HTTPS SSL Phoenix 1.4

Been trying to generate a self-signed certificate for HTTPS testing on a webserver hosted on an AWS EC2 instance. When I run MIX_ENV=prod mix phx.server I get the error:

19:09:05.450 [error] Failed to start Ranch listener BlackbookWeb.Endpoint.HTTPS in 
:ranch_ssl:listen([cacerts: :..., key: :..., cert: :..., alpn_preferred_protocols: ["h2", "http/1.1"], 
next_protocols_advertised: ["h2", "http/1.1"], reuse_sessions: true, secure_renegotiate: true, certfile: 
'/home/ubuntu/documents/blackbook/_build/prod/lib/blackbook/priv/cert/selfsigned.pem', keyfile: 
'/home/ubuntu/documents/blackbook/_build/prod/lib/blackbook/priv/cert/selfsigned_key.pem', port: 443]) for 
reason :eacces (permission denied)

Did I generate the cert wrong with mix phx.gen.cert?
When I try setting up Let's Encrypt using certbot certonly it gives me a failed authorization procedure as well.

I've added only: ~w(css fonts images js favicon.ico robots.txt .well-known) to my endpoint.ex under Plug.Static.

My config looks like:

config :blackbook, BlackbookWeb.Endpoint,
  load_from_system_env: true,
  http: [port: 4000],
  server: true, 
  secret_key_base: Application.get_env(:blackbook, :secret_key_base),
  url: [host: "bb.bba.com", port: 443],
  cache_static_manifest: "priv/static/cache_manifest.json",
  https: [port: 443,
          otp_app: :blackbook,
          keyfile: Application.get_env(:blackbook, :keyfile),
          certfile: Application.get_env(:blackbook, :certfile)
          ],
  force_ssl: [hsts: true]

Having trouble finding my error. Do I need to tell my Ubuntu EC2 instance to listen on 443? My admin says he has forwarded the port already, though it's possible he did it incorrectly.

To me, that looks like the app doesn't have permission to read the cert files.

1 Like

how do I give it permission to read the cert files?

:wave:

With chmod, probably.

2 Likes

Do you have an example? Relatively new to Ubuntu.

whoami under the same user that you run mix tasks will give you the username, then sudo chown -R username:username /home/ubuntu/documents/blackbook to make this user (and their group) own the project root and all dirs / files recursively

1 Like

Standard users are usually not allowed to listen on ports lower than 1024. You need to use another port.

I do assume that /home/ubuntu/ is the home folder of the user that you are using to run the application. And therefore I usually assume that the certificates have proper permissions set.

1 Like
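The two replies above name the two usual causes of the :eacces in the OP's Ranch error: cert/key files the app user cannot read, and a port below 1024 bound by a non-root user. This added POSIX sh check (example code, not from the thread or from Phoenix/Plug) tells them apart; the file paths and uid it is given are whatever you pass in, and the names cert_readable, needs_root_for_port and diagnose are my own.

```shell
#!/bin/sh
# Added example: diagnose why a Phoenix HTTPS listener got :eacces.
# Two independent causes are checked:
#   1. certfile/keyfile not readable by the user running mix phx.server
#      (access() also fails if a parent dir lacks the x bit)
#   2. port < 1024 while the process is not root

# Returns 0 if the current user can read the given file.
cert_readable() {
  [ -r "$1" ]
}

# Returns 0 when binding needs root: port below 1024 and uid not 0.
# Arguments: port, effective uid (pass "$(id -u)" for the current user).
needs_root_for_port() {
  port=$1
  uid=$2
  [ "$port" -lt 1024 ] && [ "$uid" -ne 0 ]
}

# Prints one line per problem found and returns the number of problems,
# so exit status 0 means "nothing wrong that this script can see".
# Arguments: certfile, keyfile, port, uid.
diagnose() {
  certfile=$1
  keyfile=$2
  port=$3
  uid=$4
  problems=0
  for f in "$certfile" "$keyfile"; do
    if ! cert_readable "$f"; then
      echo "cannot read $f as uid $uid: fix owner (chown) or mode (chmod)"
      problems=$((problems + 1))
    fi
  done
  if needs_root_for_port "$port" "$uid"; then
    echo "port $port is below 1024 and uid $uid is not root:" \
         "bind a port >= 1024 and forward 443 to it, or run as root"
    problems=$((problems + 1))
  fi
  return "$problems"
}

# Usage with the paths from the OP's error (constructed here, they need
# not exist on your machine): reports what the listener would hit.
diagnose "$PWD/priv/cert/selfsigned.pem" \
         "$PWD/priv/cert/selfsigned_key.pem" 443 "$(id -u)"
```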

There was recently a PR with a very detailed guide on this topic opened on Plug.

4 Likes

Standard users are usually not allowed to listen on ports lower than 1024

thanks @NobbZ, that was a good hint for me! (+ a note for my-future-self: check What's the best way to serve restricted ports (e.g. 80, 443) with Phoenix?)

For some reason the chown still didn't work in my case. I had to start the server with sudo: sudo MIX_ENV=prod mix phx.server. It might have something to do with the way this particular server is configured.