Jump to content
Froxlor Forum
JuKu

Letsencrypt SSL_ERROR_RX_RECORD_TOO_LONG

Recommended Posts

Hello everybody,

 

I try to configure a letsencrypt certificate for one of my domains https://jukusoft.com , certificates are already generated by froxlor, but i get this error, if i browse the domain with firefox:

SSL_ERROR_RX_RECORD_TOO_LONG

 

If i search with google there are many threads about this topic, but there isn't any solution for this.

Also there is no good tutorial on froxlor sites. Because i dont know if this is a bug or only a issue about a not-existent documentation, i havent created a issue on github yet.

I also doesnt get any results by your forum search. If this is the wrong forum, please move my topic to the right! thanks!

 

If i try to execute "openssl s_client -showcerts -connect jukusoft.com:443 -servername jukusoft.com" i get this output:

CONNECTED(00000003)
140505437533840:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:782:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 310 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1521806504
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

 

I have also configured IP / Port settings:

dd.thumb.PNG.70720f5fcd7a07000e2c64a6d207f42e.PNG

ddKopie.thumb.PNG.92d0d3b336f996f1b3fae88324917f43.PNG

dd.thumb.PNG.9cc821acb106d182f668f4cb5a295ec8.PNG

 

Domain Settings:

dd.thumb.PNG.d7fdcfca32dd668d301eded847a34066.PNG

 

ddKopie.thumb.PNG.e1722a41e04545189f7e17a5710e2060.PNG

 

Where is the problem?
And please, can you write a good tutorial / documentation for SSL & letsencrypt configuration for froxlor?

Share this post


Link to post
Share on other sites

The ssl-enabled IP/Port needs a certificate too, specify that either globally in ssl-settings, per ip/port when editing the corresponding ip/port or via froxlor-vhost (also settings). You also have to activate "generate Vhost container" in the ip/port for this to work

Share this post


Link to post
Share on other sites

@d00p Thanks for this fast answer!

 

vor 5 Stunden schrieb d00p:

The ssl-enabled IP/Port needs a certificate too

How do i get this certificate? Can i generate this or also get a certificate from letsencrypt?

 

vor 5 Stunden schrieb d00p:

specify that either globally in ssl-settings, per ip/port when editing the corresponding ip/port or via froxlor-vhost (also settings).

 

I have already specified this in global ssl settings:

dd.thumb.PNG.db439cd7ac1e9bc75181a3886d683d6a.PNG

ddKopie.thumb.PNG.3eff33ea3ecbac24d381193cdd1b402a.PNG

 

Is this right?

Share this post


Link to post
Share on other sites

You need to manually create this certificate on the Filesystem. Either a selfsigned certificate or one you bought

Share this post


Link to post
Share on other sites

Or you activate lets encrypt in "froxlor vhost settings", but Changes i mentioned before are required

Share this post


Link to post
Share on other sites
Am 25.3.2018 um 08:27 schrieb d00p:

You need to manually create this certificate on the Filesystem. Either a selfsigned certificate or one you bought

Thanks for your answer again!
Can i also use a lets encrypt certificate for this?

Or have i really generate a selfsigned certificate?

 

If yes, how can i do this?

openssl req -new > new.ssl.csr

openssl rsa -in privkey.pem -out new.cert.key
openssl x509 -in new.cert.csr -out new.cert.cert -req -signkey new.cert.key -days NNN
cp new.cert.cert /etc/ssl/certs/server.crt
cp new.cert.key /etc/ssl/private/server.key

 

Am 25.3.2018 um 08:28 schrieb d00p:

Or you activate lets encrypt in "froxlor vhost settings", but Changes i mentioned before are required

I have done this, but it doesnt works.

Share this post


Link to post
Share on other sites
42 minutes ago, JuKu said:

I have done this, but it doesnt works.

