ssl_error_rx_record_too_long new server install

Discussion in 'Installation/Configuration' started by bswinnerton, Jun 7, 2010.

  1. bswinnerton

    bswinnerton New Member

    Alright so I moved my server over to a fresh, clean install and I'm not sure how but for some reason the SSL got mixed up in the middle of all this. For some reason on my site now I can't create new CSR's (just nothing comes up after I choose create certificate). And I've also tried uploading the one that I had before (with the intermediate) and I get:

    ssl_error_rx_record_too_long
     
  2. bswinnerton

    bswinnerton New Member

    Okay, I was able to finally bypass that error by blowing away my site and just recreating it. Unfortunately now, I'm getting sec_error_untrusted_issuer because it's self signed (even though that i'm saving the new godaddy one in there).

    What could be the cause of this?
     
  3. bswinnerton

    bswinnerton New Member

    Hmm and to top it off, whenever I try to view anything https:// on my site I just get the default apache webpage.
     
  4. falko

    falko Super Moderator ISPConfig Developer

    Any errors in Apache's error log?
     
  5. bswinnerton

    bswinnerton New Member

    Not really, no. The only thing that is odd is this:

    Code:
    [Mon Jun 07 15:01:28 2010] [error] [client 72.10.126.2] File does not exist: /var/www/webmail
    [Mon Jun 07 15:01:29 2010] [error] [client 72.10.126.2] File does not exist: /var/www/webmail
    [Mon Jun 07 15:01:30 2010] [error] [client 72.10.126.2] File does not exist: /var/www/webmail
    
    I'm trying to access webmail using HTTPS and it seems that it's not going to the right site, it's just going to the /var/www/ directory for everything https
     
  6. bswinnerton

    bswinnerton New Member

    Here is mysite.com.vhost:

    Code:
    <Directory /var/www/mysite.com>
        AllowOverride None
        Order Deny,Allow
        Deny from all
    </Directory>
    
    <VirtualHost *:80>
          DocumentRoot /var/www/mysite.com/web
      
        ServerName mysite.com
        ServerAlias www.mysite.com 
        ServerAlias webmail.mysite.com
        ServerAdmin [email protected]
    
        ErrorLog /var/log/ispconfig/httpd/mysite.com/error.log
    
        ErrorDocument 400 /error/400.html
        ErrorDocument 401 /error/401.html
        ErrorDocument 403 /error/403.html
        ErrorDocument 404 /error/404.html
        ErrorDocument 405 /error/405.html
        ErrorDocument 500 /error/500.html
        ErrorDocument 503 /error/503.html
    	
        <Directory /var/www/mysite.com/web>
            Options FollowSymLinks
            AllowOverride All
            Order allow,deny
            Allow from all
        </Directory>
        <Directory /var/www/clients/client1/web7/web>
            Options FollowSymLinks
            AllowOverride All
            Order allow,deny
            Allow from all
        </Directory>
    
        # mod_php enabled
        AddType application/x-httpd-php .php .php3 .php4 .php5
        php_admin_value sendmail_path "/usr/sbin/sendmail -t -i [email protected]"	
        php_admin_value upload_tmp_dir /var/www/clients/client1/web7/tmp
        php_admin_value session.save_path /var/www/clients/client1/web7/tmp
        php_admin_value open_basedir /var/www/clients/client1/web7/web:/var/www/clients/client1/web7/tmp:/var/www/mysite.com/web:/srv/www/mysite.com/web:/usr/share/php5:/tmp:/usr/share/phpmyadmin
        
        RewriteEngine on
        RewriteCond %{HTTP_HOST}   ^webmail.mysite.com [NC]
        RewriteRule   ^/(.*)$ /webmail/$1  [R]
    
        # add support for apache mpm_itk
        <IfModule mpm_itk_module>
          AssignUserId web7 client1
        </IfModule>
    
    
    </VirtualHost>
    
    And SSL is enabled in ISPConfig.
     
  7. maced0n

    maced0n New Member

    You should have something like this in you mysite.com.vhost
    What do you have in Sites > mysite.com > SSL fields.
     
  8. bswinnerton

    bswinnerton New Member

    Yeah, unfortunately it's not there and I can't get ISPConfig to create it for me.
     
  9. Hans

    Hans Moderator ISPConfig Developer

    I have to say that i have similar problems with one site.
    When i installed the SSL-Certicate everything seems to be ok, because everything works....at least for a while, because from time to time http://www.example.com (without SSL) shows the default Apache web page "It works" and at the same website (with SSL) https://www.example.com i see the error "ssl_error_rx_record_too_long".

