
I am currently having some problems at work with our website served over SSL on port 443. I found this website that checks the status of your server, and it says that 443 is closed.

Port 443 is closed on xx.xxx.xx.xxx.

I have tried everything and I don't know what I am doing wrong.

netstat shows this:

sudo netstat -anltp | grep LISTEN

tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8081            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN

And

netstat -nap | grep 443
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      27898/nginx
tcp        1      0 127.0.0.1:34371         127.0.0.1:443           CLOSE_WAIT  25998/openssl

nginx is supposed to be listening on that port, right?

Looks that way, because if I use an openssl client I get:

openssl s_client -connect 127.0.0.1:443
CONNECTED(00000003)

But when I try to reach my server from the outside on port 443 I get a connection timeout:

openssl s_client -connect xx.xx.xx.xx:443
connect: Connection timed out
connect:errno=110

And here are the iptables rules:

sudo iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https

Chain ufw-after-forward (0 references)
target     prot opt source               destination

Chain ufw-after-input (0 references)
target     prot opt source               destination

Chain ufw-after-logging-forward (0 references)
target     prot opt source               destination

Chain ufw-after-logging-input (0 references)
target     prot opt source               destination

Chain ufw-after-logging-output (0 references)
target     prot opt source               destination

Chain ufw-after-output (0 references)
target     prot opt source               destination

Chain ufw-before-forward (0 references)
target     prot opt source               destination

Chain ufw-before-input (0 references)
target     prot opt source               destination

Chain ufw-before-logging-forward (0 references)
target     prot opt source               destination

Chain ufw-before-logging-input (0 references)
target     prot opt source               destination

Chain ufw-before-logging-output (0 references)
target     prot opt source               destination

Chain ufw-before-output (0 references)
target     prot opt source               destination

Chain ufw-reject-forward (0 references)
target     prot opt source               destination

Chain ufw-reject-input (0 references)
target     prot opt source               destination

Chain ufw-reject-output (0 references)
target     prot opt source               destination

Chain ufw-track-input (0 references)
target     prot opt source               destination

Chain ufw-track-output (0 references)
target     prot opt source               destination

Any suggestion would be appreciated.

Thank you.

UPDATE: I forgot to mention that no firewall is actually running:

ufw status
Status: inactive
Jotaeme

2 Answers


Some checks first:

  • Is your server behind a firewall? The port may be closed due to firewall configuration.
  • Only the root user can bind to port 443 (and other low ports). Is your server started with the right privileges? (It is usual to configure it to run under its own user; nevertheless it needs to be started by the root user.)

P.S. Given your edit (nginx is listening on port 443), it looks like a firewall problem. Note that there are two types of firewalls: internal (running on your server) and external (running on another machine that controls the network access of your server). Your update only shows that there is no internal firewall.

  • I sent by mistake before I finished the previous msg, sorry -.- I forgot to point out that no firewall is running on that server. And I'll check the privileges of the server. It runs as www-data I think – Jotaeme Oct 19 '16 at 13:53
  • @Jotaeme: No need to apologize. It is always good to improve questions by editing them. –  Oct 19 '16 at 13:54
  • @Jotaeme, I'm willing to bet there is some firewall between the web site you used to check and your server. Any business that doesn't have its network protected by a firewall is not going to be in business for very long. It is also a strong possibility that you have NAT in there, too. You probably need to open the port on the firewall, and forward it on any NAT. – Ron Maupin Oct 19 '16 at 14:32
  • @jknappen, we just got that cloud server and the apps that are running over Nginx on 80 are OK. I've been looking for a firewall but there isn't one, and ufw seems to be disabled. – Jotaeme Oct 19 '16 at 15:11

If you are using some hosting service like Amazon Web Services that provides a front-end UI, search for the security groups that apply to your running node instance.

In my case I just needed to add a 443 exception to the allowed services and that was all.

Viter Rod
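As an added example (not code from either answer or from the question), a small POSIX sh helper that encodes the triage both answers describe: first decide from netstat output whether the port is bound to all interfaces, to loopback only, or not at all; then combine that with the local TLS check, the result of the outside connect (a timeout means packets are being dropped somewhere, a refusal means a host was reached but nothing answered) and the host-firewall state to point at the host, the host firewall, or an upstream filter such as a cloud security group or NAT. The function names and the sample netstat lines are constructed for this example.

```shell
#!/bin/sh
# Constructed sample in `netstat -anltp` format, mirroring the question's output.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/nginx
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      27898/nginx
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      2222/mysqld'

# listen_scope PORT NETSTAT_OUTPUT -> prints "all", "local" or "none".
# "local" means bound to loopback only: works via 127.0.0.1, never from the network.
listen_scope() {
  addr=$(printf '%s\n' "$2" | awk -v p="$1" '
    $6 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) { print $4; exit } }')
  case "$addr" in
    '')           echo none ;;
    127.*|::1:*)  echo local ;;
    *)            echo all ;;
  esac
}

# diagnose SCOPE LOCAL_TLS EXTERNAL HOST_FW -> one-line verdict.
#   SCOPE     output of listen_scope
#   LOCAL_TLS ok|fail            from: openssl s_client -connect 127.0.0.1:443
#   EXTERNAL  ok|timeout|refused from the same connect made from outside
#   HOST_FW   active|inactive    from: ufw status (or a non-ACCEPT iptables policy)
diagnose() {
  case "$1:$2:$3:$4" in
    none:*)   echo "not-listening: check the nginx listen/ssl config and that it started with privilege to bind 443" ;;
    local:*)  echo "loopback-only: the listen directive binds 127.0.0.1; bind 0.0.0.0 or the public address" ;;
    all:fail:*) echo "tls-broken: socket accepts but the handshake fails locally; check ssl_certificate/ssl_certificate_key and the error log" ;;
    all:ok:ok:*) echo "reachable: the external checker's result is stale or wrong" ;;
    all:ok:refused:*) echo "wrong-host: a host answered with RST; NAT/port-forward points at another machine or port" ;;
    all:ok:timeout:active) echo "host-firewall: rules are active; confirm an ACCEPT for tcp dpt:443 in INPUT" ;;
    all:ok:timeout:inactive) echo "upstream-block: host is fine; open 443 in the cloud security group, provider firewall or NAT port-forward" ;;
    *) echo "unknown-input: $1 $2 $3 $4" ;;
  esac
}

# Live use on a host (commented out so the file loads without side effects):
#   scope=$(listen_scope 443 "$(netstat -anltp 2>/dev/null)")
#   diagnose "$scope" ok timeout inactive
```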