(SOLVED) Let's encrypt SSL_ERROR_RX_RECORD_TOO_LONG

Discussion in 'Installation/Configuration' started by AEG-Simply, Jul 16, 2017.

  1. AEG-Simply

    AEG-Simply New Member

    I need a new ISPConfig server. This is at least my 5th installation attempt with the exact same problem.
    I followed this tutorial: https://www.howtoforge.com/tutorial...8-4-jessie-apache-bind-dovecot-ispconfig-3-1/
    I only skipped
    - 9.1 Install Metronome XMPP Server (optional)
    - 10.2 Install SuPHP (optional, but not recommended)

    I have an A DNS entry: web.mydomain.fr. 0 A 92.222.69.241
    And a CNAME entry: wiki.mydomain.fr. 0 CNAME web.mydomain.
    (OVH DNS PANEL)

    I access the ISPConfig GUI at https://web.mydomain.fr:8080
    I only created a new site: wiki.mydomain.fr

    Without Let's Encrypt SSL it's fine, I have access to the wiki.mydomain.fr default site, but when I enable the Let's Encrypt SSL I get an auto-redirect to https (even if I try to go to http) and a "Secure Connection Failed" with the SSL_ERROR_RX_RECORD_TOO_LONG error message.
    My last 4 installations had the same problem, and I can't figure out why... I would really appreciate some help...

    This is my firewall script:
    Code:
    #!/bin/sh
    
    # Clean
    iptables -t filter -F
    iptables -t filter -X
    
    # Drop all
    iptables -t filter -P INPUT DROP
    iptables -t filter -P FORWARD DROP
    iptables -t filter -P OUTPUT DROP
    
    # Do not close established connections
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    
    # loopback
    iptables -t filter -A INPUT -i lo -j ACCEPT
    iptables -t filter -A OUTPUT -o lo -j ACCEPT
    
    #### SECURITY ##
    
    # Flood / DDOS
    iptables -A FORWARD -p tcp --syn -m limit --limit 1/second -j ACCEPT
    iptables -A FORWARD -p udp -m limit --limit 1/second -j ACCEPT
    iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT
    
    # Port scans
    iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
    
    #### RULES ####
    
    # ICMP
    iptables -t filter -A INPUT -p icmp -j ACCEPT
    iptables -t filter -A OUTPUT -p icmp -j ACCEPT
    
    # SSH
    iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
    iptables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT
    
    # DNS
    iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
    iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
    iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
    iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
    
    # HTTP, HTTPS
    iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
    iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
    iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
    iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
    iptables -t filter -A OUTPUT -p tcp --dport 8080 -j ACCEPT
    iptables -t filter -A INPUT -p tcp --dport 8080 -j ACCEPT
    
    # Mail SMTP
    iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
    iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT
    
    # NTP
    iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT
    
    # FTP
    iptables -t filter -A INPUT -p tcp --dport 21 -j ACCEPT
    iptables -t filter -A OUTPUT -p tcp --dport 21 -j ACCEPT
    iptables --append INPUT --protocol tcp --dport 11000:11100 --jump ACCEPT

    The ISPConfig diagnostic script:
    Code:
    ##### ISPCONFIG #####
    ISPConfig version is 3.1.5
    
    
    ##### VERSION CHECK #####
    
    [INFO] php (cli) version is 5.6.30-0+deb8u1
    [INFO] php-cgi (used for cgi php in default vhost!) is version 5.6.30-0+deb8u1
    
    ##### RUNNING SERVER PROCESSES #####
    
    [INFO] I found the following web server(s):
            Apache 2 (PID 986)
    [INFO] I found the following mail server(s):
            Postfix (PID 1476)
    [INFO] I found the following pop3 server(s):
            Dovecot (PID 662)
    [INFO] I found the following imap server(s):
            Unknown process (init) (PID 1)
    [INFO] I found the following ftp server(s):
            PureFTP (PID 1381)
    
    ##### LISTENING PORTS #####
    (seulement              ()
    Adresse         (distante)
    [anywhere]:465          (1476/master)
    [anywhere]:27665                (1383/portsentry)
    [anywhere]:1524         (1383/portsentry)
    [anywhere]:21           (1381/pure-ftpd)
    ***.***.***.***:53              (620/named)
    [localhost]:53          (620/named)
    [anywhere]:22           (617/sshd)
    [anywhere]:119          (1383/portsentry)
    [anywhere]:1080         (1383/portsentry)
    [anywhere]:25           (1476/master)
    [anywhere]:12345                (1383/portsentry)
    [localhost]:953         (620/named)
    [anywhere]:12346                (1383/portsentry)
    [anywhere]:635          (1383/portsentry)
    [anywhere]:49724                (1383/portsentry)
    [anywhere]:540          (1383/portsentry)
    [anywhere]:1            (1383/portsentry)
    [anywhere]:993          (1/init)
    [anywhere]:20034                (1383/portsentry)
    [anywhere]:32771                (1383/portsentry)
    [anywhere]:995          (662/dovecot)
    [anywhere]:32772                (1383/portsentry)
    [anywhere]:40421                (1383/portsentry)
    [anywhere]:32773                (1383/portsentry)
    [anywhere]:32774                (1383/portsentry)
    [localhost]:10023               (751/postgrey.pid)
    [localhost]:10024               (1256/amavisd-new)
    [anywhere]:41256                (579/rpc.statd)
    [localhost]:10025               (1476/master)
    [anywhere]:31337                (1383/portsentry)
    [localhost]:10026               (1256/amavisd-new)
    [localhost]:3306                (979/mysqld)
    [localhost]:10027               (1476/master)
    [anywhere]:587          (1476/master)
    [anywhere]:6667         (1383/portsentry)
    [anywhere]:11           (1383/portsentry)
    [localhost]:11211               (613/memcached)
    [anywhere]:5742         (1383/portsentry)
    [anywhere]:110          (662/dovecot)
    [anywhere]:79           (1383/portsentry)
    [anywhere]:15           (1383/portsentry)
    [anywhere]:143          (1/init)
    [anywhere]:111          (566/rpcbind)
    [anywhere]:54320                (1383/portsentry)
    [anywhere]:2000         (1383/portsentry)
    [anywhere]:10000                (999/perl)
    *:*:*:*::*:465          (1476/master)
    *:*:*:*::*:8081         (986/apache2)
    *:*:*:*::*:21           (1381/pure-ftpd)
    *:*:*:*::*:53           (620/named)
    *:*:*:*::*:22           (617/sshd)
    *:*:*:*::*:25           (1476/master)
    *:*:*:*::*:953          (620/named)
    *:*:*:*::*:443          (986/apache2)
    *:*:*:*::*:993          (1/init)
    *:*:*:*::*:995          (662/dovecot)
    *:*:*:*::*:54787                (579/rpc.statd)
    *:*:*:*::*:10023                (751/postgrey.pid)
    *:*:*:*::*:10024                (1256/amavisd-new)
    *:*:*:*::*:10026                (1256/amavisd-new)
    *:*:*:*::*:587          (1476/master)
    [localhost]10           (662/dovecot)
    [localhost]43           (1/init)
    [localhost]11           (566/rpcbind)
    [localhost]0000         (999/perl)
    *:*:*:*::*:8080         (986/apache2)
    *:*:*:*::*:80           (986/apache2)
    
    ##### IPTABLES #####
    Chain INPUT (policy DROP)
    target     prot opt source               destination
    ACCEPT     all  --  [anywhere]/0            [anywhere]/0            state RELATED,ESTABLISHED
    ACCEPT     all  --  [anywhere]/0            [anywhere]/0
    ACCEPT     icmp --  [anywhere]/0            [anywhere]/0
    ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:22
    ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:53
    ACCEPT     udp  --  [anywhere]/0            [anywhere]/0            udp dpt:53
    ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:80
    ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:443
    ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:8080
    ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:25
    ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:21
    ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpts:11000:11100
    
    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp flags:0x17/0x02 limit: avg 1/sec burst 5
    ACCEPT     udp  --  [anywhere]/0            [anywhere]/0            limit: avg 1/sec burst 5
    ACCEPT     icmp --  [anywhere]/0            [anywhere]/0            icmptype 8 limit: avg 1/sec burst 5
    ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp flags:0x17/0x04 limit: avg 1/sec burst 5
    
    Chain OUTPUT (policy DROP)
    target     prot opt source               destination
    ACCEPT     all  --  [anywhere]/0            [anywhere]/0            state RELATED,ESTABLISHED
    ACCEPT     all  --  [anywhere]/0            [anywhere]/0
    ACCEPT     icmp --  [anywhere]/0            [anywhere]/0
    ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:22
    ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:53
    ACCEPT     udp  --  [anywhere]/0            [anywhere]/0            udp dpt:53
    ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:80
    ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:443
    ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:8080
    ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:25
    ACCEPT     udp  --  [anywhere]/0            [anywhere]/0            udp dpt:123
    ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:21
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    The error means that this website has no SSL. Check in ISPConfig whether the SSL and Let's Encrypt checkboxes of this site are active; if not, activate them again, then wait a minute and check if the site works now.
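    As an added illustration of why the browser reports exactly that error (my example, not code from the thread or from ISPConfig): a TLS client reads the first five bytes of the server's reply as a record header, so a plaintext "HTTP/1.1 ..." answer on port 443 parses to a record length of 0x502F = 20527 bytes, above the 18432-byte maximum, hence SSL_ERROR_RX_RECORD_TOO_LONG. The probe below first tries a TLS handshake and, if that fails, reads the raw reply to tell "plaintext HTTP on 443" from other failures; host and SNI name are command-line assumptions.

```python
import socket
import ssl

# A TLS record starts with a 5-byte header: content type (1), version (2), length (2).
TLS_HANDSHAKE = 0x16
MAX_TLS_RECORD = 2 ** 14 + 2048  # largest record a TLS peer must accept (RFC 5246, 6.2.3)

# Constructed sample replies, not captured from any real server.
SAMPLE_PLAINTEXT = b"HTTP/1.1 200 OK\r\nServer: Apache/2.4\r\n\r\n"
SAMPLE_TLS = bytes([0x16, 0x03, 0x03, 0x00, 0x31, 0x02])  # handshake record header + ServerHello type


def record_length(data: bytes) -> int:
    """Length field a TLS client reads from bytes 3-4 of whatever the server sent."""
    return int.from_bytes(data[3:5], "big")


def classify(data: bytes) -> str:
    """'tls' for a plausible handshake record, 'plaintext-http' when the server
    answered port 443 in clear (what Firefox shows as SSL_ERROR_RX_RECORD_TOO_LONG),
    otherwise 'unknown'."""
    if len(data) < 5:
        return "unknown"
    if data[0] == TLS_HANDSHAKE and data[1] == 0x03 and record_length(data) <= MAX_TLS_RECORD:
        return "tls"
    if data.startswith(b"HTTP/"):
        return "plaintext-http"
    return "unknown"


def probe(host: str, port: int = 443, sni: str = "", timeout: float = 5.0):
    """Try a TLS handshake; if it fails, send a plain HEAD and classify the raw reply.
    Pass sni=<site name> to test the vhost the browser would actually ask for."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # only asking "is TLS spoken here?", not validating the cert
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=sni or host) as tls:
                return "tls", tls.version()
    except ssl.SSLError as err:
        reason = str(err)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"HEAD / HTTP/1.0\r\nHost: " + (sni or host).encode() + b"\r\n\r\n")
        data = sock.recv(64)
    return classify(data), reason


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], sni=sys.argv[2] if len(sys.argv) > 2 else ""))
```

    A result of ('plaintext-http', ...) means Apache is answering 443 without an SSL vhost for that name, which is the "this website has no SSL" case; a handshake that succeeds but presents another site's certificate is the separate "connection is not secure" case.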
     
  3. AEG-Simply

    AEG-Simply New Member

    Well. It seems to work now. I don't quite understand. Maybe I was too tired...
    Thanks anyway.
     
  4. AEG-Simply

    AEG-Simply New Member

    I got some updates.
    I checked the Let's Encrypt SSL on a website and it worked, green lock.

    A bit later, I tried it again on 2 other sites, and I got "This connection is not secure", as the SSL certificate was not verified.

    Do I have to wait some time before the SSL cert is verified?
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    It might be that you have to activate that option a second time after about a minute; there is an issue in 3.1.5, already resolved, that causes this. As an alternative, you can run:

    ispconfig_update.sh

    on the shell as root and select 'git-stable' as the version to get this bugfix ahead of the 3.1.6 release.
     
  6. AEG-Simply

    AEG-Simply New Member

    Indeed, the update resolved my issue, thanks a lot! :)
     
