SSL certicate on add on domain error

On a user account primary domain example.com with it's own ip address for account (working 100% fine) with add-on domain add-on-domain.com, generated self signed ssl cert (with built in generator and with XCA in case there was a problem with cert) for add-on-domain.com.  The cert installed OK, but while it would operate fine on port 443 for example.com (after authorising in browser of course) and on https://ip-address, when attempting to access https://add-on-domain.com it throws this error on browser :

An error occurred during a connection to add-on-domain.com SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG

I would suspect a problem with setup but for the fact main url works ok.

port 80 http works as expected - no problems

I have checked entry in vhosts-ssl.conf looks fine

got me beat, can anyone suggest what might be going on here please ?

Update - I deleted add on domain and created separate account on own ip address added the subject domain as primary for new account then added same ssl cert and it worked fine no errors (other than self signed error in browser), so as all parameters are the same, I suspect that there is a bug in panel when adding cert to add on domain, some field not needed on primary domain is not being added or updated to use with add on domain... this is speculation, I am no apache guru, so I am not sure what to check. FYI: running centos7 with cwp7 - so apache 2.4.

Also I have added self signed ssl certs to addon domains in cpanel before now without issue and have not struck this problem there....

check the cert and private key should match or reissue the certs vy generating new CSR

check the cert and private key should match or reissue the certs vy generating new CSR

Yes cert & key match and I have tried regen several times and for more than one domain as well. besides they were generated by built in SSL generator - self signed so no csr required other than what is generated automatically.  This works fine on primary domain names but fails on add on domains and also now I discover on subdomains as well i.e generate cert for  sub.example.com and add cert to that subdomain the same problem occurs. I have tried every possible (I can think off) combination and nothing works or apache fails to restart if mismatch between cert and domain name where I tried adding cert for add on  or subdomain to main domain to see if that might be a workaround.

I really am now convinced this is a bug - unless there is something I am totally missing here. Are U not able to test this yourselves ?

I also generated cert for primary domain and added, worked 100% on that domain, now I should be able to access subdomains and add on domains using https on the same account, of course browser will complain about security and ask if I want to add exception - however that is not happening I am getting "An error occurred during a connection to secure.example.net. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG," this is with self signed and a legit CA auth signed cert as well that works as described below on cPanel - TESTED!!. 

To confirm that what I say is correct try https://centos-webpanel.com/ will do just as I say, message "Your connection is not secure The owner of centos-webpanel.com has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website." - click on advanced - add exception - view certificate status gives  "Common Name (CN) support.centos-webpanel.com issued by cPanel etc etc" this is what should be happening with this panel.

OK - UPDATE - AND A WORKING FIX FOR THOSE THAT NEED IT

Finally found a fix - bearing in mind that in this case each account has separate IP address, this was ssl-conf as generated by CWP panel before fix:

<IfModule !ssl_module>
LoadModule ssl_module modules/mod_ssl.so
</IfModule>
Listen 443
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

NameVirtualHost x.x.x.111:443
NameVirtualHost x.x.x.110:443
NameVirtualHost x.x.x.112:443

adding this line to end manually fixed the problem (SNI related I think)

NameVirtualHost *:443

also in vhosts-ssl.conf for each entry relating to ssl enabled addon domain or subdomain change ip address from x.x.x.x:443 to *:443

correct cert then loading for domains, this works for add-on and subdomains

dont forget to restart apache

Hope this solves the issue for anyone else who experiences hours of grief trying to figure it out ! 

You can also edit your "/usr/local/apache/conf.d/vhosts-ssl.conf" and on the first lines you'll find this:

Here where you have your server IP, for example "1.1.1.1"
<VirtualHost 1.1.1.1:443>

You just need to replace it by *, like this:
<VirtualHost *:443>

And it will work

NameVirtualHost is only needed with apache 2.2 and cwp default and latest is 2.4 so you should upgrade to latest

Code: [Select]

yum update cwp-httpd --enablerepo=cwp