I have an API server (Debian Apache2) with OpenSSL installed and working. I also have a staging and production web server (also Debian Apache2, exactly the same spec - they are VM clones). All servers are on the same subnet. I can browse to the wsdl from my local machine on 443 successfully, and I can wget the wsdl successfully from my staging server on 443, but a wget from my production web server will not connect:

--2015-04-16 10:26:18--  https://www.example.com/index.php/api?wsdl
Resolving https://www.example.com (https://www.example.com)... XX.XX.XX.XX
Connecting to https://www.example.com (https://www.example.com)|XX.XX.XX.XX|:443... failed: Connection refused.

I can connect over https from a PHP nusoap client on staging no problem, but the same code on my production server returns:

wsdl error: HTTP ERROR: cURL ERROR: 7: couldn't connect to host
url: https://www.example.com/index.php/api?wsdl
content_type: 
http_code: 0
header_size: 0
request_size: 0
filetime: -1
ssl_verify_result: 0
redirect_count: 0
total_time: 5.272228
namelookup_time: 5.271805
connect_time: 0
pretransfer_time: 0
size_upload: 0
size_download: 0
speed_download: 0
speed_upload: 0
download_content_length: -1
upload_content_length: -1
starttransfer_time: 0
redirect_time: 0
certinfo: Array
primary_ip: XX.XX.XX.XX
primary_port: 443
local_ip: 
local_port: 0
redirect_url: 

An openssl s_client -connect from both web servers produces the same output.

After my production server returns connection refused, there are no new entries in the API server's error.log, therefore this must be a client issue.

Is there a Debian-specific/internal firewall config I may have inadvertently changed that would prevent the one client from connecting to a secure web server over HTTPS and not another?

jww
  • Could you check this question, I am not sure it would help? http://askubuntu.com/questions/30080/how-to-solve-connection-refused-errors-in-ssh-connection – a3.14_Infinity Apr 16 '15 at 09:46
  • Maybe locally you are able to connect, but from an external client it is not possible, because it could be that the firewall config might be the issue, as you are mentioning. Check this link too: http://stackoverflow.com/questions/2333400/what-can-be-the-reasons-of-connection-refused-errors – a3.14_Infinity Apr 16 '15 at 10:06
  • @gansai - thanks for the links, the problem is SSL, not SSH, and I'm not connecting from outside; in fact the servers are right next to each other on the same subnet. I'm not sure it's a firewall problem because `openssl s_client` connects to it fine, but `wget` does not – theonlydavewilliams Apr 16 '15 at 11:16

1 Answer

"Connection refused" usually indicates a failure to complete the initial TCP connection. Things to check include:

  • iptables, firewalls, hosts.deny

  • Is Apache listening on the interface/IP address the client is attempting to connect to?

  • Does wget or curl work from the local server when you use http://127.0.0.1/ but not http://THE-SERVER'S-PUBLIC-IP-ADDRESS/ ?

  • What do you see when you run wget with --debug and --verbose ?

Chad Clark
  • Yes, it turns out that this was a firewall issue; my network admin had not enabled port 443 to this server. The reason why the first client could connect via SSL is because another firewall rule was routing its traffic internally whereas the second one was resolving to the public IP. Both clients are now connecting. Thanks – theonlydavewilliams Apr 21 '15 at 11:23
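
An added example, not part of the original answer or comments: run from each client, it lists the addresses the hostname resolves to on that machine and classifies a bare TCP connect to port 443 (no TLS) as connected, refused or timed out, which separates firewall or listener problems from SSL ones. The function names are illustrative, and the default host is a placeholder.

```python
import errno
import socket
import sys

def classify_connect(ip, port, timeout=3.0):
    """Attempt a bare TCP connect (no TLS) and name the failure mode."""
    family = socket.AF_INET6 if ":" in ip else socket.AF_INET
    with socket.socket(family, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((ip, port))
            return "connected"   # TCP is fine; any remaining error is TLS/HTTP
        except ConnectionRefusedError:
            return "refused"     # RST: no listener, or a firewall REJECT rule
        except socket.timeout:
            return "timeout"     # silently dropped: firewall DROP or routing
        except OSError as exc:
            return "error:" + errno.errorcode.get(exc.errno, str(exc.errno))

def resolve(host, port):
    """Addresses this machine's resolver (hosts file, DNS) returns for host."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def probe(host, port=443):
    """Map every address the host resolves to onto its TCP connect result."""
    return {ip: classify_connect(ip, port) for ip in resolve(host, port)}

if __name__ == "__main__":
    # Placeholder default; pass the API server's hostname as the argument.
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    for ip, result in probe(host).items():
        print(f"{host} -> {ip}:443 {result}")
```

Comparing the output on two clients shows at once whether they resolve the name to different addresses and which of those addresses refuses the connection.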