedicated IP.
If using Apache2 check your vhost config. Some users have reported changing <VirtualHost> to _default_ resolved the error.
That fixed my problem. It's rare that I google an error message and get the first hit with the right answer! :-)
In addition to the above, these are some other solutions that other folks have found were causing the issue:
Make sure that your SSL certificate is not expired
Try to specify the Cipher:
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:+SSLv3

The solution for me was that default-ssl was not enabled in apache 2.... just putting SSLEngine On
I had to execute a2ensite default-ssl and everything worked.

In my case I had to change the <VirtualHost *> back to <VirtualHost *:80> (which is the default on Ubuntu). Otherwise, the port 443 wasn't using SSL and was sending plain HTML back to the browser.
You can check whether this is your case quite easily: just connect to your server http://www.example.com:443. If you see plain HTML, your Apache is not using SSL on port 443 at all, most probably due to a VirtualHost misconfiguration.
Cheers!

In my case I had forgotten to set SSLEngine On in the configuration. Like so,
<VirtualHost _default_:443>
SSLEngine On
...
</VirtualHost>
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslengine

If you have the error after setting up a new https vhost and the config seems to be right, remember to link it in sites-enabled too.

Old question, but first result in Google for me, so here's what I had to do.
Ubuntu 12.04 Desktop with Apache installed
All the configuration and mod_ssl was installed when I installed Apache, but it just wasn't linked in the right spots yet. Note: all paths below are relative to /etc/apache2/
mod_ssl is stored in ./mods-available, and the SSL site configuration is in ./sites-available, you just have to link these to their correct places in ./mods-enabled and ./sites-enabled
cd /etc/apache2
cd ./mods-enabled
sudo ln -s ../mods-available/ssl.* ./
cd ../sites-enabled
sudo ln -s ../sites-available/default-ssl ./
Restart Apache and it should work. I was trying to access https://localhost, so your results may vary for external access, but this worked for me.

Ask the user for the exact URL they're using in their browser. If they're entering https://your.site:80, they may receive the ssl_error_rx_record_too_long error.

In my case, I had the wrong IP Address in the virtual host file. The listen was 443, and the stanza was <VirtualHost 192.168.0.1:443> but the server did not have the 192.168.0.1 address!

My problem was due to a LOW MTU over a VPN connection.
netsh interface ipv4 show inter
Idx Met MTU State Name
--- --- ----- ----------- -------------------
1 4275 4294967295 connected Loopback Pseudo-Interface 1
10 4250 **1300** connected Wireless Network Connection
31 25 1400 connected Remote Access to XYZ Network
Fix:
netsh interface ipv4 set interface "Wireless Network Connection" mtu=1400
It may be an issue over a non-VPN connection also...

You might also try fixing the hosts file.
Keep the vhost file with the fully qualified domain and add the hostname in the hosts file /etc/hosts (debian)
ip.ip.ip.ip name name.domain.com
After restarting apache2, the error should be gone.

Please see this link.
I looked in all my apache log files until I found the actual error (I had changed the <VirtualHost> from _default_ to my fqdn). When I fixed this error, everything worked fine.

I had a messed up virtual host config. Remember you need one virtual host without SSL for port 80, and another one with SSL for port 443. You cannot have both in one virtual host, as the webmin-generated config tried to do.

In my case the problem was that https was unable to start correctly because Listen 443 was in an "IfDefine SSL" directive, but my apache didn't start with the -DSSL option. The fix was to change my apachectl script from:
$HTTPD -k $ARGV
to:
$HTTPD -k $ARGV -DSSL
Hope that helps somebody.

I had the same problem accessing my SSL site in some browsers.
I found that I had to give Firefox the right proxy (Firefox was accessing the internet directly).
Depending on the LAN configuration (tunneling, filtering, proxy redirection), the "direct access to internet" mode for Firefox throws this error.

For me the solution was that my ddclient was not cronning properly...

Related

Enable SSL (HTTPS) on Bitnami MEAN setup on AWS

I use a Bitnami MEAN installation (https://bitnami.com/stack/mean) v 3.2.11 on EC2. I didn't do any extra modifications of the apache2 setup except for the rerouting the port where my app runs to port 80, like this
ProxyPass / http://127.0.0.1:5000/
ProxyPassReverse / http://127.0.0.1:5000/
Now my app is available fine on :80 port via http:// but I can't make it run via https://. But access via https is what I wanted to achieve. I could not figure the right step by step guide on how to create or enable SSL. All Bitnami docs sound like it's assumed to be working already.
As far as I understood from - https://docs.bitnami.com/aws/components/apache/#https-port the basic certificate is already included into the setup so you can make use of that one without creating your own. The only thing you need is to enable it - That may be wrong assumption, let me know.
Also here on bitnami support it says
Apache waits for HTTPS requests on port 443. Change that by editing
the /opt/bitnami/apache2/conf/bitnami/bitnami.conf file and modifying
the value specified in the Port directive. For example:
Listen 8443
Does that mean that I need to reroute my :5000 port to :8443 ??
I've also found this question - Installing SSL on AWS EC2 Bitnami Mean Stack that didn't receive a proper answer for more than a year.
Does that mean that I need to reroute my :5000 port to :8443 ??
No, you don't need to redirect that. Your problem is that you're proxy-passing every request from port 80 to 5000 (where your app runs) but when using HTTPS your requests use port 443. Those requests are not being proxy-passed to port 5000 and, therefore, your app doesn't receive them.
What Apache configuration file did you modify including those lines? You need to be sure that both the VirtualHosts for port 80 and the one for port 443 include the ProxyPass redirections. For example, if you edited the file /opt/bitnami/apache2/conf/bitnami/bitnami.conf, ensure you add it in the Virtualhosts <VirtualHost _default_:80> and <VirtualHost _default_:443>
As far as I understood from - https://docs.bitnami.com/aws/components/apache/#https-port the basic certificate is already included into the setup so you can make use of that one without creating your own.
Yes, the Bitnami Stack includes a dummy certificate. However, it's recommended to create your own one since the browsers won't recognize it as a valid one since it's self-signed. You can find more information in the link below:
https://docs.bitnami.com/aws/components/apache/#how-to-create-an-ssl-certificate

Apache localhost already used?! Could not reliably determine the server’s fully qualified domain name, using 127.0.1.1 for ServerName"

I have a problem, I had apache Solr installed and it uses localhost for access on webserver...
now I have installed Apache and started httpd.exe and I get the warning / error:
Could not reliably determine the server’s fully qualified domain name, using 127.0.1.1 for ServerName"
when I stop solr, I can start and use localhost for apache httpd...
but I want to have the possibility to use both webservices, how can I configure Apache to do that? and get access to service not with localhost, but with another domain name or some configuration in httpd.conf
I tried to change the line "ServerName www.example.com:80" in httpd.conf file but no effect,
sorry but I'm pretty new to webservers and Apache, how should I configure that?
You have several things mixed here:
Installing Solr should in no way be related to other questions, unless it is configured to run on port 80. If that is the case, you simply can not run two services on the same port so you have to pick, or just move Solr to 8080 or whatever.
Could not reliably determine... is just a friendly warning and will not prevent any functionality, and it should disappear when you add ServerName www.example.com:80 in httpd.conf
With default settings, Apache will respond to any http request that comes to port 80, so you don't have to configure anything there (and if you want to modify that, use VirtualHost). You can achieve reaching your webserver by other hostnames by editing hosts file on your machine. If you want others to be able to do that, you have to configure DNS (which is separate issue)

Apache SSL server not starting, "Address already in use"?

I have installed Apache 2.0.58 together with PHP 5.1.4. When I start the server using ./apachectl start, I manage to get the server running to serve HTTP as well as PHP pages, but when I try to start SSL for HTTPS using ./apachectl startssl, I get the error below:
(125)Address already in use: make_sock: could not bind to address [::]:54912
no listening sockets available, shutting down
Unable to open logs
When I run netstat -an | grep 54912 I don't see that port 54912 is being used at all. For reference, I hosted my HTTPS page on port 54912, and while in "httpd.conf" it already has the Listen 54912 directive, I also changed the file "ssl.conf" to Listen 54912 from the default Listen 443 for https.
Any idea how I can get my server to run and serve HTTPS?
It's probably because apachectl startssl was deprecated in version 2.0 (and was removed in version 2.2).
It's likely that apache start has already started the SSL virtual hosts, in particular if these virtual hosts (or other SSL-related options) haven't been defined in a <IfDefine SSL> section (because in Apache 2.0, apachectl startssl is equivalent to apachectl -k start -DSSL): they would be part of the main configuration.
Got the server running! :)
As mentioned by #EJP, the problem is because there are 2 Listen 54912 inside config. So by changing the file httpd.conf to Listen 14912 and retaining the file ssl.conf to Listen 54912, I can now run apachectl startssl and after entering the password, the server is up and running!
Special thanks to Tim Yencken for the help. (Dunno if he's here or not).

I want apache give no response

I am running apache2.2 on my WinXP PC.
I want nobody but a specified IP to access the site.
I already use httpd.conf to deny other requests.
But that's not enough, I now want to set apache to send no response, not 403.
To be simple, I want to hide my server, I don't want others to know I am running a webserver.
You could bind the Apache server to localhost only. I've not tested it, but in ports.conf, you could change:
Listen 80
to
Listen 127.0.0.1:80
That would make apache bind to the IP address 127.0.0.1, which is only available from the machine itself.
This is clearly something very easy to do with a firewall, so you should try to install and configure a firewall.
On the apache side the only thing you could try is using mod_security with the "drop" action. Check this Server Fault answer for example. But if the connection is closed by apache an attacker could still see the connection was first accepted, so your web server is not really hidden.

SSL received a record that exceeded the maximum permissible length. (Error code: ssl_error_rx_record_too_long)

I followed the official docs on https setup located here: https://help.ubuntu.com/6.06/ubuntu/serverguide/C/httpd.html#https-configuration
I had to remove the +CompatEnvVars from
SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
because it said it was an invalid command or something. So having removed that and following the instructions to the nail I get the error:
SSL received a record that exceeded the maximum permissible length.
(Error code: ssl_error_rx_record_too_long)
I'm new to SSL, any advice on what's going wrong?
I've just experienced this issue. For me it appeared when some erroneous code was trying to redirect to HTTPS on port 80.
e.g.
https://example.com:80/some/page
by removing the port 80 from the url, the redirect works.
HTTPS by default runs over port 443.
I used
a2ensite default-ssl
and it worked like a charm.
If you want to force e.g. phpmyadmin to use SSL/https you will run into this problem if this link is missing.
I had that same error. I forgot to create a link from sites-enabled/000-default-ssl to the sites-available/default-ssl file.
> ln -s /etc/apache2/sites-available/default-ssl /etc/apache2/sites-enabled/000-default-ssl
This seems to be the result you see from Firefox when the server is not configured properly for SSL. Chrome, BTW, just gave a generic "ssl failed" code.
What happens is that the browser sends an SSL handshake when the server is expecting an HTTP request. Server responds with a 400 code and an error message that is much bigger than the handshake message that the browser expects. Hence the FF message.
As we can see from the responses here there are many things that can break the SSL configuration but not stop the server starting or give any hints in error.log.
What I did was systematically check down all the answers until I finally found the right one, right at the bottom.
Here is what I had in the access logs:
rfulton.actrix.co.nz:80 192.168.1.3 - - [09/Oct/2016:13:39:32 +1300] "\x16\x03\x01" 400 0 "-" "-"
rfulton.actrix.co.nz:80 192.168.1.3 - - [09/Oct/2016:13:39:46 +1300] "\x16\x03\x01" 400 0 "-" "-"
rfulton.actrix.co.nz:80 192.168.1.3 - - [09/Oct/2016:13:49:13 +1300] "\x16\x03\x01" 400 0 "-" "-"
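The mismatch described in the answer above can be shown from both ends. This is an added example, not code from any of the answers: it decodes the first bytes of a plaintext HTTP reply as a TLS record header to show why the decoded length exceeds the protocol maximum, and it scans access-log lines for TLS handshakes that were logged as HTTP requests. The function names are hypothetical and the sample log lines are constructed.

```python
import re
import struct

# Largest ciphertext record TLS 1.2 permits (RFC 5246, section 6.2.3).
MAX_TLS_RECORD = 2**14 + 2048

def read_as_tls_record(first_bytes):
    """Decode 5 bytes as a TLS record header: (content type, version, length)."""
    return struct.unpack("!BHH", first_bytes[:5])

def diagnose(first_bytes):
    """Classify a server's first reply bytes the way a TLS client would see them."""
    if len(first_bytes) < 5:
        return "too-short"
    ctype, version, length = read_as_tls_record(first_bytes)
    if length > MAX_TLS_RECORD:
        return "record-too-long"      # "HTTP/" decodes to a length of 20527
    if ctype in (20, 21, 22, 23) and version >> 8 == 3:
        return "tls"
    return "not-tls"

# Apache logs non-printable request bytes as \xHH; 0x16 0x03 opens a TLS handshake.
# Assumes the "vhost:port client ..." log layout shown in the answer above.
HIT = re.compile(r'^(\S+):(\d+) (\S+) .*"\\x16\\x03[^"]*" (\d{3}) ')

def tls_hits_on_plain_vhosts(log_lines):
    """Return (vhost, port, client, status) for TLS handshakes logged as HTTP requests."""
    hits = []
    for line in log_lines:
        m = HIT.match(line)
        if m:
            hits.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return hits

# Constructed sample lines (documentation addresses, not taken from the page).
SAMPLE_LOG = [
    r'www.example.com:80 192.0.2.10 - - [09/Oct/2016:13:39:32 +1300] "\x16\x03\x01" 400 0 "-" "-"',
    r'www.example.com:80 192.0.2.11 - - [09/Oct/2016:13:40:02 +1300] "GET / HTTP/1.1" 200 512 "-" "curl/7.50"',
    r'www.example.com:443 192.0.2.10 - - [09/Oct/2016:13:41:10 +1300] "\x16\x03\x01\x02" 400 0 "-" "-"',
]

if __name__ == "__main__":
    for reply in (b"HTTP/1.1 400 Bad Request\r\n", b"<!DOCTYPE HTML PUBLIC",
                  b"\x16\x03\x03\x00\x4a\x02"):
        print(reply[:5], read_as_tls_record(reply), diagnose(reply))
    for hit in tls_hits_on_plain_vhosts(SAMPLE_LOG):
        print("TLS handshake answered in plain HTTP:", hit)
```

A hit on port 80 points at a client using https:// against the plain port; a hit on port 443 points at a virtual host on that port that is not running SSL.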
This error also occurs when you have enabled the SSL module (i.e. you have run e.g. a2enmod ssl) but not yet enabled any SSL site entries (i.e you have not run e.g. a2ensite default-ssl).
I got this error when I was trying to access a url using curl:
curl 'https://example.com:80/some/page'
The solution was to change https to http
curl 'http://example.com:80/some/page'
In my case, I needed to install mod_ssl first
yum install mod_ssl
In my case I copied a ssl config from another machine and had the wrong IP in <VirtualHost wrong.ip.addr.here:443>. Changed IP to what it should be, restarted httpd and the site loaded over SSL as expected.
Finally found out the problem:
the port 443 was listening on HTTP instead of HTTPS, changed to HTTPS solved my issue.
In my case I accidentally used SSL in the Virtualhost configuration for port 80, instead of 443.
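Several answers on this page come down to the same three virtual host mistakes: a port 443 host without SSLEngine On, SSL switched on in the port 80 host, and a <VirtualHost *> with no port. A small linter for those cases follows, as an added example that is not from any answer or from Apache itself; the function names are hypothetical, the sample configuration is constructed, and it assumes 443 is the only TLS port and does not follow Include or IfDefine.

```python
import re

VHOST = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.I | re.S)
SSLENGINE = re.compile(r"^\s*SSLEngine\s+(\S+)", re.I | re.M)

def vhost_ports(addr_spec):
    """Ports named in a <VirtualHost ...> argument list; None where no port is given."""
    ports = set()
    for addr in addr_spec.split():
        _, sep, port = addr.rpartition(":")
        ports.add(int(port) if sep and port.isdigit() else None)
    return ports

def lint_vhosts(conf_text, tls_ports=(443,)):
    """Return (vhost spec, problem) pairs for the misconfigurations described above."""
    findings = []
    text = re.sub(r"(?m)^\s*#.*$", "", conf_text)   # drop whole-line comments
    for m in VHOST.finditer(text):
        spec, body = m.group(1).strip(), m.group(2)
        engine = SSLENGINE.search(body)
        ssl_on = bool(engine) and engine.group(1).lower() == "on"
        for port in sorted(vhost_ports(spec), key=str):
            if port is None:
                findings.append((spec, "no port: matches every Listen port, TLS ones included"))
            elif port in tls_ports and not ssl_on:
                findings.append((spec, "port %d answers in plain HTTP: SSLEngine on missing" % port))
            elif port not in tls_ports and ssl_on:
                findings.append((spec, "SSLEngine on set for non-TLS port %d" % port))
    return findings

# Constructed sample configuration (not taken from the page).
SAMPLE_CONF = """
<VirtualHost *>
    DocumentRoot /var/www/html
</VirtualHost>
<VirtualHost _default_:443>
    # SSLEngine On
    DocumentRoot /var/www/html
</VirtualHost>
<VirtualHost *:80>
    SSLEngine On
</VirtualHost>
<VirtualHost 192.0.2.5:443>
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/example.pem
</VirtualHost>
"""

if __name__ == "__main__":
    for spec, problem in lint_vhosts(SAMPLE_CONF):
        print("<VirtualHost %s>: %s" % (spec, problem))
```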
In my case, an Ubuntu system, in ports.conf I had
NameVirtualHost *:80
NameVirtualHost 192.168.1.79
Listen 80
And then, inside , I had
NameVirtualHost *:443
Listen 443
All I had to do was remove the line NameVirtualHost 192.168.1.79. Restarted apache and problem solved.
My case is related to Greg B's -- Visual Studio creates two sites when SSL is enabled -- one for secure, and one for normal http requests. However Visual Studio chooses two ports at random, and depending on how you start the debugger you might be pointing towards the wrong page for the request type. Especially if you edit the URL but don't change the port number.
Seeing these posts jogged my memory.
I know this isn't APACHE related, but it is definitely a page that people with that error will find..
I got the same error after enabling TLSv1.2 in webmin. Right after I enabled TLSv1.2 by accident thinking it was SSLv2, I was not able to log in from https://myipaddress:10000 like I did before. I found this link http://smallbusiness.chron.com/disable-ssl-webmin-miniserv-60053.html and it helped me because I was able to access webmin config file and I was able TLSv1.2
If you are upgrading from an older version of apache2, make sure your apache sites-available conf files end in .conf and are enabled with a2ensite
Below Solution worked for me :
Type About:Config in the Address Bar and press Enter.
“This Might void your warranty!” warning will be displayed, click on I’ll be careful, I Promise button.
Type security.ssl.enable_ocsp_stapling in search box.
The value field is true, double click on it to make it false.
Now try to connect your website again.
On my side, the error occurs if nginx.conf is like
server {
listen 443;
}
curl: (35) SSL received a record that exceeded the maximum permissible length.
Solution:
server {
listen 443 ssl;
}
It's working fine after adding ssl after 443