SSL Connection Refused

[indexPlastic]

Hello,

 

I installed Plastic SCM Enterprise on a WIndows Server 2012.  I have confgured it to be able to use SSL, generated a CA certificate for the server, and believe I have opened the necessary ports on the firewall.  I can successfully connect to the server using standard TCP.  Also when I configure the server to use SSL, and "check connection" it makes it through to the server fine.  When I "Check credentials" it reports a connection, and that the credentials are valid.  When I try and create a repository, I get the following:

 

Unable to read data from the transport connection:  An existing connection was forcibly closed by the remote host.  Server: plastic://<server information>:<port>.  An existing connection was forcibly closed by the remote host.

 

Each firewall along the route is reporting as the connection being allowed through.  There are no events in the event log, and all signs point to the server operating correctly.

 

Why is Plastic rejecting connections which are attempting to create new repositories?

[manu]

Hi!

 

I think you are using the default 8087 port or you are using the 8088 without the ssl prefix.

 

From the command line, can you please try the following?

 

cm lrep ssl://<server name>:8088

 

Considering "8088" is the port you chose for SSL.

[indexPlastic]

After running the command I received:

A connection attempt failed because the connected party did not properly respond after a period of time or established connection failed because connected host has failed to respond <ip address>:8088 Server: ssl://<servername>:8088

[manu]

Hi,

 

that error complains about not being able to reach the server. Can you check the firewall rules? Sometimes, especially in windows server, you need to create a rule like the following one: 

 

Otherwise you get that network error.

 

 

[indexPlastic]

Confirmed, I have that exact rule in place, and am still receiving the error

[manu]

Do you have any antivirus that might be blocking the connection?

 

Is the 8088 port the one configured for SSL?

 

If the following command works from the server machine:

cm lrep ssl://localhost:8088

It has to be something not allowing the client connection from an external machine.

 

Notice that now the error is not "Unable to read data from the transport connection", now it's " the connected party did not properly respond after a period of time."

[indexPlastic]

Yes, 8088 is the TCP listening port for the SSL connection

 

No antivirus that would be blocking the connection is on the machine.

[manu]

Hi!

 

can you tell me if it's working from the server itself? The 

cm lrep ssl://localhost:8088

command I posted above.

 

Can you, temporally, disable the windows firewall (completely) from the client and also from the server machine and retry it?

[indexPlastic]

I turned off all three firewalls, and ran the command successfully, I turned back on the domain firewall, and ran the command successfully, when I turned on the private firewall, the command failed with the same error.

 

On the private firewall, I copied a replica of the rule you showed with a screenshot, and it is still blocking the connection.  Something about the private firewall rule is not configured correctly to allow the connection, are there other settings other than the Protocol/Ports which needs to be set?

[manu]

Ok, so now we know at least where the problem is.

 

You might be having a more restrictive rule overriding your particular rule.

You created an inbound rule in the server right? Can you check the details to verify it's enabled for the three profiles? This is how I have it in a W2012 server.

 

[indexPlastic]

Okay, so it is an inbound rule, and the rule is being applied to all three profiles, domain, private, and public.

 

I did find something under "Programs and Services" where the connection was being routed to a specific program "<PlasticSCM Path>\client.exe"

 

I have changed this setting to "All programs that meet the specified conditions"

 

The "cm lrep ssl://plasticscms.cloudapp.net:8088" command still runs successfully on the server with a result "There are no repositories in this server"

 

The "cm lrep ssl://plasticscms.cloudapp.net:8088" command now runs successfully from the client with a result "There are no repositories on this server"

 

However, using the client GUI trying to create a repository the error has changed back to:

 

Unable to read data from the transport connection:  An existing connection was forcibly closed by the remote host.  Server: plastic://<server path>:8088.  An existing connection was forcibly closed by the remote host.

 

The client is configured with an address of ssl://<serverpath>:8088

The "Use encryption (SSL)" box is checked

 

During configuration the testing the connection results in "Connected OK (UPWorkingMode)"

 

I notice when it attempts to create the repository, the address changes to plastic:// from ssl:// could this have something to do with it?

[manu]

Hi!

 

did you remove the "default" repository? I mean, does it make sense you don't have any repo? I usually see that error when the server can't create the default repo.

 

Which repository server address are you using? make sure it's using the SSL address like mine: 

 

You can alternatively use the command line for creating the new repo, it would be as follows:

cm mkrep myNewRepo ss://192.168.1.68:8088

Tell me how it goes.

[indexPlastic]

If I try and use the "ssl://" prefix when creating the Repo through the GUI I get:

"AssertFalse has found a positive condition"

 

When using the command "cm mkrep NewRepo ssl://<address>:8088

If I include the SSL prefix, I receive the error "Repository name cannot contain any character of: @#:"?'    I have ensured the repo name does not contain any of those charatcers, it is a simple word.  However remove the "ssl://" prefix and the ":8088" suffix from the address I get the following error

Error: No channel found trying to connect to [NewRepo]

[manu]

I always type it wrong, I'm sorry it's:

cm mkrep ss://192.168.1.68:8088 myNewRepo

What about the question regarding the lack of repositories? Is that normal?

[indexPlastic]

I am getting a similar error through the command line when the prefix and suffix: "Error: AssertFalse has found a positive condition"

 

I did not remove any repositories.  It's a fresh installation, I followed the admin guide for installation on a windows server machine.

 

This connection goes through a Barracuda firewall, which is reporting that the connections are being closed by the destination, but being allowed through the firewall.  The server is also in Microsoft's Azure cloud.  The virtual machine has endpoints listening at 8088 and 8087 over TCP.

[manu]

Ok, I think the problem is then with the server not being able to create repositories.

 

Can you send me, or attach here, the Plastic SCM server log file, it's called "plastic.server.log" and it's stored inside the Plastic SCM server directory.