
I received an e-mail recently from LetsEncrypt telling me my website certificate was about to expire - I configured the website to use HTTPS only. The certificates were auto-renewing without any problems until now. I upgraded the OpenSSL libraries on my Ubuntu 18.04 to use the latest TLS, version 1.3. It all seemed to work fine but accessing my website using a Firefox web browser running on Windows 7 displayed the following message:-

SSL_ERROR_RX_RECORD_TOO_LONG

and Apache's "access.log" file on the server has the following when the site is accessed:-

"\x16\x03\x01\x02" 400 499 "-" "-"

Which looks like a TLS handshake and the 400 could be a bad request.

Something, somewhere, isn't configured correctly. How do I find out what the problem is?

EDIT

After looking around for a solution, I found that if I type:-

dfsoftware.ddns.net

into my browser address bar I get an error (on Firefox, the SSL_ERROR...) but if I type:-

http://dfsoftware.ddns.net:443

the page loads correctly. So it seems apache is having trouble with handling a secure connection on port 443 and only accepts vanilla requests on that port. The configuration files look OK (I can upload them if you need to see) so what's going on?

EDIT 2

Here are the apache configuration files that I think are relevant, if others are needed, do ask.

apache2.conf:-

ServerName dfsoftware.ddns.net
DefaultRuntimeDir ${APACHE_RUN_DIR}
PidFile ${APACHE_PID_FILE}
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
HostnameLookups Off
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
Include ports.conf

<Directory />
    Options FollowSymLinks
    AllowOverride None
    Require all denied
</Directory>

<Directory /usr/share>
    AllowOverride None
    Require all granted
</Directory>

<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

AccessFileName .htaccess

<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

IncludeOptional conf-enabled/*.conf
IncludeOptional sites-enabled/*.conf

<FilesMatch \.php$>
    SetHandler application/x-httpd-php
</FilesMatch>

ports.conf:-

Listen 80

<IfModule ssl_module>
    Listen 443
</IfModule>

<IfModule mod_gnutls.c>
    Listen 443
</IfModule>

sites-available/dfsoftare.ddns.net.conf:-

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName dfsoftware.ddns.net
    ServerAlias www.dfsoftware.ddns.net
    DocumentRoot /WebSites/Websites
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    <Directory /WebSites/Websites/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Require all granted
    </Directory>
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =dfsoftware.ddns.net [OR]
    RewriteCond %{SERVER_NAME} =www.dfsoftware.ddns.net
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

sites-available/dfsoftare.ddns.net-le-ssl.conf:-

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    ServerName dfsoftware.ddns.net
    ServerAlias www.dfsoftware.ddns.net
    DocumentRoot /WebSites/Websites
    SSLEngine on
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    <Directory /WebSites/Websites/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Require all granted
    </Directory>
    SSLEngine on
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/dfsoftware.ddns.net-0001/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/dfsoftware.ddns.net-0001/privkey.pem
</VirtualHost>
</IfModule>
Skizz
  • There is no TLS 3.1, I assume you mean 1.3. By 'upgrade' do you mean the _packages_ `libssl` _and_ `apache2-bin` which references it (via `mod_ssl`) from the standard repository, or something else like a PPA or building from source? Did you use certbot, or some other method? I can reproduce this by setting `SSLEngine off` (explicitly) in the OOTB config at sites-available/default-ssl.conf , so you might look for something like that, although it seems really odd for certbot or any sane ACME client to do such a thing. – dave_thompson_085 Oct 19 '21 at 05:44
  • oops, yep, got the version number round the wrong way! Mixed up little and big endian lol! (updated question). – Skizz Oct 19 '21 at 16:13
  • @dave_thompson_085: I have the line "SSLEngine on" in that file and the files that "SSLCertificateXXX" refers to do exist. And I did use certbot – Skizz Oct 19 '21 at 16:18
  • After looking around a bit, I saw a post about the SSL not working on port 443 so I tried "http://:443" and lo and behold, it worked. So it seems that apache isn't using SSL on that port. Any ideas about how to enable it? – Skizz Oct 19 '21 at 16:36
  • Please provide your Apache configuration – Gerald Schneider Oct 20 '21 at 11:36
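As an added diagnostic (not code from the question or the comments), the script below decodes the escaped request field Apache wrote to access.log, which is the 0x16 0x03 0x01 header of a TLS ClientHello, and then checks from a client whether port 443 answers with a TLS handshake or with plaintext HTTP, which is what Firefox's SSL_ERROR_RX_RECORD_TOO_LONG means. The host name, the output keys and the HEAD request are my assumptions.

```python
import re
import socket
import ssl

# Constructed sample: the access.log line quoted in the question.
LOG_LINE = r'"\x16\x03\x01\x02" 400 499 "-" "-"'

TLS_CONTENT_TYPES = {0x14: "ChangeCipherSpec", 0x15: "Alert", 0x16: "Handshake", 0x17: "ApplicationData"}
TLS_MINOR_VERSIONS = {1: "1.0", 2: "1.1", 3: "1.2", 4: "1.3"}


def classify_bytes(data: bytes) -> dict:
    """Decide whether the first bytes on the wire are a TLS record or plain HTTP."""
    if len(data) >= 3 and data[0] in TLS_CONTENT_TYPES and data[1] == 0x03 and data[2] in TLS_MINOR_VERSIONS:
        # TLS record header: content type, legacy version (0x0301 in a ClientHello), 16-bit length.
        return {"kind": "tls", "content_type": TLS_CONTENT_TYPES[data[0]],
                "record_version": TLS_MINOR_VERSIONS[data[2]],
                "record_length": int.from_bytes(data[3:5], "big") if len(data) >= 5 else None}
    if data.startswith(b"HTTP/") or re.match(rb"[A-Z]{3,7} \S+ HTTP/", data):
        return {"kind": "http"}
    return {"kind": "unknown"}


def decode_logged_request(line: str) -> dict:
    """Decode the first quoted field of an access.log entry (Apache escapes raw bytes as \\xNN)."""
    field = re.search(r'"([^"]*)"', line).group(1)
    raw = field.encode("latin-1").decode("unicode_escape").encode("latin-1")
    return classify_bytes(raw)


def probe_port(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Try a real TLS handshake; if it fails, speak plain HTTP to the same port and classify the reply."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"kind": "tls", "version": tls.version(), "cipher": tls.cipher()[0]}
    except ssl.SSLCertVerificationError as e:
        # TLS itself works; only the certificate is wrong (expired, wrong name, ...).
        return {"kind": "tls", "cert_error": str(e)}
    except ssl.SSLError as e:
        tls_error = str(e)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
        result = classify_bytes(raw.recv(64))
    result["tls_error"] = tls_error   # 'http' here means port 443 is serving plaintext
    return result


if __name__ == "__main__":
    print(decode_logged_request(LOG_LINE))
    print(probe_port("dfsoftware.ddns.net"))
```

A result of kind "http" from probe_port matches the symptom in the question (http://host:443 loads, https://host fails): the vhost on 443 is being served without mod_ssl actually active, so the server-side check is whether mod_ssl is loaded at all (the <IfModule mod_ssl.c> wrapper silently drops the whole SSL vhost when it is not).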

0 Answers