I'm running a (self-signed) SSL cert site on Apache/2.2.14 on Ubuntu 10.04, but various browsers are giving errors on half the connection attempts. Just now saw this transient error from Chrome:
"Error 126 (net::ERR_SSL_BAD_RECORD_MAC_ALERT): Unknown error."
Hit refresh and the problem goes away for a while.
wget too:
$ wget --no-check-certificate https://dev.foo.com/deps/
--2010-09-08 19:30:26-- https://dev.foo.com/deps/
Resolving dev.foo.com... 184.72.53.220
Connecting to dev.foo.com|184.72.53.220|:443... connected.
OpenSSL: error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
OpenSSL: error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed
OpenSSL: error:1408D07B:SSL routines:SSL3_GET_KEY_EXCHANGE:bad signature
Unable to establish SSL connection.
Run it right away again and it works:
$ wget --no-check-certificate https://dev.foo.com/deps/
--2010-09-08 19:30:29-- https://dev.foo.com/deps/
Resolving dev.foo.com... 184.72.53.220
Connecting to dev.foo.com|184.72.53.220|:443... connected.
WARNING: cannot verify dev.foo.com's certificate, issued by `/CN=dev.foo.com':
Self-signed certificate encountered.
HTTP request sent, awaiting response... 200 OK
Length: 3157 (3.1K) [text/html]
Saving to: `index.html'
100%[======================================>] 3,157 --.-K/s in 0s
2010-09-08 19:30:29 (48.6 MB/s) - `index.html' saved [3157/3157]
In my sites-enabled/default-ssl:
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
The cert:
The cert is in turn generated via:
$ make-ssl-cert generate-default-snakeoil --force-overwrite
Apache version:
$ apache2 -V
Server version: Apache/2.2.14 (Ubuntu)
Server built: Apr 13 2010 20:22:19
Server's Module Magic Number: 20051115:23
Server loaded: APR 1.3.8, APR-Util 1.3.9
Compiled using: APR 1.3.8, APR-Util 1.3.9
Architecture: 64-bit
Server MPM: Worker
threaded: yes (fixed thread count)
forked: yes (variable process count)
Server compiled with....
-D APACHE_MPM_DIR="server/mpm/worker"
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=128
-D HTTPD_ROOT=""
-D SUEXEC_BIN="/usr/lib/apache2/suexec"
-D DEFAULT_PIDLOG="/var/run/apache2.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="/etc/apache2/mime.types"
-D SERVER_CONFIG_FILE="/etc/apache2/apache2.conf"
I don't administer the network, hardware, etc. - this is all running on Amazon EC2. I'm not running a load-balancer or anything else in front of the server. I'm making direct TCP connections to that host (AFAIK).
Any ideas? Thanks in advance for any help.
The issue you are having is that intermittently, the signature on the message received by the browser is wrong.
This can happen for a very large number of reasons. For instance, you may be experiencing an openssl bug, a hardware failure (bad RAM or CPU), some kind of freak coincidence with your key (astronomically unlikely). Or, you may be experiencing exactly what the MAC is designed to detect: someone may be tampering with your traffic en route.
Since your certificate is self-signed, go ahead and replace it, restart apache, and continue, just as a troubleshooting step. If this doesn't work, check that you are running the latest version of openssl (or just change the openssl version for the fun of it). If you still get MAC errors, investigate whether you have a hardware failure or network tampering going on.
This part of the error is particularly telling:
This indicates that most likely the message has been modified from the version that was signed, and possibly truncated.
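As an added troubleshooting aid (not code from the original question or any of the answers): a small POSIX shell script that repeats the handshake against the host and counts how many attempts end in the `bad signature` / bad record MAC errors shown above versus a completed handshake. The hostname and attempt count are script arguments, and `openssl s_client` is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the original post: repeat the TLS handshake against
# one host and tally how each attempt ended, so an intermittent failure of the
# ServerKeyExchange signature check can be told apart from a steady one.
# Assumes `openssl s_client` is on PATH; host and attempt count come from argv.

# Map one line of openssl/wget/Chrome output to a coarse class; s_client prints
# "Verify return code" only after a completed handshake.
classify_openssl_error() {
    case "$1" in
        *"RSA_padding_check"*|*"padding check failed"*|*"bad signature"*)
            echo "bad-signature" ;;
        *"bad record mac"*|*"BAD_RECORD_MAC"*)
            echo "bad-record-mac" ;;
        *"Verify return code"*|*"200 OK"*)
            echo "handshake-ok" ;;
        *)  echo "other" ;;
    esac
}

# Count classes over lines read from stdin, one line per attempt.
tally_errors() {
    ok=0; sig=0; mac=0; other=0
    while IFS= read -r line; do
        case "$(classify_openssl_error "$line")" in
            handshake-ok)   ok=$((ok + 1)) ;;
            bad-signature)  sig=$((sig + 1)) ;;
            bad-record-mac) mac=$((mac + 1)) ;;
            *)              other=$((other + 1)) ;;
        esac
    done
    echo "handshake-ok=$ok bad-signature=$sig bad-record-mac=$mac other=$other"
}

# Attempt COUNT handshakes against HOST:443, keeping one telling line per try.
tls_probe() {
    host=$1; count=${2:-20}; i=0
    while [ "$i" -lt "$count" ]; do
        echo | openssl s_client -connect "$host:443" -servername "$host" 2>&1 \
            | grep -m1 -E 'error:[0-9A-Fa-f]+:|Verify return code' \
            || echo "no output"
        i=$((i + 1))
    done | tally_errors
}

# Usage: sh probe.sh dev.foo.com 50
if [ "$#" -ge 1 ]; then
    tls_probe "$1" "$2"
fi
```

A run that reports a handful of bad-signature results among mostly good handshakes points at a flaky worker process or hardware rather than a misconfiguration; a steady 100% failure points at the key or the configuration.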
First of all, self-signed certificates are often more pain than a cheap SSL cert for end users. I do not recommend using them if you have any kind of public interfacing, or even a large number of internal users. Browsers are increasingly getting strict on self-signed certificates by denying them default trust.
Second, there are several different trust stores on a machine.
Linux uses NSS generally (mozilla), but alternative browsers may have their own trust stores too.
It is possible for a certificate to have the incorrect OIDs set, etc. We need to see the actual certificate. PKIs do not really have confidentiality for certificates - only for private keys.
Please use http://pkif.sourceforge.net/pitt.html and tell us what errors you have, or don't have.
Thanks.
I am not a programmer, so please be lenient with me :)
A couple of days ago I had a problem with access to my gmail account with Error 126 (net::ERR_SSL_BAD_RECORD_MAC_ALERT) in Chrome. Maybe your problem is similar to mine?! So I found the post http://www.luvfree.com/forums/general_discussion/i_cannot_access_to_my_gmailcom_error_126_neterr_ssl_bad_record_mac_alert_in_chro.htm This is a dating site, luvfree.com, but their advice helped me.
Maybe your problem is also in the router.
The fix to this problem was upgrading the firmware in the router.
A lot of things could be going wrong. I don't think anyone can answer this without knowing your network configuration and how Apache is configured, how load balancing is being done, and what type of round-robin it's using, as well as other hardware aspects of your network.
To me, it looks like, on the SSL hostname validator, it's getting an unexpected response that isn't matching the hostname?