    Some time later everything is normal again and the site is shown as it should be.
    First, i thought that it has to to something with DNS, but now i'm sure it is not.
    It must be a bug in the latest stable version of ISPConfig3 and i hope it will be fixed soon!
     
  10. bswinnerton

    bswinnerton New Member

    Alright, I was able to resolve the problem by manually deleting all of the certificates in /var/www/mysite.com/ssl

    Once that was done I disabled SSL in ISPConfig, and waited until everything went away in the SSL tab. Once that was done I re-enabled SSL and waited until the certificate appeared in ISPConfig (it does take a few minutes). After that I rekeyed my certificate with GoDaddy with the ISPConfig CSR and pasted the new cert and bundle into the ISPConfig UI and it worked!
     
  11. Hans

    Hans Moderator ISPConfig Developer

    That's good to know, but i did that for 3 times already.
    I have a site with SSL-certicate up und running as well, but several times a day the problem occurs again: from time to time http://www.example.com (without SSL) shows the default Apache web page "It works" and at the same website (with SSL) https://www.example.com i see the error "ssl_error_rx_record_too_long".

    It's not a DNS-problem as all the nameservers are pointing to the same address.
     
  12. bswinnerton

    bswinnerton New Member

    What does your vhost file look like in sites-enabled? I think what's happening is that it's bouncing between that and default-ssl
     
  13. Hans

    Hans Moderator ISPConfig Developer

    Hi, thanks for your feedback.

    Here is the content of the vhost file:

    Code:
    <Directory /var/www/www.example.com>
        AllowOverride None
        Order Deny,Allow
        Deny from all
    </Directory>
    
    <VirtualHost 12.34.56.789:80>
          DocumentRoot /var/www/www.example.com/web
      
        ServerName www.example.com
        ServerAdmin [email protected]
    
        ErrorLog /var/log/ispconfig/httpd/www.example.com/error.log
    
        ErrorDocument 400 /error/400.html
        ErrorDocument 401 /error/401.html
        ErrorDocument 403 /error/403.html
        ErrorDocument 404 /error/404.html
        ErrorDocument 405 /error/405.html
        ErrorDocument 500 /error/500.html
        ErrorDocument 503 /error/503.html
    	
        <Directory /var/www/www.example.com/web>
            Options FollowSymLinks
            AllowOverride All
            Order allow,deny
            Allow from all
        </Directory>
        <Directory /var/www/clients/client0/web1/web>
            Options FollowSymLinks
            AllowOverride All
            Order allow,deny
            Allow from all
        </Directory>
    
        # suexec enabled
        SuexecUserGroup web1 client0
        # php as fast-cgi enabled
        <IfModule mod_fcgid.c>
          # SocketPath /tmp/fcgid_sock/
          IdleTimeout 3600
          ProcessLifeTime 7200
          # MaxProcessCount 1000
          DefaultMinClassProcessCount 3
          DefaultMaxClassProcessCount 100
          IPCConnectTimeout 8
          IPCCommTimeout 360
          BusyTimeout 300
        </IfModule>
        <Directory /var/www/www.example.com/web>
            AddHandler fcgid-script .php .php3 .php4 .php5
            FCGIWrapper /var/www/php-fcgi-scripts/web1/.php-fcgi-starter .php
            Options +ExecCGI
            AllowOverride All
            Order allow,deny
            Allow from all
        </Directory>
    	<Directory /var/www/clients/client0/web1/web>
            AddHandler fcgid-script .php .php3 .php4 .php5
            FCGIWrapper /var/www/php-fcgi-scripts/web1/.php-fcgi-starter .php
            Options +ExecCGI
            AllowOverride All
            Order allow,deny
            Allow from all
        </Directory>
    
        # add support for apache mpm_itk
        <IfModule mpm_itk_module>
          AssignUserId web1 client0
        </IfModule>
    
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
    SSLCertificateChainFile /var/www/clients/client0/web1/ssl/EntrustSecureServerCA.crt
    SSLCertificateChainFile /var/www/clients/client0/web1/ssl/USERTrustLegacySecureServerCA.crt
    </VirtualHost>
    
    
    
    <IfModule mod_ssl.c>
    ###########################################################
    # SSL Vhost
    ###########################################################
    
