ssl_error_rx_record_too_long and Apache SSL
Resolving 'ssl_error_rx_record_too_long' in Apache SSL

Understand and troubleshoot the common 'ssl_error_rx_record_too_long' error when configuring Apache with SSL/TLS, and learn how to fix it.
The ssl_error_rx_record_too_long error is a common and often frustrating issue encountered when setting up or troubleshooting SSL/TLS on an Apache web server. This error typically manifests in web browsers (especially Firefox) and indicates that the client (browser) received an SSL/TLS record that was unexpectedly large or malformed, suggesting a fundamental miscommunication at the SSL/TLS handshake level. This article will delve into the root causes of this error and provide practical solutions to get your Apache SSL configuration working correctly.
Understanding the 'ssl_error_rx_record_too_long' Error
This error message signifies that the client received data on an SSL/TLS port that it did not recognize as a valid SSL/TLS record. The most common reason for this is that the client is trying to establish an SSL/TLS connection (HTTPS) to a port that is either not configured for SSL/TLS at all, or is configured for plain HTTP. Essentially, the server is sending plain HTTP data (or some other non-SSL data) in response to an SSL/TLS handshake request, which the client interprets as an oversized or invalid SSL record.
flowchart TD
    A[Client (Browser)] -->|HTTPS Request (Port 443)| B{Apache Server}
    B -->|Responds with HTTP (Port 80 config)| C[Client (Browser)]
    C -- "ssl_error_rx_record_too_long" --> D[Error Displayed]
    style A fill:#f9f,stroke:#333,stroke-width:2px
    style B fill:#bbf,stroke:#333,stroke-width:2px
    style C fill:#f9f,stroke:#333,stroke-width:2px
    style D fill:#f00,stroke:#333,stroke-width:2px
Typical flow leading to 'ssl_error_rx_record_too_long'
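Why a plain HTTP reply looks like an oversized record, as an added example that is not part of the original article: a TLS client reads the first five bytes from the server as a record header (type, version, length), so the ASCII bytes of "HTTP/" decode to a length far above the protocol limit. The function names and both sample byte strings are constructed for this illustration.

```python
import struct

# A TLS 1.2 peer may not send a record longer than 2^14 + 2048 bytes (RFC 5246, section 6.2.3).
MAX_RECORD_LEN = 2**14 + 2048
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}

# Constructed samples: what a client might read first from port 443.
PLAIN_HTTP_REPLY = b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n\r\n"
TLS_REPLY = bytes([22, 3, 3, 0, 90]) + b"\x02" * 90  # handshake record header, filler body


def parse_record_header(data: bytes) -> dict:
    """Decode the first 5 bytes as a TLS record header: type, version, length."""
    if len(data) < 5:
        raise ValueError("a TLS record header is 5 bytes")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return {"type": ctype, "version": (major, minor), "length": length}


def classify_first_bytes(data: bytes) -> str:
    """Say whether the peer answered with TLS or with something else, such as plain HTTP."""
    hdr = parse_record_header(data)
    if data.startswith(b"HTTP/"):
        # 'H' 'T' 'T' 'P' '/' = 0x48 0x54 0x54 0x50 0x2f, so the "length" field is 0x502f.
        return f"plain HTTP: 'HTTP/' reads as a record of {hdr['length']} bytes (limit {MAX_RECORD_LEN})"
    if hdr["type"] in CONTENT_TYPES and hdr["version"][0] == 3 and hdr["length"] <= MAX_RECORD_LEN:
        return f"TLS {CONTENT_TYPES[hdr['type']]} record of {hdr['length']} bytes"
    return f"not TLS: type {hdr['type']}, claimed length {hdr['length']}"


if __name__ == "__main__":
    for sample in (PLAIN_HTTP_REPLY, TLS_REPLY):
        print(classify_first_bytes(sample))
```

Feeding it the first bytes captured from the server (for example from a packet capture of the failed handshake) tells you immediately whether Apache answered in plain HTTP on the TLS port.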
Common Causes and Solutions
The ssl_error_rx_record_too_long error almost always points to a misconfiguration in your Apache server's SSL setup. Here are the primary culprits and their corresponding solutions.
Cause 1: SSL Module Not Loaded
Apache requires the mod_ssl module to handle SSL/TLS connections. If this module is not loaded, Apache will treat requests on port 443 as regular HTTP requests, leading to the error.
1. Verify mod_ssl is loaded
Check your Apache configuration files (e.g., httpd.conf or a file in conf.modules.d/) for the LoadModule ssl_module directive. If it's commented out or missing, uncomment/add it.
2. Enable mod_ssl (Debian/Ubuntu)
On Debian-based systems, you can enable it using sudo a2enmod ssl. Then, restart Apache.
3. Restart Apache
After enabling the module, restart Apache to apply the changes. Use sudo systemctl restart apache2 (systemd) or sudo service apache2 restart (SysVinit).
# In httpd.conf or a relevant module configuration file
LoadModule ssl_module modules/mod_ssl.so
Ensuring mod_ssl is loaded in Apache
Cause 2: Incorrect Listen Directive for Port 443
Apache needs to be explicitly told to listen for HTTPS connections on port 443. If Listen 443 is present but not associated with SSL, or if Listen 443 https is missing, it can cause issues.
# Correct Listen directive for SSL
Listen 443 https
# Or, if using separate VirtualHost blocks, ensure SSL is enabled within the VirtualHost
# Listen 443
Correct Listen directive for HTTPS
Cause 3: SSL Directives in Non-SSL VirtualHost
This is a very common mistake. You might have SSLEngine On or other SSL* directives inside a <VirtualHost *:80> block, or outside any <VirtualHost> block but applying to port 80. SSL directives should only be present within a <VirtualHost *:443> block.
# INCORRECT: SSL directives in HTTP VirtualHost
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/html
    # THIS IS WRONG: SSLEngine must not be enabled in a port 80 VirtualHost
    SSLEngine On
    SSLCertificateFile /etc/ssl/certs/example.crt
    SSLCertificateKeyFile /etc/ssl/private/example.key
</VirtualHost>

# CORRECT: SSL directives in HTTPS VirtualHost
<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/html
    SSLEngine On
    SSLCertificateFile /etc/ssl/certs/example.crt
    SSLCertificateKeyFile /etc/ssl/private/example.key
</VirtualHost>
Correct placement of SSL directives
Cause 4: Port Mismatch or Firewall Issues
Ensure that your browser is actually trying to connect to port 443 (HTTPS) and that no firewall (server-side or network-side) is blocking port 443 or redirecting it incorrectly. Sometimes, a proxy or load balancer might be misconfigured, forwarding plain HTTP to Apache on port 443.
1. Check Firewall
Verify that port 443 is open on your server's firewall (e.g., ufw, firewalld, iptables). For ufw: sudo ufw status and sudo ufw allow 'Apache Full'.
2. Test Port Accessibility
Use telnet or nc (netcat) from a client machine to test if port 443 is reachable: telnet your_domain.com 443. If it connects, the port is open. If it hangs or refuses connection, a firewall or service issue exists.
3. Inspect Proxy/Load Balancer
If you're behind a proxy or load balancer, ensure it's correctly configured to forward HTTPS traffic to Apache on port 443, and not attempting to terminate SSL itself and forward plain HTTP to Apache's 443.
Avoid setting SSLEngine On in your main httpd.conf or outside a <VirtualHost *:443> block if you intend to serve both HTTP and HTTPS. This will force SSL on all ports, including port 80, leading to the ssl_error_rx_record_too_long error for HTTP requests.
Troubleshooting Workflow
When faced with this error, follow a systematic approach to diagnose and resolve it.
flowchart TD
    A[Start: Encounter 'ssl_error_rx_record_too_long'] --> B{Is mod_ssl loaded?}
    B -- No --> C[Load mod_ssl (a2enmod ssl)]
    B -- Yes --> D{Is Listen 443 https present?}
    C --> E[Restart Apache]
    D -- No --> F[Add/Correct Listen 443 https]
    D -- Yes --> G{Are SSL directives ONLY in <VirtualHost *:443>?}
    F --> E
    G -- No --> H[Move SSL directives to <VirtualHost *:443>]
    G -- Yes --> I{Is Port 443 open on firewall/proxy?}
    H --> E
    I -- No --> J[Open Port 443 / Check Proxy Config]
    I -- Yes --> K[Check Apache Error Logs]
    J --> E
    K --> L[Review SSL Certificate/Key Paths]
    L --> M[Test with curl -v https://yourdomain.com]
    M --> N[Problem Solved / Further Investigation]
Troubleshooting workflow for 'ssl_error_rx_record_too_long'
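The configuration checks from this workflow (mod_ssl loaded, a Listen on 443, SSLEngine On only inside port 443 virtual hosts) can be automated. The following is an added example, not part of the original article and not an Apache tool; audit_apache_ssl and SAMPLE are hypothetical names, and it assumes the configuration has already been merged into one text (Include files expanded) with one address per <VirtualHost>.

```python
import re

# Constructed sample: merged Apache config text (not taken from a real server).
SAMPLE = """\
Listen 80
#LoadModule ssl_module modules/mod_ssl.so
<VirtualHost *:80>
    SSLEngine On
</VirtualHost>
<VirtualHost *:443>
    ServerName example.com
</VirtualHost>
"""


def audit_apache_ssl(conf: str) -> list:
    """Return one finding per cause from this page that the config text exhibits."""
    findings, has_mod_ssl, listens_443 = [], False, False
    vhost, ssl_vhosts = None, {}  # current <VirtualHost> address; address -> SSLEngine on seen
    for n, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip().lower()
        if not line or line.startswith("#"):
            continue  # commented-out directives do not count
        if re.match(r"loadmodule\s+ssl_module\b", line):
            has_mod_ssl = True
        elif re.match(r"listen\s+(\S+:)?443\b", line):
            listens_443 = True
        elif m := re.match(r"<virtualhost\s+([^>]+)>", line):
            vhost = m.group(1).strip()
            ssl_vhosts.setdefault(vhost, False)
        elif line.startswith("</virtualhost"):
            vhost = None
        elif re.match(r"sslengine\s+on\b", line):
            if vhost and vhost.endswith(":443"):
                ssl_vhosts[vhost] = True
            else:
                findings.append(f"line {n}: SSLEngine on in {vhost or 'global scope'}, not a :443 vhost")
    if not has_mod_ssl:
        findings.append("no active LoadModule ssl_module")
    if not listens_443:
        findings.append("no Listen directive for port 443")
    for addr, ssl_on in ssl_vhosts.items():
        if addr.endswith(":443") and not ssl_on:
            findings.append(f"<VirtualHost {addr}> lacks SSLEngine on, so it answers in plain HTTP")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_apache_ssl(SAMPLE)))
```

An empty result only means none of these configuration causes were found; the firewall, proxy and certificate path steps of the workflow still need checking on the live system.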
By systematically checking these common causes, you should be able to identify and resolve the ssl_error_rx_record_too_long error. Remember that this error is almost always a server-side configuration issue, not a client-side problem.