My app is accessible when run on HTTP but connection times out when I try to add SSL

I don’t have enough experience with SSL so I’m not sure of the cause of this one. I was able to access my app on with the following configuration:

config :app, APP.Endpoint,
  url: [host: ""],
  http: [port: 4001],
  cache_static_manifest: "priv/static/cache_manifest.json"

However, if I try to change it to

config :app, APP.Endpoint,
  url: [host: ""],
  http: [port: 4002],
  https: [
    port: 4001,
    keyfile: "/etc/pki/tls/private/key.epm",
    certfile: "/etc/pki/tls/certs/cert.pem"
  ],
  cache_static_manifest: "priv/static/cache_manifest.json"

I can still start up the app totally fine, but now when I try to visit it at, the connection just times out and there’s no new log entry from the app whatsoever.

Could there be a problem with the keyfile/certfile and thus the TLS handshake itself fails? How will I be able to check it if that’s the case? Maybe I’ll have to supply the additional cacertfile argument in this case but I’m not sure.

A quick and dirty test is to just curl -v and look at the header portion. For example, curl -v returns this for me:

$ curl -v
* Rebuilt URL to:
*   Trying
* Connected to ( port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
* Server certificate: Let's Encrypt Authority X3
* Server certificate: DST Root CA X3
> GET / HTTP/1.1
> Host:
> User-Agent: curl/7.54.0
> Accept: */*
< HTTP/1.1 200 OK
< Server: nginx
< Date: Wed, 27 Jun 2018 15:14:34 GMT
< Content-Type: text/html; charset=utf-8
< Transfer-Encoding: chunked
< Vary: Accept-Encoding
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< X-Discourse-Route: list/latest
< Cache-Control: no-store, must-revalidate, no-cache, private
< X-Request-Id: 6476becc-3338-4156-b0c4-213b36e56f93
< X-Runtime: 0.146542
< X-Discourse-TrackView: 1
< Referrer-Policy: no-referrer-when-downgrade
<!DOCTYPE html>
<html lang="en">
    <meta charset="utf-8">
... rest of body elided...

So we can see curl has established a TLS connection and displays a bit of the certificate info. What do you see for your server?

Yeah apparently there’s no TLS connection info after * Connected to port 4001. Does that mean I didn’t provide my TLS certificates correctly and thus the handshake failed?

I eventually configured HAProxy to use a concatenated version of the certs and it worked. No idea why if I try to configure it in the Phoenix app itself it doesn’t. Maybe it didn’t use the intermediate certificate correctly (even though I did also try to specify cacertfile under https).

One thing that I have found useful for debugging SSL issues is running the openssl low level client, e.g.
openssl s_client -connect
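A pre-flight check in the same spirit as the s_client suggestion, added here as an example (it is not code from the thread, nor from Phoenix or cowboy): before pointing the endpoint at a keyfile/certfile, confirm that the private key actually belongs to the certificate and that the certificate chains to a root through its intermediate, which are the two silent failure modes raised earlier in the thread (a wrong file and a missing intermediate both leave the server running with nothing in its log while clients time out or abort the handshake). The script assumes the openssl and mktemp command-line tools are installed; it builds a throwaway root/intermediate/leaf PKI in a temp dir, constructed only for the demo, and does not touch the /etc/pki/tls paths from the question.

```shell
#!/bin/sh
# Added example, not code from the thread: pre-flight checks for a TLS key/cert pair
# with the openssl CLI, before handing the files to Phoenix/cowboy (or HAProxy).
# Assumes the openssl and mktemp binaries are installed; every path below is a
# placeholder inside a temp dir, not the /etc/pki/tls paths from the question.

# check_pair KEYFILE CERTFILE -> 0 when the private key belongs to the certificate
# (compares the SubjectPublicKeyInfo derived from each file).
check_pair() {
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# check_chain ROOTFILE LEAFFILE [UNTRUSTED] -> 0 when LEAFFILE chains up to ROOTFILE.
# UNTRUSTED holds intermediate certs (one file or a concatenated fullchain file);
# a missing intermediate is exactly the case where the client handshake fails
# while the server starts fine and logs nothing.
check_chain() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# make_demo_pki -> prints a temp dir holding a constructed root -> intermediate -> leaf
# PKI (throwaway 1-day certs, demo only) so the checks above can run offline.
make_demo_pki() {
  dir=$(mktemp -d)
  printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$dir/req.cnf"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$dir/ca.ext"
  # self-signed root
  openssl req -config "$dir/req.cnf" -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=demo-root" -addext "basicConstraints=critical,CA:TRUE" \
    -keyout "$dir/root.key" -out "$dir/root.pem" >/dev/null 2>&1
  # intermediate CA signed by the root
  openssl req -config "$dir/req.cnf" -new -newkey rsa:2048 -nodes \
    -subj "/CN=demo-intermediate" -keyout "$dir/int.key" -out "$dir/int.csr" >/dev/null 2>&1
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -extfile "$dir/ca.ext" -days 1 -out "$dir/int.pem" >/dev/null 2>&1
  # leaf (server) cert signed by the intermediate
  openssl req -config "$dir/req.cnf" -new -newkey rsa:2048 -nodes \
    -subj "/CN=localhost" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
    -CAcreateserial -days 1 -out "$dir/leaf.pem" >/dev/null 2>&1
  # the "concatenated version of the certs" that HAProxy accepted: leaf first, then issuer
  cat "$dir/leaf.pem" "$dir/int.pem" > "$dir/fullchain.pem"
  echo "$dir"
}

# demo: run the checks against the constructed PKI and report what each one says
demo() {
  d=$(make_demo_pki)
  check_pair "$d/leaf.key" "$d/leaf.pem" && echo "ok: leaf.key matches leaf.pem"
  check_pair "$d/int.key" "$d/leaf.pem" || echo "rejected: int.key is not the key for leaf.pem"
  check_chain "$d/root.pem" "$d/leaf.pem" || echo "rejected: leaf.pem alone does not reach root.pem (intermediate missing)"
  check_chain "$d/root.pem" "$d/leaf.pem" "$d/int.pem" && echo "ok: leaf.pem + int.pem chain to root.pem"
  check_chain "$d/root.pem" "$d/leaf.pem" "$d/fullchain.pem" && echo "ok: fullchain.pem supplies the intermediate"
  rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh check_tls.sh demo`; for a real deployment, substitute the deployed key, certificate and CA files in the check_pair/check_chain calls. Against a live endpoint, `openssl s_client -connect host:4001 -showcerts` prints the certificates the server actually sends, and a chain that stops at the leaf is the same missing-intermediate condition that check_chain reports.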
