Mac Sierra Server Not Responding on Port

I set up SSL for Tomcat to use port 9443 by modifying the server.xml to match configuration guidelines.


I opened the port in Mac Server and checked the router to verify that port is being forwarded to the static internal IP address.


Yet, when I go to "https://mysite.com:9443", I get a "server is not responding" message (though https://mysite.com works fine).


The Java keystore file appears to be correctly configured as there are no errors in the Tomcat log reading that file.


Just wondering if anyone has any ideas for things I might have missed.


Thanks,

Posted on Jul 12, 2017 3:16 AM


Jul 12, 2017 6:11 AM in response to Strontium90

Hey Reid,


Nothing pertinent in system.log.


Very helpful idea about using Telnet.


OK, on the server itself if I type telnet localhost 9443, I get:


Trying ::1...

Connected to localhost

Escape character is '^]'


(Doesn't work remotely.)


----


Tomcat itself starts fine, though with the unreachable port 9443 as noted below, I can't access it.


On the server in Safari: https://mysite.com:9443 gives me a "Safari can't open the page mysite.com:9443 because Safari can't establish a secure connection to the server 'mysite.com'".


Remotely, however, trying to connect to the server (https://mysite.com:9443) just times out (should bring up the main Tomcat window).


----


I have ports 9443 and 8009 open in Mac Server (Airport Extreme).


Below is the only addition I made to Tomcat's server.xml


<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    port="8443" maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true"
    keystoreFile="/path_to_keystore_directory/keystore.jks" keystorePass="thePassword"
    keystoreType="JKS"
    clientAuth="false" sslProtocol="TLS"/>


--


My keystore file has a single entry (I created the CSR separately) - just the trusted certificate, but Tomcat isn't throwing any errors about it.


I'm a bit stumped at the moment.


If the keystore file is supposed to have more, well, "keys", in it, I'm wondering if that could give me the symptoms I'm seeing or would I just get some kind of "insecure connection" message?


--


Would appreciate any ideas.


Thanks very much for your kind reply. 🙂

Jul 12, 2017 8:19 AM in response to Morkafur

Wait a sec. In your example you note that you are trying to connect to port 9443 but your Tomcat code says 8443. 8443 is a port used by Apple's Server.app so you might be getting a conflict there. Although, the odd issue is that the telnet attempt revealed that port 9443 is listening.


Also, another suggestion. OS X Server generally wants to be set up with a fully qualified host name (host.domain.tld). In your example, you show only domain.tld (mysite.com). Let's make sure that DNS is working as expected. If you are behind the Airport as a router, then you will need to support split horizon DNS.


On the Server, try:


nslookup mysite.com


Do you get the private IP address of the server? If not, what happens if you try https://localhost:9443 or https://<your_server's_IPaddress>:9443?


And oh, Tomcat keystore files. There are not many things that bring me so much pain. Let's assume it is created properly and let's focus on the ports and DNS.


Reid

Jul 12, 2017 8:43 AM in response to Strontium90

Strontium90 wrote:


Wait a sec. In your example you note that you are trying to connect to port 9443 but your Tomcat code says 8443. 8443 is a port used by Apple's Server.app so you might be getting a conflict there. Although, the odd issue is that the telnet attempt revealed that port 9443 is listening.


Also, another suggestion. OS X Server generally wants to be set up with a fully qualified host name (host.domain.tld). In your example, you show only domain.tld (mysite.com). Let's make sure that DNS is working as expected. If you are behind the Airport as a router, then you will need to support split horizon DNS.


On the Server, try:


nslookup mysite.com


Do you get the private IP address of the server? If not, what happens if you try https://localhost:9443 or https://<your_server's_IPaddress>:9443?


And oh, Tomcat keystore files. There are not many things that bring me so much pain. Let's assume it is created properly and let's focus on the ports and DNS.


Reid


Oops, sorry, typo in message. It should have been 9443.


nslookup mysite.com -> I get the local server private IP address (10.0.1.25).


I re-did the (eye-bleeding process) keystore.jks - doing the CSR from there instead of separately - and re-issued the certificate. Good news. On the server itself, localhost:9443 correctly brings up Tomcat with the Comodo certificate shown (though I have to allow the site name mismatch).


If I use, again on the server, mysite.com:9443, that works perfectly now using the correct certificate.


Connecting remotely still hangs.


Gotta be a port that's not open or something.


If I comment out the 9443 settings in server.xml that now works OK on the server, then I can connect remotely on HTTP port 8080.


How do you debug situations like this?


I do have the excellent Charles reverse proxy program, but it doesn't seem like the request is making it to the server on port 9443 at all so I'm not sure it will help/work. Nothing is logged.


Let me know what else to look at.


Appreciate your knowledgeable replies.


Thanks,

Jul 12, 2017 9:48 AM in response to Morkafur

Sounds like forward progress is being made. The last remaining piece sounds to be the port forward through the Airport. Let's make sure we are not chasing a DNS thing. On your server, try this command:


nslookup mysite.com 8.8.8.8


This is similar to the one before but now you are targeting an external DNS server (Google's). Does the result return your public IP address (from your server you can visit http://whatismyip.com to determine what it is if you are not sure - are you fixed IP or dynamic - if dynamic are you using dynamic DNS service)? This will confirm that external DNS is pointing to the right place.


The second thing you can try, if you have access to another network, is to try telnetting to port 9443 from outside the environment. This would be:


telnet <public_IP> 9443


Again, I am hoping your public apex record is pointing in the wrong direction. If this is the case, then the public resolution is simply to correct DNS.


If the nslookup checks out but the telnet fails, then the Airport is not port forwarding properly. Any chance you are on a double NAT? Possibly try removing the port forward and then adding it back in. Airports are a little fiddly as routers.


Reid

Apple Consultants Network

Author - "El Capitan Server – Foundation Services"

Author - "El Capitan Server – Control & Collaboration"

Author - "El Capitan Server – Advanced Services"

:: Exclusively available in Apple's iBooks Store

Jul 12, 2017 11:22 AM in response to Strontium90

Hey Reid,


Whatdoyaknow...it works!


The remote connectivity problem turned out to be my VPN. Once I disabled that, it was all good.


--


Don't know if you know anything about this other error, but using the same keystore using the "JavaSpark" web services framework, I still get this error:


$curl -k https://mysite.com:4567/secureHello

curl: (35) Unknown SSL protocol error in connection to mysite.com:-9847


secureHello is a simple GET function I wrote for testing:


get("/secureHello", (req, res) -> {
    // Note: Spark's secure() only takes effect when called before any route is
    // mapped; inside a handler it runs after the server has already started.
    secure("/path-to-keystore-directory/keystore.jks", "thePassword", "", "");

    return "\nSecure Hello.\n\n";
});


This is a left-over issue that had nothing to do with Tomcat or port 9443. The JavaSpark framework is lightweight and super simple to use (a GET function can really be one line of code). However, support is nearly non-existent.


Now that I know the certificate is right and I know the keystore is right, I'm in a good position to go forward.


I'm also assuming when I renew my certificate next year, I basically "start over". Perhaps I can still keep the private key I created the first time to generate the first CSR (that's in keystore.jks), but I'd generate a new CSR from that key and re-do, re-pay, etc.


Thanks so very much. You're amazing....again! 🙂


- m
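One way to script the layered check Reid walks through in this thread (does the name resolve, does a TCP connection open as with telnet, does the TLS handshake complete as the browser's https:// request requires), which also reproduces the "port open but not speaking TLS" condition behind the curl error quoted above. This is an added example, not code from the thread; the listener and closed-port helpers are constructed test peers.

```python
import socket
import ssl
import threading

def diagnose(host, port, timeout=3.0):
    """First failing layer, in the thread's order (nslookup, telnet, https):
    ('dns', err) | ('tcp', err) | ('tls', err) | ('ok', tls_version)."""
    try:
        addr = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)[0][4]
    except socket.gaierror as e:
        return "dns", str(e)
    try:
        sock = socket.create_connection(addr, timeout=timeout)
    except OSError as e:  # timeout: filtered / not forwarded; refused: nothing listening
        return "tcp", str(e)
    # Verification is off: a self-signed or name-mismatched cert still completes a handshake.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return "ok", tls.version()
    except (ssl.SSLError, OSError) as e:
        # Port open but the ClientHello was not answered with TLS: the condition
        # behind curl's "Unknown SSL protocol error" quoted in the thread.
        return "tls", str(e)

def start_plain_http_listener():
    """Constructed test peer: answers plain HTTP on a port the client expects to
    be TLS (an https:// URL against a plain HTTP listener). Returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.recv(4096)  # the client's TLS ClientHello lands here
        conn.sendall(b"HTTP/1.0 400 Bad Request\r\n\r\n")
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def reserve_closed_port():
    """Constructed: a local port with no listener, so connects are refused."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

Run `diagnose("mysite.com", 9443)` from inside and from outside the network: a "tcp" timeout from outside with "ok" from inside is the port-forward (or VPN) case from this thread, while "tls" means the port is open but the listener is plain HTTP.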
