Topic: Error after installing a certificate: ssl_error_rx_record_too_long

  1. #1

    Error after installing a certificate: ssl_error_rx_record_too_long

    I installed the certificate following https://help.ubuntu.com/8.04/serverg...-security.html, but after typing it into the browser I get the message:
    Code:
    Podczas łączenia z serwerem localhost wystąpił błąd.
    
    SSL otrzymał rekord przekraczający największą dozwoloną długość.
    
    (Kod błędu: ssl_error_rx_record_too_long)
    Here are the files that may help:
    /etc/apache2/sites-available/default
    Code:
    <VirtualHost *:80>
    	ServerAdmin webmaster@localhost
    	
    	DocumentRoot /var/www/
    	<Directory />
    		Options FollowSymLinks
    		AllowOverride None
    	</Directory>
    	<Directory /var/www/>
    		Options Indexes FollowSymLinks MultiViews
    		AllowOverride None
    		Order allow,deny
    		allow from all
    	</Directory>
    
    	ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    	<Directory "/usr/lib/cgi-bin">
    		AllowOverride None
    		Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
    		Order allow,deny
    		Allow from all
    	</Directory>
    
    	ErrorLog /var/log/apache2/error.log
    
    	# Possible values include: debug, info, notice, warn, error, crit,
    	# alert, emerg.
    	LogLevel warn
    
    	CustomLog /var/log/apache2/access.log combined
    
        Alias /doc/ "/usr/share/doc/"
        <Directory "/usr/share/doc/">
            Options Indexes MultiViews FollowSymLinks
            AllowOverride None
            Order deny,allow
            Deny from all
            Allow from 127.0.0.0/255.0.0.0 ::1/128
        </Directory>
    
    </VirtualHost>
    /etc/apache2/sites-available/default-ssl
    Code:
    <IfModule mod_ssl.c>
    <VirtualHost  *:443>
    	ServerAdmin webmaster@localhost
    	
    	DocumentRoot /var/www/
    	<Directory />
    		Options FollowSymLinks
    		AllowOverride None
    	</Directory>
    	<Directory /var/www/>
    		Options Indexes FollowSymLinks MultiViews
    		AllowOverride None
    		Order allow,deny
    		allow from all
    	</Directory>
    
    	ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    	<Directory "/usr/lib/cgi-bin">
    		AllowOverride None
    		Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
    		Order allow,deny
    		Allow from all
    	</Directory>
    
    	ErrorLog /var/log/apache2/error.log
    
    	# Possible values include: debug, info, notice, warn, error, crit,
    	# alert, emerg.
    	LogLevel warn
    
    	CustomLog /var/log/apache2/ssl_access.log combined
    
    	Alias /doc/ "/usr/share/doc/"
    	<Directory "/usr/share/doc/">
    		Options Indexes MultiViews FollowSymLinks
    		AllowOverride None
    		Order deny,allow
    		Deny from all
    		Allow from 127.0.0.0/255.0.0.0 ::1/128
    	</Directory>
    
    	#   SSL Engine Switch:
    	#   Enable/Disable SSL for this virtual host.
    	SSLEngine on
    
    	#   A self-signed (snakeoil) certificate can be created by installing
    	#   the ssl-cert package. See
    	#   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
    	#   If both key and certificate are stored in the same file, only the
    	#   SSLCertificateFile directive is needed.
    	#SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
    	#SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    	SSLCertificateFile    /etc/ssl/certs/server.crt 
            SSLCertificateKeyFile /etc/ssl/private/server.key 
    	
    	#   Server Certificate Chain:
    	#   Point SSLCertificateChainFile at a file containing the
    	#   concatenation of PEM encoded CA certificates which form the
    	#   certificate chain for the server certificate. Alternatively
    	#   the referenced file can be the same as SSLCertificateFile
    	#   when the CA certificates are directly appended to the server
    	#   certificate for convenience.
    	#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
    
    	#   Certificate Authority (CA):
    	#   Set the CA certificate verification path where to find CA
    	#   certificates for client authentication or alternatively one
    	#   huge file containing all of them (file must be PEM encoded)
    	#   Note: Inside SSLCACertificatePath you need hash symlinks
    	#         to point to the certificate files. Use the provided
    	#         Makefile to update the hash symlinks after changes.
    	#SSLCACertificatePath /etc/ssl/certs/
    	#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
    
    	#   Certificate Revocation Lists (CRL):
    	#   Set the CA revocation path where to find CA CRLs for client
    	#   authentication or alternatively one huge file containing all
    	#   of them (file must be PEM encoded)
    	#   Note: Inside SSLCARevocationPath you need hash symlinks
    	#         to point to the certificate files. Use the provided
    	#         Makefile to update the hash symlinks after changes.
    	#SSLCARevocationPath /etc/apache2/ssl.crl/
    	#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
    
    	#   Client Authentication (Type):
    	#   Client certificate verification type and depth.  Types are
    	#   none, optional, require and optional_no_ca.  Depth is a
    	#   number which specifies how deeply to verify the certificate
    	#   issuer chain before deciding the certificate is not valid.
    	#SSLVerifyClient require
    	#SSLVerifyDepth  10
    
    	#   Access Control:
    	#   With SSLRequire you can do per-directory access control based
    	#   on arbitrary complex boolean expressions containing server
    	#   variable checks and other lookup directives.  The syntax is a
    	#   mixture between C and Perl.  See the mod_ssl documentation
    	#   for more details.
    	#<Location />
    	#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
    	#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
    	#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
    	#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
    	#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
    	#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
    	#</Location>
    
    	#   SSL Engine Options:
    	#   Set various options for the SSL engine.
    	#   o FakeBasicAuth:
    	#     Translate the client X.509 into a Basic Authorisation.  This means that
    	#     the standard Auth/DBMAuth methods can be used for access control.  The
    	#     user name is the `one line' version of the client's X.509 certificate.
    	#     Note that no password is obtained from the user. Every entry in the user
    	#     file needs this password: `xxj31ZMTZzkVA'.
    	#   o ExportCertData:
    	#     This exports two additional environment variables: SSL_CLIENT_CERT and
    	#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
    	#     server (always existing) and the client (only existing when client
    	#     authentication is used). This can be used to import the certificates
    	#     into CGI scripts.
    	#   o StdEnvVars:
    	#     This exports the standard SSL/TLS related `SSL_*' environment variables.
    	#     Per default this exportation is switched off for performance reasons,
    	#     because the extraction step is an expensive operation and is usually
    	#     useless for serving static content. So one usually enables the
    	#     exportation for CGI and SSI requests only.
    	#   o StrictRequire:
    	#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
    	#     under a "Satisfy any" situation, i.e. when it applies access is denied
    	#     and no other module can change it.
    	#   o OptRenegotiate:
    	#     This enables optimized SSL connection renegotiation handling when SSL
    	#     directives are used in per-directory context.
    	#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
    	<FilesMatch "\.(cgi|shtml|phtml|php)$">
    		SSLOptions +StdEnvVars
    	</FilesMatch>
    	<Directory /usr/lib/cgi-bin>
    		SSLOptions +StdEnvVars
    	</Directory>
    	SSLOptions +StrictRequire
    
    
    	#   SSL Protocol Adjustments:
    	#   The safe and default but still SSL/TLS standard compliant shutdown
    	#   approach is that mod_ssl sends the close notify alert but doesn't wait for
    	#   the close notify alert from client. When you need a different shutdown
    	#   approach you can use one of the following variables:
    	#   o ssl-unclean-shutdown:
    	#     This forces an unclean shutdown when the connection is closed, i.e. no
    	#     SSL close notify alert is sent or allowed to be received.  This violates
    	#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
    	#     this when you receive I/O errors because of the standard approach where
    	#     mod_ssl sends the close notify alert.
    	#   o ssl-accurate-shutdown:
    	#     This forces an accurate shutdown when the connection is closed, i.e. a
    	#     SSL close notify alert is sent and mod_ssl waits for the close notify
    	#     alert of the client. This is 100% SSL/TLS standard compliant, but in
    	#     practice often causes hanging connections with brain-dead browsers. Use
    	#     this only for browsers where you know that their SSL implementation
    	#     works correctly.
    	#   Notice: Most problems of broken clients are also related to the HTTP
    	#   keep-alive facility, so you usually additionally want to disable
    	#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
    	#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
    	#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
    	#   "force-response-1.0" for this.
    	BrowserMatch ".*MSIE.*" \
    		nokeepalive ssl-unclean-shutdown \
    		downgrade-1.0 force-response-1.0
    
    </VirtualHost>
    </IfModule>
    I know there are many similar threads on Google, but none of them helped solve the problem.

  2. #2
    Your virtual host has no ServerName directive, which is the name the value from the certificate is compared against.

  3. #3
    Your virtual host has no ServerName directive, which is the name the value from the certificate is compared against.
    Could you write what that should look like? I don't really know.

  4. #4
    Code:
    <VirtualHost  *:443> 
        ServerAdmin webmaster@localhost
        ServerName www.twojadomena.pl
    ...
    </VirtualHost>
    The certificate must also be generated with that same name (www.twojadomena.pl); if ServerName is twojadomena.pl and the certificate says www.twojadomena.pl, you will get an error as well.

    Example:
    http://www.debian-administration.org/articles/349
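
The check described in posts #2 and #4 (an SSL virtual host needs a ServerName, and that name has to be one the certificate was issued for), as an added example that is not part of the original thread. The function names are hypothetical, the config text is a constructed sample modelled on the posted default-ssl file, ServerName is assumed to be a bare hostname, and the certificate names are passed in as a list rather than read from the certificate file.

```python
import re

# Constructed sample modelled on the default-ssl file posted above (no ServerName).
SAMPLE_VHOST = """\
<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/server.crt
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def directives(body, name):
    """Return the arguments of every uncommented `name` directive in a vhost body."""
    out = []
    for line in body.splitlines():
        parts = line.strip().split()
        if parts and not parts[0].startswith("#") and parts[0].lower() == name.lower():
            out.extend(parts[1:])
    return out

def name_matches(host, cert_name):
    """Case-insensitive match; a leading '*.' covers exactly one left-most label."""
    host, cert_name = host.lower().rstrip("."), cert_name.lower().rstrip(".")
    if cert_name.startswith("*."):
        return "." in host and host.split(".", 1)[1] == cert_name[2:]
    return host == cert_name

def audit(conf, cert_names):
    """Return (vhost address, finding) pairs for each SSL vhost in the config text."""
    findings = []
    for addr, body in VHOST_RE.findall(conf):
        if "on" not in [a.lower() for a in directives(body, "SSLEngine")]:
            continue  # not an SSL vhost, nothing to compare
        names = directives(body, "ServerName")
        if not names:
            findings.append((addr.strip(), "no ServerName directive"))
        for n in names:
            if not any(name_matches(n, c) for c in cert_names):
                findings.append((addr.strip(), f"ServerName {n} not in certificate"))
    return findings

if __name__ == "__main__":
    # Certificate names as they would appear in the CN / subjectAltName fields.
    print(audit(SAMPLE_VHOST, ["www.twojadomena.pl"]))
```
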

  5. #5
    To me this is a bit strange, because even though I enter my domain name in the Common Name (eg, YOUR name) field when generating the certificate, and then add the same domain name to the virtual hosts in the ServerName field, it throws the same error
    Code:
    SSL otrzymał rekord przekraczający największą dozwoloną długość.
    
    (Kod błędu: ssl_error_rx_record_too_long)
    Any other suggestions?
