niccolox

niccolox

Websocket problems; Letsencrypt / Certbot config for Plug with Phoenix 1.4 (non proxy)?

I am trying to simplify my life and try to only use Cowboy, Plug and Phoenix 1.4 i.e. no Nginx or other proxy for now

websockets are connecting, they crash in production

HTML pages are served up ok

wget https://phxmono.domain.com
--2018-05-28 20:10:51--  https://phxmono.domain.com/
Resolving phxmono.domain.com (phxmono.domain.com)... 45.33.96.32
Connecting to phxmono.domain.com (phxmono.domain.com)|45.33.96.32|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19035 (19K) [text/html]
Saving to: ‘index.html’

index.html                                         100%[================================================================================================================>]  18.59K  --.-KB/s    in 0s      

2018-05-28 20:10:51 (171 MB/s) - ‘index.html’ saved [19035/19035]

my config/prod.exs

config :www_domain_com_web, WwwDomaintCom.Web.Endpoint,
  url: [host: "my.domain.com", port: 443, scheme: "https"],
  https: [
    port: 443,
    otp_app: :www_domain_com_web,
    keyfile: "/etc/letsencrypt/live/my.domain.com/privkey.pem",
    cacertfile: "/etc/letsencrypt/live/my.domain.com/chain.pem",
    certfile: "/etc/letsencrypt/live/my.domain.com/cert.pem",
    secure_renegotiate: true,
    reuse_sessions: true
  ],
  force_ssl: [hsts: true],
  code_reloader: false,
  check_origin: true,
  cache_static_manifest: "priv/static/cache_manifest.json",
  debug_errors: true,
  server: true,
  root: ".",
  version: 1,
  load_from_system_env: false

I am getting an error

> 19:42:54.521 [info]  Child {:acceptor, #PID<0.2955.0>, 99} of Supervisor #PID<0.2955.0> (:ranch_acceptors_sup) started
> Pid: #PID<0.3054.0>
> Start Call: :ranch_acceptor.start_link(#Port<0.26503>, :ranch_tcp, #PID<0.2954.0>)
> Restart: :permanent
> Shutdown: :brutal_kill
> Type: :worker
> 
> 19:42:54.521 [info]  Child {:acceptor, #PID<0.2955.0>, 100} of Supervisor #PID<0.2955.0> (:ranch_acceptors_sup) started
> Pid: #PID<0.3055.0>
> 19:42:54.625 [info] ['TLS', 32, 'server', 58, 32, 73, 110, 32, 115, 116, 97, 116, 101, 32, 'connection', 32, 'received CLIENT ALERT: Fatal - Bad Certificate', 10]

the channel crashes and restarts

> ==> error.log <==
> 19:43:14.128 [error] Ranch protocol #PID<0.3059.0> of listener WwwDomainCom.Web.Endpoint.HTTPS (cowboy_protocol) terminated
> ** (exit) exited in: Phoenix.Endpoint.CowboyWebSocket.resume()
>     ** (EXIT) an exception was raised:
>         ** (ArgumentError) argument error
>             :erlang.phash2({#PID<0.3059.0>, #Reference<0.2100111952.431489025.212712>}, 0)
>             (phoenix) lib/phoenix/socket/pool_supervisor.ex:11: Phoenix.Socket.PoolSupervisor.start_child/3
>             (phoenix) lib/phoenix/channel/server.ex:45: anonymous fn/3 in Phoenix.Channel.Server.join/4
>             (www_domain_com_web) lib/www_domain_com_web/endpoint.ex:1: WwwFolkbotCom.Web.Endpoint.instrument/4
>             (phoenix) lib/phoenix/socket.ex:590: Phoenix.Socket.handle_in/4
>             (phoenix) lib/phoenix/endpoint/cowboy_websocket.ex:84: Phoenix.Endpoint.CowboyWebSocket.websocket_handle/3
>             (cowboy) /var/www/www_domain_com_umbrella/deps/cowboy/src/cowboy_websocket.erl:588: :cowboy_websocket.handler_call/7
>             (phoenix) lib/phoenix/endpoint/cowboy_websocket.ex:54: Phoenix.Endpoint.CowboyWebSocket.resume/3
>             (cowboy) /var/www/www_domain_com_umbrella/deps/cowboy/src/cowboy_protocol.erl:442: :cowboy_protocol.execute/4

