What This Error Actually Means
You’re trying to load a site via HTTPS, but Firefox hits a wall and displays a secure connection failure. Specifically, it shows the SSL_ERROR_RX_RECORD_TOO_LONG code. This isn't your standard "expired certificate" warning; it's a fundamental protocol mismatch. You won't find a "Proceed anyway" button here because the browser and server aren't even speaking the same language.
The Root Cause: HTTP vs. HTTPS
This error triggers when Firefox expects an encrypted TLS handshake but receives a plain, unencrypted HTTP response instead. It usually happens when a server is listening on port 443 but isn't configured to use SSL/TLS on that specific port.
Why the "record too long" wording? A standard TLS record has a maximum length of 16,384 bytes (16 KB). When Firefox connects, it sends a "Client Hello." If the server responds with plain text—like HTTP/1.1 404 Not Found—Firefox tries to interpret those first few ASCII characters as a binary length field. The resulting number is massive, far exceeding the 16 KB limit, which forces the browser to kill the connection for safety.
Fix 1: Repairing Nginx Configurations
Server administrators running Nginx often trigger this by omitting the ssl parameter in the listen directive. If your config looks like the snippet below, you've found the culprit:
server {
listen 443;
server_name example.com;
# Error: Port 443 is open, but SSL is not active
}
To fix this, append ssl to your listen line and define your certificate paths. Modern setups should also specify TLS versions to avoid older, vulnerable protocols:
server {
listen 443 ssl;
server_name example.com;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
# Use TLS 1.2 and 1.3 for better security
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
}
Before leaving the terminal, validate your syntax and reload the service:
sudo nginx -t
sudo systemctl reload nginx
Fix 2: Correcting Apache VirtualHosts
Apache users face this issue if the SSLEngine is turned off within a port 443 block. Even with valid certificates linked, Apache defaults to plain text unless you explicitly toggle encryption on.
Check your configuration file (usually in /etc/apache2/sites-available/) for these lines:
<VirtualHost *:443>
ServerName example.com
SSLEngine on
SSLCertificateFile /etc/ssl/certs/example.pem
SSLCertificateKeyFile /etc/ssl/private/example.key
</VirtualHost>
If you just installed a new certificate, make sure the SSL module is actually running. Run these commands to be sure:
sudo a2enmod ssl
sudo a2ensite your-ssl-config.conf
sudo systemctl restart apache2
Fix 3: Resolving Cloudflare Proxy Mismatches
If your traffic routes through Cloudflare or a similar CDN, the error often stems from an "SSL termination" loop. This happens when the proxy expects one protocol, but your origin server provides another.
- **The Flexible SSL Trap:** In "Flexible" mode, Cloudflare connects to your server via port 80 (HTTP). If your server has a forced redirect to port 443 but isn't configured for SSL there, the handshake will fail.
- **Full/Strict Mode:** This is the preferred setting. It requires your origin server to have a valid certificate (even a self-signed one for "Full" mode) and to communicate over port 443 using actual encryption.
Switch your Cloudflare settings to Full or Full (strict). Then, verify that your origin server isn't accidentally serving plain HTTP on port 443.
Fix 4: Local Browser Troubleshooting
Does the site work in Chrome or Safari but fail in Firefox? The issue might be a local caching glitch or a proxy conflict within the browser itself.
- **Force a Hard Refresh:** Hit `Ctrl + F5` (or `Cmd + Shift + R` on Mac) to bypass the local cache.
- **Check Firefox Proxy Settings:** Navigate to **Settings** > **Network Settings**. Ensure it's set to "No proxy" unless your environment specifically requires one.
- **Reset the Startup Cache:** Type `about:support` in the address bar and select **Clear startup cache...** to wipe temporary architectural data.
How to Verify the Fix
Don't just rely on the browser. Use curl to see exactly what the server is sending back. Run this command in your terminal:
curl -vI https://yourdomain.com
Look for the line * SSL connection using TLSv1.3. If you see Received HTTP/0.9 when not allowed, the server is still outputting plain text on an encrypted port. If the handshake completes successfully, your Firefox error should vanish immediately.