It doesnt work is not an error message...please post logs or error messages.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Similar Content

    • By ZARk
      Hello

      I can't renew certs (or create new certs) since the 0.10 upgrade. was working fine before on 0.9

      I'm basically getting the same output everytime i run this command.
       
      xander /var/www/froxlor # /usr/bin/php7.3 -q /var/www/froxlor/scripts/froxlor_master_cronjob.php --letsencrypt --debug [information] Requesting/renewing Let's Encrypt certificates [information] Creating certificate for Westecheurope.eu [information] Adding SAN entry: Westecheurope.eu [information] Adding SAN entry: www.Westecheurope.eu [Mon 4 Nov 11:23:46 CET 2019] It is recommended to install socat first. [Mon 4 Nov 11:23:46 CET 2019] We use socat for standalone server if you use standalone mode. [Mon 4 Nov 11:23:46 CET 2019] If you don't use standalone mode, just ignore this warning. [information] Checking for LetsEncrypt client upgrades before renewing certificates: [Mon 4 Nov 11:23:45 CET 2019] Installing from online archive. [Mon 4 Nov 11:23:45 CET 2019] Downloading https://github.com/Neilpang/acme.sh/archive/master.tar.gz [Mon 4 Nov 11:23:46 CET 2019] Extracting master.tar.gz [Mon 4 Nov 11:23:46 CET 2019] Installing to /root/.acme.sh [Mon 4 Nov 11:23:46 CET 2019] Installed to /root/.acme.sh/acme.sh [Mon 4 Nov 11:23:46 CET 2019] Good, bash is found, so change the shebang to use bash as preferred. [Mon 4 Nov 11:23:47 CET 2019] OK [Mon 4 Nov 11:23:47 CET 2019] Install success! [Mon 4 Nov 11:23:47 CET 2019] Upgrade success! [Mon 4 Nov 11:23:47 CET 2019] Removing cron job [Mon 4 Nov 11:23:52 CET 2019] get to authz error. [Mon 4 Nov 11:23:52 CET 2019] _authorizations_map='www.westecheurope.eu,{"identifier":{"type":"dns","value":"www.westecheurope.eu"},"status":"pending","expires":"2019-11-07T18:17:12Z","challenges":[{"type":"http-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/1025077162/e3Lmew","token":"H07E0jvAJ-vnQ4jirnVIxqLeRxDwQ_VC6PQ0RAJgEvU"},{"type":"dns-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/1025077162/rs0T6w","token":"H07E0jvAJ-vnQ4jirnVIxqLeRxDwQ_VC6PQ0RAJgEvU"},{"type":"tls-alpn-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/1025077162/ZPjfSg","token":"H07E0jvAJ-vnQ4jirnVIxqLeRxDwQ_VC6PQ0RAJgEvU"}]} westecheurope.eu,{"identifier":{"type":"dns","value":"westecheurope.eu"},"status":"pending","expires":"2019-11-07T18:17:12Z","challenges":[{"type":"http-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/1025077160/hOWGhQ","token":"Bd7XDicTn8dtJBIYc9Eod2d7eOxZGba42pnnl5aCNyI"},{"type":"dns-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/1025077160/nj7_Ow","token":"Bd7XDicTn8dtJBIYc9Eod2d7eOxZGba42pnnl5aCNyI"},{"type":"tls-alpn-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/1025077160/v7Bc7A","token":"Bd7XDicTn8dtJBIYc9Eod2d7eOxZGba42pnnl5aCNyI"}]} ' [Mon 4 Nov 11:23:52 CET 2019] Please add '--debug' or '--log' to check more details. [Mon 4 Nov 11:23:52 CET 2019] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh [debug] [Mon 4 Nov 11:23:48 CET 2019] Creating domain key [Mon 4 Nov 11:23:49 CET 2019] The domain key is here: /root/.acme.sh/Westecheurope.eu/Westecheurope.eu.key [Mon 4 Nov 11:23:49 CET 2019] Multi domain='DNS:Westecheurope.eu,DNS:www.Westecheurope.eu' [Mon 4 Nov 11:23:50 CET 2019] Getting domain auth token for each domain [Mon 4 Nov 11:23:52 CET 2019] Getting webroot for domain='Westecheurope.eu' [error] Could not get Let's Encrypt certificate for Westecheurope.eu: [Mon 4 Nov 11:23:48 CET 2019] Creating domain key [Mon 4 Nov 11:23:49 CET 2019] The domain key is here: /root/.acme.sh/Westecheurope.eu/Westecheurope.eu.key [Mon 4 Nov 11:23:49 CET 2019] Multi domain='DNS:Westecheurope.eu,DNS:www.Westecheurope.eu' [Mon 4 Nov 11:23:50 CET 2019] Getting domain auth token for each domain [Mon 4 Nov 11:23:52 CET 2019] Getting webroot for domain='Westecheurope.eu' [information] No new certificates or certificates due for renewal found [notice] Checking system's last guid  
    • By d00p
      Dear Froxlor Community,
