Apache 2.4 on Debian 8 - SSL_ERROR_RX_RECORD_TOO_LONG

Question

I have read that the general solution to this issue is to add

NameVirtualHost *:80

and

NameVirtualHost *:443

to the VirtualHosts. However Apache 2.4 tells me:

AH00548: NameVirtualHost has no effect and will be removed in the next release

I have no idea what to do:

My ports.conf:

Listen 80

<IfModule ssl_module>
        Listen 443
</IfModule>

<IfModule mod_gnutls.c>
        Listen 443
</IfModule>

Adding

<IfModule mod_ssl.c>
        Listen 443
</IfModule>

instead of the ssl_module section above does not change a thing.

My VirtualHost looks like

<VirtualHost *:443>
        ServerAdmin me@name.tdl
        ServerName www.example.org

        DocumentRoot /var/www/htdocs/mw/

...

    <IfModule mod_ssl.c>
            SSLEngine on
            SSLCertificateFile /etc/letsencrypt/live/example.org/fullchain.pem
            SSLCertificateKeyFile /etc/letsencrypt/live/example.org/privkey.pem
            SSLCertificateChainFile /etc/letsencrypt/live/example.org/chain.pem
            SSLProtocol all -SSLv2 -SSLv3
            SSLHonorCipherOrder on
            SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNUL$
    </IfModule>

...
</VirtualHost>

I have no idea why it is so painful to add a VirtualHost for SSL. I believe to have followed the instructions.

Thanks for your time.

score 1 · Answer 1 · edited May 23 '17 at 12:41

1

There is a lot of stuff about this at stackoverflow, interestingly the solution here was doing the very opposite of what is suggested there. I had to change

<VirtualHost *:443>

to

<VirtualHost example.org:443>

That's pretty much confusing. I wonder what will happen when I add a second domain. Let's just wait for this.

Another question: Is there a solution that allows for

<VirtualHost *:443>

in every VirtualHost rather that specifying the domain. I suspect that I will not be getting an answer to this.

edited May 23 '17 at 12:41

Community

1

answered Apr 12 '16 at 21:55

kghbln

411
2
10
20

This does not work eigther because now all websites on the server are directed to the "example.org" website. – kghbln Apr 13 '16 at 08:05
The same applies to changing to in your default-ssl.conf and you ports.conf. All websites are served from one VirtualHost. – kghbln Apr 13 '16 at 13:21
Thanks for down-voting and disliking the question. However an answer or link to an answer is not provided at the same time. That is very encouraging. Indeed. I refer to another forum and will post the solution as soon as it comes available. – kghbln Apr 20 '16 at 11:16

score 0 · Answer 2 · answered Aug 23 '16 at 14:37

0

You cannot have multiple named hosts on the same IP address or if you do you need ONE certificate to encompass all addresses. the error you are recieving is related to the SSL negociation. How can the correct certificate be chosen when the hostname is sent later (after the SSL negociation) apache wiki has more info here: http://wiki.apache.org/httpd/NameBasedSSLVHosts

answered Aug 23 '16 at 14:37

cormpadre

414
2
6

Thanks a lot for you information and input. Will work from here! – kghbln Sep 14 '16 at 16:18

Apache 2.4 on Debian 8 - SSL_ERROR_RX_RECORD_TOO_LONG

2 Answers2