I have just migrated to a new VPS server from a GoDaddy server.

The domain has a wildcard SSL that I have re-keyed and installed on the new server.

I have recently updated the name servers for the domain but SSL does not seem to be working on the new server.

The IP for the old server is 188.121.45.1. The IP for the new server is 5.189.128.253.

The server is running Nginx.

How can I check the SSL certificate is installed correctly? Could it just be because the domain is not fully propagated?

Help !?!?

Asa Carter
  • What is the problem you are having? – Michael Hampton Nov 25 '15 at 01:50
  • If I view the domain with https: `https://www.appifiny.co.uk/`, I get this error in Firefox: `An error occurred during a connection to www.appifiny.co.uk. SSL received a record that exceeded the maximum permissible length. (Error code: ssl_error_rx_record_too_long)` – Asa Carter Nov 25 '15 at 01:52
  • I have tried `openssl s_client -connect appifiny.co.uk:443` in SSH on the new server and it works fine. I have also tried it in Terminal on my Mac and I get an error. – Asa Carter Nov 25 '15 at 01:57
  • It's not failing for me. How long ago did you change the DNS? – Michael Hampton Nov 25 '15 at 01:57
  • Only about 1 hour ago. In that case maybe it is just domain propagation. – Asa Carter Nov 25 '15 at 02:04

1 Answer

Your DNS TTL on your address record is set to 86400 (seconds, which is one day). Thus, when you make a change, resolvers on the Internet which have cached the old record may not update it until as long as a day has passed.

It's best practice to shorten the TTL to as low as possible (usually 60 seconds) in advance of the actual change of IP address, so that when you do change it, the change will be "propagated" almost immediately. (There's no such thing as DNS propagation; it's actually caching.) If your TTL was set to 86400, then the TTL must be lowered at least 86400 seconds before you change the address. The TTL can be raised again after or at the same time as the address change, if desired.

(And while you're fixing things, your SSL configuration needs a lot of work. Visit https://www.ssllabs.com/ssltest/ to test your site, and https://cipherli.st/ to get a secure configuration.)

Michael Hampton
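Added example, not part of the original answer: a shell sketch that separates the two questions in this thread, namely whether a resolver is still serving the cached old A record, and whether the certificate on the new server is correct when DNS is bypassed. The IPs come from the question; the function names, the sample `dig` line and the resolvers 8.8.8.8 and 1.1.1.1 are assumptions chosen for illustration.

```shell
#!/bin/sh
# Constructed sample of `dig +noall +answer` output (not captured from a real query).
SAMPLE_ANSWER='www.appifiny.co.uk. 41234 IN A 188.121.45.1'

# classify_answer OLD_IP NEW_IP   (reads dig answer lines on stdin)
# Prints "<old|new|other> <remaining TTL>" for the first A record, or "none 0".
classify_answer() {
  awk -v old_ip="$1" -v new_ip="$2" '
    $4 == "A" {
      state = "other"
      if ($5 == old_ip) state = "old"
      if ($5 == new_ip) state = "new"
      print state, $2          # $2 is the seconds left before the cache expires
      found = 1
      exit
    }
    END { if (!found) print "none 0" }'
}

# cached_state HOST RESOLVER OLD_IP NEW_IP
# Asks one recursive resolver what it currently has cached for HOST.
cached_state() {
  dig +noall +answer "@$2" "$1" A | classify_answer "$3" "$4"
}

# cert_at_ip HOST IP
# Connects straight to IP with SNI set to HOST, so stale DNS cannot interfere,
# then prints subject, issuer, validity dates and whether HOST matches the cert.
cert_at_ip() {
  openssl s_client -connect "$2:443" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -subject -issuer -dates -checkhost "$1"
}

# Usage: ./check.sh www.appifiny.co.uk 188.121.45.1 5.189.128.253
if [ "$#" -eq 3 ]; then
  for resolver in 8.8.8.8 1.1.1.1; do   # public resolvers, an assumption
    echo "$resolver: $(cached_state "$1" "$resolver" "$2" "$3")"
  done
  cert_at_ip "$1" "$3"
fi
```

A resolver reporting `old` with a large TTL while `cert_at_ip` succeeds against the new IP points at caching rather than at the certificate installation.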