
I created a server running Apache 2.4.52 on Debian 11 (it came with the installation); I use this server with WordPress, Nextcloud and Webmin for my work, as a portfolio.

I set up a self-signed SSL certificate to add security to it, as I intend to advertise the site and Nextcloud to my customers on the internet, but I can't get SSL to work. I've looked in many places and tried many settings, but I can't access it from either the internal or the external network.

The browser displays the following errors:

Firefox: SSL_ERROR_RX_RECORD_TOO_LONG

Chrome: ERR_SSL_PROTOCOL_ERROR

I configured http to redirect to https automatically, and that is working: if I access the link without the certificate, it redirects to the secure link, but it always gives this error.

My Apache is working on port 3, because unfortunately I can't use the default 80. I don't know if this has something to do with it, because I've been reading in some places that it's not very relevant in this case (the ports were opened on the router, both 3 and 443).

Can anyone give me some help? Much appreciated!

Note: my site worked normally without SSL, both on LAN and WAN. I even thought of using it without the certificate, just the firewalls, but I don't know if this would be safe for a public site; my goal is not to get information, just to show content.

Sorry for the layman's vocabulary, I'm a beginner in this area, thanks.

Here are my configuration files:

Apache2.conf

```apache
DefaultRuntimeDir ${APACHE_RUN_DIR}

PidFile ${APACHE_PID_FILE}

Timeout 300

KeepAlive On

MaxKeepAliveRequests 100

KeepAliveTimeout 5

User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}

HostnameLookups Off

ErrorLog ${APACHE_LOG_DIR}/error.log

LogLevel warn

IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf

Include ports.conf

<Directory />
    Options FollowSymLinks
    AllowOverride None
    Require all denied
</Directory>

<Directory /usr/share>
    AllowOverride None
    Require all granted
</Directory>

<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>

AccessFileName .htaccess

<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

IncludeOptional conf-enabled/*.conf

IncludeOptional sites-enabled/*.conf

ServerName 127.0.0.1
```

ports.conf

```apache
Listen 3

<IfModule ssl_module>
    Listen 443
</IfModule>

<IfModule mod_gnutls.c>
    Listen 443
</IfModule>
```

000-default.conf

```apache
<VirtualHost _default_:*>

    Redirect "/" "https:// my external ip"
    ServerAdmin corsisdesign@gmail.com

    DocumentRoot /var/www/html

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    ServerName 127.0.0.1

</VirtualHost>
```

default-ssl.conf

```apache
<IfModule mod_ssl.c>

    <VirtualHost *:443>
        ServerAdmin corsisdesign@gmail.com

        DocumentRoot /var/www/html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        SSLEngine on

        SSLCertificateFile  /etc/ssl/certs/apache-selfsigned.crt
        SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>

        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>

    </VirtualHost>
</IfModule>
```

ssl-params.conf

```apache
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
# Disable preloading HSTS for now.  You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
# Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
SSLSessionTickets Off
```

NatCorsi
  • This question provides no detailed and reproducible information of what exactly you did, i.e. exact server configuration, how you accessed the server etc. This means the details to answer your question are missing and thus the question cannot be answered. – Steffen Ullrich Jan 14 '22 at 12:43
  • Hello, I really don't know what to insert anymore, as I said in the question, I'm a beginner, would you have an example of additional information that I can give, because I really don't know. Thanks! – NatCorsi Jan 14 '22 at 13:25
  • I'm not sure what is unclear with what I requested: *"exact server configuration, how you accessed the server"*. Also, see similar posts like [ssl_error_rx_record_too_long and Apache SSL](https://stackoverflow.com/questions/119336/), [Apache2 SSL "SSL_ERROR_RX_RECORD_TOO_LONG"](https://stackoverflow.com/questions/59809129/), [Apache2 SSL_ERROR_RX_RECORD_TOO_LONG behind proxy](https://serverfault.com/questions/851096) and [maybe more](https://www.google.com/search?q=site%3Astackoverflow.com+apache+SSL_ERROR_RX_RECORD_TOO_LONG) for the amount of detail provided and possible solutions. – Steffen Ullrich Jan 14 '22 at 13:31
  • I added my main configuration files that I used in the configuration process, if you need more information, you can let me know, as I said before, I've tried looking for the answer in many places, including here on stackoverflow, but unfortunately I haven't been able to solve it yet, thanks for the attention! I followed this tutorial exactly: https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-in-debian-10 – NatCorsi Jan 14 '22 at 13:57
  • Still missing is *"how you accessed the server"*. If you try something like `https://hostname:3/` then it will not work since HTTPS is only enabled for port 443. Also, check the error.log of the server. – Steffen Ullrich Jan 14 '22 at 14:06
  • I tried with: `https://hostname:3/`, `https://hostname/` and `https://hostname:443/`, but none of them worked. My apache server unfortunately is only working with another port than 80, because it's the only one I can't access from the external network, despite my internet provider swearing that it's not blocked. When I try to access the domain without port 3 from the internal network, it goes straight to the router, is this the problem? – NatCorsi Jan 14 '22 at 15:41
  • Like I said, HTTPS is only enabled on port 443 in your config, so it will not work with `https://hostname:3/` but lead to the error you describe. The other two should work if port 443 is reachable and properly from outside. The problem seems to be though that your router is claiming port 80 and 443 for itself, i.e. it's not your ISP but your router who is causing the block. – Steffen Ullrich Jan 14 '22 at 15:53
  • If you want HTTPS on port 3 you need to set a virtual host with HTTPS to it, i.e. what you currently do for port 443, only for port 3. – Steffen Ullrich Jan 14 '22 at 15:57
  • I installed xampp on my work pc, with it working `https://localhost/dashboard/`, I can access normally, however, my server that should work, doesn't even go by decree, even if I change the port from the server to 80, when I try to access the external ip, even with the internal network, it insists on putting the :3 in the url, I even installed a browser that operates on the cell phone, and even though I never accessed it, the domain insists on going to the port 3, do you have any other configuration files besides ports.conf? Thank you very much for your attention. – NatCorsi Jan 14 '22 at 16:02
  • I'm also thinking that my router (HUAWEI WiFi WS5200) is stealing port 80, I'll try to look for some configuration, or try to create a virtualhost for port 80, thanks for the tips, any news I'll update here! :) – NatCorsi Jan 14 '22 at 16:06
  • *"when I try to access the external ip, even with the internal network .... also thinking that my router (HUAWEI WiFi WS5200) is stealing port 80"* - routers need to support NAT loopback if you want to access the external IP from the inside. Many routers don't support this. *"the domain insists on going to the port 3"* - there is likely some permanent redirect you've added somewhere in your config, see also the instruction you've linked to about this redirect. – Steffen Ullrich Jan 14 '22 at 16:08
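The comments above pin the browser errors on a TLS handshake hitting a port where Apache only speaks plain HTTP. The following probe is an added example (not from the question or the answers): it generates a real ClientHello with OpenSSL, sends it over a raw TCP socket and classifies the first bytes that come back, so you can tell a port that answers with `HTTP/1.1 400` (the RECORD_TOO_LONG case) from one that answers with a TLS ServerHello. `start_fake_plain_http_server` is a constructed stand-in for Apache's non-SSL port, used so the example runs offline.

```python
import socket
import ssl
import threading

def build_client_hello(server_name="localhost"):
    """Generate a genuine TLS ClientHello with OpenSSL via memory BIOs, no socket."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()  # cannot finish: the server has not answered yet
    except ssl.SSLWantReadError:
        pass
    return outgoing.read()  # exactly the bytes a browser would send first

def classify_reply(first_bytes):
    """Map the first bytes a server sends back after a ClientHello to a verdict."""
    if first_bytes.startswith(b"HTTP/"):
        return "plain-http"  # HTTP answered a TLS handshake: RECORD_TOO_LONG in browsers
    if len(first_bytes) >= 2 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls-handshake"  # ServerHello record: this port really speaks TLS
    if len(first_bytes) >= 2 and first_bytes[0] == 0x15 and first_bytes[1] == 0x03:
        return "tls-alert"  # TLS spoken, but the handshake was refused
    return "unknown" if first_bytes else "closed"

def probe(host, port, timeout=5.0):
    """Send a ClientHello over raw TCP and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        try:
            reply = sock.recv(8)  # a record header (5 bytes) or b"HTTP/1.1" fits
        except socket.timeout:
            reply = b""
    return classify_reply(reply)

def start_fake_plain_http_server():
    """Constructed stand-in for Apache's non-SSL port: answers any bytes with 400."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)
            conn.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]  # ephemeral port the fake server listens on
```

Against the configuration in the question, `probe(host, 3)` returns `plain-http` and `probe(host, 443)` returns `tls-handshake` (if the router actually forwards 443); after the fix described in the accepted answer, port 3 returns `tls-handshake` too.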

2 Answers

I was able to access the site with https, finally! I changed the 000-default.conf file.

I changed `<VirtualHost _default_:*>` to `<VirtualHost _default_:3>` and entered the SSL settings that were in default-ssl.conf, and it worked to access port 3 with the certificate.

Now I'm trying to find a way to validate a self-signed certificate so that it doesn't show the unsecured message, but it's difficult. I'll create a new question here to see if anyone else knows any way!

Thank you so much for the tips, they were very helpful!! :D

NatCorsi

I had this error after trying to fix a 403 access issue with some website. In my case I'm using Ubuntu 22.04 on the server and local machine. Debian may be different.

It had been working fine before that with the standard Apache default index.html page. For a certificate I had previously obtained one from Certbot and it worked well, giving https access readily.

Trouble arose when I uploaded a real website's files and copied them across to the /var/www/html/mysite.com directory. No matter what permissions were given to the web files, it wouldn't show.

I deleted the mysite.com folder and tried to rebuild all the associated config files in apache2/sites-available.

After this I had SSL_ERROR_RX_RECORD_TOO_LONG. Only after reinstalling the existing Certbot certificate did I get rid of it.

So now I am back to that pesky 403 access error . . . which I fixed by making /var/www/html/mysite.com owned by my-user-account and in the www-data group with permissions 750.

Trunk