Can't do first Installation SSL_ERROR_RX_RECORD_TOO_LONG

Hello everyone :slight_smile:

I just installed (as far as I got) Nextcloud on my Raspberry Pi 3. I followed these instructions:
http://eigene-cloud-einrichten.de/
http://eigene-cloud-einrichten.de/nextcloud-installieren-und-einrichten-so-gehts
If you can’t read German, please just try to get the steps from the code.

So I’m at the part where you connect to the server via the browser (using Mozilla, but getting similar errors with other browsers)
and get the following error (freely translated):
Error: secured connection failed

An error occurred while connecting to [MYDOMAINNAME].dyndnss.net. SSL got an entry that exceeded the maximum length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG

Thanks for help, please let me know if you need further information.

Redoxodron

Hello,

Those errors indicate a problem with your web server SSL/TLS configuration. Can you post your web server configuration including the SSL section?

I think you mean /etc/nginx/sites-available/default
Here is the content of the file:

server {
    listen 80;
    server_name TheDomainNameImUsing.dyndnss.net;
    return 301 https://$server_name$request_uri; # enforce https
}

server {
    listen 443 ssl;
    server_name TheDomainNameImUsing.dyndnss.net;
    ssl_certificate /var/www/ssl/cloudssl.crt;
    ssl_certificate_key /var/www/ssl/cloudssl.key;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;

    # Path to the root of your installation
    root /var/www/cloud;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # The following 2 rules are only needed for the user_webfinger app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

Hi,

The error you are receiving indicates an HTTP response on a HTTPS port. Can you double check that Nginx is not serving up a default HTTP virtual host on port 443?

Regarding the configuration, there are a couple of small issues.

1: Try not to use variables in your return code. For example, ‘return 301 https://$server_name$request_uri;’ could be,

return 301 https://TheDomainNameImUsing.dyndnss.net$request_uri;

2: SSLv3 is known to be insecure. Change ‘ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;’ to,

ssl_protocols TLSv1.2 TLSv1.1 TLSv1;

3: The ssl_ciphers can be updated according to Mozilla’s intermediate or modern configuration. See https://mozilla.github.io/server-side-tls/ssl-config-generator/

First, thank you for your quick and good response.

So I did what you mentioned in 1 and 2 (which are nice tips), but it didn’t solve the problem…
I am not entirely sure if I updated the ssl ciphers right.
I chose the exact version of my ssl and server version and added all the lines that were there.
Since then I can’t restart the service, and if I just change the ciphers line the problem isn’t solved either.

You said something about a virtual host. I do not remember configuring one. Where can I find the File? Maybe that’s the Problem :confused:

Hello,

A virtual host is basically a server block. Your configuration shows two server blocks. I suspect there is another server block somewhere, a default block that is responding to your requests. This may be because the default file is not being read.

You mentioned a file, ‘/etc/nginx/sites-available/default’. In this case your server blocks should be in a file under ‘/etc/nginx/sites-available/site.conf’ and symlinked to ‘/etc/nginx/sites-enabled/site.conf’.

This tutorial may help better as it seems to match the Nginx layout you are using. See https://www.linode.com/docs/websites/nginx/how-to-configure-nginx

Thank you very much.

I will read through and try this out this weekend, and then write if I found something out.

So I read through the tutorial and think I got everything.
I found out I misconfigured the ssl keys, but recreating them didn’t fix much.
Now if I put only my URL in the URL line in Mozilla, it loads and loads until it gets no response.
If I write https://MYURL, the SSL_ERROR_RX_RECORD_TOO_LONG error appears again.

I also read through this http://nginx.org/en/docs/http/ngx_http_ssl_module.html#directives and added most of the important lines (I added just the ones I completely understood).

You mentioned a file, ‘etc/nginx/sites-available/default’. In this case your server blocks should be in a file under ‘/etc/nginx/sites-available/site.conf’ and symlinked to ‘/etc/nginx/sites-enabled/site.conf’

If I ‘ls’ in ‘/etc/nginx/sites-available/’ there is only ‘default’, which is the virtual host that is used by default, I assume.
There I edited the config. The symlink to ./sites-enabled exists and works.

I used this site to check my SSL:
https://www.sslshopper.com/ssl-checker.html

Which gives the following output (before that it says that it can resolve the hostname and that the server is Apache (I think nginx looks like Apache from the outside)):
No SSL certificates were found on MYDOMAIN.dyndnss.net. Make sure that the
name resolves to the correct server and that the SSL port (default is
443) is open on your server’s firewall.

Then I ran a port scanner, which said my port 443 is open.
Maybe there’s something wrong with how the server handles the SSL? I don’t know, because I’m not experienced with SSL or web servers. :confused:

Thanks for your help so far. :slight_smile:

Nginx has a very specific header. It is unlikely to be confused as Apache. Are you sure you don’t have Apache installed as well?

I did ‘whereis apache2’ and indeed found a folder. There is not much, but maybe that is creating the error? I will purge it because it’s not mentioned in the tutorial I am using. I’m at work right now so I can’t check if it works. I will write again when I have checked.

Hi,

You should not need to delete the files. Just double check that Apache is not running.

You can also check your certificate with ssllabs.com. You can check all running processes with
ps -aux
and the processes behind each port:
netstat -tulpen

Is this an official SSL certificate or self-signed?

Thank you, I will try that. I just don’t have the time atm.

The certificate is self-signed.