mix.exs

defmodule WwwDomainCom.Web.Mixfile do
  use Mix.Project

  def project do
    [app: :www_domain_com_web,
     version: "0.0.1",
     build_path: "../../_build",
     config_path: "../../config/config.exs",
     deps_path: "../../deps",
     lockfile: "../../mix.lock",
     elixir: "~> 1.4",
     elixirc_paths: elixirc_paths(Mix.env),
     compilers: [:phoenix, :gettext] ++ Mix.compilers,
     start_permanent: Mix.env == :prod,
     aliases: aliases(),
     deps: deps()]
  end

  def application do
    [mod: {WwwDomainCom.Web.Application, []},
     applications: [:www_domain_com, :phoenix, :phoenix_html, :cowboy, :logger, :gettext,
                    :phoenix_ecto, :postgrex, :comeonin, :runtime_tools, :logger_file_backend, :phoenix_html_simplified_helpers]]
  end

  defp elixirc_paths(:test), do: ["lib", "test/support"]
  defp elixirc_paths(:ci),   do: ["lib", "web", "test/support"]
  defp elixirc_paths(_),     do: ["lib"]

  defp deps do
    [{:arc, "~> 0.8.0"},
     {:arc_ecto, "~> 0.7.0"},
     {:bamboo, "~> 0.7"},
     {:burnex, "~> 1.0"},
     {:bcrypt_elixir, "~> 1.0"},
     {:cloak, "~> 0.6.2"},
     {:comeonin, "~> 4.1"},
     {:cowboy, "~> 1.0"},
     {:ex_money, "~> 1.0"},
     {:gettext, "~> 0.11"},
     {:poison, "~> 2.2"},
     {:jose, "~> 1.4"},
     {:logger_file_backend, "~> 0.0.10"},
     {:phoenix, github: "phoenixframework/phoenix", override: true},
     {:phoenix_active_link, "~> 0.2.0"},
     {:phoenix_pubsub, "~> 1.0.2"},
     {:phoenix_ecto, "~> 3.3"},
     {:phoenix_html, "~> 2.10.2"},
     {:phoenix_live_reload, "~> 1.1.5"},
     {:phoenix_html_simplified_helpers, "~> 1.3"},
     {:phoenix_markdown, "~> 1.0"},
     {:phoenix_integration, "~> 0.5.0"},
     {:timex, "~> 3.1"},
     {:www_domain_com, in_umbrella: true}]
  end

  defp aliases do
    ["ecto.setup": ["ecto.create", "ecto.migrate", "run priv/repo/seeds.exs"],
     "ecto.reset": ["ecto.drop", "ecto.setup"],
     "db.archive": ["ecto.dump"],
     "db.migrate": ["ecto.migrate", "ecto.dump"],
     "db.rollback": ["ecto.rollback", "ecto.dump"],
     "test": ["ecto.drop", "ecto.create", "ecto.migrate", "test"]]
  end
end

more

$ iex --app ssl
Erlang/OTP 20 [erts-9.2] [source] [64-bit] [smp:1:1] [ds:1:1:10] [async-threads:10] [kernel-poll:false]

