Failed to setup HTTPS configuration


Nicolas Michel

Jan 21, 2014, 11:54:32 AM
to chica...@googlegroups.com
Hi,

I have a CB app which works fine in clear HTTP.
But I need to make it work with HTTPS.
I followed the recipe (copy/paste) I found here :
But it does not work. I've the following error :

17:52:33.010 [error] application: mochiweb, "Accept failed error", "{error,{keyfile,{badmatch,{error,{asn1,{invalid_length,6}}}}}}"
17:52:33.012 [error] CRASH REPORT Process <0.162.0> with 0 neighbours exited with reason: {error,accept_failed} in mochiweb_acceptor:init/3 line 33
17:52:33.014 [error] {mochiweb_socket_server,295,{acceptor_error,{error,accept_failed}}}
17:52:33.016 [error] application: mochiweb, "Accept failed error", "{error,{keyfile,{badmatch,{error,{asn1,{invalid_length,6}}}}}}"
17:52:33.017 [error] CRASH REPORT Process <0.163.0> with 0 neighbours exited with reason: {error,accept_failed} in mochiweb_acceptor:init/3 line 33
17:52:33.018 [error] application: mochiweb, "Accept failed error", "{error,{keyfile,{badmatch,{error,{asn1,{invalid_length,6}}}}}}"
17:52:33.019 [error] CRASH REPORT Process <0.164.0> with 0 neighbours exited with reason: {error,accept_failed} in mochiweb_acceptor:init/3 line 33
17:52:33.022 [error] application: mochiweb, "Accept failed error", "{error,{keyfile,{badmatch,{error,{asn1,{invalid_length,6}}}}}}"
17:52:33.022 [error] CRASH REPORT Process <0.165.0> with 0 neighbours exited with reason: {error,accept_failed} in mochiweb_acceptor:init/3 line 33
17:52:33.111 [error] {mochiweb_socket_server,295,{acceptor_error,{error,accept_failed}}}
17:52:33.212 [error] {mochiweb_socket_server,295,{acceptor_error,{error,accept_failed}}}
17:52:33.313 [error] {mochiweb_socket_server,295,{acceptor_error,{error,accept_failed}}}

Any idea ?

br

Nicolas -


Kai Janson

Jan 21, 2014, 12:08:28 PM
to chica...@googlegroups.com
Take a look at the history of the file.  The newer write up has some issues.

Sent from my non-google-device

Nicolas Michel

Jan 21, 2014, 3:37:56 PM
to chica...@googlegroups.com
Hi,

I followed your advice, and I tried to use an earlier version of the tutorial.
It still does not work.
Here is what I get when I try to connect using https:

(xxx@xxx)1> 21:29:53.661 [error] SSL: certify: tls_connection.erl:2275:Fatal error: unknown ca

21:29:53.665 [error] application: mochiweb, "Accept failed error", "{error,{tls_alert,\"unknown ca\"}}"
21:29:53.668 [error] CRASH REPORT Process <0.162.0> with 0 neighbours exited with reason: {error,accept_failed} in mochiweb_acceptor:init/3 line 33
21:29:53.671 [error] {mochiweb_socket_server,297,{acceptor_error,{error,accept_failed}}}

As stated in the tutorial, it uses a self-signed certificate, so I do not understand the "unknown ca" error.

Any clue ?
Has anybody managed to set up an HTTPS configuration ?

Many thanks,

Nicolas -






Nicolas Michel

Jan 27, 2014, 4:08:34 AM
to chica...@googlegroups.com
Hi,

No idea about my question ?
I'm really stuck because being over HTTPS is a strong requirement for the app I'm working on to go live ...
Do my troubles come from the usage of a self-signed certificate ?

Many thanks,

Nicolas -




Igor Clark

Jan 27, 2014, 3:04:24 PM
to chica...@googlegroups.com
Hi Nicolas, I haven't set up CB with SSL before but if it's complaining about "unknown CA" on a self-signed cert I wonder if you need to somehow tell the library not to worry about the CA, as it's self-signed?

Failing that, if it's really urgent, you could try using nginx to terminate SSL and proxy to your CB instance. I've done this, including proxying websockets, and it worked very well.

Cheers
Igor

Nicolas Michel

Jan 28, 2014, 8:47:21 AM
to chica...@googlegroups.com
Hi Igor,

I made some tests with ssl, and I managed to establish a secured connection between a server and a client, each one running in its own erl instance, using a self-signed certificate.

Encouraged by this humble success, I updated my boss.config file as follows:

...
{ssl_enable, true},
{ssl_options, [
                   {keyfile, "ssl/server.key"},
                   {certfile, "ssl/server.crt"}
               ]}
...

I'm experiencing something strange : using wget --no-check-certificate "https:..." I successfully downloaded the secured URL.
But when I'm trying to browse the same URL, the browser fails. I tried with firefox and chrome.

Do you have any idea ?
Thanks for your help, I really appreciate it.

Regards,

nicolas -




Igor Clark

Jan 28, 2014, 2:33:22 PM
to chica...@googlegroups.com
Hi Nicolas, when you say "the browser fails", what message does it give? Is it warning that the certificate is self-signed? If so, you won't be able to get round that (to my knowledge), as that's built in to the browser.

But, if that is the only error, then it sounds like it's set up correctly, and when you add a "real" (externally-signed) certificate to the configuration, it should work.

Cheers,
Igor

Nicolas Michel

Jan 29, 2014, 11:55:10 AM
to chica...@googlegroups.com
Hi Igor,


2014-01-28 Igor Clark <igor....@gmail.com>:

> Hi Nicolas, when you say "the browser fails", what message does it give? Is it warning that the certificate is self-signed? If so, you won't be able to get round that (to my knowledge), as that's built in to the browser.

Here is what I get with Firefox (26.0):

The key does not support the requested operation.
(Error code: sec_error_invalid_key)

It's the same if I try to manually add a Security Exception for my server (I read something about that somewhere ...).
 
> But, if that is the only error, then it sounds like it's set up correctly, and when you add a "real" (externally-signed) certificate to the configuration, it should work.

I hope :)
I'm still wondering how other people test their stuff without having to request a real certificate. It leaves me with the feeling I'm missing something important.
I must be totally off the right path ...

Thank you for your help.

Best regards,

Nicolas -
 

ark...@gmail.com

Jan 29, 2014, 1:19:26 PM
to chica...@googlegroups.com
Both browser and wget cause errors on CA check. Maybe the ca-cert file is corrupted or unreadable (e.g. because of permissions) or something like that.
I used CA.pl script (part of openssl) to create self-signed certs (ca and server) and it worked ok. Yes, the browser complained first for unknown CA, but after pressing 'proceed anyway' everything was good. And after importing ca-cert file into the browser, it worked smooth and quiet.
It was for version 0.8.7
-- 
Best wishes,
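
Added example, not part of any post in this thread: a shell check that creates a throwaway self-signed pair for local testing and verifies that a key file is readable, decodes without a passphrase, and belongs to the certificate. The `{keyfile,...,{asn1,...}}` entries in the first post are the Erlang side reporting that it could not decode the key file; this gives the OpenSSL view of the same files. Assumptions: the `openssl` command-line tool is installed, the function names are hypothetical, and the paths in the usage line are the ones from the boss.config fragment above.

```sh
#!/bin/sh
# Added example, not from the thread. Requires the openssl CLI.
# Function names are hypothetical; all files are created locally.

# make_test_cert DIR CN
# Writes DIR/server.key (unencrypted RSA 2048) and DIR/server.crt
# (self-signed, valid 30 days). For local testing only.
make_test_cert() {
    dir=$1; cn=$2
    mkdir -p "$dir" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=$cn" \
        -keyout "$dir/server.key" -out "$dir/server.crt" \
        >/dev/null 2>&1 || return 1
    chmod 600 "$dir/server.key"
}

# check_pair KEYFILE CERTFILE
# Prints one word and returns non-zero unless it is "ok":
#   unreadable  a file is missing or not readable by this user
#   bad-key     key does not decode, or needs a passphrase
#   bad-cert    certificate does not decode
#   mismatch    certificate was issued for a different key
check_pair() {
    key=$1; crt=$2
    if [ ! -r "$key" ] || [ ! -r "$crt" ]; then
        echo "unreadable"; return 1
    fi
    # Empty -passin makes an encrypted key fail instead of prompting.
    kpub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) \
        || { echo "bad-key"; return 1; }
    cpub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) \
        || { echo "bad-cert"; return 1; }
    # Both commands emit the SubjectPublicKeyInfo in PEM form.
    [ "$kpub" = "$cpub" ] || { echo "mismatch"; return 1; }
    echo "ok"
}

# Usage: sh check_tls_pair.sh ssl/server.key ssl/server.crt
if [ "$#" -eq 2 ]; then
    check_pair "$1" "$2"
fi
```

Run the check as the same OS user that starts the application, so the `unreadable` result reflects the permissions the server process actually has.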

Nicolas Michel

Jan 30, 2014, 3:43:15 AM
to chica...@googlegroups.com
Hi,

2014-01-29 <ark...@gmail.com>:

> Both browser and wget cause errors on CA check. Maybe the ca-cert file is corrupted or unreadable (e.g. because of permissions) or something like that.

This is why I find strange that I managed to get the page with wget and not with the browser. At the SSL level things are supposed to behave roughly the same way ...
 
> I used CA.pl script (part of openssl) to create self-signed certs (ca and server) and it worked ok. Yes, the browser complained first for unknown CA, but after pressing 'proceed anyway' everything was good. And after importing ca-cert file into the browser, it worked smooth and quiet.
> It was for version 0.8.7

I'm using CB 0.8.5
I'll try with CA.pl script. What does the SSL part of boss.config look like in a working config ?
Many thanks

Regards,

Nicolas -

 

ark...@gmail.com

Jan 30, 2014, 11:25:27 AM
to chica...@googlegroups.com
Well, it was long ago. I rechecked and found that ssl does not work with mochiweb. I don't know why. Switching to cowboy helps. Setting nginx as a frontend that handles ssl helps too. My config is pretty much the same as the doc recommends - https://github.com/ChicagoBoss/ChicagoBoss/wiki/Https-example-setup

Nicolas Michel

Feb 3, 2014, 10:35:51 AM
to chica...@googlegroups.com
Thanks for your help.
Things are not as straightforward as I expected ...

Nicolas -

