SSL received a record that exceeded the maximum permissible length


(Pad Pors) #1

Some of our users get this error when they try to open our forum in Firefox:

SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG

No matter what, they can’t open the forum. There were some threads on Stack Overflow stating that it’s about port 80 rather than port 443:

But based on this howto document for running HTTPS using Let’s Encrypt, both ports are already exposed.

Does anyone have a similar issue? Do you have any suggestions on how to solve this?


Site doesn't launch after bringing back nginx reverse proxy
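A TLS client reads the first five bytes a server sends as a record header (one byte content type, two bytes version, two bytes length), and SSL_ERROR_RX_RECORD_TOO_LONG is what Firefox reports when that length field is impossible. The usual reason, and the one the Stack Overflow threads mentioned above point at, is that port 443 is answering in plaintext HTTP: the ASCII bytes "P/" of "HTTP/" read as a length of 20527, well over the limit. The script below is an added example, not code from this thread or from Discourse; it sends a minimal ClientHello to a host you name, classifies the first bytes of the reply, and also runs offline on constructed samples. The hostname argument, the record-size bound and the choice of cipher suites are this example's own assumptions.

```python
"""Diagnose SSL_ERROR_RX_RECORD_TOO_LONG by looking at what a server really
sends back on its TLS port (added example, not part of the original thread)."""
import os
import socket

# Maximum TLS record length a client will accept: 2^14 bytes of plaintext plus
# 2048 bytes of permitted expansion (assumed bound used by this example).
MAX_TLS_RECORD_LEN = 16384 + 2048

TLS_CONTENT_TYPES = {
    0x14: "change_cipher_spec",
    0x15: "alert",
    0x16: "handshake",
    0x17: "application_data",
}

# Constructed sample: what a web server answering plaintext HTTP on port 443
# typically returns when it receives a TLS ClientHello.
SAMPLE_PLAINTEXT_REPLY = b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"


def classify_first_bytes(data: bytes) -> dict:
    """Interpret the first 5 bytes the way a TLS client does and report what
    the server is actually speaking on this port."""
    if len(data) < 5:
        return {"kind": "short", "received": len(data)}
    content_type, major, minor = data[0], data[1], data[2]
    # The record length a TLS parser would read from bytes 3..4, right or wrong.
    declared_length = int.from_bytes(data[3:5], "big")
    result = {"declared_length": declared_length}
    if data.startswith(b"HTTP/"):
        # Plaintext HTTP on the TLS port: the classic cause of this error.
        result["kind"] = "plaintext_http"
        result["status_line"] = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return result
    if content_type in TLS_CONTENT_TYPES and major == 3 and minor <= 4:
        if declared_length > MAX_TLS_RECORD_LEN:
            result["kind"] = "record_too_long"
        else:
            result["kind"] = "tls"
            result["content_type"] = TLS_CONTENT_TYPES[content_type]
        return result
    result["kind"] = "not_tls"
    return result


def build_client_hello() -> bytes:
    """Minimal TLS 1.2 ClientHello with no extensions. Servers that require SNI
    or TLS 1.3 answer with an alert instead of a ServerHello, but an alert is
    still a well-formed TLS record, which is all the probe needs to see."""
    body = (
        b"\x03\x03" + os.urandom(32)         # client_version 1.2 + 32-byte random
        + b"\x00"                             # empty session id
        + b"\x00\x04\xc0\x2f\x00\x2f"         # 2 cipher suites (4 bytes of list)
        + b"\x01\x00"                         # one compression method: null
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = client_hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Send the ClientHello to a live server and classify its first 5 bytes.
    Needs network access, so it is not part of the offline checks."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        data = b""
        while len(data) < 5:
            chunk = sock.recv(5 - len(data))
            if not chunk:
                break
            data += chunk
    return classify_first_bytes(data)


if __name__ == "__main__":
    import sys
    print("offline sample:", classify_first_bytes(SAMPLE_PLAINTEXT_REPLY))
    if len(sys.argv) == 2:
        print("live probe:", probe(sys.argv[1]))
```

Run it with the forum's hostname as the only argument; a result of `plaintext_http` means the port reached is serving HTTP without TLS, `tls` with `handshake` or `alert` means a real TLS endpoint answered. When a CDN sits in front of the origin, the probe talks to the CDN's edge, so repeat it against the origin's own address to compare the two.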
(Bhanu Sharma) #2

I have seen that issue quite frequently when the SSL is not configured properly from the server side.

Are you using the default Let’s Encrypt shipped with the Discourse Docker image, or have you installed some kind of reverse proxy in front of your install?


(Pad Pors) #3

Thanks @itsbhanusharma, we are using a reverse proxy using this howto:

as well as Cloudflare and Let’s Encrypt.


(Bhanu Sharma) #4

The very first thing to try will be to check if Cloudflare is causing this!

What do you get if you disable Cloudflare optimizations?


(Pad Pors) #5

:+1:

Deactivating Rocket Loader™ & **Brotli** does the magic!

Deactivating Brotli makes the page load, but as an empty page (the error goes away).
Deactivating Rocket Loader as well makes everything work fine.

But then when I open a private browsing window with tracking protection in Firefox, I get the same error: SSL_ERROR_RX_RECORD_TOO_LONG. Is it because of the nature of private windows?


(Bhanu Sharma) #6

I don’t think so!
I’d still highly doubt it’s Cloudflare trying to do funny things with your site!
What SSL mode is your certificate in on the Cloudflare side? Is it “flexible” for some reason? If so, try changing it to “full” and try again.
SSL settings are under the Crypto tab.


(Pad Pors) #7

I see.

No, it’s full; changing it to full (strict) doesn’t help either.


(Bhanu Sharma) #8

Can you redact identifiable information and post the configuration for your reverse proxy?


(Pad Pors) #9

Here are the templates and port in app.yml.

and for the /etc/nginx/sites-enabled/discourse.conf it looks like this:

I hope this is what you meant.


(Bhanu Sharma) #10

It seems like the problem is your probably expired certificates. If I’m not mistaken, you’re using the nginx outside the Docker container to utilize the certificates originally generated by Discourse. What I understand is that those certificates cannot be renewed anymore (because we disabled the web.ssl template) and hence that might be causing the issue!

Do you mind following a different guide, or maybe using Cloudflare to manage termination by removing your internal nginx if that doesn’t serve a purpose? Because technically there should be only one location that handles the SSL termination, and if you use Cloudflare then they should be the one handling it, not you!


(Pad Pors) #11

I see. To be sure if this is the case: this error only happens in some Firefox sessions, and not all of them. Is that OK?

Is there any howto guide for using HTTPS alongside Cloudflare? I couldn’t find any; I’d appreciate it if you could guide me.

Won’t this cause any further errors? I’m also not sure how to use Cloudflare for this purpose.

Update: here is the information on the certificate when the site loads correctly:


(Bhanu Sharma) #12

I can think of a lot of reasons why that might be the case! The primary one being that your SSL is being cached with the Cloudflare responses.

There isn’t a guide to use Cloudflare with SSL on your server because that isn’t feasible at all. For the SSL thing to happen (in the case of Let’s Encrypt anyway) your server needs to say hello on ports 80 & 443, which in the case of Cloudflare are proxied by their servers, so the ACME server doesn’t get the desired response and SSL creation/renewal fails.
For the site to work with SSL, the easiest way is to use the Cloudflare template on your server and use their certificate in flexible mode. You can as well remove the nginx server installed on your server and simply open port 80 for Docker. If you need additional security, you can set up a firewall to disallow connections from anything other than Cloudflare IPs to your server.

Hmmm … I’m not sure. I’ve never had a good time with Cloudflare and Discourse. There have been a lot of issues in setting it up, and even after I managed to get it up & running, most of the things failed on me because there are a lot of tools in Cloudflare which do very aggressive caching and Discourse doesn’t like it.

The final choice would still be yours; if you have to have Cloudflare then use the method I suggested. This is the “most likely would work” type of situation, but I won’t take any responsibility if Cloudflare decides to be funny and doesn’t let it work.

That speaks for itself! This is the Cloudflare proxy SSL, not the one being served from your server.


(Pad Pors) #13

Thanks for your help :heart:, hopefully one last question:

There were people typing www.padpors.com to go to our forum; as a result we used the reverse proxy to redirect www to https. Is there any other way, rather than using nginx outside the Docker, to solve this?


(Pad Pors) #14

No such error has been reported after we brought back our nginx inside the Docker and removed the reverse proxy.