
So I’ve talked about my hosting provider before, their tech support isn’t the brightest crayons in the box. It seems whatever issue I have with them, they don’t read what exactly I want. Key word analysis is great guys, I did it when I worked phone support at Symantec. What I didn’t do is misinterpret everything the customer said on every single issue. If something isn’t working you have to fix it.
Warning for the non-geeks that read my site, this is about to get technical.
Let’s go back to the beginning and flash forward to present day. In September I really wanted to implement SSL for the administration section of my blog — simple, easy, and secure. The biggest reason for this was the Wordpress 2.7 series offered better support for SSL, so now was the time to implement it instead of hacking around with plugins for support. This turned out to be not so simple.
Online I found my hosting provider is supposed to offer a server self signed certificate, so I sent the following message to tech support:
Is there a shared server certificate for SSL that I can use for my wordpress installation?
Now I’m fast and willing to pick through things on my own, so before technical support could reply I added this second message to my brand new ticket.
I found the SSL manager in cpanel -
1. Do you have instructions on properly generating your SSL key for use with
this (wording might be wrong — but how to configure this so I can use it with
my creeva.com domain?
2. Do you have instructions on using this with wordpress?
Simple and straightforward I thought. Here is what I got back:
Hello,
If you install the shared SSL for the domain, you will be getting warning when
you take the site.
It is better to purchase SSL from third party godday.
Please check the link given below for installing SSL.
http://www.cpanel.net/support/docs/11/cpanel/sec_ssl.html
In case you have any more queries, please don’t hesitate to contact us with
all the required details. We’ll be happy to assist you further.
Let’s throw the little bit of broken English aside for a moment and break this down. I am aware (of course they don’t know this) that I will be getting a certificate mismatch error when I login to the SSL site. Problem one I see is that they are sending me to a third party, yet they sell an SSL service — I find this odd, but Godaddy (I’m assuming that was what he meant) is cheaper. Good customer service? Maybe. The other problem is that he sent me the instructions for doing this in Cpanel 11, all fine and good, but they have all of their customers on Cpanel 10. The instructions were similar and I followed them. After implementing the changes I attempted to go to my website on HTTPS. Firefox threw out the following message:
Secure Connection Failed
An error occurred during a connection to creeva.com.
SSL received a record that exceeded the maximum permissible length.
(Error code: ssl_error_rx_record_too_long)
The page you are trying to view can not be shown because the authenticity of
the received data could not be verified.
* Please contact the web site owners to inform them of this problem.
I spent a day researching this message, BTW Firefox’s documentation of error messages is terrible, hence why it took me a day instead of minutes. Also Firefox’s documentation is wrong as I would find out later. After a few days of trying to get this to work I gave up and wrote this off as a lost cause for the moment and focused on other things.
Flash forward to yesterday, I decided to reopen this ticket since again I wanted SSL. I knew from experience that the shared certificate would not work properly, so I went and generated a free (valid) one from Instant SSL. I wanted to do this before purchasing my own SSL certificate from Godaddy, just to make sure everything was working properly. I went through all of the steps and I got the same error message. Well I saved the thirteen dollars a valid certificate would have cost, but wasn’t any closer to my end goal of an encrypted Wordpress administration section. I still wanted this so I opened the original ticket back up (tech support hates that BTW) and added the following note:
I’m back to this again — I was considering buying SSL instead of using the
shared cert — but having applied a cert from Comodo — I’m getting the same
error in firefox:
Secure Connection Failed
An error occurred during a connection to creeva.com.
SSL received a record that exceeded the maximum permissible length.
(Error code: ssl_error_rx_record_too_long)
The page you are trying to view can not be shown because the authenticity of
the received data could not be verified.
* Please contact the web site owners to inform them of this problem.
If I try Internet Explorer it doesn’t even connect
If I use digicerts SSL checker — http://www.digicert.com/help/ I get this:
DNS resolves ‘creeva.com’ to 69.4.229.212
No certificates were found.
Output from ‘openssl s_client’ command:
13127:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:585:
CONNECTED(00000003
Now following godaddy’s instructions it seems I need access to cpanel WHM -
which is something from a shared hosting perspective I need you to implement.
Can I get this done — also I’m perfectly fine using a self signed server
generated cert (which is what it currently is right now)
Since I’m not using a shopping cart and I’m only going to use SSL for
maintenance of wordpress, it’s perfectly fine for me to receive the security
exception warning in firefox since it will not be a customer facing error, I
only want the encryption side, not the non-repudiation side of SSL.
Also the instructions you sent me are for Cpanel 11 — currently my account uses
cpanel 10 when I login
For those technical people that understand what I’m trying to accomplish, am I unclear on this? Please excuse my muddled use of non-repudiation. Also that stupid Firefox message I stated was vague, well it seems the server wasn’t even completing the connection properly — stupid Firefox error messages. This is the response I got back:
For installing a dedicated SSL certificate on your domain, you will have to
purchase a static IP(dedicated IP) for your domain. For that you need to
contact our billing department.
After obtaining a static IP, we will assign that IP to your domain. You can
upload your cert , key and CA bundle for the site to the server so that we
can install the cert for you.
Also please note that there will be some downtime for the site until the IP
change propagates globally.
Please confirm if you need a static IP for the domain, so that we can forward
this to the concerned department.
Now what part of my message did they not understand? I did state that I was perfectly fine with an error message, that I wanted to use the shared certificate. I think I implied fairly well that I would prefer to use the shared certificate, that way I wouldn’t have to actually buy my own. This is the problem you get into when you do keyword scanning, at least the first guy with broken English understood my question better. My response:
Like I said in my previous e-mail — I do not need a static IP, nor do I need
a dedicated SSL certificate — I’m fine using the standard shared SSL
certificate — as was/is advertised online that all plans came with a shared
server SSL cert — that is what I would like to use and that is what is not
working.
Maybe they’ve finally understood my issue?
We are checking your query regarding shared SSL in detail. We will get back to
you with the updates soon.
Soon came about thirty minutes later:
After careful review of this ticket, we have decided that you could be better
assisted in another department within our company.
For this reason, we are transferring your ticket. Please expect a short period
of time where this ticket is not updated, as it is queued up at its
destination.
We make every effort possible to take care of every ticket as quickly as we
can. We will contact you shortly.
Thank you for understanding,
I was nice enough to leave off the names of their technical support staff. What I don’t understand is why I have to go to another department — maybe I’m going to the server admins who actually make the changes? Any time I have an issue it seems that I have to go through a lot of back and forth in the technical support team. If you techies read my inquiries as unclear, please let me know. As I get more information I’ll be updating the comments.
Grrrrrrrrrrrrrr
UPDATE — not often I get to update — it seems HTTPS is now working on my domains — well kind of. I still have more configuration to complete on my side, but it is at least answering now. Only took thirteen hours.
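Added example, not part of the original post: the Firefox error and the openssl `unknown protocol` line quoted above are what TLS clients typically report when the first bytes coming back on port 443 are not a TLS record, often plain HTTP from a host with no SSL configured. The sketch below reads those first bytes as a record header; the sample byte strings are constructed, and the post does not establish what the server actually sent.

```python
import struct

# TLS record header: 1-byte content type, 2-byte version, 2-byte length.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
MAX_RECORD_LEN = 2**14 + 2048  # largest ciphertext fragment allowed (RFC 5246)

# Constructed samples, not captured from any real server.
SAMPLE_HTTP = b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n\r\n"
SAMPLE_TLS = bytes([22, 3, 3, 0, 74]) + b"\x02\x00\x00\x46"  # start of a ServerHello
SAMPLE_ALERT = bytes([21, 3, 1, 0, 2, 2, 40])                # fatal handshake_failure


def classify_first_bytes(data: bytes) -> dict:
    """Interpret the first bytes received on a TLS port as a client's record layer would."""
    if len(data) < 5:
        return {"verdict": "short_read", "detail": f"only {len(data)} bytes received"}
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    result = {"content_type": ctype, "version": (major, minor), "length": length}
    looks_http = data[:5] in (b"HTTP/", b"<!DOC", b"<html", b"<HTML")
    if ctype in CONTENT_TYPES and major == 3 and minor <= 4 and length <= MAX_RECORD_LEN:
        result["verdict"] = "tls_record"
        result["detail"] = f"{CONTENT_TYPES[ctype]} record, {length} bytes"
    elif looks_http:
        # ASCII such as "HTTP/" decodes to a length field above the protocol limit,
        # which is where a "record exceeded the maximum permissible length" comes from.
        result["verdict"] = "plaintext_http"
        result["detail"] = (f"HTTP text read as a record header gives length {length} "
                            f"(limit {MAX_RECORD_LEN})")
    else:
        result["verdict"] = "not_tls"
        result["detail"] = "bytes are neither a TLS record nor recognisable HTTP"
    return result


if __name__ == "__main__":
    for name, sample in [("http", SAMPLE_HTTP), ("tls", SAMPLE_TLS), ("alert", SAMPLE_ALERT)]:
        info = classify_first_bytes(sample)
        print(f"{name:6} {info['verdict']:15} {info['detail']}")
```

A `plaintext_http` verdict points at the server side (nothing is terminating SSL on that port for the site), not at the certificate that was uploaded.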