HTTPS SSL Phoenix 1.4

Been trying to generate a self-signed certificate for HTTPS testing on a webserver hosted on an AWS EC2 instance. When I run MIX_ENV=prod mix phx.server I get the error:

19:09:05.450 [error] Failed to start Ranch listener BlackbookWeb.Endpoint.HTTPS in 
:ranch_ssl:listen([cacerts: :..., key: :..., cert: :..., alpn_preferred_protocols: ["h2", "http/1.1"], 
next_protocols_advertised: ["h2", "http/1.1"], reuse_sessions: true, secure_renegotiate: true, certfile: 
'/home/ubuntu/documents/blackbook/_build/prod/lib/blackbook/priv/cert/selfsigned.pem', keyfile: 
'/home/ubuntu/documents/blackbook/_build/prod/lib/blackbook/priv/cert/selfsigned_key.pem', port: 443]) for 
reason :eacces (permission denied)

Did I generate the cert wrong with mix phx.gen.cert?
When I try setting up Let’s Encrypt using certbot certonly it gives me a failed authorization procedure as well.

I’ve added only: ~w(css fonts images js favicon.ico robots.txt .well-known) to my endpoint.ex under Plug.Static.

My config looks like:

config :blackbook, BlackbookWeb.Endpoint,
  load_from_system_env: true,
  http: [port: 4000],
  server: true, 
  secret_key_base: Application.get_env(:blackbook, :secret_key_base),
  url: [host: "bb.bba.com", port: 443],
  cache_static_manifest: "priv/static/cache_manifest.json",
  https: [port: 443,
          otp_app: :blackbook,
          keyfile: Application.get_env(:blackbook, :keyfile),
          certfile: Application.get_env(:blackbook, :certfile)
          ],
  force_ssl: [hsts: true]

Having trouble finding my error. Do I need to tell my Ubuntu EC2 instance to listen on 443? My admin says he has forwarded the port already, though it’s possible he did it incorrectly.

To me, that looks like the app doesn’t have permission to read the cert files.

1 Like

How do I give it permission to read the cert files?

:wave:

With chmod, probably.

2 Likes

Do you have an example? Relatively new to Ubuntu.

whoami under the same user that you run mix tasks will give you the username, then sudo chown -R username:username /home/ubuntu/documents/blackbook to make this user (and their group) own the project root and all dirs / files recursively

1 Like

Standard users are usually not allowed to listen on ports lower than 1024. You need to use another port.

I do assume that /home/ubuntu/ is the home folder of the user that you are using to run the application. And therefore I usually assume that the certificates have proper permissions set.

1 Like
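
Added example, not part of any post in this thread: a shell check that separates the two explanations offered above for the :eacces error (certificate files the user cannot read versus binding a port below 1024 as a non-root user), and also flags a private key that group or other users can access. The function names are hypothetical, and it assumes a Linux host.

```sh
#!/bin/sh
# Added example (function names are hypothetical). Assumes a Linux host.

# Lowest port a non-root process may bind; 1024 if the sysctl file is absent.
unpriv_port_start() {
    cat /proc/sys/net/ipv4/ip_unprivileged_port_start 2>/dev/null || echo 1024
}

# port_check PORT UID START -> "privileged" or "ok".
# Ignores file capabilities such as CAP_NET_BIND_SERVICE.
port_check() {
    if [ "$2" -ne 0 ] && [ "$1" -lt "$3" ]; then
        echo privileged
    else
        echo ok
    fi
}

# file_check PATH -> "missing", "unreadable" or "ok" for the current user.
file_check() {
    if [ ! -e "$1" ]; then
        echo missing
    elif [ ! -r "$1" ]; then
        echo unreadable
    else
        echo ok
    fi
}

# key_mode_check PATH -> "loose" if group or other have any permission bit.
key_mode_check() {
    bits=$(ls -ld -- "$1" | cut -c5-10) || return 1
    if [ "$bits" = "------" ]; then echo ok; else echo loose; fi
}

# diagnose PORT CERTFILE KEYFILE: run as the user that starts the server.
diagnose() {
    echo "port $1: $(port_check "$1" "$(id -u)" "$(unpriv_port_start)")"
    echo "cert $2: $(file_check "$2")"
    echo "key  $3: $(file_check "$3")"
    if [ -e "$3" ]; then echo "key mode: $(key_mode_check "$3")"; fi
}

# Usage with the paths from the error message in the question:
#   d=/home/ubuntu/documents/blackbook/_build/prod/lib/blackbook/priv/cert
#   diagnose 443 "$d/selfsigned.pem" "$d/selfsigned_key.pem"
```

Run it as the same user that runs mix phx.server; a "privileged" port result with both files reported "ok" points at the bind rather than the certificates.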

There was recently a PR with a very detailed guide on this topic opened on Plug.

https://github.com/elixir-plug/plug/pull/803

4 Likes

Standard users are usually not allowed to listen on ports lower than 1024

thanks @NobbZ, that was a good hint for me! (+ a note for my-future-self: check "What's the best way to serve restricted ports (e.g. 80, 443) with Phoenix?")