Phoenix release with SSL not connecting

Hello! I’m trying to deploy my Phoenix app using releases with SSL. I am able to successfully get a release running locally (console outputs “Access MyAppWeb.Endpoint at https://localhost:4001”). However, when I try and actually load the page in a browser (Firefox), I get the following error message:

Secure Connection Failed
An error occurred during a connection to localhost:4001. PR_END_OF_FILE_ERROR

I cannot access the https site in any other browsers either. However, I am able to access the http version without any trouble.

I am testing locally using self-signed certificates. This works fine when running in development mode, but does not work when running a release.

The relevant section of my config/releases.ex file looks like this:

config :my_app, MyAppWeb.Endpoint,
  server: true,
  secret_key_base: secret_key_base,
  url: [host: "localhost"],
  http: [
    port: 4000,
    transport_options: [socket_opts: [:inet6]]
  ],
  https: [
    port: 4001,
    otp_app: :my_app,
    cipher_suite: :strong,
    keyfile: System.get_env("SSL_KEY_PATH"),
    certfile: System.get_env("SSL_CERT_PATH")
  ]

I would really like to try and get this running without having to use nginx. Any help would be greatly appreciated!

This likely means the certificate and/or key files in the release can’t be read, so the TLS handshake gets aborted. Try starting the release with my_app start_iex, then check if the files specified in the configuration can be read and contain the expected certificate/key in PEM format:

iex(1)> https = Application.get_env(:my_app, MyAppWeb.Endpoint)[:https]
[
  port: 4001,
  otp_app: :my_app,
  cipher_suite: :strong,
  certfile: "priv/cert/selfsigned.pem",
  keyfile: "priv/cert/selfsigned_key.pem"
]
iex(2)> File.read(https[:certfile])
{:ok, ...}
iex(3)> File.read(https[:keyfile])
{:ok, ...}

If the file contents look ok, try adding transport_options: [socket_opts: [log_level: :info]] to your Endpoint’s https configuration, and see if :ssl logs any alerts.

BTW, I would recommend using a CLI tool such as curl -v -k https://... or openssl s_client -connect localhost:4001 ... rather than a browser to debug such issues, as they tend to produce much more helpful output, instead of PR_END_OF_FILE_ERROR.

2 Likes
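
An added example, not part of the thread or of Phoenix itself: the file checks suggested in the reply above, collected into one function that can be pasted into the release's IEx session. The module name `TLSFileCheck` and its error atoms are hypothetical, and resolving relative paths against the `:otp_app` directory is an assumption about how the endpoint loads them.

```elixir
defmodule TLSFileCheck do
  @moduledoc "Added example (hypothetical module): sanity-checks the :https cert/key files."

  # PEM entry types that :public_key.pem_decode/1 reports for private keys.
  @key_types [:RSAPrivateKey, :ECPrivateKey, :DSAPrivateKey, :PrivateKeyInfo]

  # In `my_app start_iex`:
  #   Application.get_env(:my_app, MyAppWeb.Endpoint)[:https] |> TLSFileCheck.check()
  # Returns a keyword list such as [certfile: :ok, keyfile: {:error, :path_not_set}].
  def check(https) when is_list(https) do
    for {opt, wanted} <- [certfile: [:Certificate], keyfile: @key_types] do
      {opt, check_file(https[opt], https[:otp_app], wanted)}
    end
  end

  # System.get_env/1 returns nil when the variable is not set for the release.
  defp check_file(nil, _app, _wanted), do: {:error, :path_not_set}

  defp check_file(path, app, wanted) do
    full = resolve(path, app)

    with {:ok, pem} <- File.read(full),
         [_ | _] = entries <- :public_key.pem_decode(pem) do
      classify(entries, wanted)
    else
      {:error, posix} -> {:error, {posix, full}}
      [] -> {:error, {:no_pem_entries, full}}
    end
  end

  # Assumption: relative paths are resolved against the application directory
  # when :otp_app is given, otherwise against the current working directory.
  defp resolve(path, nil), do: Path.expand(path)
  defp resolve(path, app), do: Path.expand(path, Application.app_dir(app))

  defp classify(entries, wanted) do
    cond do
      # At least one unencrypted entry of the expected kind is present.
      Enum.any?(entries, fn {t, _der, enc} -> t in wanted and enc == :not_encrypted end) ->
        :ok

      # Encrypted entries cannot be used without a password.
      Enum.any?(entries, fn {_t, _der, enc} -> enc != :not_encrypted end) ->
        {:error, :encrypted_pem_entry}

      true ->
        {:error, {:unexpected_pem_types, Enum.map(entries, &elem(&1, 0))}}
    end
  end
end
```

A result other than `:ok` for either option points at the unset variable, unreadable path, or wrong file contents before any TLS handshake is attempted.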