I don’t have enough experience with SSL so I’m not sure of the cause of this one. I was able to access my app on myserver.com:4001 with the following configuration:
I can still start up the app totally fine, but now when I try to visit it at myserver.com:4001, the connection just times out and there’s no new log entry from the app whatsoever.
Could there be a problem with the keyfile/certfile and thus the TLS handshake itself fails? How will I be able to check it if that’s the case? Maybe I’ll have to supply the additional cacertfile argument in this case but I’m not sure.
A quick and dirty test is to just curl -v https://myserver.com:4001 and look at the header portion. For example, curl -v https://elixirforum.com returns this for me:
$ curl -v https://elixirforum.com
* Rebuilt URL to: https://elixirforum.com/
* Trying 176.9.20.99...
* TCP_NODELAY set
* Connected to elixirforum.com (176.9.20.99) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate: elixirforum.com
* Server certificate: Let's Encrypt Authority X3
* Server certificate: DST Root CA X3
> GET / HTTP/1.1
> Host: elixirforum.com
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx
< Date: Wed, 27 Jun 2018 15:14:34 GMT
< Content-Type: text/html; charset=utf-8
< Transfer-Encoding: chunked
< Vary: Accept-Encoding
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< X-Discourse-Route: list/latest
< Cache-Control: no-store, must-revalidate, no-cache, private
< X-Request-Id: 6476becc-3338-4156-b0c4-213b36e56f93
< X-Runtime: 0.146542
< X-Discourse-TrackView: 1
< Referrer-Policy: no-referrer-when-downgrade
<
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
... rest of body elided...
So we can see curl has established a TLS connection and displays a bit of the certificate info. What do you see for your server?
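The curl check above tells the layers apart by where the output stops: "Connected to ... port 4001" followed by silence means the TCP connection was accepted but no ServerHello ever came back, whereas a certificate error means the handshake completed and only the chain is wrong. The following script is an added example, not code from the thread or from Phoenix, that makes that distinction explicit. It probes host:port with a timeout, runs the handshake once with verification disabled (does TLS work at all?) and once with it enabled (does the chain verify?), and returns a short status for each outcome. The fake loopback servers at the bottom are constructed only to show the failure modes offline; the host and port on the command line are assumptions.

```python
"""Classify why a TLS connection to host:port fails, or report success."""
import socket
import ssl
import sys
import threading


def probe_tls(host, port, timeout=3.0, verify=True, cafile=None):
    """Connect to host:port and attempt one TLS handshake.

    Returns a short status so the three layers can be told apart:
      tcp_timeout / tcp_refused      -> nothing listening, or SYNs are dropped
      tls_handshake_timeout          -> TCP accepted, but no ServerHello came back
                                        ("Connected to ..." and then silence)
      tls_handshake_failed: <reason> -> the server answered but the handshake broke
      cert_verify_failed             -> handshake fine, but the chain does not verify
                                        (e.g. missing intermediate / wrong cacertfile)
      ok: <version>                  -> handshake completed
    """
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "tcp_timeout"
    except ConnectionRefusedError:
        return "tcp_refused"
    except OSError as exc:
        return f"tcp_error: {exc}"

    ctx = ssl.create_default_context(cafile=cafile)
    if not verify:
        # Verification off only to learn whether the handshake itself works.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        # wrap_socket() on an already connected socket runs the handshake at
        # once and honours the timeout set by create_connection().
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return f"ok: {tls.version()}"
    except socket.timeout:
        return "tls_handshake_timeout"
    except ssl.SSLCertVerificationError:
        return "cert_verify_failed"
    except ssl.SSLError as exc:
        return f"tls_handshake_failed: {exc.reason}"
    except OSError as exc:
        # e.g. ConnectionResetError when the peer closes on the ClientHello
        return f"tls_handshake_failed: {exc.__class__.__name__}"
    finally:
        raw.close()


# --- constructed loopback servers, used only to demonstrate the failure modes ---
_KEEP_ALIVE = []  # listening sockets that must stay open for the silent case


def start_silent_server():
    """Listen but never accept or answer: the kernel completes the TCP
    handshake, and the client's ClientHello then goes unanswered."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    _KEEP_ALIVE.append(srv)
    return srv.getsockname()[1]


def start_closing_server():
    """Accept one connection and close it without speaking TLS."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def free_closed_port():
    """Pick a loopback port that nothing is listening on."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # usage: python probe_tls.py myserver.com 4001   (host/port are assumptions)
    host, port = sys.argv[1], int(sys.argv[2])
    print("handshake only:", probe_tls(host, port, verify=False))
    print("with chain verification:", probe_tls(host, port))
```

If the first probe reports ok and the second reports cert_verify_failed, the endpoint speaks TLS but is not sending a chain the client can build, which is what a missing intermediate looks like; `openssl s_client -connect host:port -servername host -showcerts` then lists exactly which certificates the server presents.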
Yeah apparently there’s no TLS connection info after * Connected to myserver.com port 4001. Does that mean I didn’t provide my TLS certificates correctly and thus the handshake failed?
I eventually configured HAProxy to use a concatenated version of the certs and it worked. No idea why it doesn’t work if I try to configure it in the Phoenix app itself. Maybe it didn’t use the intermediate certificate correctly (even though I did also try to specify cacertfile under https).