I can't access https://mydomain from external network but it's OK from local


#1

Hi everyone

My domain is: pianziwulai.com

I have installed a certificate for the domain on a VPS. Everything is OK.
I can see that port 443 is listening.
I can telnet pianziwulai.com 443 from the VPS itself.
I can curl https://pianziwulai.com from the VPS itself.
But I can’t run the above commands successfully from an external network (such as another VPS or my PC).

My web server is (include version): Apache/2.2.15 (Unix)

The operating system my web server runs on is (include version): CentOS release 6.10 (Final)

My hosting provider, if applicable, is: VULTR

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

Certbot is friendly to use; it can even recognize all my existing virtual hosting configurations and add the SSL configuration automatically. Nice work!


#2

Hi @wildlily980,

You might have a host firewall (like ufw) or a network firewall (where VULTR might require you to specify in a control panel which TCP ports you want to allow to connect to your VPS from the Internet).


#3

Hi Schoen
I thought so too, but the VULTR support team says they don’t block port 443.
I think they might be right, because they only provide a bare VPS, no control panel at all, so I’m stuck here.
I don’t have ufw:
[root@XXX ~]# ufw
-bash: ufw: command not found
No special iptables rules:
[root@XXX ~]# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination


#4

I’m sure it’s a firewall… I ran a packet sniffer and tried to connect to your HTTPS service.

What came back (which applications normally don’t explicitly break out for you) is an ICMP code 10, administratively prohibited. By contrast, connecting to an unfirewalled closed port would instead give a TCP packet with RST,ACK flags. So we’re not reaching your host and encountering a closed port, but rather getting a firewall rejection.


#5

Oh, in fact we can see the reason from the iptables rules that you posted above.

Notice that you only ACCEPT tcp dpt:ssh and tcp dpt:http, not tcp dpt:https. So your REJECT all applies to dpt:https by default and forbids incoming HTTPS connections!


#6

Thank you for pointing that out. I’m a newbie with iptables; the iptables rules are the default settings, which I have never changed. I am wondering why SSL connections are denied by default.
However, is there any iptables command you can share with me to fix this problem?


#7

iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
This is the command I used and it works.
Thank you Schoen
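As an added illustration (my example, not code from the thread) of the diagnosis in #5 and of what an `iptables -I INPUT 1 ...` insert like the one in #7 does once it targets port 443, the script below replays iptables' first-match evaluation over a constructed copy of the stock CentOS 6 INPUT chain in `iptables -S` form. It assumes the public interface is called eth0 and shows why a new HTTPS connection from outside lands on the REJECT rule while the same request from the VPS itself is accepted by the `-i lo` rule, which `iptables --list` prints as a bare "ACCEPT all" because -L omits interfaces unless you also pass -v.

```shell
#!/bin/sh
# Added example: replay iptables first-match evaluation for a new inbound TCP SYN.
# Rule text is in the form printed by `iptables -S INPUT`. STOCK_INPUT is a constructed
# copy of the stock CentOS 6 INPUT chain plus the thread's port-80 rule; the `-i lo` line
# is the rule that `iptables --list` shows as a bare "ACCEPT all" (no -v, no interface).
STOCK_INPUT='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# verdict RULES IFACE DPORT: print the target of the first -A rule that matches a fresh
# TCP SYN to DPORT arriving on IFACE, or the chain policy (-P) if no rule matches.
verdict() {
    printf '%s\n' "$1" | awk -v iface="$2" -v dport="$3" '
        $1 == "-P" { policy = $3; next }
        $1 != "-A" { next }
        {
            ok = 1; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-p" && $(i + 1) != "tcp") ok = 0
                if ($i == "-i" && $(i + 1) != iface) ok = 0
                if ($i == "--dport" && $(i + 1) != dport) ok = 0
                # a fresh SYN is conntrack state NEW only, so RELATED,ESTABLISHED never matches it
                if ($i == "--state" && $(i + 1) !~ /NEW/) ok = 0
                if ($i == "-j") target = $(i + 1)
            }
            if (ok) { print target; found = 1; exit }
        }
        END { if (!found) print policy }'
}

# with_https_rule RULES: the effect of `iptables -I INPUT 1 -p tcp -m state --state NEW
# -m tcp --dport 443 -j ACCEPT`; the new -A line goes first (verdict reads -P anywhere).
with_https_rule() {
    printf '%s\n%s\n' '-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT' "$1"
}

main() {
    echo "https from eth0, stock rules: $(verdict "$STOCK_INPUT" eth0 443)"   # REJECT
    echo "http  from eth0, stock rules: $(verdict "$STOCK_INPUT" eth0 80)"    # ACCEPT
    echo "https via lo,    stock rules: $(verdict "$STOCK_INPUT" lo 443)"     # ACCEPT
    echo "https from eth0, after fix:   $(verdict "$(with_https_rule "$STOCK_INPUT")" eth0 443)"  # ACCEPT
}
main "$@"
```

The REJECT verdict is what produces the ICMP "administratively prohibited" seen in #4; on a real host, compare against `iptables -S INPUT` rather than `iptables --list` so the interface matchers are visible.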