    <VirtualHost 12.34.56.789:443>
          DocumentRoot /var/www/www.example.com/web
      
        ServerName www.example.com
        ServerAdmin [email protected]
        
        ErrorLog /var/log/ispconfig/httpd/www.example.com/error.log
    
        ErrorDocument 400 /error/400.html
        ErrorDocument 401 /error/401.html
        ErrorDocument 403 /error/403.html
        ErrorDocument 404 /error/404.html
        ErrorDocument 405 /error/405.html
        ErrorDocument 500 /error/500.html
        ErrorDocument 503 /error/503.html
    
        SSLEngine on
        SSLCertificateFile /var/www/clients/client0/web1/ssl/www.example.com.crt
        SSLCertificateKeyFile /var/www/clients/client0/web1/ssl/www.example.com.key
        
    	<Directory /var/www/www.example.com/web>
            Options FollowSymLinks
            AllowOverride All
            Order allow,deny
            Allow from all
        </Directory>
        <Directory /var/www/clients/client0/web1/web>
            Options FollowSymLinks
            AllowOverride All
            Order allow,deny
            Allow from all
        </Directory>
    
        # suexec enabled
        SuexecUserGroup web1 client0
        # php as fast-cgi enabled
        <IfModule mod_fcgid.c>
          # SocketPath /tmp/fcgid_sock/
          IdleTimeout 3600
          ProcessLifeTime 7200
          # MaxProcessCount 1000
          DefaultMinClassProcessCount 3
          DefaultMaxClassProcessCount 100
          IPCConnectTimeout 8
          IPCCommTimeout 360
          BusyTimeout 300
        </IfModule>
        <Directory /var/www/www.example.com/web>
            AddHandler fcgid-script .php .php3 .php4 .php5
            FCGIWrapper /var/www/php-fcgi-scripts/web1/.php-fcgi-starter .php
            Options +ExecCGI
            AllowOverride All
            Order allow,deny
            Allow from all
        </Directory>
    	<Directory /var/www/clients/client0/web1/web>
            AddHandler fcgid-script .php .php3 .php4 .php5
            FCGIWrapper /var/www/php-fcgi-scripts/web1/.php-fcgi-starter .php
            Options +ExecCGI
            AllowOverride All
            Order allow,deny
            Allow from all
        </Directory>
    
        # add support for apache mpm_itk
        <IfModule mpm_itk_module>
          AssignUserId web1 client0
        </IfModule>
    
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
    SSLCertificateChainFile /var/www/clients/client0/web1/ssl/EntrustSecureServerCA.crt
    SSLCertificateChainFile /var/www/clients/client0/web1/ssl/USERTrustLegacySecureServerCA.crt
    </VirtualHost>
    </IfModule>
     
  14. bswinnerton

    bswinnerton New Member

    Hmm, well the only thing that I see odd there is that there is an IP address for your SSL traffic here:

    Code:
    <VirtualHost 12.34.56.789:443>
    On mine (and most that I've seen) it's usually a star denoting that all incoming ip addreses on port 443. So you may only have it working when coming in on 12.34.56.789. I'd make a backup of that:

    Code:
    cp /etc/apache2/sites-enabled/example.com.vhost /etc/apache2/sites-enabled/example.com.vhost.old
    And then change:

    Code:
    <VirtualHost 12.34.56.789:443>
    to
    Code:
    <VirtualHost *:443>
    And then restart apache:

    Code:
    /etc/init.d/apache2 restart
     
  15. Hans

    Hans Moderator ISPConfig Developer

    Thanks fot your help!

    I use ISPConfig3 so i can just use "*" instead of the dedicated IP-address. If i do so, (not from time to time, but ALL the time) the site http://www.example.com (without SSL) shows the default Apache web page "It works" and at the same website (with SSL) https://www.example.com i see the error "ssl_error_rx_record_too_long". So, that's no good.

    By the way i don't understand that you choose "*" instead of the dedicated IP which belongs to the dedicated domain with SSL.

    For now i use the dedicated IP again in the vhost, because i did that also for the other websites (up and running without problems) with a dedicated IP and SSL-certicate on this server.
     
  16. Hans

    Hans Moderator ISPConfig Developer

    @bswinnerton,
    Thanks for your feedback.

    In the mean the problem has been solved. :)
    It had nothing to do with ISPConfig3.
    The problem was caused by a conflict with the IP-address within my network.
     

Share This Page