      I am proud to finally release the stable version of a new API based froxlor. Due to massive internal improvements and changes in the core (almost 600 commits since 0.9.40.1) users are now able to list/create/edit/delete resources and entities of froxlor via API (requires activation of api-usage in the settings and a user based API-key). The froxlor frontend itself uses the API backend too.
      Froxlor now uses composer to include some of its requirements like phpMailer, Logger, IdnaConvert and TwoFactorAuth libraries. All required files will be included in the official tarball so you do not need to worry about installing and using composer (only if you are using / testing the git-master, see https://github.com/Froxlor/Froxlor/wiki/Install-froxlor-from-git-sources).
      Most important changes:
      froxlor now requires at least php-7.0 or newer, php-5.6 is no longer supported because of its EOL almost a year ago you can access data via API, for more information see https://api.froxlor.org/doc/. An example can be found here: https://github.com/Froxlor/Froxlor/tree/master/doc/example PHPUnit tested API backend with MySQL 5.6, 5.7 and 8 as well as MariaDB 10.3 and 10.4, see https://travis-ci.com/Froxlor/Froxlor compatibility for MySQL8 2FA (two-factor-authentication) for admins/resellers/customers (email or authenticator app) all froxlor-database tables will automatically be converted to the InnoDB engine added support for Debian 10 (buster) and Ubuntu 18.04 (bionic beaver) implemented Let's Encrypt via acme.sh - Note: all your current Let's Encrypt certificates will be removed and re-created due to another structure customizable error/access log handling for webserver (format, level, pipe-to-script, etc.) deprecated Debian 7 (wheezy) and Ubuntu 14.04 (trusty tahr) support dropped support for Ubuntu 12.04 (precise pangolin) dropped ticketsystem Changes in 0.10.1:
      allow/disallow API access on a per-customer base new API parameters for Admins.add(), Admins.update(), Customers.add() and Customers.update() bool $api_allowed (default: false for Customers, true for Admins) add explicit tlsv1.3 ciphersuite setting fixed wrong behaviour in Ftps.add() if customer is newly created and setting customer.ftpatdomain is true added expiration date to SSL certificates loaded via API request fixed wrong return in Certificates.get() if given domain does not have a certificate allow setting http2 flag for (sub)domains in customer view, fixes #725 Changes in 0.10.2:
      force Let's Encrypt ACMEv2 API, fixed #728 added default-ssl-vhost settings and optionally allow including of non-ssl default-vhost settings, fixes #727 new API parameters for Domains.add() and Domains.update() string $ssl_specialsettings bool $include_specialsettings bool $dont_use_default_ssl_ipandport_if_empty removed API parameters in Domains.add() bool $use_default_ssl_ipandport_if_empty new API parameters for IpsAndPorts.add() and IpsAndPorts.update() string $ssl_specialsettings bool $include_specialsettings string $ssl_default_vhostconf_domain bool $include_default_vhostconf_domain implemented DomainZones.listing() to return custom stored dns entries fix registration and termination date to flip between empty-value and 0000-00-00 Changes in 0.10.3:
      fallback to /tmp/froxlor.log if file-log is activated but no file given or not writeable; fixes #737 added tls-settings per domain for admins with change_serversettings-flag set; fixes #519 new API parameter for Domains.add() and Domains.update() bool $override_tls (default: false) array $ssl_protocols string $ssl_cipher_list string $tlsv13_cipher_list preserve downward compatibility for 0.10.1 updaters regarding specialsettings for ssl-enabled domains; fixes #739 Changes in 0.10.4:
      added support for CIDR/netmask in mysql-access-hosts; fixes #564 fixed invalid handling of escape-sequences in api-endpoint, fixes #746 fixed an issue with adding the default ftp user for new customer when added by admin/reseller with no ftp-resources; fixes #741 fixed nginx configuration issue with fastcgi_split_path_info option; fixes #744 Changes in 0.10.5:
      bugfix release due to errors in Let's Encrypt re-new check; fixes #747 Download: 0.10.5

