I'm in the process of creating a website using the ASP.Net MVC 4 framework. I'm having difficulty getting SSL working with that (or any sort of basic) site.

I purchased an SSL certificate for the domain in question (let's just call it "example.com"). I have gone into IIS, and have configured the https binding for the Default Web Site for port 443. If I open the non-SSL version of the site, it works. (In this case, the site is the stock, basic IIS start page). If I attempt to access the site over https, it times out and fails to display the page.

I've verified using netsh that port 443 is open, and that there is nothing else listening on the port. I've double checked to make sure that Windows Firewall is allowing traffic on port 443, and it is. If I fire up Wireshark and listen for traffic on port 443, then attempt to access the web page, I get the following:

[Wireshark screenshot: capture of port 443 traffic during the failed https request]

I'm not an expert at interpreting these results, but it would seem that something is still blocking the outbound connection. Again, the regular http web page loads fine, but the https version of the same page times out.

I'm about at my wits end trying to figure this out. Any ideas what might be going on here?

Joel B

2 Answers

Either something is blocking the connections on port 443 on their way to the server or something is blocking the responses. From the Wireshark screenshot I see that the server and your client are in separate networks, so there is obviously at least one router in between, maybe other firewalls too. You might check with traceroute or tracepath how far your request travels (e.g. specify port 80 in one try and port 443 in another try and compare) and where the filtering device might be.

Steffen Ullrich
  • Just for kicks, I momentarily turned off the firewall on the server. It seemed to have no effect. – Joel B Jan 27 '14 at 15:34
  • If I attempt to "telnet localhost 443" on the local server, I get a message saying that 'Connecting to localhost... Could not open connection to the host, on port: 443: Connection failed'. This makes me think it is some configuration setting somewhere on the server that is the issue. – Joel B Jan 27 '14 at 15:41
  • Oh, I'd expected you to check that the server is running locally before posting. If the server is not running on port 443 you will not be able to connect to it, for sure :) – Steffen Ullrich Jan 27 '14 at 15:53
  • I double checked things, and sure enough, I had reverted IIS to show the old version of the site. I switched it back around, and I get the following results on the server: telnet localhost 80: works. telnet localhost 443: works. telnet [ip address] 80: works. telnet [ip address] 443: Could not open connection to the host, on port 443: Connection failed. – Joel B Jan 27 '14 at 15:59
  • Another note: If I run "netsh firewall show state", port 443 is listed under the "Ports currently open on all network interfaces", and is open for TCP traffic. – Joel B Jan 27 '14 at 16:12
  • Did you try 'telnet [ip address]:443' on the IIS machine itself or from a remote machine? If you tried it on the server itself and it failed, then IIS is listening on port 443 on localhost, but not on the other IP. If it's from the remote machine, make sure that there are no other routers/firewalls in between. – Steffen Ullrich Jan 27 '14 at 17:18
  • I did the "telnet [ip address] 443" on the IIS machine. It fails to connect. When I do a "netstat -ano" I can see that the server is indeed listening on port 443. – Joel B Jan 27 '14 at 17:46
  • Is it listening on all IPs (0.0.0.0) or only on a selected IP? – Steffen Ullrich Jan 27 '14 at 17:48
  • Hm, looks fine. But am I wrong or is the local address for the machine 172.31.44.19 different from the address of the https server you try to reach in the initial wireshark dump? There is the source 172.31.44.19 (e.g. the machine where your webserver is running on according to netstat) but the server is expected at 54.213.163.113. – Steffen Ullrich Jan 27 '14 at 18:33
  • As it turned out, everything was fine - it was an Amazon EC2 setting that was disallowing traffic on port 443. This explains why no matter what I was doing, it still wasn't working. – Joel B Jan 28 '14 at 19:31
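The thread above converges on a three-step isolation test: connect to the listener on localhost, then on the server's own NIC address, then on the public address from outside, and let the combination of outcomes say where the block is. The script below is an added example written for this page, not code from either participant. It distinguishes the cases that `telnet` collapses into one "Could not open connection" message: a completed handshake, an RST (nothing bound there), and a silent timeout (the signature of a firewall or cloud security group dropping SYNs). The addresses in the `__main__` block are the ones quoted in the comments (172.31.44.19 and 54.213.163.113) and are placeholders to be replaced with your own; `open_local_listener` exists only so the logic can be exercised without a real web server.

```python
import socket

# Outcome codes for a single TCP connect attempt.
OPEN, REFUSED, TIMEOUT, UNREACHABLE = "open", "refused", "timeout", "unreachable"


def probe(host, port, timeout=3.0):
    """Try one TCP handshake to host:port and classify what came back.

    "open"        - handshake completed: something is listening and reachable
    "refused"     - host answered with RST: reachable, but nothing bound there
    "timeout"     - no answer at all: typical of a firewall or security group
                    silently dropping the packets
    "unreachable" - the OS could not even route to the host
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return OPEN
    except socket.timeout:
        return TIMEOUT
    except ConnectionRefusedError:
        return REFUSED
    except OSError:
        return UNREACHABLE
    finally:
        sock.close()


def diagnose(loopback, local_ip, public_ip):
    """Combine three probe results into the most likely cause.

    loopback  - probe of 127.0.0.1 run on the server itself
    local_ip  - probe of the server's NIC address, run on the server itself
    public_ip - probe of the public address, run from an outside client
    """
    if loopback != OPEN:
        return "NOT_LISTENING"      # fix the IIS https binding / site state first
    if local_ip == REFUSED:
        return "LOOPBACK_ONLY"      # binding is tied to 127.0.0.1, not the NIC address
    if public_ip == OPEN:
        return "OK"
    if public_ip == TIMEOUT:
        return "FILTERED_UPSTREAM"  # host firewall, router, or cloud security group dropping SYNs
    return "INCONCLUSIVE"


def open_local_listener():
    """Start a throwaway listener on 127.0.0.1 (ephemeral port) so the probe
    logic can be exercised offline. Returns (socket, port); close the socket
    when done."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Placeholder addresses taken from the comments above; substitute your own.
    LOCAL_IP = "172.31.44.19"     # the server's private NIC address
    PUBLIC_IP = "54.213.163.113"  # the address clients connect to
    results = (probe("127.0.0.1", 443), probe(LOCAL_IP, 443), probe(PUBLIC_IP, 443))
    print(results, "->", diagnose(*results))
```

Run the first two probes on the server and the third from a machine outside its network, then feed all three to `diagnose`. The pattern the asker eventually hit, open on loopback and on the NIC address but a timeout on the public address, is reported as `FILTERED_UPSTREAM`, which points away from IIS and toward whatever sits between the two networks.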
This took a bit of digging, but I finally figured it out.

It would appear that, by default, https access to an Amazon EC2 instance is blocked. This explains why it didn't matter what I did in IIS, it wouldn't work. This would also explain why having the correct binding, having the proper ports open on the firewall, and anything else I tried didn't work. It had to do with Amazon, and how they've got things configured on their end.

To enable traffic on port 443, I did the following:

  1. In the Amazon web console (https://console.aws.amazon.com/ec2), click on the Security Groups link on the left
  2. Under the security group that your instance is running, set up a new Inbound rule to allow HTTPS traffic from any IP.
  3. Set up a new Outbound rule to allow HTTPS traffic to any IP.

It wasn't necessary to delete/recreate/restart the instance. As soon as I applied the rules, I tried hitting the https site in my browser on my local machine, and it worked.

Steffen, thanks for the help.

(Related: HTTPS setup in Amazon EC2)

Joel B
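The accepted fix is a security group change, and the reason the https request timed out rather than being refused is that EC2 security groups are allow-only: any traffic no rule matches is silently dropped. The script below is an added example, not the answerer's code or anything from AWS; it evaluates a group in the JSON shape that `aws ec2 describe-security-groups` returns against a given protocol, port and client address, and adds the inbound rule from step 2 in memory (the same change the real `aws ec2 authorize-security-group-ingress --protocol tcp --port 443 --cidr 0.0.0.0/0` command makes). The group id and the admin CIDR in `SAMPLE_GROUP` are constructed for this example.

```python
import copy
import ipaddress

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# The group id and the 203.0.113.0/24 admin range are invented; the group
# allows plain HTTP from anywhere and RDP only from the admin range, and has
# no rule for 443, which is the state the asker started from.
SAMPLE_GROUP = {
    "GroupId": "sg-0example0000000000",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}


def _rule_matches(perm, proto, port, addr):
    """Does one IpPermissions entry cover this protocol/port for this address?"""
    rule_proto = perm.get("IpProtocol")
    if rule_proto != "-1":                      # "-1" means every protocol and port
        if rule_proto != proto:
            return False
        if not perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535):
            return False
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    # An IPv6 address is never "in" an IPv4 network and vice versa.
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def is_allowed(group, proto, port, ip, direction="ingress"):
    """Security-group semantics: rules are allow-only, so one match permits the
    traffic and no match means it is dropped without a reply (seen by the
    client as a timeout, not a refused connection)."""
    key = "IpPermissions" if direction == "ingress" else "IpPermissionsEgress"
    addr = ipaddress.ip_address(ip)
    return any(_rule_matches(p, proto, port, addr) for p in group.get(key, []))


def with_ingress(group, proto, port, cidr):
    """Return a copy of the group with one extra inbound rule, the in-memory
    equivalent of `aws ec2 authorize-security-group-ingress`."""
    new = copy.deepcopy(group)
    net = ipaddress.ip_network(cidr)
    rule = {"IpProtocol": proto, "FromPort": port, "ToPort": port,
            "IpRanges": [], "Ipv6Ranges": []}
    if net.version == 6:
        rule["Ipv6Ranges"].append({"CidrIpv6": str(net)})
    else:
        rule["IpRanges"].append({"CidrIp": str(net)})
    new["IpPermissions"].append(rule)
    return new


def check_https(group, client_ip):
    """Verdict for TCP/443 in both directions for one client address."""
    return {
        "ingress_443": is_allowed(group, "tcp", 443, client_ip, "ingress"),
        "egress_443": is_allowed(group, "tcp", 443, client_ip, "egress"),
    }


if __name__ == "__main__":
    client = "198.51.100.7"   # constructed outside client address
    print("before:", check_https(SAMPLE_GROUP, client))
    fixed = with_ingress(SAMPLE_GROUP, "tcp", 443, "0.0.0.0/0")
    print("after: ", check_https(fixed, client))
```

Two points worth keeping in mind when applying the answer's steps. Security groups are stateful: once an inbound connection is allowed, its return traffic is permitted regardless of the egress rules, so step 2 is the change that unblocks the site and step 3 is harmless but not required. And while 0.0.0.0/0 on 443 is the normal setting for a public web server, the same sample shows why management ports such as 3389 should stay restricted to a known range rather than being opened the same way.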