Yaws with SSL gives the error "SSL accept failed: timeout" - ssl

I used certbot to generate a Let's Encrypt certificate for my website, but Yaws gives me an SSL accept failed: timeout error when I try to connect to it (after it times out, of course). Interestingly, it works when I redirect example.com to the local IP address of the server in the hosts file on my machine and connect to example.com:8080, but not when I connect to example.com without editing the hosts file or when I connect from my phone over 4G. Here's my webserver's configuration file (it is the only configuration file in conf.d):
<server www.example.com>
port = 8080
listen = 0.0.0.0
docroot = /usr/share/yaws
<ssl>
keyfile = /etc/letsencrypt/live/example.com/privkey.pem
certfile = /etc/letsencrypt/live/example.com/fullchain.pem
</ssl>
</server>
I made sure that the keyfile and the certificate are both readable by the yaws user. Next to the keyfiles is a README that contains the following:
`privkey.pem` : the private key for your certificate.
`fullchain.pem`: the certificate file used in most server software.
`chain.pem` : used for OCSP stapling in Nginx >=1.3.7.
`cert.pem` : will break many server configurations, and should not be used
without reading further documentation (see link below).
We recommend not moving these files. For more information, see the Certbot
User Guide at https://certbot.eff.org/docs/using.html#where-are-my-certificates.
So I'm relatively sure I've used the right file (the other ones gave me errors like badmatch and {tls_alert,"decrypt error"}). I also tried trivial things like writing https:// before the URL, but it didn't fix the issue. Also, everything works fine when the server is running without SSL. The version of Erlang running on my server is Erlang/OTP 19. Also, if it's unclear, the domain isn't actually example.com.
Also, example.com is redirected via CNAME to examplecom.duckdns.org, if that matters.
UPDATE:
My server was listening on port 8080, which was forwarded from the external port 80, for HTTPS connections, when the default HTTPS port is port 443. My other mistake was connecting to http://example.com instead of https://example.com. Forwarding the external port 443 to the internal port 8443 and configuring Yaws to listen on port 8443 fixed everything.

Just to be sure I understand: when you do something like curl -v https://example.com:8080, you get a timeout, and that's it? (Here the https protocol and port 8080 are mandatory, of course.)
An SSL timeout during accept can be triggered when an unencrypted request is received on an SSL vhost.
Could you also provide the output of the following command:
echo -e "HEAD / HTTP/1.0\r\n\r\n" | openssl s_client -connect mysite.com:8080 -ign_eof
And finally, which version of Yaws are you running, and on which OS?

Related

Iredmail local server with pfsense, nginx and ssl problems

I have a problem that has bothered me for a few days. I have 2 local servers on the same IP at my office. On one we run an Apache webapp that uses port 443 and port 80, and on the other one I tried to install an Ubuntu iRedMail server. All was good until I asked for a Let's Encrypt certificate and tried to open the mail domain URL. I changed the SSL port in 00-default-ssl.conf to 8443 and stopped nftables; no firewall is installed or active on the mail server, just pfSense working at the network level. If I try to open the mail domain with port 8443 I get no page; if I try with 443 I can't connect to it. If I try to open the main domain (not the mail domain, the root domain) with the default SSL port, I get the page from the other server that runs the Apache app, which should be linked to another domain.
I tried to obtain an SSL certificate and got an error that says the cert can't be downloaded on the server due to a possible firewall misconfiguration. I read somewhere that pfSense might be the culprit, because it can't read the redirects from the request header.
Can you please help me fix it? I am starting to lose my patience.
I am trying to install iRedMail on a local server with a static IP and pfSense.

Use Stunnel to connect wss to wsServer

I am trying to use stunnel to turn a wss connection into a ws connection because wsServer doesn't support wss. The server is running Ubuntu, and the client I'm using is Chrome, if it matters.
This is my stunnel.conf file
foreground = yes
debug = info
output = /var/log/stunnel.log
[wsServer]
cert = /etc/letsencrypt/live/myurl.com/fullchain.pem
key = /etc/letsencrypt/live/myurl.com/privkey.pem
accept = 0.0.0.0:8443
connect = 127.0.0.1:8080
I'm trying to connect to it with a javascript call:
const socket = new WebSocket('wss://myurl.com:8433');
But I consistently get a connection error:
(index):13 WebSocket connection to 'wss://myurl.com:8433/' failed: (anonymous) # (index):13
Here's what I've checked:
That my port forwarding/system firewalls aren't eating the connection. If I kill stunnel and setup a regular socket listening on either port 8080 or 8433, I can connect to that socket from the client machine.
wsServer accepts non-encrypted traffic, if I instead connect with ws://myurl.com:8080 it works fine
wsServer accepts connections from localhost just fine, which I understand is necessary when stunnel is running on the same machine as the server
Chrome accepts my cert when used for https pages under the same domain, so I don't think I have a cert signing error, but I don't know how to tell if the cert is related to the connection failing
Stunnel does not print any errors when starting up
Nothing gets printed to /var/log/stunnel.log, although the file was created after I added the output field to the .conf file
Any ideas about what else I can try? Is there some reason the cert that works for https wouldn't work with wss?
Do people recommend using ProxyPass through apache and avoiding stunnel altogether?
Not a solution, but a next troubleshooting step. Get yourself openssl and attempt to connect to 8443. This should spit back the certificate information and at least confirm stunnel is presenting the certificate.
openssl s_client -connect myurl.com:8443
It's been a while since I configured stunnel, but IIRC you can't put a password on your key.

SSL Connection to Apache server port 443 in CentOS 7

I am trying to set up an Apache server on CentOS. Following this article up to the step "Create Virtual Host". Here I replace "80" with "443":
<VirtualHost *:443>
Note that I do not configure firewalld as per that article, though.
In the /etc/httpd/conf/httpd.conf file, I also change the Listen 80 line to Listen 443.
Then I start the server with:
sudo systemctl start httpd
I check the deployment with
wget https://my_dns
I get this error:
Resolving my_dns (my_dns)... xx.xxx.xx.xxx
Connecting to my_dns (my_dns)|xx.xxx.xx.xxx|:443... connected.
OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Unable to establish SSL connection.
If I try (test port 80)
wget my_dns
I get Connection refused, which makes sense.
So, it appears the server is on port 443. But what is this SSL issue and how do I resolve it?
Listening on port 443 does not imply that you are using SSL. You can listen for HTTP requests on any port you specify. Does this work?
wget http://my_dns:443
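The two answers above (an unencrypted request arriving on an SSL vhost, and a port 443 listener that is not actually speaking SSL) both come down to what the first bytes on the connection look like. The following is an added example, not code from any of the posts: a classifier for those first bytes, run over constructed samples. The function names and all sample byte strings are assumptions made for illustration.

```python
import ssl

TLS_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HTTP_METHODS = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"DELETE ", b"OPTIONS ")

def classify_first_bytes(data: bytes) -> str:
    """Label the first bytes seen on a connection as TLS, plaintext HTTP, or other."""
    if not data:
        return "nothing (peer closed or timed out)"
    # TLS record header: content type (1 byte), version 3.x (2 bytes), length (2 bytes)
    if len(data) >= 5 and data[0] in TLS_TYPES and data[1] == 3 and data[2] <= 4:
        if int.from_bytes(data[3:5], "big") <= 16384 + 2048:
            return "tls " + TLS_TYPES[data[0]]
    if data.startswith(b"HTTP/"):
        return "plaintext http response"
    if data.startswith(HTTP_METHODS):
        return "plaintext http request"
    return "unknown"

def real_client_hello() -> bytes:
    """First bytes an https:// client sends, produced offline by an in-memory TLS client."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    client = ctx.wrap_bio(incoming, outgoing, server_hostname="example.com")
    try:
        client.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the ClientHello is queued and the client now waits for the server
    return outgoing.read()

# Constructed samples (not captured from the posters' servers).
SAMPLES = {
    "https:// client -> TLS listener": real_client_hello(),
    "http:// client -> TLS listener (Yaws case)": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "TLS client <- plain HTTP on 443 (Apache case)": b"HTTP/1.1 400 Bad Request\r\n\r\n",
    "TLS alert record": bytes.fromhex("15030300020246"),
    "silent peer": b"",
}

def classify_samples() -> dict:
    return {name: classify_first_bytes(data) for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:48} {verdict}")
```

A TLS listener expects the `tls handshake` record; a `plaintext http request` on that port means the client used http://, and a `plaintext http response` read by a TLS client means the listener has no SSL enabled.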

Letsencrypt: Invalid certificate chain because of port

I have an app (backend part) running e.g. on: https://bla.com:8443. I created a certificate for it via letsencrypt for domain bla.com.
When I tried to receive payments (webhook) from www.stripe.com I ended up with a TLS error. After some investigation I figured out that the problem is an invalid certificate chain for https://bla.com:8443 and if I ran it on https://bla.com:443 everything would be ok.
I can't change it to port 443 because on https://bla.com:443 is running frontend part of the app.
I thought about 2 solutions, but my technical knowledge is quite limited so I am not sure if it's possible:
create certificate for domain + port
run frontend & backend part on same port: https://bla.com:443 and configure apache2 to forward all /backend-api/* to https://bla.com:8443/backend-api/*
My question is, is any of the proposals possible and more importantly is there any better solution which I am missing?
Thanks for any suggestions!
A certificate is not bound to a port. It is perfectly fine to use the same certificate on port 443 and 8443. But the servers on port 443 and 8443 have a different configuration. If it works on 443 but not on 8443 this is likely due to some error in the configuration on port 8443. The fix is thus to have the correct configuration and not to work around with a different certificate or somehow to reverse proxy it from port 443.
Unfortunately details on how to exactly fix it cannot be given since the current configuration is not known.
Configuring the program to use fullchain.pem instead of cert.pem fixed it for me.

squid sslbump works with private connection warning

I use squid 3.5 with its sslbump feature for https traffic filtering. I generated my private key and cert files with openssl. However, the browser received the warning message when I open https websites that the certificate was issued by an unknown authority. I created ssl certificates with Comodo but I still got the same warning message.
Is there a way to remove this warning?
# Squid normally listens to port 3128
http_port 3128 ssl-bump cert=/var/tmp/example.com.cert key=/var/tmp/example.com.private
# Squid listen Port
cert=/var/tmp/example.com.cert
# SSL Bump Config
always_direct allow all
ssl_bump server-first all
url_rewrite_program /usr/bin/sh /var/tmp/middle_squid_wrapper.sh start -C /var/tmp/middle_squid_config.rb
# required to fix HTTPS sites (if SslBump is enabled)
acl fix_ssl_rewrite method GET
acl fix_ssl_rewrite method POST
url_rewrite_access allow fix_ssl_rewrite
url_rewrite_access deny all
You don't say what client OS you are using, but it sounds very much like you didn't import your squid certificate to the correct certificate store on the client.
When you install the certificate on a Windows client it should be imported into the 'Trusted Root Certificate Authorities' -> 'Certificates' folder.
The client should then trust the certificate.