Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I'm trying to configure a https redirection for my website. I'm using Apache on an OpenSUSE 13.2. The structure of the config files is a little bit different from Centos, which I'm more familiar with, and I'm not sure how it all works, even though I understand that all directives are taken into consideration, as long as there's an include directive in the main config (httpd.conf)
The error is: Secure Connection Failed. An error occurred during a connection to mydomain.com. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG
What I did first was simply to add these 3 lines (which work fine on my Centos 7):
The server is listening both on 80 and 443 ports. I actually wrote Listen 0.0.0.0:443, as netstat was showing that the server was listening on IPv6.
I've already added a <VirtualHost *:443> container in ssl-global.conf, in which the SSLCertificate directives are included, even though I don't think it's necessary to place them within the container.
Any ideas how I'm supposed to attack this problem? Should I offer more information?
P.S. I forgot to mention that I'm using it for owncloud. The weird thing is that if I type in mydomain.com, it doesn't redirect to https, but when I write mydomain.com/owncloud, then it redirects to https and it gives the aforementioned error.
The error is: Secure Connection Failed. An error occurred during a connection to mydomain.com. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG
The above error means that apache listens on port 443, but it uses the plain http protocol, i.e. SSL is not enabled.
I'm not a Suse user, so better have a look here (skip the initial certificates stuff since you have the certs), about the apache configuration files that need editing.
Doesn't owncloud have an "Use ssl" option in the admin area?
It actually has an 'enforce ssl' option, which is greyed out. Probably because it hasn't identified proper settings for https.
I followed the instructions, but to no avail. I'm not trying to redirect anymore, so that others can use owncloud in the meantime. I'm testing it by prefixing https in the address bar.
The error is the same.
These are my include directives in httpd.conf (I bolded the one I think is relevant):
Code:
Include /etc/apache2/uid.conf
Include /etc/apache2/server-tuning.conf
Include /etc/apache2/sysconfig.d/loadmodule.conf
Include /etc/apache2/listen.conf
Include /etc/apache2/mod_log_config.conf
Include /etc/apache2/sysconfig.d/global.conf
Include /etc/apache2/mod_status.conf
Include /etc/apache2/mod_info.conf
Include /etc/apache2/mod_usertrack.conf
Include /etc/apache2/mod_autoindex-defaults.conf
Include /etc/apache2/mod_mime-defaults.conf
Include /etc/apache2/errors.conf
Include /etc/apache2/default-server.conf
Include /etc/apache2/sysconfig.d/include.conf
And these are the directives in default-server.conf:
Code:
IncludeOptional /etc/apache2/conf.d/*.conf
IncludeOptional /etc/apache2/conf.d/apache2-manual?conf
Include /etc/apache2/vhosts.d/*.conf
Include /etc/apache2/conf.d/*.conf (here there's owncloud, phpmyadmin)
So I configured https in /etc/apache2/vhosts.d/vhost-ssl.conf:
First I need to solve the https problem. When I try https://mydomain.com, the error is the same. So it's not related to owncloud, at least not at this stage. SSL is not working, and it's related to Apache, not to owncloud.
First I need to solve the https problem. When I try https://mydomain.com, the error is the same. So it's not related to owncloud, at least not at this stage. SSL is not working, and it's related to Apache, not to owncloud.
From the link in my previous post, you may need to also do the following (at least the 2nd one):
From the link in my previous post, you may need to also do the following (at least the 2nd one):
I completely missed that. This is a big step forward. Now I can see finally that Apache is actually reading vhost-ssl.conf! But now the problem is that several directives which seem completely legitimate are interpreted as invalid.
Code:
Invalid command 'SSLCipherSuite', perhaps misspelled or defined by a mo...
Invalid command 'SSLEngine', perhaps misspelled or defined by a module...
Invalid command 'SSLEngine', perhaps misspelled or defined by a module...
Invalid command 'SSLCertificateFile', perhaps misspelled or defined by...
Invalid command 'SSLCertificateFile', perhaps misspelled or defined by...
And so on, and so forth. Any ideas why it would do that?
Following habitual's link, I had enabled an "owncloud-ssl" module (which didn't exist on my machine anyway) and disabled ssl. That's where the errors came from and that's why apache was seeing legitimate directives as invalid. Then I enabled ssl and disabled owncloud-ssl again.
After enabling SSL in /etc/sysconfig/apache2, ssl_request_log has also been generated under /var/log.
Following habitual's link, I had enabled an "owncloud-ssl" module (which didn't exist on my machine anyway) and disabled ssl. That's where the errors came from and that's why apache was seeing legitimate directives as invalid. Then I enabled ssl and disabled owncloud-ssl again.
After enabling SSL in /etc/sysconfig/apache2, ssl_request_log has also been generated under /var/log.
Later edit:
I changed the Virtualhost directive from mydomain.com to *:443 and ssl seems to be working. The letsencrypt certificate is recognized by the browser. The only problem now is that I get a 403 forbiden error when prefixing with https, both with or without /owncloud.
Unbelievable! It works. The problem was that <Directory "/srv/www/htdocs"> was included in the <VirtualHost *:80>. I placed it outside and it works!
Thanks to both of you. You've been really helpful But the /etc/sysconfig/apache2 proved to be essential. It never crossed my mind, of course, because it doesn't exist in CentOS. A rather sad inconsistency between linux distros which made me spent a whole day on this... but I guess it was worth it in the end
Glad it worked out.
FWIW: I have never touched any /etc/sysconfig/apache2 getting all my https working.
httpd on CentOS and httpd on Ubuntu are not the same thing, as you have found out.
Glad it worked out.
FWIW: I have never touched any /etc/sysconfig/apache2 getting all my https working.
httpd on CentOS and httpd on Ubuntu are not the same thing, as you have found out.
I had also asked a very knowledgeable person, but he couldn't come up with this solution. He was thinking of tinkering with the VirtualHost directive and so on, and so forth. So yeah. I don't like using too many distros, I'd prefer using only Centos/Redhat, but it can't be helped in this case.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
But the /etc/sysconfig/apache2 proved to be essential. It never crossed my mind, of course, because it doesn't exist in CentOS. A rather sad inconsistency between linux distros which made me spent a whole day on this... but I guess it was worth it in the end 