      Note: Debian/Ubuntu packages are available as of 21th of October 2019 - Note that there are no packages for oldoldstable (jessie) anymore
      Attention: The auto-update feature is currently not working correctly for updaters from 0.9.x due to the archive taking a bit longer to extract and froxlor trying to redirect too soon thus leading to an internal server error. A quick reload does "fix" the problem. To avoid that please use the manual update options, see https://github.com/Froxlor/Froxlor/wiki

      Visit http://www.froxlor.org or join our IRC channel #froxlor on irc.freenode.net for support, help, participation or just a chat

      Thank you,
      d00p
    • By nisamudeen97
      Hi,
      Our froxlor server is behiend NAT and it uses the local IP  192.168.73.40.  We have enabled letsencrypt module in froxlor and tried validating SSL for a domain in the server.  SSL generation is getting failed with 403 error.  See the debug log information.      Replaced domain name and main IP.    Can any one help me regarding the issue.
       
      [information] Updating Let's Encrypt certificates [information] Updating domain-name.com [information] Adding SAN entry: domain-name.com [information] Adding SAN entry: www.domain-name.com [information] letsencrypt-v2 Using 'https://acme-v02.api.letsencrypt.org' to generate certificate [information] letsencrypt-v2 Using existing account key [information] letsencrypt-v2 Starting certificate generation process for domains [information] letsencrypt-v2 Sending signed request to https://acme-v02.api.letsencrypt.org/acme/new-order [information] letsencrypt-v2 Requesting challenge for domain-name.com [information] letsencrypt-v2 Got challenge token for domain-name.com [information] letsencrypt-v2 Token for domain-name.com saved at /var/www/froxlor/.well-known/acme-challenge/vkTyLi2ApfP9O9ou8GyDz6WQmB--HP4ULnU0fhjXI0k and should be available at http://domain-name.com/.well-known/acme-challenge/vkTyLi2ApfP9O9ou8GyDz6WQmB--HP4ULnU0fhjXI0k [information] letsencrypt-v2 Sending request to challenge [information] letsencrypt-v2 Sending signed request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/803008408/k46kFQ [information] letsencrypt-v2 Verification pending, sleeping 1s [information] letsencrypt-v2 Verification pending, sleeping 1s [error] Could not get Let's Encrypt certificate for domain-name.com: Verification ended with error: {"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"Invalid response from http:\/\/domain-name.com\/.well-known\/acme-challenge\/vkTyLi2ApfP9O9ou8GyDz6WQmB--HP4ULnU0fhjXI0k [212.224.xxx.xxx]: \"<!DOCTYPE html>\\n<html lang=\\\"en-CA\\\" class=\\\"html_stretched responsive av-preloader-active av-preloader-enabled av-default-lightbox\"","status":403},"url":"https:\/\/acme-v02.api.letsencrypt.org\/acme\/chall-v3\/803008408\/k46kFQ","token":"vkTyLi2ApfP9O9ou8GyDz6WQmB--HP4ULnU0fhjXI0k","validationRecord":[{"url":"http:\/\/www.domain-name.com\/.well-known\/acme-challenge\/vkTyLi2ApfP9O9ou8GyDz6WQmB--HP4ULnU0fhjXI0k","hostname":"www.domain-name.com","port":"80","addressesResolved":["212.224.xxx.xxx"],"addressUsed":"212.224.xxx.xxx"},{"url":"http:\/\/domain-name.com\/.well-known\/acme-challenge\/vkTyLi2ApfP9O9ou8GyDz6WQmB--HP4ULnU0fhjXI0k","hostname":"domain-name.com","port":"80","addressesResolved":["212.224.xxx.xxx"],"addressUsed":"212.224.xxx.xxx"}]} [information] Let's Encrypt certificates have been updated  
    • By Jason Szymanski
      Hallo,
       
      ich habe leider ein Problem mit Froxlor.
      Zu meiner Situation: Froxlor läuft auf der Subdomain web01.meinedomain.net
      Jetzt möchte ich die Domain aber auch noch weiter Nutzen und habe mich daher als Kunde angelegt und die Domain meineDomain.net als Domain hinzugefügt.
      Dort kann ich auch weitere Subdomains hinzufügen. Das scheint soweit auch zu klappen ich sehe das er VHosts anlegt und auch die Verzeichnisse im FTP anlegt.
      Wenn ich jetzt allerdings versuche auf meinedomain.net oder eine andere Subdomain unter dieser Domain zuzugreifen leitet er mich auf web01.meinedomain.net
      Ich habe mich schon in den Einstellungen umgeschaut konnte aber keine entsprechende Einstellung finden an der das liegen könnte.
      Wie verhindere ich also das er mich auf Froxlor umleitet?
       
      Mit Freundlichen Grüßen
      Jason Szymanski
×
×
  • Create New...