
I created a server running Apache 2.4.52 on Debian 11 (it came with the installation). I use this server with WordPress, Nextcloud and Webmin for my work, as a portfolio.

I set up a self-signed SSL certificate to add security to it, as I intend to advertise the site on the internet and Nextcloud to my customers, but I can’t get SSL to work. I’ve looked in many places and at many settings, but I can’t access it, either from the internal or the external network.

The browser displays the following errors:

Firefox: SSL_ERROR_RX_RECORD_TOO_LONG

Chrome: ERR_SSL_PROTOCOL_ERROR

I made the settings to forward http to https automatically, and it’s working: if I access the link without the certificate, it redirects to the secure link, but it always gives this error.

My Apache is working on port 3, because unfortunately I can’t use the default 80. I don’t know if this has something to do with it, because I’ve been reading in some places that it’s not very relevant in this case (the ports were opened on the router, both for 3 and for 443).

Can anyone give me some help? I appreciate it!

Note: my site worked normally without SSL, both on LAN and WAN. I even thought of using it without the certificate, just the firewalls, but I don’t know if this would be safe for a public site. My goal is not to get information, just to show content.

Sorry for the layman’s vocabulary, I’m a beginner in this area, thanks.

My configuration files follow:

Apache2.conf

DefaultRuntimeDir ${APACHE_RUN_DIR}

PidFile ${APACHE_PID_FILE}

Timeout 300

KeepAlive On

MaxKeepAliveRequests 100

KeepAliveTimeout 5

User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}

HostnameLookups Off


ErrorLog ${APACHE_LOG_DIR}/error.log


LogLevel warn

IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf

Include ports.conf

<Directory />
    Options FollowSymLinks
    AllowOverride None
    Require all denied
</Directory>

<Directory /usr/share>
    AllowOverride None
    Require all granted
</Directory>

<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>

AccessFileName .htaccess

<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>


LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

IncludeOptional conf-enabled/*.conf

IncludeOptional sites-enabled/*.conf

ServerName 127.0.0.1

ports.conf

Listen 3

<IfModule ssl_module>
    Listen 443
</IfModule>

<IfModule mod_gnutls.c>
    Listen 443
</IfModule>

000-default.conf

<VirtualHost _default_:*>
    
    Redirect "/" "https:// my external ip"
    ServerAdmin [email protected]

    DocumentRoot /var/www/html

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    ServerName 127.0.0.1

</VirtualHost>

default-ssl.conf

<IfModule mod_ssl.c>

    <VirtualHost *:443>
        ServerAdmin [email protected]

        DocumentRoot /var/www/html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        SSLEngine on

        SSLCertificateFile  /etc/ssl/certs/apache-selfsigned.crt
        SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key

        <FilesMatch "\.(cgi|shtml|phtml|php)$">

            SSLOptions +StdEnvVars
        </FilesMatch>

        <Directory /usr/lib/cgi-bin>

            SSLOptions +StdEnvVars
        </Directory>

    </VirtualHost>
</IfModule>

ssl-params.conf

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
# Disable preloading HSTS for now.  You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
# Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
SSLSessionTickets Off

2 Answers


  1. Chosen as BEST ANSWER

    I was able to access the site with https, finally! I changed the 000-default.conf file.

    I changed <VirtualHost _default_:*> to <VirtualHost _default_:3> and entered the ssl settings that were in default-ssl.conf, and it worked to access port 3 with the certificate.

    Now I'm trying to find a way to validate a self-signed certificate so that it doesn't show the unsecured message, but it's difficult. I'll create a new question here to see if anyone else knows any way!

    Thank you so much for the tips, they were very helpful!! :D


  2. I had this error after trying to fix a 403 access issue with some website. In my case I’m using Ubuntu 22.04 on the server and local machine. Debian may be different.

    It had been working fine before that with the standard Apache default index.html page. For a certificate I had previously obtained one from Certbot and it worked well, giving https access readily.

    Trouble arose when I uploaded a real website’s files and copied them across to the /var/www/html/mysite.com directory. No matter what permissions were given the webfiles, it wouldn’t show.

    I deleted the mysite.com folder and tried to rebuild all the associated config files in apache2/sites-available.

    After this I had SSL_ERROR_RX_RECORD_TOO_LONG. Only after reinstalling the existing Certbot certificate did I get rid of it.

    So now I am back to that pesky 403 access error . . . which I fixed by making /var/www/html/mysite.com owned by my-user-account and in the www-data group with permissions 750.
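
An added diagnostic example, not part of the question or either answer: a common cause of SSL_ERROR_RX_RECORD_TOO_LONG is a port that answers a TLS handshake with plaintext HTTP, so the browser reads the letters "HTTP/" as a TLS record header. This Python sketch (function names are hypothetical, the sample reply is constructed) sends a real ClientHello to a port and classifies the first bytes that come back.

```python
import socket
import ssl

# Largest record a TLS peer may send (RFC 5246: 2^14 + 2048 bytes of ciphertext).
TLS_MAX_RECORD = 2**14 + 2048
TLS_CONTENT_TYPES = {20, 21, 22, 23}  # change_cipher_spec, alert, handshake, application_data

def parse_as_tls_record(header: bytes):
    """Read 5 bytes the way a TLS client reads a record header."""
    return header[0], (header[1], header[2]), int.from_bytes(header[3:5], "big")

def classify(reply: bytes) -> str:
    """Classify the first bytes a server sent back."""
    if len(reply) < 5:
        return "no-data"
    ctype, version, length = parse_as_tls_record(reply[:5])
    if ctype in TLS_CONTENT_TYPES and version[0] == 3 and length <= TLS_MAX_RECORD:
        return "tls"
    if reply.startswith(b"HTTP/") or reply.lstrip().lower().startswith((b"<!doctype", b"<html")):
        return "plaintext-http"
    return "unknown"

def why_record_too_long(reply: bytes) -> str:
    """Show what a TLS client sees when it parses a plaintext reply as a record."""
    ctype, _, length = parse_as_tls_record(reply[:5])
    return f"type=0x{ctype:02x} length={length} limit={TLS_MAX_RECORD}"

def client_hello() -> bytes:
    """Build a genuine ClientHello in memory; no certificate is ever processed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # only the first handshake flight is generated
    outgoing = ssl.MemoryBIO()
    tls = ctx.wrap_bio(ssl.MemoryBIO(), outgoing)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the handshake now waits for the server's answer
    return outgoing.read()

def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Send a ClientHello to host:port and report what kind of service replied."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(client_hello())
        try:
            return classify(s.recv(64))
        except OSError:  # timeout or reset before any reply
            return "no-data"

if __name__ == "__main__":
    sample = b"HTTP/1.1 400 Bad Request\r\n"  # constructed sample reply
    print(classify(sample), why_record_too_long(sample))
```

Run `probe()` against each port in `ports.conf` on your own server: a port meant for https should report `tls`, and `plaintext-http` means the virtual host answering on that port has no `SSLEngine on`.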
