SSL RECORD TOO LONG on phpmyadmin

Discussion in 'Installation/Configuration' started by kmchen, Mar 16, 2020.

  1. kmchen

    kmchen Member

  2. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    has this only started happening recently?
    did you by any chance get new certificates with a different key length prior to this issue?
     
  3. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    that said, and assuming you haven't changed any of the default ports, (have you?). have you got support for tls1.2 and tls1.3 enabled?

    you should also ensure you've disabled support for tls1.0 and tls1.1 and all versions of SSL.
     
  4. kmchen

    kmchen Member

    I can't be sure when this happened, as I have not accessed phpmyadmin on that server for a long time.

    All certificates were generated automatically by certbot at server install a few months ago. I remember I did change keys from dsa to rsa, perhaps at server change.

    After a recent cert renewal error I wanted to let ISPCONFIG manage certs. I removed certbot renew from crontab, deleted all certificates and tried to make them with ISPCONFIG. It led to other errors on vhost certs, discussed in another post https://www.howtoforge.com/communit...ispconfig-interface-acme-message.83786/page-2

    I did not make any port changes.

    Does this answer your questions about TLS?
    Code:
    ks307144 ~ > grep -i tls /etc/ssl/openssl.cnf
    MinProtocol = TLSv1.2
    
     
    Last edited: Mar 17, 2020
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    The above error happens when you use https:// when there is HTTP:// available only. By default, phpmyadmin listens only on HTTP. You can enable the default SSL vhost on Debian and Ubuntu with:

    a2ensite default-ssl

    and then restart apache.
     
  6. kmchen

    kmchen Member

    The problem is that phpmyadmin http is redirected to https and I don't know where.

    default SSL is already enabled:
    Code:
    ks307144 ~ > a2ensite default-ssl
    Site default-ssl already enabled
    
     
  7. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    just tried wget http://ks307144.kimsufi.com/phpmyadmin/index.php and that didn't make any attempt to redirect to https, just downloaded the file.
    are you specifying http:// on the browser url? if you're just starting from the hostname then maybe your browser is defaulting to https for the request.
     
  8. kmchen

    kmchen Member

    Thanks for that post. I realized there is a browser cache problem too. The url works for me from another browser; if I use "forget about that site" in Firefox, the url works again.
    But how did it cache http://ks307144.kimsufi.com/phpmyadmin/index.php to https://ks307144.kimsufi.com/phpmyadmin/index.php ?

    And how do I put phpmyadmin under https ?
     
  9. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    clearing the browser cache doesn't always clear out stored redirects, a complete restart seems to be needed sometimes.

    also some browsers now will automatically make the original request as https:// unless you specifically use http://

    you can't put phpMyAdmin under https unless you have it installed in its own vhost. if it's just added in as an alias in /etc/apache2/conf-enabled/phpMyAdmin.conf then it'll use whatever certificate is applied to whatever domain url is used in your browser.
     
  10. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    You seem to be running http on port 443, as @till said that error indicates. http://ks307144.kimsufi.com:443/phpmyadmin/index.php (note http on 443) is probably a functioning phpmyadmin.

    So it seems your default-ssl vhost config does not enable ssl, or that config is not in use. You can check /etc/apache2/sites-available/default-ssl.conf for the former, and run `apachectl -S` to determine the latter.

    Start with enabling the SSL and Let's Encrypt checkboxes in your ks307144.kimsufi.com vhost settings, and troubleshoot till that issues a certificate.

    One last case which might help others searching this thread, if you have loaded an https site https://ks307144.kimsufi.com/ which sends an HSTS header (Strict-Transport-Security) in your browser, it will upgrade all future http requests to https automatically. That is not the case for you, you actually have an almost opposite scenario (running plain http on https port).
     
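Added example (not part of any post in the thread): a short Python sketch of why plain HTTP on port 443 surfaces as "record too long", plus a live handshake check. A TLS client reads the first five bytes of any reply as a record header, so the bytes `HTTP/` decode to a length above the protocol maximum. The function names and the sample byte strings are constructed for illustration.

```python
import socket
import ssl
import struct

MAX_RECORD_LEN = 2**14 + 2048  # largest TLS 1.2 ciphertext record (RFC 5246)
TLS_CONTENT_TYPES = {20, 21, 22, 23}  # change_cipher_spec, alert, handshake, app data


def parse_record_header(data: bytes):
    """Read 5 bytes as a TLS client would: content type, version, length."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return ctype, (major, minor), length


def diagnose(first_bytes: bytes) -> str:
    """Classify the first bytes a server returned on a port expected to speak TLS."""
    ctype, (major, _), length = parse_record_header(first_bytes)
    if ctype in TLS_CONTENT_TYPES and major == 3 and length <= MAX_RECORD_LEN:
        return "tls"
    if first_bytes.startswith(b"HTTP/"):
        # 'P' and '/' land in the length field: 0x502F = 20527 > MAX_RECORD_LEN
        return "plain-http (record too long: %d)" % length
    return "unknown"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Live check: attempt a real handshake and report what the port speaks."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "tls " + tls.version()
    except ssl.SSLCertVerificationError:
        return "tls, but the certificate did not validate"
    except ssl.SSLError as exc:
        return "not tls: %s" % exc.reason


# Constructed samples: a plain-HTTP reply and a TLS 1.2 handshake record header.
HTTP_REPLY = b"HTTP/1.1 400 Bad Request\r\n"
TLS_REPLY = bytes([22, 3, 3, 0, 80])

if __name__ == "__main__":
    print(diagnose(HTTP_REPLY))
    print(diagnose(TLS_REPLY))
```

`probe()` needs network access to the server being checked; the two `diagnose()` calls run offline on the constructed samples.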