Interactive Elixir (1.6.5) - press Ctrl+C to exit (type h() ENTER for help)
iex(1)> :ssl.cipher_suites
[
  {:ecdhe_ecdsa, :aes_256_gcm, :null, :sha384},
  {:ecdhe_rsa, :aes_256_gcm, :null, :sha384},
  {:ecdhe_ecdsa, :aes_256_cbc, :sha384, :sha384},
  {:ecdhe_rsa, :aes_256_cbc, :sha384, :sha384},
  {:ecdh_ecdsa, :aes_256_gcm, :null, :sha384},
  {:ecdh_rsa, :aes_256_gcm, :null, :sha384},
  {:ecdh_ecdsa, :aes_256_cbc, :sha384, :sha384},
  {:ecdh_rsa, :aes_256_cbc, :sha384, :sha384},
  {:ecdhe_ecdsa, :chacha20_poly1305, :null, :sha256},
  {:ecdhe_rsa, :chacha20_poly1305, :null, :sha256},
  {:dhe_rsa, :chacha20_poly1305, :null, :sha256},
  {:dhe_rsa, :aes_256_gcm, :null, :sha384},
  {:dhe_dss, :aes_256_gcm, :null, :sha384},
  {:dhe_rsa, :aes_256_cbc, :sha256},
  {:dhe_dss, :aes_256_cbc, :sha256},
  {:rsa, :aes_256_gcm, :null, :sha384},
  {:rsa, :aes_256_cbc, :sha256},
  {:ecdhe_ecdsa, :aes_128_gcm, :null, :sha256},
  {:ecdhe_rsa, :aes_128_gcm, :null, :sha256},
  {:ecdhe_ecdsa, :aes_128_cbc, :sha256, :sha256},
  {:ecdhe_rsa, :aes_128_cbc, :sha256, :sha256},
  {:ecdh_ecdsa, :aes_128_gcm, :null, :sha256},
  {:ecdh_rsa, :aes_128_gcm, :null, :sha256},
  {:ecdh_ecdsa, :aes_128_cbc, :sha256, :sha256},
  {:ecdh_rsa, :aes_128_cbc, :sha256, :sha256},
  {:dhe_rsa, :aes_128_gcm, :null, :sha256},
  {:dhe_dss, :aes_128_gcm, :null, :sha256},
  {:dhe_rsa, :aes_128_cbc, :sha256},
  {:dhe_dss, :aes_128_cbc, :sha256},
  {:rsa, :aes_128_gcm, :null, :sha256},
  {:rsa, :aes_128_cbc, :sha256},
  {:ecdhe_ecdsa, :aes_256_cbc, :sha},
  {:ecdhe_rsa, :aes_256_cbc, :sha},
  {:dhe_rsa, :aes_256_cbc, :sha},
  {:dhe_dss, :aes_256_cbc, :sha},
  {:ecdh_ecdsa, :aes_256_cbc, :sha},
  {:ecdh_rsa, :aes_256_cbc, :sha},
  {:rsa, :aes_256_cbc, :sha},
  {:ecdhe_ecdsa, :aes_128_cbc, :sha},
  {:ecdhe_rsa, :aes_128_cbc, :sha},
  {:dhe_rsa, :aes_128_cbc, :sha},
  {:dhe_dss, :aes_128_cbc, :sha},
  {:ecdh_ecdsa, :aes_128_cbc, :sha},
  {:ecdh_rsa, :aes_128_cbc, :sha},
  {:rsa, :aes_128_cbc, :sha},
  {:ecdhe_ecdsa, :"3des_ede_cbc", :sha},
  {:ecdhe_rsa, :"3des_ede_cbc", :sha},
  {:dhe_rsa, :"3des_ede_cbc", ...},
  {:dhe_dss, ...},
  {...},
  ...
]

seems like the front facing Letsencrypt works ok

root@phxmono:~# openssl s_client -connect phxmono.domain.com:443
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = phxmono.domain.com
verify return:1
---
Certificate chain
 0 s:/CN=phxmono.domain.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGKzCCBROgAwIBAgISA36FyBc2ncKCOV/PHC1udJ6tMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xODA1MjYyMTQ2MjJaFw0x
ODA4MjQyMTQ2MjJaMB4xHDAaBgNVBAMTE3BoeG1vbm8uZm9sa2JvdC5jb20wggEi

