
So I inherited a Node.js app which I am running on a Vagrant box.

I have the app binding to "0.0.0.0", and it has its own server.key and certs in the securekey folder.

var https = require('https');
var fs = require('fs');

// Key, certificate and CA bundle shipped with the app in ./securekey
var ssl_options = {
    key: fs.readFileSync('./securekey/server.key'),
    cert: fs.readFileSync('./securekey/server.crt'),
    ca: fs.readFileSync('./securekey/ca.crt')
};

// `app` is the request handler (Express/Connect) defined elsewhere in the project.
// Bind to every interface so the Vagrant port forward can reach it.
https.createServer(ssl_options, app).listen(3001, '0.0.0.0');

When I run the app, I expected to be able to access it on my Windows (Vagrant is running on my Windows PC) browser via the URL https://localhost:3001

But I get "Secure Connection Failed" on Mozilla.

I did try this on my Windows PC using Cygwin:

$ openssl s_client -host 127.0.0.1 -port 3001
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 316 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1461923745
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

And

$ curl -v -k 'https://localhost:3001'
* STATE: INIT => CONNECT handle 0x6000574a0; line 1103 (connection #-5000)
* Rebuilt URL to: https://localhost:3001/
* Added connection 0. The cache now contains 1 members
*   Trying 127.0.0.1...
* STATE: CONNECT => WAITCONNECT handle 0x6000574a0; line 1156 (connection #0)
* Connected to localhost (127.0.0.1) port 3001 (#0)
* STATE: WAITCONNECT => SENDPROTOCONNECT handle 0x6000574a0; line 1253 (connection #0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* STATE: SENDPROTOCONNECT => PROTOCONNECT handle 0x6000574a0; line 1267 (connection #0)
* Unknown SSL protocol error in connection to localhost:3001
* Curl_done
* Closing connection 0
* The cache now contains 0 members
curl: (35) Unknown SSL protocol error in connection to localhost:3001

But these commands are returning successful connections when run on the Vagrant vm terminal!

What do I need to do to get my Windows PC/browser to accept the app's certificates so that I can access the app from Mozilla Firefox? Since it already has server.key and certs, surely I do not need to generate my own keys again for the app to use?

EDIT: Here is my Vagrant file:

Vagrant.configure(2) do |config|
  config.vm.box = "centos7"
  config.vm.network "forwarded_port", guest: 3000, host: 3000, auto_correct: true
  config.vm.network "forwarded_port", guest: 3001, host: 3001, auto_correct: true
end

I've only got the port forwarding configs; the rest are default.

And when the app is running on Vagrant, netstat shows that the port is listening for connections:

$ netstat -an | grep 3001
  TCP    0.0.0.0:3001           0.0.0.0:0              LISTENING

And when I access https://localhost:3001 on the browser, I see this:

$ netstat -an | grep 3001
  TCP    0.0.0.0:3001           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:3001         127.0.0.1:49651        ESTABLISHED
  TCP    127.0.0.1:49651        127.0.0.1:3001         ESTABLISHED

Seems like the port connections are fine, but the VM is not able to return data.

evkwan

2 Answers


After much digging around I stumbled upon this comment: https://unix.stackexchange.com/a/255404

Because I was on CentOS 7, disabling firewalld did the trick for me. I didn't realize the change. In a sense, the note from joelnb to check iptables in his answer comments is the right direction (thanks!). Do check your OS's firewall and try disabling it to see if it helps with the issue. If yes, then you can proceed to configure a rule for the port if you wish.

For CentOS 7, to open a port on firewalld: centos 7 - open firewall port

I hope this helps somebody.

evkwan
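The two things this thread turns on are telling a firewall/port-forward failure apart from a certificate problem, and opening the one port on firewalld rather than switching the firewall off. The following POSIX sh script is an added example, not code from the question or either answer. It assumes the host and port from the thread (127.0.0.1, 3001) and the standard `openssl s_client` and `firewall-cmd` command lines; `write:errno=104` in the question's transcript is ECONNRESET, meaning TCP connected but the other side tore the connection down before any TLS bytes came back, which is why no certificate was ever seen and the trailing "Verify return code: 0 (ok)" line means nothing there.

```shell
#!/bin/sh
# Added example, not from the original thread. Two helpers:
#   classify_s_client  - read an `openssl s_client` transcript on stdin and
#                        say which layer failed (TCP/firewall vs TLS/cert).
#   firewalld_open_port - CentOS 7: open only the needed TCP port in firewalld
#                        instead of disabling the service.
# Host/port values are the ones from the question; anything else is a placeholder.

# Prints one word: reset, refused, tls-error, ok, or untrusted.
classify_s_client() {
  out=$(cat)
  if printf '%s\n' "$out" | grep -qF 'errno=104'; then
    # ECONNRESET: TCP accepted, then reset before the handshake produced
    # anything. Typical of a port forwarder whose backend is firewalled.
    echo reset
  elif printf '%s\n' "$out" | grep -qF -e 'errno=111' -e 'Connection refused'; then
    echo refused      # nothing listening, or no port forward at all
  elif printf '%s\n' "$out" | grep -qF 'no peer certificate available'; then
    echo tls-error    # connected, but the handshake failed for another reason
  elif printf '%s\n' "$out" | grep -qF 'Verify return code: 0 (ok)'; then
    echo ok           # handshake done and the chain verified
  else
    echo untrusted    # handshake done, chain did not verify (e.g. self-signed)
  fi
}

# Probe host:port the way the question did. Pass the app's own ca.crt as the
# third argument to verify against it instead of the system CA store.
probe() {
  host=$1; port=$2; cafile=$3
  if [ -n "$cafile" ]; then
    openssl s_client -connect "$host:$port" -CAfile "$cafile" </dev/null 2>&1 | classify_s_client
  else
    openssl s_client -connect "$host:$port" </dev/null 2>&1 | classify_s_client
  fi
}

# CentOS 7 / firewalld: allow one TCP port permanently and apply it now.
firewalld_open_port() {
  port=$1
  sudo firewall-cmd --state || return 1          # "running" if firewalld is up
  sudo firewall-cmd --permanent --add-port="$port/tcp"
  sudo firewall-cmd --reload
  sudo firewall-cmd --list-ports                 # should now list 3001/tcp
}

# Constructed sample: the question's transcript, trimmed to the telling lines.
SAMPLE_RESET='CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
    Verify return code: 0 (ok)'

# Usage:
#   sh probe.sh probe 127.0.0.1 3001 ./securekey/ca.crt
#   sh probe.sh open 3001          (run inside the CentOS 7 guest)
case "${1:-}" in
  probe) probe "$2" "$3" "$4" ;;
  open)  firewalld_open_port "$2" ;;
esac
```

Run `probe` from the Windows side first: `reset` or `refused` means the guest firewall or the Vagrant forward is the problem and no amount of certificate work will help; only `untrusted` is the point at which importing `ca.crt` into the browser's trust store matters.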

I suspect that you don't have the port forward set up in your Vagrantfile, because I get that exact error if I don't / if nothing is listening on that port. Does your Vagrantfile look like the following? The forwarded_port part is the important bit.

Vagrant.configure(2) do |config|
  config.vm.box = "ubuntu/trusty64"
  config.vm.network "forwarded_port", guest: 3001, host: 3001
end

Otherwise could you please post your Vagrantfile and I will revise my answer.

joelnb
  • Hi, I've added my Vagrant file. I forwarded both port 3000 and 3001, but currently only using 3001 for SSL. – evkwan Apr 29 '16 at 11:32
  • Okay, what is the output of `sudo iptables -L` in the VM? And also you may wish to check the output from `vagrant up` - because you have auto_correct on the ports it may assign different port if there is something else listening on 3001 (although this is less likely). – joelnb Apr 29 '16 at 11:42
  • Since I'm running the app for test only, I've actually disabled iptables on the vm. – evkwan Apr 29 '16 at 11:55
  • How have you done that? With something like `sudo iptables -P INPUT ACCEPT`? It definitely seems like no connection can be made to the app over that port (rather than any problem with the certs). – joelnb Apr 29 '16 at 12:01
  • I did this: `service iptables stop` when the machine starts. I didn't want iptables to be interfering with the connection. The interesting thing is netstat shows the port connection is established. I've updated the info in the summary above. – evkwan Apr 29 '16 at 15:04