Debugging mod_ssl Timeouts


This afternoon I was treated to one of those fantastic little debugging sessions that make us all realize why computers are sometimes so utterly exasperating. I have been wanting to get SSL working on the virtual server that I run Movable Type on since I switched at the first of the year. With SSL, my MT passwords are protected when I'm out and about and blogging. I was anxious to get it working because I'll be at ETCon next week and using the Wi-Fi to log in.

I had installed mod_ssl long ago, but never really configured it, so I followed the instructions and...no joy. I could see the port in netstat, so I knew that the server was listening on 443. I set the LogLevel to "debug" and saw that the certificates were being read and the server was starting up without a hiccup. Yet, "curl https://dev.windley.net" wouldn't return. It would just time out. Figuring that I must have something misconfigured, I googled everything I could find and rearranged the configuration file a dozen times. Still no joy.

Finally, I solved the problem. Something I saw as I was googling for an answer mentioned firewalls in a completely different context and I thought "I wonder if port 443 is open?" Sure enough, running curl on the local machine returned the document right away. So after a short visit to iptables, I was up and running.

Interestingly, accessing port 443 when it's shielded by the firewall is different from port 443 just not being configured. If a port isn't configured, curl and other HTTP clients return immediately with a "socket error." But if the port is configured but shielded by the firewall, the HTTP client keeps trying to connect until it times out (errno=60). I'm not sure I understand this behavior, but it's part of what confused me. I was sure that curl was seeing the SSL server, but having trouble with the handshake.

In any event, the SSL server is configured and things seem to be working fine, so let me know if you see something strange. Moral of the story: always try connecting from the local machine as one of the first steps when something doesn't work.
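The two symptoms described above (an immediate "socket error" versus a long hang ending in errno 60) and the moral about testing from the local machine first can be turned into one small diagnostic. The distinction comes from TCP itself: a port with nothing listening answers the SYN with a RST, so the client fails at once with "connection refused", while a firewall DROP rule discards the SYN silently, so the client retransmits until it gives up with ETIMEDOUT (errno 60 on macOS/BSD, 110 on Linux). The script below is an added example, not code from the original post; it assumes a hypothetical hostname placeholder and a port of 443, and it only connects to hosts you supply.

```python
import errno
import socket
import ssl

def classify_tcp_connect(host, port, timeout=5.0):
    """Try a plain TCP connect and report what the operating system told us.

    Returns one of:
      "open"        three-way handshake completed: something is listening
      "refused"     RST came straight back: nothing listening, no firewall drop
      "timeout"     no answer before `timeout` seconds: the classic sign of a
                    firewall rule silently dropping the SYN
      "unreachable" routing error (no route to host / network down)
      "unresolved"  name lookup failed
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        return "unresolved"
    except socket.timeout:            # alias of TimeoutError on Python 3.10+
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as e:              # remaining errors, mapped by errno
        if e.errno == errno.ETIMEDOUT:
            return "timeout"
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise

def tls_handshake_ok(host, port=443, timeout=5.0):
    """Once TCP is reachable, check that the TLS handshake itself completes.

    Returns (True, negotiated protocol version) or (False, error text).
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.version()
    except OSError as e:              # ssl.SSLError is an OSError subclass
        return False, str(e)

def interpret(local, remote):
    """Combine the loopback result with the public-name result into a verdict."""
    if local == "open" and remote == "timeout":
        return ("server is listening locally but outside packets are dropped: "
                "check the firewall (iptables) rule for the port")
    if local == "open" and remote == "refused":
        return ("reachable but refused from outside: the listener is probably "
                "bound to 127.0.0.1 only, or a firewall REJECT rule is in place")
    if local == "refused":
        return "nothing is listening on the port: check the server configuration"
    if local == "open" and remote == "open":
        return "TCP is fine both ways; if clients still fail, look at the TLS handshake"
    return "local=%s remote=%s: check routing and name resolution" % (local, remote)

def diagnose(hostname, port=443, timeout=5.0):
    """The post's lesson as a procedure: test from loopback first, then via
    the public name, and explain the combination of outcomes."""
    local = classify_tcp_connect("127.0.0.1", port, timeout)
    remote = classify_tcp_connect(hostname, port, timeout)
    return {"local": local, "remote": remote, "verdict": interpret(local, remote)}

if __name__ == "__main__":
    # Hypothetical placeholder hostname; replace with the server under test.
    HOST = "www.example.invalid"
    result = diagnose(HOST)
    print(result)
    if result["remote"] == "open":
        print("TLS:", tls_handshake_ok(HOST))
```

Run it on the server and again from another machine: a `local` of "open" paired with a `remote` of "timeout" is exactly the firewall case in the post, and `tls_handshake_ok` separates a reachable-but-misconfigured mod_ssl from a port that packets never reach.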