SSL Certificate exceeds maximum permissible length — error:(ssl_error_rx_record_too_long)

Bug #592420 reported by Jeff Thompson
This bug affects 1 person

Affects: Ubuntu | Status: Invalid | Importance: Undecided | Assigned to: Unassigned

Bug Description

Description: Ubuntu 8.04.3 LTS
Release: 8.04

apache2 (Version: 2.2.8-1ubuntu0.15)
openssl (Version: 0.9.8g-4ubuntu3)

I have Ubuntu Server 8.04 installed as a Mail Server with iRedMail-0.6.0 using RoundCube Webmail installed. I am only getting the SSL Certificate exceeds maximum permissible length -- error:(ssl_error_rx_record_too_long) {this error happens in every Browser on Linux and Windows} when I am outside of my internal network and I try to get to the following address on my network --

https://mail.warezwaldo.us/mail/ or https://mail.warezwaldo.us/webmail/

What I mean by that is, when I am at home, on my network, I can get to both of those addresses with no issues and no problems except the SSL Certificate error (that is with every browser -- the standard SSL Security Error) but when I am at school, or my parents', or any of my friends' houses and I try to connect to my mail server's Web Interface I get the SSL Certificate exceeds maximum permissible length -- error:(ssl_error_rx_record_too_long).

I have read many posts and I have tried almost every one of them with no success to include the following actions:
1) I have replaced the standard iRedMail.pem & iRedMail.key with SSL files that I have generated to include 1 using 256bit count, 1 using 512bit count, 1 using 1024bit count, 1 using 2048bit count.
2) I have tried to use the SnakeOil files that come with iRedMail and still same error.
3) I have verified that SSL Support for apache is running -- I can get to https://mail.warezwaldo.us/mail/ from my house on my network.
4) I verified that the /etc/apache2/sites-available & /etc/apache/sites-enabled both have the Correct info for Host and Directories for all files

Modified Configuration -- from sites-available
NameVirtualHost *:443
<VirtualHost *:443>
    ServerAdmin <email address hidden>
    DocumentRoot /var/www

    # Enable SSL.
    SSLEngine On
    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    Alias /mail "/usr/share/apache2/roundcubemail/"
    Alias /webmail "/usr/share/apache2/roundcubemail/"
    Alias /roundcube "/usr/share/apache2/roundcubemail/"
    Alias /phpmyadmin "/usr/share/apache2/phpmyadmin/"
    Alias /mysql "/usr/share/apache2/phpmyadmin/"
    Alias /postfixadmin "/usr/share/apache2/postfixadmin/"
    Alias /awstats-icon "/usr/share/awstats/icon/"
    ScriptAlias /awstats "/usr/lib/cgi-bin/awstats/"
</VirtualHost>

Original Configuration -- from sites-available

NameVirtualHost *:443
<VirtualHost *:443>
    ServerAdmin <email address hidden>
    DocumentRoot /var/www

    # Enable SSL.
    SSLEngine On
    SSLCertificateFile /etc/ssl/certs/iRedMail_CA.pem
    SSLCertificateKeyFile /etc/ssl/private/iRedMail.key
    Alias /mail "/usr/share/apache2/roundcubemail/"
    Alias /webmail "/usr/share/apache2/roundcubemail/"
    Alias /roundcube "/usr/share/apache2/roundcubemail/"
    Alias /phpmyadmin "/usr/share/apache2/phpmyadmin/"
    Alias /mysql "/usr/share/apache2/phpmyadmin/"
    Alias /postfixadmin "/usr/share/apache2/postfixadmin/"
    Alias /awstats-icon "/usr/share/awstats/icon/"
    ScriptAlias /awstats "/usr/lib/cgi-bin/awstats/"
</VirtualHost>

sites-enabled
NameVirtualHost *:443
<VirtualHost *:443>
    ServerAdmin <email address hidden>
    DocumentRoot /var/www

    # Enable SSL.
    SSLEngine On
    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    Alias /mail "/usr/share/apache2/roundcubemail/"
    Alias /webmail "/usr/share/apache2/roundcubemail/"
    Alias /roundcube "/usr/share/apache2/roundcubemail/"
    Alias /phpmyadmin "/usr/share/apache2/phpmyadmin/"
    Alias /mysql "/usr/share/apache2/phpmyadmin/"
    Alias /postfixadmin "/usr/share/apache2/postfixadmin/"
    Alias /awstats-icon "/usr/share/awstats/icon/"
    ScriptAlias /awstats "/usr/lib/cgi-bin/awstats/"
</VirtualHost>

5) I ran apt-get update & apt-get upgrade before installing iRedMail-0.6 to ensure that I had the latest packages.
6) I have tried all of the modifications listed for each of the web browsers and still get same error.
7) I have reset my PK5000 Qwest DSL Modem with no effect
8) I have re-done all routing and port forwarding on that DSL Modem/Router again with no effect
9) I have run wireshark to verify that the packets being received from both the Internal Network and External Networks match and they are the same outside of IP addresses.

I am at a loss with why I can get to my mail server's web page from my network but cannot once I go outside of my network.

Can Anyone Please Help Me with this Issue, it's starting to drive me NUTS and I really want to get this fixed.

Thanks in advance for your Help

# -- Added July 10th, 2010

OK since about Jun 25th I have solved this issue, and it was my DSL Modem that was causing the problem. I have posted a Comment with what I had to do to fix the issue. So if you are having a similar issue this might be a good place to look for a Solution to your problem.

s34n (s34n) wrote :

I recall having a similar issue trying to set up Zoneminder's web interface to use ssl.
The info on this page http://www.tc.umn.edu/~brams006/selfsign_ubuntu.html got me through it.
I'm guessing it is likely an error in your config and not a bug.

I think what finally resolved it for me was creating a separate file /etc/apache2/sites-available/ssl with the config for the ssl stuff, then creating the symlink /etc/apache2/sites-enabled/ssl pointing to it, while leaving /etc/apache2/sites-available/default as it was.

Attached is my /etc/apache2/sites-available/ssl in case you may find it helpful.

warezwaldo (jokerplsc) wrote :

Thanks s34n for the Reply and reminder that I post this.

After some very extensive testing I found that the Qwest-supplied Actiontec PK5000 DSL modem was the culprit to the issue that I was having. There is, according to Actiontec, a "Glitch" in their Software. So what I originally did to configure Port Forwarding on the PK5000 was under the Advanced Port Forwarding Section of the Web Interface of the Modem. I had set ports 25, 110, 143, 443, 585, 993, 995 to forward to my mail server, and ports 22, 80 to forward to web server, with ports 53, 953 forwarded to dns server. So all of a sudden that configuration stopped working and 443 was being forwarded by the DSL modem to the web server which didn't have https running, nor open for traffic.

How I fixed this issue was as follows:
I not only used the Advanced Port Forwarding section but also under Application Forwarding Section I created 3 custom rules one for dns servers with 53, 953 being forwarded, one for web server with 22, 80 being forwarded, and one for mail server with 25, 110, 143, 443, 585, 993, 995 being forwarded. Once I had both rules under Advanced Port Forwarding, and Application Forwarding it started allowing traffic to my Mail Server via HTTPS and I no longer get that SSL error.

I have since replaced the Actiontec PK5000 with the D-Link DSL-2540b and have been very happy so far with the replacement. The D-Link was just as easy to set-up as the Actiontec, and didn't require having settings in multiple locations just to get a Single service to work.

So I apologize for posting as a bug with Ubuntu when it was really a bug for Actiontec.

warezwaldo (jokerplsc)
description: updated
kurt belgrave (trinikrono) wrote :

I am closing this bug from watching your last comment. Please continue to file bugs and make ubuntu better :D

Changed in ubuntu:
status: New → Invalid
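
Added example, not part of the original report or of any project named in it: a browser raises ssl_error_rx_record_too_long when the first bytes it receives on port 443 do not parse as a TLS record, which is what happens when the connection reaches a plain-HTTP listener instead of the SSL virtual host. The sketch below parses the 5-byte TLS record header from captured bytes (for instance the first server payload in a Wireshark trace) and shows why a plaintext reply produces an oversized "length"; the function name and both sample byte strings are constructed for illustration.

```python
import struct

# TLS record header: content type (1 byte), protocol version (2), length (2).
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
# Largest ciphertext record TLS 1.2 permits (RFC 5246, section 6.2.3).
MAX_RECORD_LEN = 2**14 + 2048


def classify_first_bytes(data: bytes) -> dict:
    """Interpret the first bytes a server sent on port 443 as a TLS record."""
    if len(data) < 5:
        return {"verdict": "too-short"}
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    result = {"content_type": ctype, "version": (major, minor), "length": length}
    if ctype in TLS_CONTENT_TYPES and major == 3 and length <= MAX_RECORD_LEN:
        result["verdict"] = "tls-" + TLS_CONTENT_TYPES[ctype]
        return result
    # Not a TLS record: a TLS parser still reads bytes 4-5 as the length,
    # so ASCII such as "P/" becomes 0x502F and trips the size limit.
    result["record_too_long"] = length > MAX_RECORD_LEN
    if data.startswith(b"HTTP/") or data.lstrip().startswith(b"<"):
        result["verdict"] = "plaintext-http"
    else:
        result["verdict"] = "unknown-non-tls"
    return result


# Constructed samples, not captures from the reporter's network.
SAMPLE_TLS = bytes.fromhex("160301004a0200004603015f")  # start of a ServerHello
SAMPLE_HTTP = b"HTTP/1.1 400 Bad Request\r\nServer: Apache\r\n\r\n"

if __name__ == "__main__":
    for name, sample in (("tls sample", SAMPLE_TLS),
                         ("plaintext sample", SAMPLE_HTTP)):
        print(name, classify_first_bytes(sample))
```

Running the same check on captures taken from inside and outside the network shows immediately whether both paths terminate on the same TLS listener.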