SSL connection fails on new virtual server with ssl_error_rx_record_too_long

I have a stable server running Virtualmin with 9 sites on it. 3 are currently using SSL and have their own IP addresses - all working fine.

I’ve added a new site (naturapetstaging.com) which works ok. I’ve assigned it a new IP address which works fine. It’s IP-restricted for testing purposes, btw.

I’ve then set ‘SSL website enabled?’ and ‘IP-based virtual FTP enabled?’ in its features but SSL is not working:

On accessing the site using https://naturapetstaging.com I get

Secure Connection Failed
An error occurred during a connection to naturapetstaging.com.
SSL received a record that exceeded the maximum permissible length.
(Error code: ssl_error_rx_record_too_long)

The error log shows:

[Tue Jan 17 12:00:05 2012] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Jan 17 12:00:05 2012] [warn] RSA server certificate CommonName (CN) `www.naturapetstaging.com' does NOT match server name!?

As the site is for testing I’m happy using a self signed cert. I tried recreating one but I still get the same error.

I’ve gone through all the Virtualmin settings for a working site (e.g. animalhealthstore.com.au) and compared them to the non working naturapetstaging.com and the naturapetstaging.com ones look right.

Any idea how I can fix/research this further?

Trying openssl for more info - here’s one working site and the borked one on the server:

~ $ openssl s_client -connect naturapetstaging.com:443
CONNECTED(00000003)
9692:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:601:
~ $ openssl s_client -connect animalhealthstore.com.au:443
CONNECTED(00000003)
depth=1 /C=US/O=GeoTrust, Inc./CN=RapidSSL CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
...

Looks like it’s just not set up right.

I ran ‘apache2 -S’ and noticed

...

     114.111.133.225:*      is a NameVirtualHost
     default server naturapetstaging.com (/etc/apache2/sites-enabled/naturapetstaging.com.conf:1)
     port 80 namevhost naturapetstaging.com (/etc/apache2/sites-enabled/naturapetstaging.com.conf:1)
     port 443 namevhost naturapetstaging.com (/etc/apache2/sites-enabled/naturapetstaging.com.conf:48)
...
/etc/apache2/sites-available # find . -exec grep -l '114.111.133.225' '{}' \;
./naturapetstaging.com.conf

The naturalpetproducts.com.au was using the 225 IP and naturapetstaging.com was previously a non-SSL site, but the grep implies to me that the only place that this IP is now used is with naturapetstaging, but it must be set somewhere else too…

     /etc/apache2 # grep 114 apache2.conf
     NameVirtualHost 114.111.133.224:80
     NameVirtualHost 114.111.133.225
     NameVirtualHost 114.111.133.224:443

That looks very wrong.
Deleting the defaulting 225 line cured the problem. Wonder why Virtualmin put it there.

Hrm, that is indeed odd! Nice find though.

Virtualmin shouldn’t add an entry like that… it should always add it in the format:

x.y.z.q:port

So deleting that one line is good.

Also, you may want to look in /etc/apache2/sites-enabled, to make sure there’s no VirtualHost line in the .conf files there which matches that incorrect line.

-Eric
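
A check for the fault found in this thread, as an added example that is not part of any poster's message and is not Virtualmin code: it lists NameVirtualHost and <VirtualHost> addresses that carry no port in Apache configuration text. The <VirtualHost> blocks in the sample and the names audit and split_addr are assumptions made for the illustration.

```python
import re

# Constructed sample: the three NameVirtualHost lines are the ones quoted in
# the thread; the <VirtualHost> blocks are assumed, not taken from the page.
SAMPLE_CONF = """\
NameVirtualHost 114.111.133.224:80
NameVirtualHost 114.111.133.225
NameVirtualHost 114.111.133.224:443
<VirtualHost 114.111.133.225:80>
</VirtualHost>
<VirtualHost 114.111.133.225:443>
    SSLEngine on
</VirtualHost>
"""

DIRECTIVE = re.compile(r"^\s*<?\s*(NameVirtualHost|VirtualHost)\s+([^>#]+)", re.I)
OVERLAP = "no port, but other entries pin this address to a port"
ALL_PORTS = "no port, so it applies to every port"

def split_addr(addr):
    """Return (host, port); port is None when the address names no port."""
    if addr.startswith("["):              # bracketed IPv6, e.g. [::1]:443
        host, _, rest = addr.partition("]")
        return host + "]", rest.lstrip(":") or None
    host, sep, port = addr.rpartition(":")
    return (host, port) if sep else (addr, None)

def audit(conf_text):
    """Return (lineno, directive, address, reason) for portless addresses."""
    entries = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = DIRECTIVE.match(line)         # commented-out lines do not match
        if m:
            for addr in m.group(2).split():
                entries.append((lineno, m.group(1), addr) + split_addr(addr))
    # Hosts that at least one directive binds to an explicit port.
    ported = {host for *_, host, port in entries if port not in (None, "*")}
    findings = []
    for lineno, directive, addr, host, port in entries:
        if port in (None, "*"):
            reason = OVERLAP if host in ported else ALL_PORTS
            findings.append((lineno, directive, addr, reason))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print("line %d: %s %s (%s)" % finding)
```

To check a real server, pass the concatenated text of apache2.conf (or httpd.conf) and the files under sites-enabled to audit().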

Today I faced the same problem

new virtual server -> new ssl cert
ssl enabled, cert paths ok, but ssl not working

httpd.conf contained:
NameVirtualHost xxx.yyy.zzz.qqq without a port; fixing the line solved the problem