The error code ssl_error_rx_record_too_long in Apache2 typically indicates a misconfiguration related to SSL/TLS settings. This error occurs when the client attempts to initiate an SSL connection to a non-SSL port, or when the server is improperly configured to handle SSL connections.
Here’s a step-by-step guide to diagnose and resolve this issue on a Debian server running Apache2:
1. Check Apache Configuration
a. Ensure SSL Module is Enabled
First, verify that the SSL module is enabled in Apache.
sudo a2enmod ssl
After enabling the module, restart Apache:
sudo systemctl restart apache2
b. Verify SSL Configuration in Virtual Hosts
Make sure you have the correct SSL configuration in your Virtual Hosts files.
For SSL, the configuration should be under a file such as /etc/apache2/sites-available/default-ssl.conf or similar. Check if the following directives are present and correctly configured:
<VirtualHost *:443>
    ServerName yourdomain.com
    DocumentRoot /var/www/html
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/your_certificate.crt
    SSLCertificateKeyFile /etc/ssl/private/your_private_key.key
    # Optional, if you have a CA certificate.
    # Deprecated since Apache 2.4.8: the intermediate certificates can be
    # appended to the SSLCertificateFile instead.
    SSLCertificateChainFile /etc/ssl/certs/your_ca_certificate.pem
</VirtualHost>
Ensure that the SSLCertificateFile, SSLCertificateKeyFile, and optionally SSLCertificateChainFile paths are correctly pointing to your certificate and key files.
c. Enable SSL Site
Enable the SSL site configuration if not already done:
sudo a2ensite default-ssl.conf
Restart Apache to apply changes:
sudo systemctl restart apache2
2. Check Port Configuration
a. Verify Listening Ports
Ensure that Apache is configured to listen on the correct ports for SSL. This is usually port 443. Check the ports.conf file:
sudo nano /etc/apache2/ports.conf
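Ensure it includes a single Listen directive for port 443 (listing the same address and port twice makes Apache fail to bind with an "Address already in use" error):
<IfModule ssl_module>
    Listen 443
</IfModule>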
3. Verify Firewall Settings
Ensure that your firewall allows traffic on port 443.
For ufw (Uncomplicated Firewall), you can check and allow the port with:
sudo ufw status
sudo ufw allow 443/tcp
For iptables, you can check the rules with:
sudo iptables -L
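If necessary, add a rule to allow traffic on port 443. Note that -A appends to the end of the INPUT chain, so the rule has no effect if an earlier rule already drops or rejects the traffic: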
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
4. Check for Misconfigurations
a. Non-SSL Port Configuration
Ensure that you’re not trying to serve SSL content on port 80 or any other non-SSL port. Verify this in your VirtualHost configuration. There should be a clear distinction between configurations for port 80 and port 443.
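Why the client calls this a "record too long": when a port answers a TLS handshake with plain HTTP, the first five bytes of the reply get read as a TLS record header, and the length field comes out far above the TLS limit. The Python sketch below is an added example, not part of the original guide; the function names are illustrative and the sample replies are constructed.

```python
import struct

# Largest ciphertext record length TLS 1.2 permits (RFC 5246, section 6.2.3).
MAX_RECORD_LEN = 2**14 + 2048
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}


def parse_record_header(reply: bytes) -> dict:
    """Read the first 5 bytes of a reply the way a TLS client would."""
    if len(reply) < 5:
        raise ValueError("a TLS record header is 5 bytes")
    ctype, major, minor, length = struct.unpack("!BBBH", reply[:5])
    return {
        "content_type": CONTENT_TYPES.get(ctype),  # None if not a TLS type
        "version": (major, minor),
        "length": length,
        "too_long": length > MAX_RECORD_LEN,
    }


def classify_reply(reply: bytes) -> str:
    """Return 'plain-http', 'tls' or 'unknown' for the start of a reply."""
    if reply.startswith(b"HTTP/"):
        return "plain-http"  # the port answered in plaintext HTTP
    if len(reply) < 5:
        return "unknown"
    hdr = parse_record_header(reply)
    if hdr["content_type"] and hdr["version"][0] == 3 and not hdr["too_long"]:
        return "tls"
    return "unknown"


# Constructed samples: what a server might send back after a ClientHello.
SAMPLES = {
    "http_on_443": b"HTTP/1.1 400 Bad Request\r\n",
    "server_hello": bytes.fromhex("160303005d02"),
    "tls_alert": bytes.fromhex("15030300020228"),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, classify_reply(data), parse_record_header(data))
```

For the plaintext sample, the bytes "P/" are read as the length field, giving 20527, which is over the 18432-byte maximum.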
b. Syntax and Configuration Check
Run a configuration test to ensure there are no syntax errors or misconfigurations:
sudo apache2ctl configtest
Look for any errors or warnings and fix them as needed.
5. Verify Certificate Files
Ensure that your SSL certificate and key files are valid and not corrupted. For an RSA key, you can check that the certificate and key match using the following commands:
# Check certificate
openssl x509 -noout -modulus -in /etc/ssl/certs/your_certificate.crt | openssl md5
# Check key
openssl rsa -noout -modulus -in /etc/ssl/private/your_private_key.key | openssl md5
Both commands should output the same hash if the certificate and key match.
6. Browser and Client-Side Issues
Sometimes, client-side issues (like browser cache or proxy settings) can cause the error. Clear your browser cache or try a different browser or device to rule out these possibilities.
7. Log Files
Check Apache error logs for any specific messages related to SSL. Logs can provide detailed clues about the problem.
sudo tail -f /var/log/apache2/error.log
Summary
By following these steps, you should be able to diagnose and resolve the ssl_error_rx_record_too_long error in Apache2 on Debian. Ensure that your Apache SSL configuration is correct, that the appropriate ports are open and properly configured, and that your certificate files are valid and properly linked. If you still encounter issues, review the logs for additional hints.