Andre, I apologize for not giving all my information. As you perceived, I'm running Windows. Other info: Windows 10, Tomcat 9, Java 1.8.0_144. As you suggested, using netstat and telnet I found that port 8443 is not open. Looking further, Windows Firewall is controlled by Norton Security. I am now trying to find out how to open ports in Norton Security using the Norton blog.

Thank you for your help. As is obvious, I'm a newbie in low-level admin work. I'm hoping that when I get port 8443 open things will work. I'll let you know.

Don

On Sun, Sep 24, 2017 at 6:44 AM, André Warnier (tomcat) <a...@ice-sa.com> wrote:
> On 24.09.2017 02:36, Don Flinn wrote:
>
>> I'm trying to use a self-signed certificate generated in keytool. When I
>> run the application in Chrome, Firefox and Internet Explorer using
>> localhost:8080/<myapp>, all the browsers do a redirect to localhost:8443 and
>> then return "This site can't be reached. *localhost* refused to connect."
>> There is no red lined-out protocol in any of the browsers. All the Tomcat
>> logs show no errors or warnings. I can access applications that are not
>> protected, and Tomcat itself.
>>
>
> I would suggest that you first re-read what you wrote above, line by line,
> and reflect quietly on what each line is telling you.
>
> 1) you say "localhost". That means that you are using a browser as client,
> on the same machine as the one which is running the server.
> 2) you also say that one of the browsers is IE.
> 3) (1) and (2) together imply that the host is a Windows server (and the
> client also, of course).
> 4) you are not saying which version of Tomcat you are using, nor which
> version of Java, nor which version of Windows. That makes helping you
> more complicated and time-consuming, and delays any help, because now we
> have to ask you, and you have to respond.
> 5) "refused to connect": before any kind of SSL dialog can even take
> place, the browser must be able to establish a TCP connection to the
> host:port in question.
> "refused to connect" seems to indicate that this is not the case.
> 6) the logs do not show anything: that would seem to corroborate (5):
> tomcat does not even see this connection. iow, there is no connection.
>
> There are several possible reasons for this.
> a) Tomcat never opens the port 8443 for listening on it.
> That can be checked, with tomcat running, with the "netstat" utility
> program, included in Windows. With the proper arguments (which I will leave
> to you as an exercise) (but "netstat -h" will help), netstat will show you
> on which ports tomcat is listening locally. If this does not include a
> ":8443" port, then it is not listening on that port, and certainly the logs
> of tomcat will tell you why.
> b) tomcat does listen on port 8443, but something else is blocking access
> to that port.
> Then you probably have to check your local firewall settings (or whatever
> else in whatever version of Windows may be blocking connections to a port).
>
> Another quick way to check if tomcat (or anything) is listening on port
> 8443 (and/or something is blocking it) would be, in a command window, to
> run the following command:
> telnet localhost 8443
> (also with tomcat running)
> If it also tells you "no connection", then (a) or (b) above would be
> confirmed.
> If it connects, then you may get another message, due to the fact that it
> expects an SSL connection. (If it did not expect an SSL connection, you'd
> just get a blank page until you type something else).
> Obviously, access to tomcat's port 8080 is fine, so you can compare the
> responses above with what happens when you substitute 8080 for 8443.
>
> Once the above is really cleared up, then it may be worth looking at the
> rest of the information which you sent below.
>
>> If I set <transport-guarantee>CONFIDENTIAL</transport-guarantee> to NONE
>> everything works with localhost:8080.
>>
>> My SSL files in tomcat -
>>
>> *server.xml -*
>>
>> <Connector
>>     protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
>>     sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
>>     SSLEnabled="true" acceptCount="100" clientAuth="false"
>>     disableUploadTimeout="true" enableLookups="false" maxThreads="25"
>>     port="8443" keystoreFile="c:/temp/mkeystore2.jks" keystorePass="foobar"
>>     secure="true" sslProtocol="TLS" clientAuth="false" />
>>
>> *web.xml -*
>>
>> <security-constraint>
>>     <web-resource-collection>
>>         <web-resource-name>Financials</web-resource-name>
>>         <url-pattern>/*</url-pattern>
>>     </web-resource-collection>
>>     <user-data-constraint>
>>         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>>     </user-data-constraint>
>> </security-constraint>
>>
>> *the output from my keystore list -*
>>
>> C:\Users\don\Documents\Mansurus\Security> "%java_home%/bin/keytool.exe" -list -v -keystore c:/temp/mkeystore2.jks
>> Enter keystore password:
>>
>> Keystore type: JKS
>> Keystore provider: SUN
>>
>> Your keystore contains 1 entry
>>
>> Alias name: tomcat
>> Creation date: Sep 23, 2017
>> Entry type: PrivateKeyEntry
>> Certificate chain length: 1
>> Certificate[1]:
>> Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
>> Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
>> Serial number: 6b5fe428
>> Valid from: Sat Sep 23 12:57:19 EDT 2017 until: Sun Sep 23 12:57:19 EDT 2018
>> Certificate fingerprints:
>>      MD5:  11:9D:2C:50:4A:09:9D:17:2F:46:3C:AF:AF:E5:59:EE
>>      SHA1: 63:EF:21:21:3C:22:82:46:21:84:9C:81:C6:B0:C1:EC:0F:1C:87:31
>>      SHA256: 4E:75:D6:6A:6C:23:84:E0:36:AF:CF:1E:56:7D:18:6E:A1:BE:E5:EE:0B:E5:7B:2A:01:96:DF:49:CA:F1:50:C7
>> Signature algorithm name: SHA256withRSA
>> Version: 3
>>
>> Extensions:
>>
>> #1: ObjectId: 2.5.29.14 Criticality=false
>> SubjectKeyIdentifier [
>> KeyIdentifier [
>> 0000: 46 C9 48 D4 54 2A 54 CE   24 1F 22 ED 1D FC 6E 14  F.H.T*T.$."...n.
>> 0010: BE 6F 4A 49                                        .oJI
>> ]
>> ]
>>
>> What am I doing wrong? I want to get a self-signed keystore working before
>> I purchase a commercial certificate.
>>
>> Don
>>
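The netstat/telnet reasoning in André's reply, the split between (a) "Tomcat never opened the port" and (b) "a listener exists but something blocks it", plus the "it expects an SSL connection" check, can be scripted so the same three questions are answered in one run. The script below is an added example and is not part of this thread or of Tomcat; it uses only the Python standard library, and the plaintext listener and free-port helper are constructed stand-ins for the 8080 comparison he suggests. The host and port are arguments (defaults `localhost` and 8443 as in the mail).

```python
"""Added example: diagnose a "refused to connect" on an HTTPS port.
Only the Python standard library is used; target host/port are assumptions."""
import errno
import socket
import ssl
import threading


def port_is_bound(port):
    """True if some local process already owns the port.  A cheap stand-in
    for reading `netstat -an`: our own wildcard bind fails with EADDRINUSE
    when a listener exists, whether or not a firewall blocks it.  Caveat:
    on Windows a listener bound without SO_EXCLUSIVEADDRUSE can escape this
    check, so confirm with netstat there."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind(("", port))
        except OSError as e:
            return e.errno == errno.EADDRINUSE
    return False


def probe_tls_port(host, port, timeout=3.0):
    """Like `telnet host port` followed by a TLS handshake.  Returns
    'refused'     - TCP connect rejected (nothing listening, or blocked)
    'unreachable' - TCP connect timed out (a firewall that drops packets)
    'tls:<ver>'   - handshake completed; the port speaks TLS
    'plaintext'   - connected, but the peer answered with non-TLS bytes
    'silent'      - connected, but nothing came back within the timeout
    'closed'      - connected, then the peer dropped the connection"""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"
    except (TimeoutError, socket.timeout):
        return "unreachable"
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # a self-signed cert is expected here;
    ctx.verify_mode = ssl.CERT_NONE  # we only test whether TLS is spoken at all
    with raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "tls:" + tls.version()
        except ssl.SSLError:         # e.g. WRONG_VERSION_NUMBER: an HTTP reply
            return "plaintext"
        except (TimeoutError, socket.timeout):
            return "silent"
        except OSError:
            return "closed"


def diagnose(host, port):
    """Map the probe results onto the (a)/(b) split from the mail."""
    state = probe_tls_port(host, port)
    if state.startswith("tls:"):
        return "ok"
    if state in ("refused", "unreachable"):
        if port_is_bound(port):
            return "blocked"        # (b) a listener exists: firewall / security
                                    #     suite, or Connector bound to another address
        return "not-listening"      # (a) Tomcat never opened the port: check
                                    #     the Connector and the catalina log
    return "not-tls"                # connected but no TLS: wrong port, or the
                                    # Connector is not SSLEnabled


def start_plaintext_listener(host="127.0.0.1"):
    """Constructed stand-in for a plain-HTTP port like Tomcat's 8080: serves
    one connection, answers whatever arrives with an HTTP error, then exits."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)  # the client's TLS ClientHello lands here
            conn.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_port(host="127.0.0.1"):
    """A port nothing listens on (constructed for the demo)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    import sys
    target_host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 8443
    print(target_host, target_port,
          probe_tls_port(target_host, target_port),
          diagnose(target_host, target_port))
```

Run it once against 8443 and once against 8080: a working setup prints `tls:TLSv1.x` / `ok` for the first and `plaintext` / `not-tls` for the second. `blocked` means the port is owned locally yet the connect is rejected, which is the case (b) the mail points at the firewall or security suite for; `not-listening` means there is nothing to block yet and the Connector or the log is the place to look.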