Andre,

I apologize for not giving all my information. As you perceived, I'm
running Windows. Other info, Windows 10, Tomcat 9, java 1.8.0_144.  As you
suggested, using netstat and telnet I found that port 8443 is not open.
Looking further, Windows firewall is controlled by Norton security.  I am
now trying to find out how to open ports in Norton security using the
Norton blog.

Thank you for your help.  As is obvious, I'm a newbie in low level admin
work.  I'm hoping that when I get port 8443 open things will work.  I'll
let you know.

Don



On Sun, Sep 24, 2017 at 6:44 AM, André Warnier (tomcat) <a...@ice-sa.com>
wrote:

> On 24.09.2017 02:36, Don Flinn wrote:
>
>> I'm trying to use a self-signed certificate generated in keytool.  When I
>> run the application Chrome, Firefox and Internet Explorer using
>> localhost:8080/<myapp> all the browsers do a redirect to localhost:8443 and
>> then return: This site can’t be reached. *localhost* refused to connect.
>> There is no red lined out protocol in any of the browsers.  All the Tomcat
>> logs show no errors or warnings.  I can access applications that are not
>> protected and tomcat itself.
>>
>
> I would suggest that you first re-read what you wrote above, line by line,
> and reflect quietly on what each line is telling you.
>
> 1) you say "localhost". That means that you are using a browser as client,
> on the same machine as the one which is running the server.
> 2) you also say that one of the browsers is IE.
> 3) (1) and (2) together imply that the host is a Windows server (and the
> client also of course).
> 4) you are not saying which version of Tomcat you are using, nor which
> version of Java, nor which version of Windows.  That makes helping you
> more complicated and time-consuming, and delays any help, because now we
> have to ask you, and you have to respond.
> 5) "refused to connect" : before any kind of SSL dialog can even take
> place, the browser must be able to establish a TCP connection to the
> host:port in question.
> "refused to connect" seems to indicate that this is not the case.
> 6) the logs do not show anything : that would seem to corroborate (5) :
> tomcat does not even see this connection. iow, there is no connection.
>
> There are several possible reasons for this.
> a) Tomcat never opens the port 8443 for listening on it.
> That can be checked, with tomcat running, with the "netstat" utility
> program, included in Windows. With the proper arguments (which I will leave
> to you as an exercise)(but "netstat -h" will help), netstat will show you
> on which ports tomcat is listening locally.  If this does not include a
> ":8443" port, then it is not listening on that port, and certainly the logs
> of tomcat will tell you why.
> b) tomcat does listen on port 8443, but something else is blocking access
> to that port.
> Then you probably have to check your local firewall settings (or whatever
> else in whatever version of Windows may be blocking connections to a port).
>
> Another quick way to check if tomcat (or anything) is listening on port
> 8443 (and/or something is blocking it) would be, in a command window, to
> run the following command :
> telnet localhost 8443
> (also with tomcat running)
> If it also tells you "no connection", then (a) or (b) above would be
> confirmed.
> If it connects, then you may get another message, due to the fact that it
> expects an SSL connection. (If it did not expect an SSL connection, you'd
> just get a blank page until you type something else).
> Obviously, access to tomcat's port 8080 is fine, so you can compare the
> responses above with what happens when you substitute 8080 for 8443.
>
> Once the above is really cleared up, then it may be worth looking at the
> rest of the information which you sent below.
>
>> If I set <transport-guarantee>CONFIDENTIAL</transport-guarantee> to NONE
>> everything works with localhost:8080.
>>
>> My SSL files in tomcat -
>>
>> *server.xml -*
>>
>> <Connector
>> protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
>> sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
>> SSLEnabled="true" acceptCount="100" clientAuth="false"
>> disableUploadTimeout="true" enableLookups="false" maxThreads="25"
>> port="8443" keystoreFile="c:/temp/mkeystore2.jks" keystorePass="foobar"
>> secure="true" sslProtocol="TLS" />
>>
>> *web.xml -*
>>
>> <security-constraint>
>>      <web-resource-collection>
>>          <web-resource-name>Financials</web-resource-name>
>>          <url-pattern>/*</url-pattern>
>>      </web-resource-collection>
>>      <user-data-constraint>
>>          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>>      </user-data-constraint>
>> </security-constraint>
>>
>> *the output from my keystore  list -*
>>
>> C:\Users\don\Documents\Mansurus\Security> "%java_home%/bin/keytool.exe"
>> -list  -v -keystore c:/temp/mkeystore2.jks
>> Enter keystore password:
>>
>> Keystore type: JKS
>> Keystore provider: SUN
>>
>> Your keystore contains 1 entry
>>
>> Alias name: tomcat
>> Creation date: Sep 23, 2017
>> Entry type: PrivateKeyEntry
>> Certificate chain length: 1
>> Certificate[1]:
>> Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
>> Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
>> Serial number: 6b5fe428
>> Valid from: Sat Sep 23 12:57:19 EDT 2017 until: Sun Sep 23 12:57:19 EDT 2018
>> Certificate fingerprints:
>>           MD5:  11:9D:2C:50:4A:09:9D:17:2F:46:3C:AF:AF:E5:59:EE
>>           SHA1: 63:EF:21:21:3C:22:82:46:21:84:9C:81:C6:B0:C1:EC:0F:1C:87:31
>>           SHA256: 4E:75:D6:6A:6C:23:84:E0:36:AF:CF:1E:56:7D:18:6E:A1:BE:E5:EE:0B:E5:7B:2A:01:96:DF:49:CA:F1:50:C7
>>           Signature algorithm name: SHA256withRSA
>>           Version: 3
>>
>> Extensions:
>>
>> #1: ObjectId: 2.5.29.14 Criticality=false
>> SubjectKeyIdentifier [
>> KeyIdentifier [
>> 0000: 46 C9 48 D4 54 2A 54 CE   24 1F 22 ED 1D FC 6E 14  F.H.T*T.$."...n.
>> 0010: BE 6F 4A 49                                        .oJI
>> ]
>> ]
>>
>> What am I doing wrong?  I want to get a self-signed keystore working
>> before I purchase a commercial certificate.
>>
>> Don
>>
>>
>
>
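
The check order described in the quoted reply (a TCP connection must succeed before any SSL dialog can take place), as an added Python example that is not part of the original thread. The function name `probe` and its result labels are assumptions made for illustration; certificate verification is switched off only because the keystore discussed here is self-signed.

```python
import socket
import ssl

def probe(host, port, timeout=3.0):
    """Return 'refused', 'filtered', 'unreachable',
    'open-handshake-failed' or 'tls:<version>'.

    Hypothetical helper (not from the thread): step 1 is the same test as
    'telnet host port'; step 2 only runs if step 1 succeeded.
    """
    # Step 1: plain TCP connect. If this fails, no TLS exchange can happen
    # and the server logs will show nothing for the attempt.
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"       # no listener on the port, or a local filter rejecting it
    except socket.timeout:
        return "filtered"      # no answer at all: packets are being dropped
    except OSError:
        return "unreachable"   # name resolution or routing problem

    # Step 2: TLS handshake. Verification is disabled because this is a
    # reachability check against a self-signed certificate, not a trust check.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return "tls:" + tls.version()
    except (ssl.SSLError, OSError):
        # The listener accepted TCP but the handshake failed: a plain HTTP
        # port, or a TLS configuration problem on the connector.
        return "open-handshake-failed"
    finally:
        sock.close()

if __name__ == "__main__":
    # Ports taken from the thread: 8080 (plain HTTP) and 8443 (HTTPS connector).
    for port in (8080, 8443):
        print(port, probe("localhost", port))
```

A result of `refused` on 8443 alongside `open-handshake-failed` on 8080 matches the situation in this thread: the keystore and connector settings are not yet being exercised at all.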