REDACTED

21IYAUYUXxHXv0sBFtNoPwJzCRywSVtxU3ReV6JeVJz+3fZq5gl6U0OemW1mXxnP
t2M39LKMi6p+8byj4exaQrGMLOHRuunY9pbPKBZhfGIK5AmtJ+ZZuqilUatvcihK
hej3+n8DD4hpDiOAcipYVjKAc58yp7xNVSBaI6z277MxbyNK3S94Vi8OVTL80YBl
aqexqRP4JHlVMf5SG3JBBzyoV38WTuKWNJRPdRSFgOsvwkDqmdfm+QjaYblLMKU=
-----END CERTIFICATE-----
subject=/CN=phxmono.domain.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3265 bytes and written 302 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: A665C2AF3D3A3REDACTED5E6849FFF
    Session-ID-ctx: 
    Master-Key: 3D876REDACTED3DF3
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1527537943
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
closed

Where Next?

Popular in Questions Top

senggen
Erlang/OTP 25 [erts-13.2.2] [source] [64-bit] [smp:8:8] [ds:8:8:10] [async-threads:1] 15:22:35.803 [error] gen_event {lager_file_backend...
New
mcarvalho
What is the difference between System.get_env and Application.get_env? For example, what are best practices to use one versus another.
New
jononomo
I am trying to figure out how Mix knows whether the environment is test, dev, or prod – where is this set? Thanks.
New
shahryarjb
Hello, I get Persian date from my client and convert it to normal calendar like this: def jalali_string_to_miladi_english_number(persi...
New
jay1
Why is it that the mnesia database isn’t the most preferred database for use in Elixir/Phoenix?
New
baxterw3b
Hi guys, i’m new in the Elixir world, and i have to say, that i love it! i’m having some problem to understand anonymous functions with ...
New
alice
Hey, Just curious what are the main benefits of Elixir compared to Clojure? When is Elixir more useful than Clojure and vice versa? Th...
New
vonH
When I run the Plug and I recompile I wind up having to use Ctrl C to quit iex and start again. Witht the help of rlwrap I can use the cu...
New
Brian
What is the proper way to load a module from a file in to IEX? In the python world, doing something like this pretty standard: from ....
New
hariharasudhan94
Lets say I have map like this fetching from my database %{"_id" =&gt; #BSON.ObjectId&lt;58eb1a7a9ad169198c3dXXXX&gt;, "email" =&gt; ...
New

Other popular topics Top

danschultzer
None of the current solutions worked well for me, so I went ahead and built a user management system from scratch. This project took far...
548 29377 241
New
lastday4you
I wanted to check elixir version in phoenix because i found that my elixir is 1.5 but when i use Enum.chunk_by it said the function is un...
New
lessless
I believe there are people here who are dealing with CSV files import on the daily basis, and since Excel is a really popular tool there ...
New
msaraiva
Surface is an experimental library built on top of Phoenix LiveView and its new LiveComponent API that aims to provide a more declarative...
564 43622 214
New
dokuzbir
I want to highlight html closing tags when i click a html tag. That works in .html files but doesnt work for html.eex templates. How can...
New
alice
Hey, Just curious what are the main benefits of Elixir compared to Clojure? When is Elixir more useful than Clojure and vice versa? Th...
New
klo
Got a question about when to concat vs. prepending items to list then reversing to achieve appending. So i know lists boil down to [1 | ...
New
komlanvi
Hi everyone, I was playing with phoenix liveView but I run into an issue. I have a form and want to validate each input text when the te...
New
marick
I had some trouble figuring out how to make many-to-many associations work. Once I got it working, I wrote a blog post. Because I’m a nov...
New
sergio
Kind of like when jquery came out, it was super necessary. Existing drag and drop libraries have a bunch of baggage to support old browse...
New

We're in Beta

About us Mission Statement