Debugging https issues

I’m running into some issues debugging my https setup.

Here’s the config section:

## Server config
play.server.https {
	port = 9443
	keyStore.path = "public/server.p12"
}

This results in the keystore being loaded, or so it seems, so that’s good.

When I attempt to make a curl POST request (a request which currently works with normal http) I get the following verbose output:

* STATE: INIT => CONNECT handle 0x600057950; line 1404 (connection #-5000)
* Added connection 0. The cache now contains 1 members
* STATE: CONNECT => WAITRESOLVE handle 0x600057950; line 1440 (connection #0)
*   Trying ::1...
* TCP_NODELAY set
* STATE: WAITRESOLVE => WAITCONNECT handle 0x600057950; line 1521 (connection #0)
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (::1) port 9443 (#0)
* STATE: WAITCONNECT => SENDPROTOCONNECT handle 0x600057950; line 1573 (connection #0)
* Marked for [keep alive]: HTTP default
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
  CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* STATE: SENDPROTOCONNECT => PROTOCONNECT handle 0x600057950; line 1587 (connection #0)
* error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
* Marked for [closure]: Failed HTTPS connection
* multi_done
* stopped the pause stream!
* Closing connection 0
* The cache now contains 0 members
* Expire cleared
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

and this in the server output:

[warn] a.a.ActorSystemImpl - Illegal request, responding with status '400 Bad Request': Unsupported HTTP method: HTTP method too long (started with ' $QX]ᅰ'). Increase `akka.http.server.parsing.max-method-length` to support HTTP methods with more characters.

When I send a wget to http://localhost:9443 I get:

--2018-03-22 09:50:30--  http://localhost:9443/
Resolving localhost (localhost)... ::1, 127.0.0.1
Connecting to localhost (localhost)|::1|:9443... connected.
HTTP request sent, awaiting response... 404 Not Found
2018-03-22 09:50:30 ERROR 404: Not Found.

I’m afraid I’m at a bit of a loss on this. Can anyone help?

You mention that you get this error with a curl POST request. Does that mean you don’t see the error if you make a GET request?

If you’re debugging HTTPS you can also try typing your own HTTP request using OpenSSL’s client. See https://www.feistyduck.com/library/openssl-cookbook/online/ch-testing-with-openssl.html.

No, GET requests do the same thing. It’s just that my login is a POST and it’s the easiest one to curl.

I tried doing this with the openssl client:

openssl s_client -connect localhost:9443

and got this:

CONNECTED(00000003)
4294956672:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:827:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 308 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1521751745
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

So it’s failing from the very beginning.
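The curl and openssl output above share one detail worth reading closely: `SSL23_GET_SERVER_HELLO:unknown protocol` is what OpenSSL reports when the very first bytes it reads back from the server are not a TLS record, and `SSL handshake has read 7 bytes` shows the server did answer something. Combined with the Akka log line (the server tried to parse the ClientHello as an HTTP request method) and the plain-HTTP 404 from wget, the evidence says port 9443 is serving plaintext HTTP, not TLS. The following script, added here as an example and not code from the thread or from Play, makes that check explicit: it builds a genuine ClientHello offline with Python's `ssl.MemoryBIO`, sends it to a host and port, and classifies the first bytes that come back as a TLS record, a plaintext HTTP response, or something else. The sample replies embedded in it are constructed for illustration; `probe`, `build_client_hello` and `classify_reply` are names chosen for this example.

```python
import socket
import ssl
import sys

# Constructed sample replies (not captured from the thread): the start of a
# TLS ServerHello record, and a plaintext HTTP 400 such as a web server
# returns when it mistakes a ClientHello for an HTTP request.
SAMPLE_TLS_SERVER_HELLO = bytes.fromhex("160303004a020000460303")
SAMPLE_PLAINTEXT_HTTP_REPLY = b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"

TLS_CONTENT_HANDSHAKE = 0x16  # first byte of every TLS handshake record
TLS_CONTENT_ALERT = 0x15      # a TLS server may also answer with an alert


def build_client_hello(server_name: str) -> bytes:
    """Return a real TLS ClientHello without opening a network connection.

    ssl.MemoryBIO drives the handshake state machine in memory: do_handshake()
    writes the ClientHello into the outgoing BIO and then raises
    SSLWantReadError because no ServerHello has been fed back yet.
    """
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass
    return outgoing.read()


def classify_reply(data: bytes) -> str:
    """Classify the first bytes a server sends back after a ClientHello."""
    if not data:
        return "empty"  # server closed the connection without answering
    # A TLS record starts with a content type byte followed by version 0x03xx.
    if len(data) >= 3 and data[0] in (TLS_CONTENT_HANDSHAKE, TLS_CONTENT_ALERT) and data[1] == 0x03:
        return "tls"
    # A plaintext HTTP/1.x server answers a response status line.
    if data.startswith(b"HTTP/"):
        return "plaintext-http"
    return "unknown"


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Send a ClientHello to host:port and report what the listener speaks."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            return "timeout"  # e.g. a server waiting for more HTTP headers
    return classify_reply(reply)


if __name__ == "__main__":
    # Usage: python probe_tls.py localhost 9443
    host, port = sys.argv[1], int(sys.argv[2])
    print(f"{host}:{port} -> {probe(host, port)}")
```

A verdict of `plaintext-http` on the port you expect to be HTTPS means the TLS listener was never configured or bound on that port, which is a configuration problem rather than a certificate or cipher problem; only once `probe` reports `tls` is it worth looking at keystore contents or trust settings with `openssl s_client`.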

I have some further info:

When I run my project:

sbt "run -Dconfig.resource=local.conf" -jvm-debug 9990

I do not get confirmation that the application is listening on port 9443, even though it is in the application.conf.

If I run it:

sbt "run -Dconfig.resource=local.conf -Dhttps.port=9443" -jvm-debug 9990

then I do get confirmation that the application is listening on port 9443, and now I get different errors when attempting to curl into it.

Is the application.conf configuration not enough to run the application in https mode?

You need to specify HTTPS port explicitly. There’s an example project showing Play with HTTPS that may help:

So what is the purpose of this section of application.conf?

play.server.https {
	port = 9443
	keyStore.path = "public/server.p12"
}

Good question! I discussed some quirks of configuration in another topic: