My app is accessible when run on HTTP but connection times out when I try to add SSL

I don’t have enough experience with SSL, so I’m not sure of the cause of this one. I was able to access my app on myserver.com:4001 with the following configuration:

config :app, APP.Endpoint,
  url: [host: "myserver.com"],
  http: [port: 4001],
  cache_static_manifest: "priv/static/cache_manifest.json"

However, if I try to change it to

config :app, APP.Endpoint,
  url: [host: "myserver.com"],
  http: [port: 4002],                          # plain HTTP moved off 4001
  https: [port: 4001,                          # TLS now listens on the old HTTP port
          keyfile: "/etc/pki/tls/private/key.epm",
          certfile: "/etc/pki/tls/certs/cert.pem"],
  cache_static_manifest: "priv/static/cache_manifest.json"

I can still start up the app totally fine, but now when I try to visit it at myserver.com:4001, the connection just times out and there’s no new log entry from the app whatsoever.

Could there be a problem with the keyfile/certfile and thus the TLS handshake itself fails? How will I be able to check it if that’s the case? Maybe I’ll have to supply the additional cacertfile argument in this case but I’m not sure.

A quick and dirty test is to just curl -v https://myserver.com:4001 and look at the header portion. For example, curl -v https://elixirforum.com returns this for me:

$ curl -v https://elixirforum.com
* Rebuilt URL to: https://elixirforum.com/
*   Trying 176.9.20.99...
* TCP_NODELAY set
* Connected to elixirforum.com (176.9.20.99) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate: elixirforum.com
* Server certificate: Let's Encrypt Authority X3
* Server certificate: DST Root CA X3
> GET / HTTP/1.1
> Host: elixirforum.com
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx
< Date: Wed, 27 Jun 2018 15:14:34 GMT
< Content-Type: text/html; charset=utf-8
< Transfer-Encoding: chunked
< Vary: Accept-Encoding
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< X-Discourse-Route: list/latest
< Cache-Control: no-store, must-revalidate, no-cache, private
< X-Request-Id: 6476becc-3338-4156-b0c4-213b36e56f93
< X-Runtime: 0.146542
< X-Discourse-TrackView: 1
< Referrer-Policy: no-referrer-when-downgrade
<
<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8">
... rest of body elided...

So we can see curl has established a TLS connection and displays a bit of the certificate info. What do you see for your server?

Yeah apparently there’s no TLS connection info after * Connected to myserver.com port 4001. Does that mean I didn’t provide my TLS certificates correctly and thus the handshake failed?

I eventually configured HAProxy to use a concatenated version of the certs and it worked. No idea why if I try to configure it in the Phoenix app itself it doesn’t. Maybe it didn’t use the intermediate certificate correctly (even though I did also try to specify cacertfile under https).

One thing that I have found useful for debugging SSL issues is running the openssl low level client, e.g.
openssl s_client -connect myserver.com:4001.

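The two replies above suggest reading curl -v output and running openssl s_client to see what the server actually presents. The script below is an added example, not code from the thread or from Phoenix, that reproduces that check against a local stand-in server so the two outcomes can be compared side by side: it builds a throwaway root -> intermediate -> leaf chain, serves the leaf with openssl s_server (standing in for the Phoenix endpoint), and probes it with s_client once with only the leaf certificate and once with the intermediate sent along, the difference the HAProxy concatenated-certificate setup in the thread ended up fixing. The hostname myserver.test, the port 44331 and all file names are constructed for the demo; only the openssl binary is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the openssl-based TLS check
# described in the replies against a local stand-in server.  It builds a
# throwaway root -> intermediate -> leaf chain, serves the leaf with
# `openssl s_server` in place of the Phoenix endpoint, and probes it with
# `openssl s_client` to show what an incomplete versus a complete chain looks
# like.  Hostname, port and file names are constructed for the demo.
set -eu

command -v openssl >/dev/null || { echo "openssl not found in PATH" >&2; exit 1; }

WORK=$(mktemp -d)
PORT=${DEMO_PORT:-44331}      # hypothetical port; override with DEMO_PORT=...
HOST=myserver.test            # constructed hostname, stands in for myserver.com
SERVER_PID=""

# Generate a three-tier chain.  The intermediate is what the HAProxy setup in
# the thread supplied by concatenating certificates; the leaf alone is what a
# server with an incomplete configuration sends.
make_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$HOST" >"$WORK/leaf.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 1 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 1 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

# Stand-in for the HTTPS endpoint.  $1 = certificate to present; optional $2 =
# file with the intermediate(s) to send along with it.  s_server takes those in
# a separate file (-cert_chain), the role cacertfile plays in the Phoenix config.
start_server() {
  if [ $# -ge 2 ]; then
    openssl s_server -accept "$PORT" -key "$WORK/leaf.key" -cert "$1" -cert_chain "$2" \
      -www </dev/null >/dev/null 2>&1 &
  else
    openssl s_server -accept "$PORT" -key "$WORK/leaf.key" -cert "$1" \
      -www </dev/null >/dev/null 2>&1 &
  fi
  SERVER_PID=$!
  tries=0
  # Wait until a TCP connect plus handshake succeeds; s_client exits non-zero
  # when it cannot connect at all, which is the thread's "times out" symptom.
  until openssl s_client -connect "127.0.0.1:$PORT" </dev/null >/dev/null 2>&1; do
    tries=$((tries + 1))
    [ "$tries" -lt 50 ] || { echo "s_server did not come up on port $PORT" >&2; return 1; }
    sleep 0.2
  done
}

stop_server() {
  if [ -n "$SERVER_PID" ]; then
    kill "$SERVER_PID" 2>/dev/null || true
    wait "$SERVER_PID" 2>/dev/null || true
    SERVER_PID=""
  fi
}
trap 'stop_server; rm -rf "$WORK"' EXIT

# The probe from the last reply, trusting only the CA bundle given in $1.
probe() {
  openssl s_client -connect "127.0.0.1:$PORT" -servername "$HOST" -CAfile "$1" \
    -showcerts </dev/null 2>/dev/null
}
# How many certificates the server actually sent (the "Certificate chain" block).
served_cert_count() { probe "$1" | grep -c 'BEGIN CERTIFICATE' || true; }
# The N from the "Verify return code: N (...)" line: 0 means the presented chain
# verified up to the trusted CA, anything else names what is missing.
verify_code() { probe "$1" | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n 1; }

make_chain
# Case 1: only the leaf is served, so the client cannot link it to the root.
start_server "$WORK/leaf.pem"
echo "leaf only : certs served=$(served_cert_count "$WORK/root.pem") verify=$(verify_code "$WORK/root.pem")"
stop_server
# Case 2: leaf plus intermediate served; the client can now build the chain.
start_server "$WORK/leaf.pem" "$WORK/int.pem"
echo "with chain: certs served=$(served_cert_count "$WORK/root.pem") verify=$(verify_code "$WORK/root.pem")"
stop_server
```

Run it as-is; the first line reports one certificate served and a non-zero verify code, the second reports two certificates and verify code 0. Against a real endpoint the same probe is `openssl s_client -connect myserver.com:4001 -servername myserver.com -showcerts`, and the "Certificate chain" block tells you directly whether the intermediate is being sent. Note that this only diagnoses a handshake that completes; a connection that never gets past "Connected to ..." in curl -v, as in the original post, is a transport or listener problem that s_client will report as a connect failure rather than as a verify code.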