After following the documentation for HTTPS with OneClick, we are seeing the error message "SSL_ERROR_RX_RECORD_TOO_LONG"

Article ID: 144822

Products

CA Spectrum

Issue/Introduction

Using the server.xml file from the Spectrum documentation section "Configure OneClick for Secure Sockets Layer", port 8443 is running, but it isn't possible to connect with a browser to https://<hostname>:8443/spectrum/. The browser returns the error code SSL_ERROR_RX_RECORD_TOO_LONG.
Error message: "java.lang.IllegalArgumentException: Invalid character found in method name. HTTP method names must be tokens"
However, it is possible to connect to http://<hostname>:8443/spectrum/

Cause

Details of investigation:

1. Listed the certificates in the keystore with this command:

./keytool -list -v -keystore /usr/Spectrum/custom/keystore/cacerts > keystore.out

2. Noticed in the keystore.out file that the tomcatssl alias was only a trustedCertEntry, as shown below:

Alias name: tomcatssl

Creation date: Jan 27, 2020

Entry type: trustedCertEntry

We would expect the entry type to be PrivateKeyEntry. The private key was accidentally overwritten when trying to import the CA-signed certificate for the CSR.

Environment

Spectrum 10.4.x
Spectrum 10.3.x
Spectrum 10.2.x

Resolution

1. Restore a backup of the keystore.

2. Verify OneClick works as expected.

As a best practice, always take a backup of the keystore.

See "Import a Certificate Authority-Signed Certificate" in the documentation linked under Additional Information below. The CA-signed certificate must correspond exactly to the CSR that was created; otherwise you will overwrite your PrivateKeyEntry when you import the signed certificate.
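
The check from the Cause section can be scripted and run on the keytool listing before and after importing a signed certificate. This is an added example, not part of the original article or the Spectrum documentation; the function names and the sample keystore listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm that an alias in `keytool -list -v` output still holds a private key.
# Real use, with the listing command from the article:
#   ./keytool -list -v -keystore /usr/Spectrum/custom/keystore/cacerts | check_server_key tomcatssl

# entry_type ALIAS: reads `keytool -list -v` text on stdin and prints the
# "Entry type" of ALIAS. Returns 1 if the alias is not in the listing.
entry_type() {
    awk -v want="$1" '
        /^Alias name:/ { sub(/^Alias name:[ \t]*/, ""); sub(/[ \t\r]+$/, ""); cur = $0; next }
        /^Entry type:/ && tolower(cur) == tolower(want) {
            sub(/^Entry type:[ \t]*/, ""); sub(/[ \t\r]+$/, ""); print; found = 1; exit
        }
        END { exit (found ? 0 : 1) }
    '
}

# check_server_key ALIAS: returns 0 only if ALIAS is a PrivateKeyEntry,
# 1 if it is any other entry type, 2 if the alias is missing.
check_server_key() {
    etype=$(entry_type "$1") || { echo "FAIL: alias '$1' not found"; return 2; }
    case "$etype" in
        PrivateKeyEntry) echo "OK: $1 is a PrivateKeyEntry" ;;
        *) echo "FAIL: $1 is a $etype, expected PrivateKeyEntry"; return 1 ;;
    esac
}

# Constructed sample listings (not taken from a real keystore).
sample_broken() {
cat <<'EOF'
Keystore type: JKS

Your keystore contains 2 entries

Alias name: rootca
Creation date: Jan 27, 2020
Entry type: trustedCertEntry

Alias name: tomcatssl
Creation date: Jan 27, 2020
Entry type: trustedCertEntry
EOF
}
# Same listing with the last entry (tomcatssl) still holding its private key.
sample_good() { sample_broken | sed '$s/trustedCertEntry/PrivateKeyEntry/'; }

# Demo on the constructed samples.
sample_good   | check_server_key tomcatssl || true
sample_broken | check_server_key tomcatssl || true
```

If the check fails after an import, restore the keystore backup before restarting OneClick.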

 

Additional Information

Configure OneClick for Secure Sockets Layer

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/it-operations-management/spectrum/10-4/administrating/oneclick-administration/oneclick-server-communications-and-network-configuration/configure-oneclick-for-secure-sockets-layer.html