1

I had a fully functional website on an OVH VPS (Debian, Apache, SSL). I tried to migrate it to a Scaleway VPS. I changed the DNS entries, I copied the Apache config files and the certificate files, but it did not work. Then I tried to generate a new certificate with Let's Encrypt, but I still get SSL_ERROR_RX_RECORD_TOO_LONG when I try to connect to my website via https.

Here is my Apache config file:

```
Listen 80
Listen 443 https

<VirtualHost mydomain.fr:80>
        ServerName mydomain.fr
        DocumentRoot /var/www/html
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost mydomain.fr:443>
        ServerName mydomain.fr
        DocumentRoot /var/www/html

        SSLCertificateFile /etc/letsencrypt/live/mydomain.fr/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.fr/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf

</VirtualHost>
</IfModule>
```

What surprises me is that the certbot script returns a success but the ssllabs.com site diagnoses a problem.

```
certbot certonly -d mydomain.fr
```

gives me

```
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for mydomain.fr
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/001_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/001_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/mydomain.fr/fullchain.pem. Your cert
   will expire on 2017-11-29. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
   renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
```
  • 1
    what's in that "/etc/letsencrypt/options-ssl-apache.conf" file? At least try to provide some meaningful info, such as the SSLProtocols you allow, the ciphers you permit, the openssl version your httpd version is compiled against, etc. – Daniel Ferradal Aug 30 '17 at 17:11
  • I didn't change the letsencrypt options-ssl-apache.conf default file (which used to work before). SSLProtocol : all -SSLv2 -SSLv3, OpenSSL 1.1.0f. Almost everything is the latest version for Debian 9. – Hugo Trentesaux Aug 30 '17 at 19:21
  • 1
    A simple way to investigate the generated certificate is `openssl x509 -in /etc/letsencrypt/live/mydomain.fr/fullchain.pem -noout -text` – anx Aug 31 '17 at 04:54
  • 1
    Make sure `SSLEngine on` is set either in your VirtualHost block or the letsencrypt/options it includes. – dave_thompson_085 Aug 31 '17 at 19:44
  • It happens that changing `` to `` solved the problem. But it is not reproducible... – Hugo Trentesaux Feb 05 '18 at 14:27

1 Answer

-1

Try to change your virtualhost to

```
<VirtualHost _default_:443>
        ServerName mydomain.fr
        DocumentRoot /var/www/html
</VirtualHost>
```

The `_default_` tag, or `*`, might work for an unknown reason.
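
Added example, not part of the original question or answer: SSL_ERROR_RX_RECORD_TOO_LONG is commonly what Firefox reports when port 443 answers in plaintext HTTP instead of TLS, which is what the `SSLEngine on` comment above is checking for. The Python sketch below (`classify`, `client_hello` and `probe` are hypothetical helper names, and the sample replies are constructed) sends a real ClientHello over raw TCP and reads the first five reply bytes as a TLS record header, so port 443 can be checked before and after a vhost change.

```python
import socket
import ssl

MAX_TLS_RECORD = 2**14 + 2048  # TLS 1.2 ciphertext record limit (RFC 5246)
TLS_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}

# Constructed sample replies (not captured from the server in the question).
SAMPLES = {
    "status line": b"HTTP/1.1 400 Bad Request\r\n",
    "bare HTML error page": b"<!DOCTYPE HTML PUBLIC",
    "ServerHello header": bytes.fromhex("160303005d"),
    "TLS alert header": bytes.fromhex("1503030002"),
}

def classify(first: bytes):
    """Interpret the first 5 reply bytes as a TLS record header."""
    if len(first) < 5:
        return ("short", len(first))
    ctype, major = first[0], first[1]
    length = int.from_bytes(first[3:5], "big")  # bytes 3-4 carry the record length
    if ctype in TLS_TYPES and major == 3 and length <= MAX_TLS_RECORD:
        return ("tls-" + TLS_TYPES[ctype], length)
    if first.startswith((b"HTTP/", b"<")):
        return ("plaintext-http", length)  # ASCII text read as a record length
    return ("unknown", length)

def client_hello(host: str) -> bytes:
    """Build a real ClientHello in memory, without touching the network."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ssl.create_default_context().wrap_bio(incoming, outgoing, server_hostname=host)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the handshake is now waiting for the server's reply
    return outgoing.read()

def probe(host: str, port: int = 443, timeout: float = 5.0):
    """Send a ClientHello over plain TCP and classify the raw reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(client_hello(host))
        return classify(s.makefile("rb").read(5))

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        kind, length = classify(data)
        print(f"{name:22} {kind:16} length={length} too_long={length > MAX_TLS_RECORD}")
    # print(probe("mydomain.fr"))  # run only against a server you administer
```

A `plaintext-http` result from `probe` means the vhost answering on port 443 has no TLS enabled, whatever the certificate files on disk contain.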