How to fix ERR_SSL_PROTOCOL_ERROR: example.com sent an invalid response.

In Chrome you might get a cryptic error message saying

This site can’t provide a secure connection


example.com sent an invalid response.

ERR_SSL_PROTOCOL_ERROR

In Firefox, the error message is

Secure Connection Failed

An error occurred during a connection to your-domain-nameexample.com. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG

Why do I get this error?

The error messages are not clear in describing what the problem is. HTTP and HTTPS are different protocols for the browser to talk to the server.

In HTTP, when the browser requests a webpage from the webserver, the webserver sends the response as plain text. This text is prefixed with a header that tells the browser the type of the response, its length and other attributes the browser needs in order to process it. Usually the response is HTML, but it can also take other forms such as audio, video, JSON or XML.

In HTTPS, the HTTP content is encrypted so that no one other than the browser and the server can read the response. The HTTP header is therefore encrypted too. A separate HTTPS-specific header is prefixed to the encrypted message to tell the browser how to decrypt the actual response.

Thus HTTP and HTTPS are different protocols and use different headers.

In our case the browser requests an HTTPS URL, so it expects a response with a fixed-length header. Instead, it receives an HTTP response with a variable-size header and different attributes. This causes the error.
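The mismatch described above becomes visible when the first five bytes of a reply are read the way a TLS client reads them. This is an added example, not code from the original article; the sample byte strings are constructed and `probe()` is a hypothetical helper for checking a server you administer.

```python
import socket
import ssl
import struct

# Largest record length a TLS 1.2 peer may send: 2^14 bytes plus 2048 overhead.
TLS_MAX_RECORD = 2**14 + 2048
TLS_CONTENT_TYPES = {20, 21, 22, 23}  # change_cipher_spec, alert, handshake, application_data

def classify_first_bytes(data: bytes) -> dict:
    """Read 5 bytes as a TLS record header: type(1) | version(2) | length(2)."""
    if len(data) < 5:
        return {"verdict": "too_short"}
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype in TLS_CONTENT_TYPES and major == 3 and length <= TLS_MAX_RECORD:
        verdict = "tls_record"
    elif data.startswith(b"HTTP/"):
        verdict = "plaintext_http"
    else:
        verdict = "unknown"
    return {"verdict": verdict, "content_type": ctype, "version": (major, minor),
            "length": length, "record_too_long": length > TLS_MAX_RECORD}

def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Attempt a TLS handshake and report whether the port speaks TLS at all."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return f"TLS handshake OK ({tls.version()})"
    except ssl.SSLCertVerificationError as exc:
        return f"port speaks TLS, but certificate verification failed: {exc.verify_message}"
    except ssl.SSLError as exc:
        # OpenSSL-based clients typically report WRONG_VERSION_NUMBER for a plaintext reply.
        return f"TLS handshake failed: {exc.reason}"

# Constructed samples: a ServerHello record header and a plain HTTP reply.
SAMPLE_TLS = bytes.fromhex("160303007a0200007603")
SAMPLE_HTTP = b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for name, sample in (("tls", SAMPLE_TLS), ("http", SAMPLE_HTTP)):
        print(name, classify_first_bytes(sample))
    # probe("www.your-domain-name.com")  # placeholder host name
```

Read as a record header, the letters `HTTP/` give a length field of 0x502F (20527 bytes), which is above the permitted maximum; that is where Firefox's "record that exceeded the maximum permissible length" comes from.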

Finding a solution for this can be very daunting but let us approach this slowly. There are two things that we know for certain here.

 

Cause of the Error

 

The error could originate either at the webserver or at one of the intermediaries (such as a local proxy server, reverse proxy or load balancer).

At this point, if SSL itself is configured on your webserver, then that is where we will look.

 

In that case, we can be sure of two things.

1. Your webserver is listening at the right port for https which is 443.

2. The webserver is serving plain text content instead of encrypted content.

 

Now I am going to show how to fix this problem when you are running the Apache webserver. This is because all the cases I have encountered were running Apache. If you run into the same problem but run a different webserver, I am very curious. Ping me at sharmi@sitefitnesshq.com and let's fix it together.

 

There are multiple configuration issues that may result in this error. Let's go over the solution for each, one by one.

 

The config files are found inside `/etc/httpd` or `/etc/apache2`, depending on the Linux distribution. From now on, I will use `<apache-etc>` for simplicity's sake. Please remember that on your machine it could be either `/etc/httpd` or `/etc/apache2`.

 

Solution

The first thing we are going to look at is your website's config file, `<apache-etc>/sites-enabled/<your-domain-name.conf>`.

 

To make the webserver support both HTTP and HTTPS, it has to listen on both 80 and 443. The default port for HTTP is 80 and for HTTPS it is 443. We need to ensure that there are separate `Listen` directives and `VirtualHost`s for HTTP and HTTPS. For a template, please see the example below.

 

```apache
LoadModule ssl_module modules/mod_ssl.so

Listen 443
Listen 80

# The NameVirtualHost directive should be specified only once.
# (Needed on Apache 2.2; Apache 2.4 no longer requires it.)
NameVirtualHost *:80
NameVirtualHost *:443

# Plain HTTP
<VirtualHost *:80>
    ServerName www.your-domain-name.com
    SSLEngine off
    ...
</VirtualHost>

# HTTPS
<VirtualHost *:443>
    ServerName www.your-domain-name.com
    SSLEngine on
    SSLCertificateFile "/path/to/www.your-domain-name.com.cert"
    SSLCertificateKeyFile "/path/to/www.your-domain-name.com.key"
    ...
</VirtualHost>
```

 

The `NameVirtualHost` directive should be specified only once. It indicates which ports and interfaces will have a `VirtualHost` associated with them. Sometimes it is already defined by a default include (like `<apache-etc>/ports.conf`). If so, we should not specify it here.

 

For more examples, check out Apache2’s official documentation

 

Things to watch out for

  • `VirtualHost` uses pattern matching to decide which incoming client requests are served by which `VirtualHost` block.

    • Ensure that no `VirtualHost` is a catch-all, i.e. like `<VirtualHost *>`. A catch-all prevents the HTTPS requests from matching the `VirtualHost` that has SSL enabled. At the very least, the `VirtualHost` should also have the port specified, i.e. `<VirtualHost *:80>` for non-HTTPS requests and `<VirtualHost *:443>` for HTTPS requests.
  • Using an FQDN (fully qualified domain name) in the `VirtualHost` also causes errors, i.e. don't use `<VirtualHost example.com:443>`. Instead, some valid `VirtualHost` names you can use are

    • `<VirtualHost *:443>`
    • `<VirtualHost _default_:443>`
    • `<VirtualHost [Ip Address]:443>`, where you replace `[Ip Address]` with your server's IP (e.g. 192.168.1.1). If you do not know the right IP to use, it is safer to use one of the above two options.
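The checks listed above can be run mechanically over a site config. This is an added example, not code from the original article; `lint_vhosts` is a hypothetical helper name and the sample config is constructed to contain a catch-all, a host name used as an address, and a port 443 `VirtualHost` that never turns `SSLEngine on`.

```python
import re

VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.I)
SSL_ON = re.compile(r"^\s*SSLEngine\s+on\b", re.I)
ADDR = re.compile(r"^(.*?)(?::(\d+|\*))?$")          # host, optional :port
NOT_A_HOSTNAME = re.compile(r"^(\*|_default_|\d{1,3}(\.\d{1,3}){3}|\[[0-9a-fA-F:.]+\])$")

def lint_vhosts(conf: str) -> list:
    """Return (line_number, message) findings for the pitfalls listed above."""
    findings = []
    open_line, serves_443, ssl_on = None, False, False
    for lineno, line in enumerate(conf.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue                                  # Apache comments are whole lines
        opened = VHOST_OPEN.match(line)
        if opened:
            open_line, serves_443, ssl_on = lineno, False, False
            for token in opened.group(1).split():
                host, port = ADDR.match(token).groups()
                if port in (None, "*"):
                    findings.append((lineno, f"{token}: no port, can capture HTTPS requests"))
                serves_443 = serves_443 or port == "443"
                if not NOT_A_HOSTNAME.match(host):
                    findings.append((lineno, f"{token}: hostname used as VirtualHost address"))
        elif open_line and SSL_ON.match(line):
            ssl_on = True
        elif open_line and VHOST_CLOSE.match(line):
            if serves_443 and not ssl_on:
                findings.append((open_line, "port 443 VirtualHost without 'SSLEngine on'"))
            open_line = None
    return findings

# Constructed sample showing all three problems (not from a real server).
SAMPLE = """\
<VirtualHost *>
    ServerName www.your-domain-name.com
</VirtualHost>
<VirtualHost www.your-domain-name.com:443>
    ServerName www.your-domain-name.com
    SSLEngine on
</VirtualHost>
<VirtualHost *:443>
    ServerName www.your-domain-name.com
</VirtualHost>
"""

if __name__ == "__main__":
    for lineno, message in lint_vhosts(SAMPLE):
        print(f"line {lineno}: {message}")
```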

 

If you have any issues figuring it out, we are here to help. Please email sharmi@sitefitnesshq.com or use the chat window at the bottom and we will help you.
