ninenines / cowboy

Small, fast, modern HTTP server for Erlang/OTP.

Home Page: https://ninenines.eu

Previously working configuration no longer works.

AlastorMordrek opened this issue

I have a pair of cowboy web servers started as such:

    cowboy:start_clear(
        main_http_listener,
        [{port, 8080}],
        #{env => #{dispatch => routes()}}).

    cowboy:start_tls(
        main_https_listener,
        [
            {port, 8443},
            {cacertfile, "..../chain.pem"},
            {certfile, "..../cert.pem"},
            {keyfile, "..../privkey.pem"}
        ],
        #{env => #{dispatch => routes()}}).

The certificates were generated successfully using LetsEncrypt/Certbot standard process.

This used to work a couple of months ago on older versions of erlang/cowboy/ranch/cowlib/etc...
But now it doesn't.

The respective ports are open.
When I test the connection with the clear server over "ws://....:8080" it works as normal.
But the connection using "wss://.....:8443" does not work.
On the server I get no debug messages indicating any error.

I also made a simple hello world "index.html".
You can check the server "hello world" here:

http://api.thegamblrr.com:8080/ <-- this one works
https://api.thegamblrr.com:8443/ <-- this one doesn't work, even though the dispatch routes are the same

I have a domain: "thegamblrr.com" which has an "A" record pointed to another IP (where my cowboy server is).
These are the values for the record:
Type A, Name: api, Value: 3.143.198.148
With these values the certbot authentication worked OK, same with connections using "HTTP" and "WS" protocol,
but "HTTPS" and "WSS" don't connect and I don't get any errors or warnings.

My versions are:

Erlang/OTP: 23
ERTS: 11.1.6
cowlib: 2.9.1
ranch: 1.7.1
cowboy: 2.8.0

Do you have any clue what I might be missing?
Any info I could provide to help track this issue down?

Check that the files are correct. The server seems to close the connection immediately.

They seem fine, also the server seems to load them correctly at startup.
Both servers return ok tuples.

Would some startup output help?

There's no loading involved when files are used.

Any output helps, but it would be better to try a simple ssl:listen and accept in the shell to see if the problem is unrelated to Cowboy. It usually is because Cowboy defers everything to the ssl application.

Could you give me an example of the commands? I've not used ssl directly before.

OK, I'm getting this error on this step:

server> {ok, Socket} = ssl:handshake(TLSTransportSocket).

** exception error: no match of right hand side value
{error,{options,{certfile,"/etc/letsencrypt/live/api.thegamblrr.com/cert.pem",
{error,eacces}}}}

client> {ok, Socket} = ssl:connect("localhost", 8443, [], infinity).

** exception error: no match of right hand side value {error,closed}

Is it what I think it is?
File permissions?
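
In this thread the listener started with an ok tuple and the eacces only surfaced at ssl:handshake, so the check below (an added example, not part of the original issue and not Cowboy's or Ranch's own code) reads each certificate and key file as the node's OS user before the listener is started. The module name tls_preflight and its functions are hypothetical, and it assumes transport options in the list form used in the issue.

```erlang
%% Added example: hypothetical module, not Cowboy or Ranch code.
%% Verifies that every file named in a TLS option list can be read by the
%% OS user running this Erlang node and holds at least one PEM entry.
-module(tls_preflight).
-export([check/1, start_tls_checked/3]).

%% File-based ssl options used in the listener configuration above.
-define(FILE_OPTS, [cacertfile, certfile, keyfile]).

%% check(TransportOpts) -> ok | {error, [{OptName, Path, Reason}]}
%% Reason is a file:posix() atom such as eacces or enoent, or no_pem_entries.
check(TransportOpts) ->
    Problems = lists:filtermap(
        fun(Opt) ->
            case proplists:get_value(Opt, TransportOpts) of
                undefined -> false;              % option not set, nothing to check
                Path -> check_file(Opt, Path)
            end
        end, ?FILE_OPTS),
    case Problems of
        [] -> ok;
        _ -> {error, Problems}
    end.

%% file:read_file/1 runs with the node's own credentials, so it fails with
%% the same eacces the ssl application reported at handshake time.
check_file(Opt, Path) ->
    case file:read_file(Path) of
        {error, Reason} ->
            {true, {Opt, Path, Reason}};
        {ok, Bin} ->
            case public_key:pem_decode(Bin) of
                [] -> {true, {Opt, Path, no_pem_entries}};
                [_ | _] -> false
            end
    end.

%% Start the TLS listener only when every configured file passed the check.
start_tls_checked(Ref, TransportOpts, ProtoOpts) ->
    case check(TransportOpts) of
        ok -> cowboy:start_tls(Ref, TransportOpts, ProtoOpts);
        {error, _} = Error -> Error
    end.
```

If it reports eacces, give the user that runs the node read access to the files and search access to their parent directories, for example through a dedicated group, instead of making the private key readable by every account on the host.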