So I inherited a Node.js app which I am running on a Vagrant box.
I have the app binding to "0.0.0.0", and it has its own server.key and certs in the securekey folder.
```javascript
var https = require('https');
var fs = require('fs');
// 'app' is the request handler (Express app) defined elsewhere in the project
var ssl_options = {
  key: fs.readFileSync('./securekey/server.key'),
  cert: fs.readFileSync('./securekey/server.crt'),
  ca: fs.readFileSync('./securekey/ca.crt')
};
https.createServer(ssl_options, app).listen(3001, '0.0.0.0');
```
When I run the app, I expected to be able to access it on my Windows (Vagrant is running on my Windows PC) browser via the URL https://localhost:3001
But I get "Secure Connection Failed" on Mozilla.
I did try this on the Windows PC using Cygwin:
```
$ openssl s_client -host 127.0.0.1 -port 3001
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 316 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1461923745
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
```
And
```
$ curl -v -k 'https://localhost:3001'
* STATE: INIT => CONNECT handle 0x6000574a0; line 1103 (connection #-5000)
* Rebuilt URL to: https://localhost:3001/
* Added connection 0. The cache now contains 1 members
*   Trying 127.0.0.1...
* STATE: CONNECT => WAITCONNECT handle 0x6000574a0; line 1156 (connection #0)
* Connected to localhost (127.0.0.1) port 3001 (#0)
* STATE: WAITCONNECT => SENDPROTOCONNECT handle 0x6000574a0; line 1253 (connection #0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* STATE: SENDPROTOCONNECT => PROTOCONNECT handle 0x6000574a0; line 1267 (connection #0)
* Unknown SSL protocol error in connection to localhost:3001
* Curl_done
* Closing connection 0
* The cache now contains 0 members
curl: (35) Unknown SSL protocol error in connection to localhost:3001
```
But these commands are returning successful connections when run on the Vagrant vm terminal!
What do I need to do to get my Windows PC/browser to accept the app's certificates so that I can access the app from Mozilla Firefox? Since it already has server.key and certs, surely I do not need to generate my own keys again for the app to use?
EDIT: Here is my Vagrantfile:
```ruby
Vagrant.configure(2) do |config|
  config.vm.box = "centos7"
  config.vm.network "forwarded_port", guest: 3000, host: 3000, auto_correct: true
  config.vm.network "forwarded_port", guest: 3001, host: 3001, auto_correct: true
end
```
I've only got the port forwarding configs; the rest are default.
And when the app is running on Vagrant, netstat shows that the port is listening for connections:
```
$ netstat -an | grep 3001
TCP    0.0.0.0:3001    0.0.0.0:0    LISTENING
```
And when I access https://localhost:3001 on the browser, I see this:
```
$ netstat -an | grep 3001
TCP    0.0.0.0:3001        0.0.0.0:0            LISTENING
TCP    127.0.0.1:3001      127.0.0.1:49651      ESTABLISHED
TCP    127.0.0.1:49651     127.0.0.1:3001       ESTABLISHED
```
It seems like the port connections are fine, but the VM is not able to return data.
After much digging around I stumbled upon this comment: https://unix.stackexchange.com/a/255404
Because I was on CentOS 7, disabling firewalld did the trick for me. I didn't realize the change. In a sense, the note from joelnb to check iptables in his answer comments is the right direction (thanks!). Do check your OS's firewall and try disabling it to see if it helps with the issue. If yes, then you can proceed to configure a rule for the port if you wish.
For CentOS 7, to open a port on firewalld: centos 7 - open firewall port
I hope this helps somebody.