LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 04-21-2016, 02:31 AM   #1
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,181

Rep: Reputation: 90
Ssl_error_rx_record_too_long


Hi,

I'm trying to configure a https redirection for my website. I'm using Apache on an OpenSUSE 13.2. The structure of the config files is a little bit different from Centos, which I'm more familiar with, and I'm not sure how it all works, even though I understand that all directives are taken into consideration, as long as there's an include directive in the main config (httpd.conf)

The error is: Secure Connection Failed. An error occurred during a connection to mydomain.com. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG

What I did first was simply to add these 3 lines (which work fine on my Centos 7):
Code:
<VirtualHost *:80>
redirect / https://mydomain.com/
</VirtualHost>
I've already configured a letsencrypt certificate, and the result was successful. The files have been created in /etc/letsencrypt/live/mydomain.com/

So I edited ssl-global.conf and added these lines:
Code:
SSLCertificateFile /etc/letsencrypt/live/mydomain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/mydomain.com/chain.pem
The server is listening both on 80 and 443 ports. I actually wrote Listen 0.0.0.0:443, as netstat was showing that the server was listening on IPv6.



I've already added a <VirtualHost *:443> container in ssl-global.conf, in which the SSLCertificate directives are included, even though I don't think it's necessary to place them within the container.

Any ideas how I'm supposed to attack this problem? Should I offer more information?

P.S. I forgot to mention that I'm using it for owncloud. The weird thing is that if I type in mydomain.com, it doesn't redirect to https, but when I write mydomain.com/owncloud, then it redirects to https and it gives the aforementioned error.

Last edited by vincix; 04-21-2016 at 02:37 AM.
 
Old 04-21-2016, 04:20 AM   #2
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 12,827

Rep: Reputation: 1866Reputation: 1866Reputation: 1866Reputation: 1866Reputation: 1866Reputation: 1866Reputation: 1866Reputation: 1866Reputation: 1866Reputation: 1866Reputation: 1866
Quote:
The error is: Secure Connection Failed. An error occurred during a connection to mydomain.com. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG
The above error means that apache listens on port 443, but it uses the plain http protocol, i.e. SSL is not enabled.
I'm not a Suse user, so better have a look here (skip the initial certificates stuff since you have the certs), about the apache configuration files that need editing.

Regards
 
1 members found this post helpful.
Old 04-21-2016, 04:42 AM   #3
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Doesn't owncloud have an "Use ssl" option in the admin area?
 
Old 04-21-2016, 09:48 AM   #4
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,181

Original Poster
Rep: Reputation: 90
Quote:
Originally Posted by Habitual View Post
Doesn't owncloud have an "Use ssl" option in the admin area?
It actually has an 'enforce ssl' option, which is greyed out. Probably because it hasn't identified proper settings for https.

I followed the instructions, but to no avail. I'm not trying to redirect anymore, so that others can use owncloud in the meantime. I'm testing it by prefixing https in the address bar.

The error is the same.

These are my include directives in httpd.conf (I bolded the one I think is relevant):
Code:
Include /etc/apache2/uid.conf
Include /etc/apache2/server-tuning.conf
Include /etc/apache2/sysconfig.d/loadmodule.conf
Include /etc/apache2/listen.conf
Include /etc/apache2/mod_log_config.conf
Include /etc/apache2/sysconfig.d/global.conf
Include /etc/apache2/mod_status.conf
Include /etc/apache2/mod_info.conf
Include /etc/apache2/mod_usertrack.conf
Include /etc/apache2/mod_autoindex-defaults.conf
Include /etc/apache2/mod_mime-defaults.conf
Include /etc/apache2/errors.conf
Include /etc/apache2/default-server.conf
Include /etc/apache2/sysconfig.d/include.conf
And these are the directives in default-server.conf:
Code:
IncludeOptional /etc/apache2/conf.d/*.conf
IncludeOptional /etc/apache2/conf.d/apache2-manual?conf
Include /etc/apache2/vhosts.d/*.conf
Include /etc/apache2/conf.d/*.conf (here there's owncloud, phpmyadmin)
So I configured https in /etc/apache2/vhosts.d/vhost-ssl.conf:
Code:
<IfDefine SSL>
<IfDefine !NOSSL>
<VirtualHost *:443>
	DocumentRoot "/srv/www/htdocs"
	ErrorLog /var/log/apache2/error_log
	TransferLog /var/log/apache2/access_log
	SSLProtocol all -SSLv2
	SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
	SSLEngine on
	SSLCertificateFile /etc/letsencrypt/live/mydomain.com/cert.pem
	SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
	SSLCertificateChainFile /etc/letsencrypt/live/mydomain.com/chain.pem
	CustomLog /var/log/apache2/ssl_request_log   ssl_combined
</VirtualHost>
</IfDefine>
</IfDefine>

Last edited by vincix; 04-21-2016 at 11:43 AM.
 
Old 04-21-2016, 10:53 AM   #5
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Did you run
Code:
a2enmod ssl
some time during this task?

Seen http://refugeeks.com/owncloud-setup-guide/ ?
 
1 members found this post helpful.
Old 04-21-2016, 11:16 AM   #6
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,181

Original Poster
Rep: Reputation: 90
Quote:
Originally Posted by Habitual View Post
Did you run
Code:
a2enmod ssl
some time during this task?

Seen http://refugeeks.com/owncloud-setup-guide/ ?

a2enmod ssl
"ssl" already present

First I need to solve the https problem. When I try https://mydomain.com, the error is the same. So it's not related to owncloud, at least not at this stage. SSL is not working, and it's related to Apache, not to owncloud.
 
