I used certbot to generate a Let's Encrypt certificate for my website, but Yaws gives me an SSL accept failed: timeout error when I try to connect to it (after it times out, of course). Interestingly, it works when I redirect example.com to the local IP address of the server in the hosts file on my machine and connect to example.com:8080, but not when I connect to example.com without editing the hosts file or when I connect from my phone over 4G. Here's my webserver's configuration file (it is the only configuration file in conf.d):

<server www.example.com>
    port = 8080
    listen = 0.0.0.0
    docroot = /usr/share/yaws
    <ssl>
        keyfile = /etc/letsencrypt/live/example.com/privkey.pem
        certfile = /etc/letsencrypt/live/example.com/fullchain.pem
    </ssl>
</server>

I made sure that the keyfile and the certificate are both readable by the yaws user. Next to the keyfiles is a README that contains the following:

`privkey.pem`  : the private key for your certificate.
`fullchain.pem`: the certificate file used in most server software.
`chain.pem`    : used for OCSP stapling in Nginx >=1.3.7.
`cert.pem`     : will break many server configurations, and should not be used
                 without reading further documentation (see link below).
We recommend not moving these files. For more information, see the Certbot
User Guide at https://certbot.eff.org/docs/using.html#where-are-my-certificates.

So I'm relatively sure I've used the right file (the other ones gave me errors like badmatch and {tls_alert,"decrypt error"}). I also tried trivial things like writing https:// before the URL, but it didn't fix the issue. Also, everything works fine when the server is running without SSL. The version of Erlang running on my server is Erlang/OTP 19. Also, if it's unclear, the domain isn't actually example.com.

Also, example.com is redirected via cname to examplecom.duckdns.org, if that matters.

UPDATE:

My server was listening on port 8080, that was forwarded from the external port 80, for https connections, when the default https port is port 443. My other mistake was connecting to http://example.com instead of https://example.com. Forwarding the external port 443 to the internal port 8443 and configuring yaws to listen on port 8443 fixed everything.

user1792131

1 Answer

Just to be sure I understand: when you do something like curl -v https://example.com:8080, you get a timeout, that's it? (Here the https protocol and port 8080 are mandatory, of course.)

SSL timeout during accept can be triggered when an unencrypted request is received on an SSL vhost.

Could you also provide the output of the following command:

echo -e "HEAD / HTTP/1.0\r\n\r\n" | openssl s_client -connect mysite.com:8080 -ign_eof

And finally, which version of Yaws are you running? On which OS?

  • Turns out I goofed up the port forwarding, ungoofing it fixed the problem. I edited the details into my original post. – user1792131 Jan 24 '17 at 23:29
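The failure mode behind both the question's UPDATE (external port 80 forwarded onto the TLS listener, and http:// used instead of https://) and the answer's remark that an unencrypted request on an SSL vhost produces an accept timeout can be reproduced without any real server: a TLS acceptor reads the first bytes of the connection expecting a ClientHello, and a browser that was sent to port 80 delivers a plaintext HTTP request line instead. The script below is an added example written for this page, not code from the poster or from Yaws. `classify_first_bytes`, `capture_first_bytes`, `plaintext_http_client` and `tls_client` are hypothetical names; the listener is a throwaway socket on 127.0.0.1 that, like a TLS acceptor waiting for a handshake that never comes, reads but never answers, and the inputs are constructed locally (a plain HTTP request and a genuine ClientHello produced by Python's `ssl` module).

```python
import socket
import ssl
import threading

# Request methods whose request line marks a plaintext HTTP client (constructed list).
HTTP_METHODS = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ", b"TRACE ")


def classify_first_bytes(data: bytes) -> str:
    """Say what a listener is looking at from the first bytes it received.

    A TLS record starts with content type 0x16 (handshake) followed by the
    legacy record version 0x03 0x0X; every ClientHello, TLS 1.0 to 1.3, begins
    that way. A plaintext HTTP request starts with a method token instead.
    """
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls"
    if data.startswith(HTTP_METHODS):
        return "plaintext-http"   # what a TLS vhost sees when port 80 is forwarded to it
    return "unknown"


def capture_first_bytes(make_client, nbytes: int = 64) -> bytes:
    """Run a silent listener on 127.0.0.1, let make_client(port) connect to it,
    and return the first `nbytes` the listener read. The listener never replies,
    which is effectively what an SSL accept does while it waits for a ClientHello
    that a plaintext client will never send."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.settimeout(5)
    srv.bind(("127.0.0.1", 0))          # port 0: let the kernel pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    got = {}

    def serve():
        try:
            conn, _ = srv.accept()
            with conn:
                conn.settimeout(5)
                got["data"] = conn.recv(nbytes)
        except OSError:
            pass                        # accept/recv timed out: nothing captured
        finally:
            srv.close()

    t = threading.Thread(target=serve)
    t.start()
    try:
        make_client(port)
    except OSError:
        pass                            # expected: the client is cut off without a reply
    t.join(5)
    return got.get("data", b"")


def plaintext_http_client(port: int) -> None:
    """What a browser sends when the URL says http:// (constructed request)."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")
        s.recv(1)                       # returns b"" once the listener closes


def tls_client(port: int) -> None:
    """What a browser sends when the URL says https://: a real ClientHello."""
    ctx = ssl.create_default_context()
    with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
        # wrap_socket on a connected socket starts the handshake at once; it
        # fails (EOF or reset) because the listener never sends a ServerHello.
        with ctx.wrap_socket(raw, server_hostname="example.com") as tls:
            tls.recv(1)


if __name__ == "__main__":
    for name, client in (("http://", plaintext_http_client), ("https://", tls_client)):
        first = capture_first_bytes(client)
        print(f"{name:9} first bytes {first[:16]!r} -> {classify_first_bytes(first)}")
```

Running it shows the two cases side by side: the http:// client hands the listener `GET / HTTP/1.1` (classified plaintext-http), the https:// client hands it a record starting `\x16\x03\x01` (classified tls). When an SSL accept times out, capturing the first bytes this way at the forwarded port tells you immediately whether the problem is the TLS setup or, as in this thread, traffic that was never TLS to begin with.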