Subject: Re: Trouble using SSL with Tomcat 9
To: users@tomcat.apache.org
From: André Warnier (tomcat)
Date: Sun, 24 Sep 2017 23:52:06 +0200
Message-ID: <59C82906.2020105@ice-sa.com>
References: <59C78C9B.70806@ice-sa.com>

On 24.09.2017 16:08, Don Flinn wrote:
> Andre,
>
> I apologize for not giving all my information. As you perceived, I'm running Windows. Other info: Windows 10, Tomcat 9, java 1.8.0_144. As you suggested, using netstat and telnet I found that port 8443 is not open. Looking further, Windows firewall is controlled by Norton security. I am now trying to find out how to open ports in Norton security using the Norton blog.
>
> Thank you for your help. As is obvious, I'm a newbie in low level admin work. I'm hoping that when I get port 8443 open things will work. I'll let you know.
>

Maybe wait just a second more, before you go digging in the firewall.

You say that you found out that "the port is not open".
That is not the same thing as
- the port /is/ open
- but it cannot be connected to

If netstat shows the port open and listening, but you cannot connect to it with telnet, it is probably a firewall issue.
But if the port is not open, then it is a tomcat issue. Provided that you configured tomcat properly, the port should be open, firewall or no firewall. (A firewall can only block access by a client to a server port that is open. It cannot prevent a server process from opening that port for listening.) If it isn't open, the tomcat logs should tell you why.

> Don
>
> On Sun, Sep 24, 2017 at 6:44 AM, André Warnier (tomcat) wrote:
>
>> On 24.09.2017 02:36, Don Flinn wrote:
>>
>>> I'm trying to use a self signed certificate generated in keytool. When I run the application in Chrome, Firefox and Internet Explorer using localhost:8080/ all the browsers do a redirect to localhost:8443 and then return "This site can't be reached. localhost refused to connect." There is no red lined out protocol in any of the browsers. All the Tomcat logs show no errors or warnings. I can access applications that are not protected and tomcat itself.
>>
>> I would suggest that you first re-read what you wrote above, line by line, and reflect quietly on what each line is telling you.
>>
>> 1) you say "localhost". That means that you are using a browser as client, on the same machine as the one which is running the server.
>> 2) you also say that one of the browsers is IE.
>> 3) (1) and (2) together imply that the host is a Windows server (and the client also, of course).
>> 4) you are not saying which version of Tomcat you are using, nor which version of Java, nor which version of Windows. That makes helping you more complicated and time-consuming, and delays any help, because now we have to ask you, and you have to respond.
>> 5) "refused to connect": before any kind of SSL dialog can even take place, the browser must be able to establish a TCP connection to the host:port in question.
>> "refused to connect" seems to indicate that this is not the case.
>> 6) the logs do not show anything: that would seem to corroborate (5): tomcat does not even see this connection. iow, there is no connection.
>>
>> There are several possible reasons for this.
>> a) Tomcat never opens the port 8443 for listening on it.
>> That can be checked, with tomcat running, with the "netstat" utility program, included in Windows. With the proper arguments (which I will leave to you as an exercise) (but "netstat -h" will help), netstat will show you on which ports tomcat is listening locally. If this does not include a ":8443" port, then it is not listening on that port, and certainly the logs of tomcat will tell you why.
>> b) tomcat does listen on port 8443, but something else is blocking access to that port.
>> Then you probably have to check your local firewall settings (or whatever else in whatever version of Windows may be blocking connections to a port).
>>
>> Another quick way to check if tomcat (or anything) is listening on port 8443 (and/or something is blocking it) would be, in a command window, to run the following command:
>>   telnet localhost 8443
>> (also with tomcat running)
>> If it also tells you "no connection", then (a) or (b) above would be confirmed.
>> If it connects, then you may get another message, due to the fact that it expects an SSL connection. (If it did not expect an SSL connection, you'd just get a blank page until you type something else.)
>> Obviously, access to tomcat's port 8080 is fine, so you can compare the responses above with what happens when you substitute 8080 for 8443.
>>
>> Once the above is really cleared up, then it may be worth looking at the rest of the information which you sent below.
>>
>>> If I set CONFIDENTIAL to NONE everything works with localhost:8080.
>>>
>>> My SSL files in tomcat -
>>>
>>> *server.xml -*
>>>
>>> <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
>>>            sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
>>>            SSLEnabled="true" acceptCount="100" clientAuth="false"
>>>            disableUploadTimeout="true" enableLookups="false" maxThreads="25"
>>>            port="8443" keystoreFile="c:/temp/mkeystore2.jks" keystorePass="foobar"
>>>            secure="true" sslProtocol="TLS" />
>>>
>>> *web.xml -*
>>>
>>> <security-constraint>
>>>   <web-resource-collection>
>>>     <web-resource-name>Financials</web-resource-name>
>>>     <url-pattern>/*</url-pattern>
>>>   </web-resource-collection>
>>>   <user-data-constraint>
>>>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>>>   </user-data-constraint>
>>> </security-constraint>
>>>
>>> *the output from my keystore list -*
>>>
>>> C:\Users\don\Documents\Mansurus\Security> "%java_home%/bin/keytool.exe" -list -v -keystore c:/temp/mkeystore2.jks
>>> Enter keystore password:
>>>
>>> Keystore type: JKS
>>> Keystore provider: SUN
>>>
>>> Your keystore contains 1 entry
>>>
>>> Alias name: tomcat
>>> Creation date: Sep 23, 2017
>>> Entry type: PrivateKeyEntry
>>> Certificate chain length: 1
>>> Certificate[1]:
>>> Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
>>> Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
>>> Serial number: 6b5fe428
>>> Valid from: Sat Sep 23 12:57:19 EDT 2017 until: Sun Sep 23 12:57:19 EDT 2018
>>> Certificate fingerprints:
>>> MD5: 11:9D:2C:50:4A:09:9D:17:2F:46:3C:AF:AF:E5:59:EE
>>> SHA1: 63:EF:21:21:3C:22:82:46:21:84:9C:81:C6:B0:C1:EC:0F:1C:87:31
>>> SHA256: 4E:75:D6:6A:6C:23:84:E0:36:AF:CF:1E:56:7D:18:6E:A1:BE:E5:EE:0B:E5:7B:2A:01:96:DF:49:CA:F1:50:C7
>>> Signature algorithm name: SHA256withRSA
>>> Version: 3
>>>
>>> Extensions:
>>>
>>> #1: ObjectId: 2.5.29.14 Criticality=false
>>> SubjectKeyIdentifier [
>>> KeyIdentifier [
>>> 0000: 46 C9 48 D4 54 2A 54 CE 24 1F 22 ED 1D FC 6E 14  F.H.T*T.$."...n..
>>> 0010: BE 6F 4A 49                                      .oJI
>>> ]
>>> ]
>>>
>>> What am I doing wrong? I want to get a self-signed keystore working before I purchase a commercial certificate.
>>>
>>> Don
>>>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
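Added example, not part of this thread or of Tomcat: a small Python probe that automates the distinction drawn above between a port that refuses the connection (nothing is listening, so read the server logs) and one that never answers (a listener may exist, but a firewall is dropping the packets), and that, when the TCP connection succeeds, completes a TLS handshake and reports the served certificate's SHA-256 fingerprint in the same colon-separated form as `keytool -list -v`, so it can be compared with the keystore listing. The hostnames and ports are assumptions; the loopback listener is a constructed stand-in for a running connector and is only there so the probe can be exercised offline.

```python
"""Probe a host:port the way the troubleshooting steps above do by hand.

classify_port  -> 'listening' / 'refused' / 'timeout' / 'unreachable'
tls_fingerprint -> (TLS version, SHA-256 fingerprint of the served certificate)
"""
import errno
import hashlib
import socket
import ssl


def classify_port(host, port, timeout=3.0):
    """Open a plain TCP connection and report what the network told us."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "listening"
    except ConnectionRefusedError:
        # The peer answered with RST: no process has the port open.
        return "refused"
    except socket.timeout:
        # No answer at all: a listener may exist, but something drops packets.
        return "timeout"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise


ADVICE = {
    "listening": "port is open; check that it speaks TLS (tls_fingerprint)",
    "refused": "nothing is listening: a server-side problem, read the server logs",
    "timeout": "no answer: a listener may exist but a firewall is blocking it",
    "unreachable": "no route to host: a network problem, not a server problem",
}


def diagnose(host, port, timeout=3.0):
    """Map the probe result onto the next troubleshooting step."""
    state = classify_port(host, port, timeout)
    return state, ADVICE[state]


def tls_fingerprint(host, port, timeout=3.0):
    """Complete a TLS handshake and return (protocol version, SHA-256 fingerprint).

    Certificate verification is switched off on purpose: the certificate under
    test is self-signed, and the point is to see which certificate the server
    actually presents and compare its fingerprint with the keystore listing.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            digest = hashlib.sha256(der).hexdigest().upper()
            colon_form = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
            return tls.version(), colon_form


def start_local_listener():
    """Constructed stand-in for a running connector: a bare TCP listener on an
    ephemeral loopback port. Closing the returned socket 'stops the server'."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


if __name__ == "__main__":
    # Assumed local setup: compare the HTTP port with the HTTPS port, as above.
    for port in (8080, 8443):
        print(port, diagnose("localhost", port))
    try:
        print(tls_fingerprint("localhost", 8443))
    except OSError as exc:        # ssl.SSLError is an OSError too
        print("TLS probe on 8443 failed:", exc)
```

A plain-text listener (a port that is open but not configured for SSL) passes classify_port and then fails inside tls_fingerprint with an SSL error, which is the "it connects, but you get another message" case described above.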