Old 04-21-2016, 11:33 AM   #7
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
http://refugeeks.com/owncloud-setup-...figuring-HTTPS is fairly Apache-specific.
 
1 members found this post helpful.
Old 04-21-2016, 12:04 PM   #8
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 12,827

Rep: Reputation: 1866Reputation: 1866Reputation: 1866Reputation: 1866Reputation: 1866Reputation: 1866Reputation: 1866Reputation: 1866Reputation: 1866Reputation: 1866Reputation: 1866
Quote:
Originally Posted by vincix View Post
a2enmod ssl
"ssl" already present

First I need to solve the https problem. When I try https://mydomain.com, the error is the same. So it's not related to owncloud, at least not at this stage. SSL is not working, and it's related to Apache, not to owncloud.
From the link in my previous post, you may need to also do the following (at least the 2nd one):
Quote:
Edit the /etc/sysconfig/apache2 file.

APACHE_START_TIMEOUT="10"
APACHE_SERVER_FLAGS="SSL"
 
1 members found this post helpful.
Old 04-21-2016, 12:25 PM   #9
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,181

Original Poster
Rep: Reputation: 90
Quote:
Originally Posted by bathory View Post
From the link in my previous post, you may need to also do the following (at least the 2nd one):
I completely missed that. This is a big step forward. Now I can see finally that Apache is actually reading vhost-ssl.conf! But now the problem is that several directives which seem completely legitimate are interpreted as invalid.
Code:
Invalid command 'SSLCipherSuite', perhaps misspelled or defined by a mo...
Invalid command 'SSLEngine', perhaps misspelled or defined by a module...
Invalid command 'SSLEngine', perhaps misspelled or defined by a module...
Invalid command 'SSLCertificateFile', perhaps misspelled or defined by...
Invalid command 'SSLCertificateFile', perhaps misspelled or defined by...
And so on, and so forth. Any ideas why it would do that?
 
Old 04-21-2016, 12:34 PM   #10
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,181

Original Poster
Rep: Reputation: 90
Following habitual's link, I had enabled an "owncloud-ssl" module (which didn't exist on my machine anyway) and disabled ssl. That's where the errors came from and that's why apache was seeing legitimate directives as invalid. Then I enabled ssl and disabled owncloud-ssl again.

After enabling SSL in /etc/sysconfig/apache2, ssl_request_log has also been generated under /var/log.

Even so, when I try https://mydomain.com(/owncloud), I get the same error.
 
Old 04-21-2016, 12:43 PM   #11
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,181

Original Poster
Rep: Reputation: 90
Quote:
Originally Posted by vincix View Post
Following habitual's link, I had enabled an "owncloud-ssl" module (which didn't exist on my machine anyway) and disabled ssl. That's where the errors came from and that's why apache was seeing legitimate directives as invalid. Then I enabled ssl and disabled owncloud-ssl again.

After enabling SSL in /etc/sysconfig/apache2, ssl_request_log has also been generated under /var/log.

Even so, when I try https://mydomain.com(/owncloud), I get the same error.

Later edit:
I changed the Virtualhost directive from mydomain.com to *:443 and ssl seems to be working. The letsencrypt certificate is recognized by the browser. The only problem now is that I get a 403 forbiden error when prefixing with https, both with or without /owncloud.

Unbelievable! It works. The problem was that <Directory "/srv/www/htdocs"> was included in the <VirtualHost *:80>. I placed it outside and it works!

Thanks to both of you. You've been really helpful But the /etc/sysconfig/apache2 proved to be essential. It never crossed my mind, of course, because it doesn't exist in CentOS. A rather sad inconsistency between linux distros which made me spent a whole day on this... but I guess it was worth it in the end

Last edited by vincix; 04-21-2016 at 12:48 PM.
 
Old 04-21-2016, 01:27 PM   #12
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Glad it worked out.
FWIW: I have never touched any /etc/sysconfig/apache2 getting all my https working.
httpd on CentOS and httpd on Ubuntu are not the same thing, as you have found out.
 
Old 04-21-2016, 02:53 PM   #13
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,181

Original Poster
Rep: Reputation: 90
Quote:
Originally Posted by Habitual View Post
Glad it worked out.
FWIW: I have never touched any /etc/sysconfig/apache2 getting all my https working.
httpd on CentOS and httpd on Ubuntu are not the same thing, as you have found out.
I had also asked a very knowledgeable person, but he couldn't come up with this solution. He was thinking of tinkering with the VirtualHost directive and so on, and so forth. So yeah. I don't like using too many distros, I'd prefer using only Centos/Redhat, but it can't be helped in this case.
 
Old 04-21-2016, 03:33 PM   #14
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
I used https://www.digitalocean.com/communi...r-ubuntu-12-04
before I had Owncloud EE and that has it's own SSL chain built-in, I believe.
 
Old 04-23-2016, 07:18 AM   #15
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,181

Original Poster
Rep: Reputation: 90
Quote:
Originally Posted by Habitual View Post
I used https://www.digitalocean.com/communi...r-ubuntu-12-04
before I had Owncloud EE and that has its own SSL chain built-in, I believe.
What did you use owncloud EE for?
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Upgrading Squeeze To Wheezy : phpmyadmin = ssl_error_rx_record_too_long pun_Krawk Debian 2 01-21-2014 04:50 PM
SSL (Error code: ssl_error_rx_record_too_long) nortonz Linux - Server 5 05-25-2012 10:59 AM
Error code: ssl_error_rx_record_too_long cccc Debian 1 04-14-2010 05:59 AM
webmin error ssl_error_rx_record_too_long Toadman Linux - Server 4 11-30-2009 11:14 AM
ssl_error_rx_record_too_long RMLinux Red Hat 1 08-31-2008 05:09 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 01:18 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration